
Privacy Policy

Effective date: 19 May 2026

In plain English

  • We're Mekkan, a UK company building software and AI tools for beauty and hair studios.
  • For data about studio owners using our dashboard, we are the data controller. For data about your customers, you (the studio) are the controller and we act as your processor.
  • Leon, our AI agent, may record voice conversations. It tells callers this at the start of each call.
  • We never sell your data. Our AI vendors (Anthropic, ElevenLabs) do not train their general models on it.
  • You have rights under UK GDPR, including the right to access, correct, and delete your data. Email support@mekkan.ai to use them.

1. Who we are

Mekkan AI Ltd ("Mekkan", "we", "us") is a company registered in England and Wales, company number 16763924, with its registered office at 167-169 Great Portland Street, London, W1W 5PF.

We provide a B2B SaaS platform — including the Mekkan dashboard and the Leon AI agent — to beauty, hair, and personal-care studios in the UK and EU.

For all questions about this policy or your data, contact support@mekkan.ai.

2. What this policy covers

This policy applies to:

  • The Mekkan web dashboard at mekkan.ai and its sub-domains
  • The Leon AI agent (voice and chat surfaces)
  • Booking, scheduling, and analytics features
  • Marketing and product communications we send to you

3. Our role — controller or processor

We process two distinct categories of personal data, and our legal role differs for each:

  • Studio owner data (your name, email, login credentials, business profile, voice conversations you have with Leon as an owner): Mekkan is the data controller.
  • End-customer data (the customers your studio serves — their names, contact details, booking history, walk-in notes, and any voice calls handled by Leon on your behalf): you, the studio, are the data controller. Mekkan acts as your data processor, processing this data only on your documented instructions.

As a controller, you are responsible for informing your customers about how their data is processed and for obtaining any consents required. Our Data Processing Addendum sets out the processor obligations we owe you — contact us for a copy.

4. Data we collect

From studio owners

  • Identification: full name, email address, phone number
  • Account: hashed password, login activity, session tokens
  • Business: studio name, address, opening hours, services offered
  • Voice: transcripts and metadata from voice conversations you have with Leon (Owner Voice)
  • Technical: IP address, browser user-agent, audit logs

From end customers (on your behalf)

  • Identification: name, contact details if provided
  • Booking history, walk-in notes, service preferences
  • Voice transcripts and metadata where Leon handles a customer-facing call on your behalf

5. Lawful basis for processing

  • Contract — to deliver the service you signed up for (login, dashboard, booking, voice agent).
  • Legitimate interest — security, fraud prevention, audit logging, and internal product improvement using aggregated data.
  • Consent — voice call recording (disclosed verbally at the start of each call) and any future marketing communications.
  • Legal obligation — tax, anti-money-laundering, and accounting record retention.

6. How we use the data

  • To run the dashboard, schedule bookings, and process payments
  • To power AI features: booking forecasts, no-show prediction, end-of-day reports, voice conversations
  • To improve Leon and our other AI features, using only aggregated and de-identified data. We never use identifiable data to train AI models.
  • To monitor security, detect abuse, and maintain audit trails
  • To respond to your support requests and account communications

7. Sub-processors

We rely on a small number of carefully selected sub-processors. Each is bound by a Data Processing Agreement that prohibits use of your data for any purpose other than providing the service to us.

Provider | Purpose | Region
Anthropic | Large language model (Claude) for Leon and AI features | US / EU
ElevenLabs | Voice synthesis, speech recognition, and agent platform | US / EU
Cloudflare | Content delivery, secure tunnels, DDoS protection | Global
Cloud hosting providers | Application hosting and database storage on enterprise UK or EU cloud infrastructure | UK / EU
Email providers | Transactional and account-related email delivery | EU / UK

Per Anthropic's and ElevenLabs' commercial terms, neither uses our customer data to train their general-purpose models. A current list of sub-processors is available on request.

8. How long we keep data

  • Voice transcripts and recordings: 90 days, then automatically deleted (subject to legal hold).
  • Booking and customer records: for the duration of your subscription, plus up to 7 years afterwards to satisfy UK tax and accounting law.
  • Audit and security logs: 12 months.
  • Account data: until account closure, then 30 days in soft-delete before permanent removal.

9. Voice recording and disclosure

When Leon handles a voice call (Owner Voice or Receptionist), it announces at the start that the conversation is being recorded for security and quality. A caller who does not consent can ask to speak to a human, hang up, or stop the call at any time.

We retain voice transcripts for the period described in section 8 and use them only for service delivery, support, and aggregated quality improvement.

10. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you (Article 15)
  • Have inaccurate data corrected (Article 16)
  • Have your data erased where applicable (Article 17 — the "right to be forgotten")
  • Restrict how we process your data (Article 18)
  • Receive a portable copy of your data in a structured format (Article 20)
  • Object to certain types of processing (Article 21)
  • Withdraw consent where consent is the legal basis

To exercise any of these rights, email support@mekkan.ai with the subject "Data Request". We aim to respond within 30 days.

If you are unhappy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk or on 0303 123 1113.

11. International transfers

Some of our sub-processors (notably Anthropic, ElevenLabs, and Cloudflare) are based in the United States. When personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another safeguard recognised under UK GDPR.

12. Security

We protect your data using:

  • TLS encryption for data in transit
  • Encryption at rest for application databases
  • Server-side multi-tenant isolation — owner identity is bound to each voice session on our backend, never relied on from the client
  • HMAC signatures on machine-to-machine webhooks
  • Structured audit logging of security-relevant events
  • Principle of least privilege for staff access

No system is perfectly secure. If we ever become aware of a breach affecting your data, we will notify you and the ICO without undue delay and, where required, within 72 hours.

13. Children

The Mekkan service is intended for businesses and is not directed at children under 16. If your studio serves customers under 16, you (as the data controller for end-customer data) are responsible for obtaining parental consent where required by law.

14. Cookies

The Mekkan dashboard uses a small number of strictly necessary cookies for session management and authentication. We do not use advertising cookies and do not share data with advertising networks.

15. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the dashboard before they take effect. The "effective date" at the top of this page always reflects the latest version.

16. Contact us

For any privacy-related question, request, or complaint, contact us at:

  • Email: support@mekkan.ai
  • Post: Mekkan AI Ltd, 167-169 Great Portland Street, London, W1W 5PF, United Kingdom
  • Supervisory authority: UK Information Commissioner's Office — ico.org.uk