Salon booking systems - capture and use of your credit card

Think again before you book your haircut, spa day and other beauty treatments on-line using your credit card

By way of background, I have been a records and information management specialist for over 30 years, plus my partner is a tax accountant - we know a little more than the general public about ‘information collection’, especially financial records.

Collection of credit card details

Recently I had an unnerving experience with a local beauty salon upon discovering they had collected my credit card details at point of sale WITHOUT my knowledge. They had moved from their old booking system to Fresha - a system that uses a non-bank EFT system for payments.

After my service I received my receipt via SMS link along with a request to rate their service AND provide a tip to my therapist (!!!). As I asked to rebook the same service whilst in the salon, I received another SMS link telling me that a deposit will be taken to confirm my booking - BOTH SMS links state that they already had my credit card details kept on file (for ‘my’ convenience).

I contacted the salon owner about this, she explained that I provided ‘consent’ when I created the Fresha account and when I provided a deposit/made my original booking. I asked her to check if such a deposit was made as I was charged in full. (FYI I made my original booking via SMS not in the on-line booking system.)

Note that I DIDN’T create the account - rather the staff member created the account using information from my previous bookings in the old system, consequently I did not consent to any of the salon/Fresha policies, and was not told that paying by EFT would collect my credit card details.

Fresha’s privacy policy (Fresha Privacy Policy) states they DO collect your credit card details… but doesn’t say how they do so.

How long should a salon have my credit card details on file?
Noting that hotels place a hold on your credit card and release it once you have checked out.

Should salons delete credit card details after a set time/after you’ve had your service?

No shows and cancellations

As a consumer I have another concern with holding credit card details on file, it allows salons to charge for no shows and cancellations.
Of course, this is at the discretion of the salon to decide if the client’s excuse/reason for reschedule/cancellation etc is valid. Without a clearly published and understood policy, it can be misused.

No idea where the booking systems are storing credit card details in the cloud (it is SUPPOSED to be onshore) and with more salons demanding a deposit when you make a booking, I believe Fresha is in breach of consumer laws for non-disclosure.

Fresha has not responded to my emails or answered my concerns

The response I received from the ACCC was vague

"Thank you for writing to us about Fresha. We have recorded the details of your report. The ACCC cannot provide legal advice so we are unable to tell you how long salon can have your credit card details on file. "

Hi @Bindii, welcome to the community.

In relation to Fresha’s Privacy Policy, the following information is collected when a credit card is shown at the point of sale:

Fresha stores the following card information:

  • card brand,
  • card holder name,
  • card’s last four digits,
  • card expiry month and expiry year.

It doesn’t store all the card information. This capture of information appears similar to that captured by some businesses and appears on the credit card slip issued by the business at the point of sale. There is also insufficient information to process a purchase against the card as only the last 4 digits of the card are captured and the CVV isn’t stored.

Did you use your credit card to make the first booking to the salon - say for deposit or security purposes in the case of a cancellation? It appears that you did from your first sentence in your post.

If you did, it is likely that the booking system (which could also be Fresha.com looking at their website) retained your credit card details (whole of card number, expiry date and CVV). This is common across booking platforms for food, accommodation, transportation etc.

A business can use these stored credit card details to process payments. Fresha.com allows online processing of payments using customer provided credit card details. I suspect that information about how credit card details can be used and are stored would have been provided through the booking process.

I never ever provided my credit card details for my previous bookings.

The salon went from a desktop booking management system which held my name and mobile number I provided when making a booking.

The salon created the Fresha account so I didn’t provide consent for credit card capture.

It was never declared they were capturing my card details when I paid for my service on the day, never declared they had set up my personal details into a new system (and using my details for marketing… Yuck.)

Sadly you’ve missed my point - no declaration was made on how my personal details were going to be used including capture of credit card, their policy on no shows.

With online shopping, you can opt-out on saving your credit card details for future use.

With salon bookings there is no opting out.

And where are these online platforms holding our financial details?

It is supposed to be onshore as per Australian legislation.

@Bindii I twice treated a friend to a treatment in a beauty parlour a few years ago and was, like you, mystified how a profile with Fresha was created (for me as it was my CC) without my knowledge and consent. Like you I received SMS messages following the treatments. Both times I paid with a CC and once I booked in person and once via the phone. Not once did I book online.

A couple of years ago that salon went out of business.

So who has those CC details now? When it went out of business, surprise surprise, no mention was made of what would happen to the collected data.

As to your comment on where the information is held, I believe you are incorrect asserting they must be kept onshore as I was told recently that a major professional services firm often contracts out work to folk in the Philippines where regardless of what good intentions exist in Australia’s corporate sector or regulatory bodies, storing, copying or at the very least accessing that data when it’s offshore is child’s play, surely.

It’s now common for many businesses to use customer billing, appointment booking and record management software products.

My dentist and GP use one. The specialist medical practices do it. Even the Covid Vaccination hub used one. One as a customer may fill in details online or hand a paper form to the staff to enter into the system. At the end of each appointment the updated record of the visit is used to also generate the bill. The one system manages all.

For a salon, knowing which treatments, hair colour etc. you prefer is all useful for the next time booking.

Not so long ago the electronic payment systems were independent of all else. Pay today by CC or debit and the often linked systems have potential access to a wealth of detail. The latest shift is a move towards electronic receipts issued via SMS or email!

I’d note there are numerous businesses that I’m aware are keeping a digital record of my transactions and other details. The one inconsistency is how each has advised or not what T&C’s apply to how they use that data.

The following may be relevant to the discussion.

Note the regulations provide exemptions for many businesses with less than $3M annual turnover.

As a records and management specialist - I’m extremely aware of my digital footprint and I minimise it as best as I can.

These software systems and the salons that use them NEED to be transparent. Privacy Act plus Spam Act and ATO compliance as well (financial records).

I’d like an automatic archival built into these systems so they are single use only, i.e. when my booked service is completed, my payment details are no longer available.

Is that only for the system the one salon mentioned uses or is that for all systems used by all businesses?

The average consumer will have little understanding of what a modern business management system can do. Neither does the average consumer know how a business is using the chosen solution/s.

Does the system hold the actual card details or does it hold an authorisation code issued by the card provider?

I’m certainly aware of the ability to save your CC details with some online retailers for the convenience of your next shop. Qantas comes to mind. I don’t avail myself of the feature.