
Privacy Policy

Effective: 22 May 2026

In plain English
  • We're Mekkan, a UK company building software and AI tools for beauty and hair studios.
  • For data about studio owners using our dashboard, we are the data controller. For data about your customers, you (the studio) are the controller and we act as your processor.
  • Leon may record voice conversations. It tells callers this at the start of each call.
  • We never sell your data. Our AI vendors (Anthropic, OpenAI, ElevenLabs) do not train their general models on it.
  • You have rights under UK GDPR. Email support@mekkan.ai to use them.

1. Who we are

MEKKAN AI LTD ("Mekkan", "we", "us") is a company registered in England & Wales, company number 16763924, with its registered office at 167–169 Great Portland Street, London W1W 5PF.

We provide a B2B SaaS platform — including the Mekkan dashboard and Leon, our AI agent — to beauty, hair, and personal-care studios in the UK and EU.

For all questions about this policy or your data, contact support@mekkan.ai.

2. What this policy covers

This policy applies to:

  • The Mekkan web dashboard at mekkan.ai and its sub-domains
  • Leon (voice, chat, and email surfaces, including the Leon Receptionist)
  • Booking, scheduling, forecasting, and analytics features
  • Marketing and product communications we send to you

3. Our role — controller or processor

We process two distinct categories of personal data, and our legal role differs for each:

  • Studio owner data (your name, email, login credentials, business profile, conversations you have with Leon as an owner): Mekkan is the data controller.
  • End-customer data (the customers your studio serves — their names, contact details, booking history, walk-in notes, and any voice calls handled by Leon on your behalf): you, the studio, are the data controller. Mekkan acts as your data processor, processing this data only on your documented instructions.

As a controller, you are responsible for informing your customers about how their data is processed and for obtaining any consents required. Our Data Processing Addendum sets out the processor obligations we owe you — contact us for a copy.

4. Data we collect

From studio owners

  • Identification: full name, email address, phone number
  • Account: hashed password, login activity, session tokens
  • Business: studio name, address, opening hours, services offered
  • Conversations: transcripts and metadata from chat or voice sessions you have with Leon ("Talk to Leon")
  • Billing: card details handled by Stripe (we store only a Stripe customer reference, not card numbers), invoices, usage records
  • Technical: IP address, browser user-agent, audit logs

From end customers (on your behalf)

  • Identification: name, contact details if provided
  • Booking history, walk-in notes, service preferences
  • Voice transcripts and metadata where Leon (Receptionist) handles a customer-facing call on your behalf

5. Lawful basis for processing

  • Contract — to deliver the service you signed up for (login, dashboard, booking, Leon).
  • Legitimate interest — security, fraud prevention, audit logging, and internal product improvement using aggregated data.
  • Consent — voice call recording (disclosed verbally at the start of each call) and any future marketing communications.
  • Legal obligation — tax, anti-money-laundering, and accounting record retention.

6. How we use the data

  • To run the dashboard, schedule bookings, and process payments via Stripe
  • To power AI features: booking forecasts, no-show prediction, end-of-day reports, voice and chat conversations with Leon
  • To improve Leon and our other AI features, using only aggregated and de-identified data. We never use identifiable data to train AI models.
  • To monitor security, detect abuse, and maintain audit trails
  • To respond to your support requests and account communications

7. Sub-processors

We rely on a small number of carefully selected sub-processors. Each is bound by a Data Processing Agreement that prohibits use of your data for any purpose other than providing the service to us.

Provider | Purpose | Region
Anthropic | Large language model (Claude) for Leon and AI features | US / EU
OpenAI | Large language model (GPT) used in review analysis and AI features | US / EU
ElevenLabs | Voice synthesis, speech recognition, and agent platform for Leon voice calls | US / EU
Twilio | Telephony for the Leon Receptionist (inbound voice calls) | US / EU
Cloudflare | Content delivery, secure tunnels, DDoS protection | Global
Cloud hosting providers | Application hosting and database storage on enterprise UK or EU cloud infrastructure | UK / EU
Email providers | Transactional and account-related email delivery | EU / UK
Stripe (when payments go live) | Card processing for subscriptions, trial-to-paid conversion, and usage billing | US / EU / UK

Per Anthropic's, OpenAI's and ElevenLabs' commercial terms, none of them uses our customer data to train their general-purpose models. A current list of sub-processors is available on request.

8. How long we keep data

  • Voice transcripts and recordings: 90 days, then automatically deleted (subject to legal hold).
  • Booking and customer records: for the duration of your subscription, plus up to 7 years afterwards to satisfy UK tax and accounting law.
  • Billing records: 7 years (UK tax law).
  • Audit and security logs: 12 months.
  • Account data: until account closure, then 30 days in soft-delete before permanent removal.

9. Voice recording and disclosure

When Leon handles a voice call (Talk to Leon for owners, or the Leon Receptionist for end customers), it announces at the start that the conversation is being recorded for security and quality. A caller who does not consent can ask to speak to a human, hang up, or stop the call at any time.

We retain voice transcripts for the period described in section 8 and use them only for service delivery, support, and aggregated quality improvement.

10. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you (Article 15)
  • Have inaccurate data corrected (Article 16)
  • Have your data erased where applicable (Article 17 — the "right to be forgotten")
  • Restrict how we process your data (Article 18)
  • Receive a portable copy of your data in a structured format (Article 20)
  • Object to certain types of processing (Article 21)
  • Withdraw consent where consent is the legal basis

To exercise any of these rights, email support@mekkan.ai with the subject "Data Request". We aim to respond within 30 days.

If you are unhappy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk or on 0303 123 1113.

11. International transfers

Some of our sub-processors (notably Anthropic, OpenAI, ElevenLabs, Stripe, and Cloudflare) are based in the United States. When personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another safeguard recognised under UK GDPR.

12. Security

We protect your data using:

  • TLS encryption for data in transit
  • Encryption at rest for application databases
  • Server-side multi-tenant isolation — owner identity is bound to each voice session on our backend, never relied on from the client
  • HMAC signatures on machine-to-machine webhooks
  • Structured audit logging of security-relevant events
  • Principle of least privilege for staff access

For a fuller account of our security posture, see our Security page.

No system is perfectly secure. If we ever become aware of a breach affecting your data, we will notify you and the ICO without undue delay and, where required, within 72 hours.

13. Children

The Mekkan service is intended for businesses and is not directed at children under 16. If your studio serves customers under 16, you (as the data controller for end-customer data) are responsible for obtaining parental consent where required by law.

14. Cookies

The Mekkan dashboard uses a small number of strictly necessary cookies for session management and authentication. We do not use advertising cookies and do not share data with advertising networks. For details, see our Cookies Policy.

15. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the dashboard before they take effect. The "effective date" at the top of this page always reflects the latest version.

16. Contact us

For any privacy-related question, request, or complaint, contact us at:

  • Email: support@mekkan.ai
  • Post: MEKKAN AI LTD, 167–169 Great Portland Street, London W1W 5PF, United Kingdom
  • Supervisory authority: UK Information Commissioner's Office — ico.org.uk
