Version 2.2 — Effective 2026-06-22
ENTITY TRANSITION NOTICE — TRANSITION COMPLETE. Effective June 10, 2026, Bronzly is now operated by Bronzly LLC, a Wyoming limited liability company (SoS ID 2026-002001084, EIN 42-3053441, registered agent Northwest Registered Agent LLC, 30 N Gould St Ste N, Sheridan WY 82801; principal office 3315 Cherokee Trail, Loomis CA 95650). This document is Version 2.2. Acceptances recorded under Version 1.x remain valid records of prior consent; re-acceptance enforcement will be rolled out in a subsequent platform release.
Operator / Data Controller: "Bronzly" is a service operated by Bronzly LLC, a Wyoming limited liability company, with its principal office at 3315 Cherokee Trail, Loomis, CA 95650 ("Operator," "we," "us," "our") Effective Date: June 22, 2026 Version: 2.2
This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. It applies to the Bronzly platform: the Bronzly mobile application (App ID: app.bronzly), the website at bronzly.app, and all related services (collectively, the "Service").
By using the Service you agree to this Privacy Policy. If you do not agree, please do not use the Service.
Studio Operators are business subscribers who use Bronzly to run their spray-tan studios.
End Clients are consumers who book appointments through a Studio Operator's Bronzly booking page.
Both populations are covered by this Policy. Where practices differ, we note which group is affected.
| Category | Examples | |---|---| | Contact Information | Name, email address, phone number, billing address | | Account Credentials | Password hash (managed by Clerk, our auth provider; we do not store plaintext passwords) | | Payment Information | Card details (processed and tokenized by Stripe; we do not store raw card numbers) | | Business Information (Studio Operators) | Studio name, business address, Stripe Connect payout bank details | | Booking Details (End Clients) | Appointment date/time, selected services | | Skin & Health Disclosures | Skin type, known allergies, disclosed conditions (see Section 3 below for important limitations) | | Signatures and Consents | Digital signature images captured during waiver acceptance | | Photos and Media | Before/after photos uploaded by Studio Operators with client consent | | Messages and Notes | Inbox messages, client notes entered by Studio Operators | | User-Generated Content | Custom waiver text, form responses |
| Category | Examples | |---|---| | Device Identifiers | Device ID, IP address, advertising ID (if applicable) | | Usage Data | Pages/screens visited, features used, button clicks, session duration, search queries within the App | | Diagnostics | Crash reports, performance metrics, error logs (via Sentry) | | Product Analytics and Session Replay | How you navigate and use the Service — pages and features visited, actions taken, session duration, and masked session recordings. All text inputs, form fields, and sensitive content are masked on your device before transmission: we do not receive typed text, names, email addresses, phone numbers, mailing addresses, payment details, photos, or skin-intake information. Studio Operators are associated with an internal account identifier and a one-way hashed user identifier (a pseudonymous ID derived from a server-side salt; we cannot reverse it to your name or email without access to that salt). End Clients are not associated with a name, email, or account-linked ID; a transient session identifier and IP address (used for coarse geographic location at country/region level) are received. Analytics data is processed by PostHog (see Section 5.2) and used solely to operate and improve the Service, never for advertising or cross-site profiling. | | Location | (a) General geographic location inferred from IP address; and (b) precise device GPS location — collected from Studio Operators and their staff only, only with explicit device permission granted by the user, and only while the Bronzly App is in the foreground and open, to power live route navigation, distance, and estimated arrival times for mobile spray-tan appointments ("Today's Route" / RouteIQ). Your live GPS position is processed in real time to display your location relative to your scheduled stops and is not stored by Bronzly. Precise GPS is not collected in the background, is not collected from End Clients, and is never sold, shared with third parties for their own purposes, or used for advertising. (The route plan itself — your scheduled stops and their order — is retained as part of your business records; see Section 6 and Section 8.) | | Cookies and Similar Technologies | Session cookies, local storage tokens for authentication (see Section 10, Cookies) |
For purposes of Apple's App Privacy disclosures (as required by App Store Connect), we collect data in the following Apple-defined categories:
Contact Info, Identifiers, Purchases, and Location (for Studio Operators and staff using Today's Route) are linked to your identity. Usage Data and Diagnostics may be linked or unlinked depending on whether you are signed in. Photos and User Content are linked to your identity.
