Rekko is a mobile app for beauty professionals and independent service providers that helps you manage clients, appointments, reminders, consent forms, and your business. This policy describes what data we collect, how we use it, who we share it with, and what rights you have.
Data you add about your clients: names, phone numbers, Instagram handles, photos, notes, birthdays, visit history, appointments, and waitlist entries. This data belongs to you and is used only to operate the app on your account. We do not sell it, share it with third parties for their own purposes, or use it for advertising.
Some consent forms — medical intake, tattoo consent, and patch-test records — can include information about a client's health, allergies, or medical conditions. Under GDPR this is a special category of personal data. Because Rekko cannot itself obtain consent from your clients, the app asks you to confirm, on each such form, that the client has agreed to the processing of this information before the form can be saved. This data is stored under your account and is used only to render and store the form. Forms that do not collect health information (e.g. aftercare instructions) do not require this step.
Rekko includes an optional AI assistant. When you ask it a question, the app sends a minimized snapshot of your account — such as client first names, upcoming appointments, services, and an aggregated financial summary — to Anthropic, PBC, which generates the answer. Free-text client notes are deliberately excluded from this snapshot to avoid transmitting sensitive details. Anthropic processes the request to return a response and, under its commercial API terms, does not use the data to train its models. The first time you use the assistant the app asks for your explicit consent.
If you enable automatic reminders (a Pro feature), Rekko's server can send reminder messages to a client over WhatsApp via Twilio, Inc. To do this we share the client's phone number, name, the service, and the appointment time with Twilio. A message is sent only for clients you have individually marked as having consented to reminders, and never to clients you have placed on "do not disturb."
If you enable your public booking page, clients can submit booking requests through a web page hosted on Firebase Hosting. Information they enter (name, phone, chosen service and time) is stored under your account so you can review and confirm the booking.
Rekko Pro purchases are processed by RevenueCat, Inc. We receive subscription status, the platform identifier (Apple or Google), and a customer ID linked to your Firebase UID. Payment card details are handled exclusively by the Apple App Store or Google Play — we never see or store them.
The app requests permission to send notifications. On-device notifications remind you about upcoming appointments and sleeping clients; they are scheduled by the app and, where applicable, delivered via Firebase Cloud Messaging. This is separate from the automatic client reminders described in Section 1.6.
We do not sell your data. We rely on the following processors:
Each processor operates under its own privacy policy and applies industry-standard data protection measures.
These processors store and process data on servers located in the United States and other countries. Where your data is transferred outside your region (including to the United States), we rely on the standard contractual protections offered by each processor.
Data is retained while your account exists. When you delete your account from Settings → Delete account, the app asks our server to permanently erase your entire data tree — clients, appointments, services, consent forms, signatures, photos, templates, expenses, and settings — together with your public booking page, your subscription record at RevenueCat, and your authentication account. This erasure runs immediately. Residual copies that may remain in our providers' encrypted backups are overwritten on their normal backup-rotation cycle, within 30 days. The app also clears its local offline cache on the device on next launch.
Under applicable law (including GDPR for EU/EEA users and UK GDPR) you may:
To exercise these rights, email xeniqu@gmail.com.
California residents: we do not sell or share your personal information, and you have the right to know what data we hold, request its deletion, and not be discriminated against for exercising these rights. To make a request, contact us at the email above.
Rekko is not intended for individuals under 16. We do not knowingly collect data from such users. If we learn that we have, we delete it.
We may update this policy. Material changes will be announced in-app or by email at least 14 days before they take effect.
For data that identifies you — your account, profile, and subscription — Rekko is the data controller. For data you enter about your clients, including any health information in consent forms, you are the controller and Rekko acts as your processor, handling that data on your instructions to provide the app's features.
As the controller of your client data, you are responsible for having a lawful basis to store it, for informing your clients how you use their information, and for obtaining their consent where the law requires it — in particular before recording health information and before sending automatic reminders. Rekko provides in-app controls (per-client reminder consent, per-form health-data consent, and "do not disturb") to help you meet these obligations.
Rekko is operated by Kseniia Vylegzhanina, an independent individual developer based in Uzbekistan, who acts as the data controller for account data. Questions or requests: xeniqu@gmail.com.