Skin type, allergy disclosures, and similar information collected during the booking intake process are cosmetic service data only. We are not a healthcare provider and the Service is not a covered entity under HIPAA. We do not create or maintain medical records. Any skin or allergy information you provide is used solely to help Studio Operators tailor spray-tan services.
We use the information we collect to:
We do not use your personal information to make fully automated decisions that have legally significant effects on you without human review.
Bronzly sends transactional SMS text messages to End Clients on behalf of the Studio Operator they booked with — appointment booking confirmations, appointment reminders, and post-appointment rinse-timing alerts. A Studio Operator may also send other appointment-related messages and, where you have separately opted in, promotional messages.
Mobile information sharing. No mobile information — including your phone number and SMS opt-in or consent — will be sold, rented, shared with, or transferred to any third parties or affiliates for marketing or promotional purposes. Text-messaging originator opt-in data and consent are excluded from every category of information we may otherwise share or disclose; this data is used solely to deliver the messages you requested and is never shared with third parties for their own marketing.
We do not sell your personal information. We share data only as described below.
If you are an End Client, the Studio Operator whose booking page you use will have access to your booking details, contact information, skin disclosures, signed waivers, photos (if you consented), and appointment history. Studio Operators are independently responsible for their own data handling practices when they access this information.
We share data with the following sub-processors to operate the Service:
| Sub-Processor | Purpose | Privacy Policy | |---|---|---| | Supabase | Database hosting and storage | supabase.com/privacy | | Clerk | Authentication and identity management | clerk.com/legal/privacy | | Stripe | Payment processing and billing | stripe.com/privacy | | Stripe Connect | Studio Operator payouts | stripe.com/connect-account/legal | | Twilio | SMS appointment reminders and notifications | twilio.com/legal/privacy | | Resend / SendGrid | Transactional email delivery | resend.com/legal/privacy-policy | | Sentry | Error monitoring and diagnostics | sentry.io/privacy | | PostHog | Product analytics and masked session replay — feature usage analytics and issue diagnosis. Hosted in the United States (us-east-1 region). | posthog.com/privacy | | Inngest | Background job orchestration | inngest.com/privacy | | Apple | App Store distribution (iOS App only) | apple.com/legal/privacy |
We enter into data processing agreements with sub-processors as required by applicable law.
If Bronzly LLC is involved in a merger, acquisition, entity conversion, financing, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or in-app notice before your information is transferred and becomes subject to a different privacy policy. For EEA, UK, or Swiss users, any such transfer will be subject to the protections required under applicable data protection law, and we will provide you with an opportunity to exercise your data rights before any change in data controller takes effect.
We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Bronzly, our users, or the public.
| Data Type | Retention Period | |---|---| | Active account data | Retained while account is active | | Appointment records | 3 years from appointment date (to support dispute resolution and business records) | | Signed waivers and consents | 5 years from signing date | | Payment transaction records | 7 years (as required for financial compliance) | | Diagnostic and log data | 90 days | | Precise device GPS (artist live position) | Not stored — processed in real time on device only | | Route plan / stop data (Today's Route) | Retained as the Studio Operator's business record; purged within 30 days of account deletion (see Section 8) | | Marketing email consent records | Until consent is withdrawn, plus 2 years | | Deleted account data | Purged within 30 days of deletion request (see Section 8), except as required by law |
Depending on where you live, you may have the following rights:
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know the specific pieces of personal information collected, the right to correct inaccurate data, and the right to limit use of sensitive personal information.
Limit the Use of My Sensitive Personal Information (CPRA). Bronzly collects skin type and allergy disclosures, which qualify as sensitive personal information under CPRA. You have the right to direct us to limit the use of this information to only what is necessary to provide the services you request. To exercise this right, email support@bronzly.app with the subject line "Limit SPI Use" from your registered email address, or use the in-app account settings. We will confirm and apply your preference within 15 business days. Note: limiting use of skin disclosures may affect a Studio Operator's ability to tailor services to your skin type.
EEA, UK, and Swiss residents have rights under the General Data Protection Regulation (GDPR) and applicable national laws, including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. Our legal bases for processing are: (a) contract performance (to provide the Service you requested); (b) legitimate interests (fraud prevention, security, product improvement); (c) consent (marketing communications, optional photo uploads); and (d) legal obligation.
To exercise any of these rights, submit a request through the in-app account settings or contact us at support@bronzly.app. We will respond within 45 days (or within the timeframe required by applicable law).
If you are located in Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) (and any substantially-similar provincial privacy law) applies to our handling of your personal information. Under PIPEDA you have the right to:
We collect, use, and disclose personal information only for purposes a reasonable person would consider appropriate in the circumstances, and we obtain consent as PIPEDA requires. For commercial electronic messages sent to Canadian recipients, we also comply with Canada's Anti-Spam Legislation (CASL): marketing email and SMS are sent only with express consent, every commercial message identifies the studio on whose behalf it is sent and includes the studio's mailing address and a working unsubscribe mechanism, and consent records are retained for the period CASL requires.
To exercise any PIPEDA right, contact us at support@bronzly.app or, for Quebec residents, the privacy officer named in Section 7.2.
If you are a resident of Quebec, Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25) applies in addition to PIPEDA. Under Law 25 you have the right to access, correct, and request the deletion of your personal information; to withdraw consent; to data portability; and to be informed about the use of automated decision-making (we do not make automated decisions producing legal effects without human review — see Section 4). You may also lodge a complaint with the Commission d'accès à l'information du Québec (CAI).
Person in charge of the protection of personal information (Privacy Officer). As required by Law 25, Bronzly LLC has designated a person responsible for ensuring compliance with Quebec privacy law:
[NEEDS:Jason — name + title of designated privacy officer]Cross-border transfer and Privacy Impact Assessment. Bronzly stores and processes personal information in the United States through our infrastructure sub-processors (including Supabase for database and storage hosting, and Stripe for payment processing). Before relying on these US-based service providers for the personal information of Quebec residents, Bronzly conducts a Privacy Impact Assessment (PIA) as required by Law 25 to evaluate whether the information will receive adequate protection, taking into account the sensitivity of the information, the purposes of its use, the protection measures in place (including contractual data-processing terms), and the legal framework of the jurisdiction in which it will be processed. The cross-border-transfer disclosure in Section 13 forms part of this assessment.
Breach notification. In the event of a confidentiality incident involving the personal information of Quebec residents that presents a risk of serious injury, we will notify the affected individuals and the Commission d'accès à l'information with diligence, and we will keep a register of confidentiality incidents, as Law 25 requires.
Note for Studio Operators: This Policy describes Bronzly's practices as the platform operator. Studio Operators who themselves determine the purposes for which their clients' personal information is used have their own obligations under PIPEDA and, in Quebec, Law 25 (including, above certain thresholds, designating their own privacy officer). The tax, privacy, and legal settings in the Bronzly app are provided for convenience and are not legal advice — confirm your obligations with your own lawyer or accountant.
In-app deletion path (Apple requirement). You can delete your Bronzly account and associated personal data directly within the App:
Initiating deletion from within the App will queue your account for permanent deletion. We will confirm deletion by email within 5 business days. Data deletion is completed within 30 days, except for records we are legally required to retain (see Section 6).
Web path. You may also request account deletion by emailing support@bronzly.app from your registered email address. We will process deletion requests within 30 days.
We do not sell, rent, or trade your personal information to third parties for their independent marketing purposes. If our practices change in the future, we will update this Policy and provide you with a clear opt-out mechanism before any such sale begins.
Global Privacy Control (GPC). We recognize and honor the Global Privacy Control browser signal. When a request reaches us with a valid GPC signal, we treat it as an opt-out: we do not enable masked product analytics for that visitor and we do not, in any event, sell or share personal information. Because we do not sell or share personal information, no separate "Do Not Sell or Share My Personal Information" action is required; the GPC signal and the analytics opt-out options described in Section 10 are sufficient to opt out of all non-essential processing.
The Service uses cookies and similar technologies for:
How analytics consent is determined by region. For visitors located in the United States and other non-EEA/UK jurisdictions, masked product analytics operate under a notice-and-opt-out model: analytics are enabled by default with the disclosures in this Policy, and you may opt out at any time (see "Your opt-out choices" below and Section 9). For visitors located in the European Economic Area, the United Kingdom, and (where applicable) Switzerland, masked analytics and any non-essential analytics storage are off by default and begin only after you give prior, explicit consent through the on-site consent banner; declining or dismissing the banner leaves analytics off. A single, strictly-necessary region cookie (bz_geo_eea) records a coarse country/region indicator so we can apply the correct default; it contains no precise location and no personal identifier. A second strictly-necessary cookie (ph_consent) records only your analytics choice (granted or declined) so we do not re-prompt you.
Your opt-out choices (non-EEA / U.S.). You can opt out of masked analytics in any of the following ways: (a) enable Global Privacy Control (GPC) in a supported browser or extension — we honor a GPC signal as a valid opt-out and do not enable analytics for requests that carry it; (b) configure your browser to block cookies; or (c) contact us at support@bronzly.app to request that analytics be disabled for you. Opting out does not affect your ability to use the Service.
We do not use third-party advertising cookies or cross-site tracking for behavioral advertising. You can configure your browser to block cookies, but doing so may affect your ability to use certain features of the Service. The Bronzly App uses device-local storage for session tokens; no cross-app tracking occurs.
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you are under 18, do not use or provide any information on or through the Service.
If you believe a person under 18 has provided us with personal information without authorization, contact us at support@bronzly.app and we will delete the information promptly.
We implement commercially reasonable technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit (TLS), encryption at rest (Supabase AES-256), access controls, and regular security reviews.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized third-party circumvention of our security measures.
Bronzly is operated from the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States, which may not provide the same level of data protection as your home country.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent approved transfer mechanisms under applicable law, as the legal basis for such transfers. We do not rely on consent as the basis for international data transfers.
Canadian users — cross-border transfer disclosure. If you are located in Canada, please be aware that your personal information is stored and processed in the United States by our infrastructure sub-processors, including Supabase (database and file storage hosting) and Stripe (payment processing and Studio Operator payouts). While your information is in the United States, it is subject to US law, including lawful access by US courts, law enforcement, and government agencies, and US law may not provide the same level of protection as Canadian federal or provincial privacy law. We protect this information through contractual data-processing terms with each sub-processor and the technical and organizational measures described in Section 12. For Quebec residents, this transfer is assessed through the Privacy Impact Assessment described in Section 7.2 before we rely on these US-based providers for Quebec residents' personal information.
Bronzly is operated by Bronzly LLC, a Wyoming limited liability company. The data controller of record for all personal data processed through this Service is Bronzly LLC, located at 3315 Cherokee Trail, Loomis, CA 95650.
GDPR / UK GDPR users: Requests to exercise your data rights (access, rectification, erasure, portability, objection) should be directed to Bronzly LLC at support@bronzly.app. All rights afforded to you under GDPR Article 15–22 remain fully applicable and will be honored within statutory timeframes.
App Store distribution. The Bronzly mobile application is distributed via the Apple App Store by Bronzly LLC, a Wyoming limited liability company, which serves as the enrolled Apple Developer. Bronzly LLC is also the data controller for the Service.
The Service may contain links to or integrations with third-party websites, apps, or services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy at bronzly.app/privacy and, for material changes affecting your rights, by in-app notification or email at least 30 days before the changes take effect. The "Effective Date" at the top of this Policy indicates when it was last updated.
For privacy questions, legal notices, support requests, or account/data requests:
Support: support@bronzly.app Mailing address: Bronzly LLC, 3315 Cherokee Trail, Loomis, CA 95650