Privacy Policy

Effective date: 9 June 2026 · Last updated: 9 June 2026

1. Who We Are

This Privacy Policy describes how Studio Hove ("we", "us", "our") handles information in connection with the Lasha mobile application (the "App"), available on the Apple App Store, and the Lasha website at lasha.app (the "Website").

Lasha is a client-management tool for lash technicians and beauty professionals. Our guiding principle is simple: your business data belongs to you, lives in your own iCloud account, and we cannot access it.

If you have any questions about this policy, contact us at [email protected].

2. Summary

• We do not have servers that store your clients, sessions, photos, or documents. All of that data is stored in your personal, private iCloud account (Apple CloudKit Private Database), which only you can access.
• We collect anonymous usage statistics (e.g. "a session was created") to improve the App. These contain no names, no emails, no client information, and no identifiers linked to you. You can turn this off at any time in Settings → "Share anonymous usage analytics."
• Payments are processed entirely by Apple. We never see your payment details.
• We do not sell, rent, or share personal information with data brokers, and we do not use your data for advertising.

3. Information We Handle — the App

3.1 Account information (Sign in with Apple)

The App uses Sign in with Apple to authenticate you. Apple provides the App with a pseudonymous user identifier. This identifier is stored only on your device, in the iOS Keychain, to keep you signed in.

• Although the Sign in with Apple flow may offer to share your name and email address, the App does not store your name or email address anywhere. You may also use Apple's "Hide My Email" feature.
• We have no account database on our own servers.

3.2 Your business data (stored in your iCloud, not with us)

When you use the App to manage your lash business, the following data is created and stored in the CloudKit Private Database of your own iCloud account:

• Client profiles (names, contact details, birthdays, addresses, notes, profile photos)
• Session records (lash styles, measurements, products used, dates, notes)
• Session photos
• Document templates and assigned documents, including client signatures

This data is encrypted in transit and at rest by Apple's iCloud infrastructure and is accessible only through your Apple Account. Studio Hove has no technical ability to read, access, or disclose it. Apple's handling of iCloud data is governed by Apple's Privacy Policy.

Your responsibility for client information: As a lash professional, you are responsible for the personal information of your clients that you choose to record in the App (including obtaining any consent required from your clients under applicable privacy laws). Studio Hove acts neither as a custodian nor a processor of this information — it never leaves your iCloud account.

3.3 Contacts (optional, on-device)

If you choose to use the Import Contacts feature, the App asks for permission to access your device's contacts so you can select which ones to import as clients. Contact data is read on your device and the selected entries are saved to your private iCloud database as described above. Your contact list is never transmitted to us or to any third party. You can deny or revoke this permission in iOS Settings at any time.

3.4 Purchases and subscriptions

Subscriptions (Lasha Premium) are processed entirely by Apple through the App Store. We receive no payment card details, billing addresses, or invoices. Apple provides us only with aggregated, anonymized sales reporting. Manage or cancel your subscription in iOS Settings → Apple Account → Subscriptions.

3.5 Anonymous usage analytics (TelemetryDeck)

To understand which features are used and to improve the App, we use TelemetryDeck (TelemetryDeck GmbH, Germany), a privacy-first analytics service. What this means in practice:

• We record anonymous events such as: app launched, client created, session created, number of photos added, document created or signed, subscription screen viewed, purchase started/completed/cancelled, account deleted, and the subscription tier in use (free / trial / premium).
• These events contain no personal information: no names, emails, client data, photo content, document content, precise location, or advertising identifiers.
• TelemetryDeck does not use cookies or fingerprinting and irreversibly hashes the random installation identifier it uses for counting, so the data cannot be linked back to you or your device. See TelemetryDeck's privacy policy.
• Opt-out: You can disable analytics at any time in the App under Settings → "Share anonymous usage analytics." When disabled, no analytics events leave your device.

3.6 Support communications

If you contact us at [email protected], we will receive your email address and the contents of your message, plus basic app version/device information included to help us troubleshoot. We use this solely to respond to and resolve your request.

4. Information We Handle — the Website

4.1 Waitlist sign-ups

When you submit your email address on our waitlist page, we collect your email address — so we can notify you when Lasha launches or has major updates on the App Store. We will only send you that notification email unless you explicitly opt in to further communication.

4.2 Contact form messages

When you use the contact form on the Website, we collect your email address (so we can reply to you) and your subject and message (to understand and respond to your enquiry).

4.3 Website service providers

We use a small number of third-party services to operate the Website. Each has access only to the data necessary to perform its function:

• Formspree (privacy policy) — processes form submissions from our waitlist and contact forms. Your submitted data is transmitted to Formspree's servers and then forwarded to us by email. Formspree is based in the United States.
• Google Fonts (privacy policy) — serves the Inter typeface used on this site. Your browser may send a request to Google's servers when loading this font, which may include your IP address.
• Cloudflare (privacy policy) — hosts and delivers this Website. Cloudflare may process standard server-level data (IP address, browser type, request timestamps) to deliver pages securely and efficiently.

4.4 Cookies

We do not use cookies on the Website beyond what may be set by Formspree or Cloudflare as part of their technical operation (for example, security or caching cookies). We do not place any tracking or analytics cookies ourselves and we do not use third-party advertising cookies.

5. What We Do NOT Do

• We do not sell, rent, or trade personal information.
• We do not share information with data brokers.
• We do not use your data for third-party advertising or cross-app tracking (the App does not use Apple's App Tracking Transparency framework because it does not track).
• We do not collect precise location data.

6. Legal Bases and Consent (Canada)

We handle information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Quebec's private-sector privacy law as amended by Law 25:

• Account identifier and business data: processed because it is necessary to provide the service you request; stored under your own Apple Account.
• Anonymous analytics: collected on the basis of your consent, which you may withdraw at any time via the in-app toggle. The data is anonymized at source and is not used to identify, locate, or profile any individual.
• Waitlist and support emails: processed on the basis of your consent and to respond to your request.

You may withdraw consent at any time as described above; withdrawing consent for analytics does not affect your use of the App.

CASL (waitlist emails): By submitting your email address on our waitlist page, you expressly consent to receiving a commercial electronic message notifying you about Lasha's availability, in accordance with Canada's Anti-Spam Legislation (CASL). Every email we send will include a clear and easy way to withdraw your consent. We will honour all unsubscribe requests promptly and without charge.

7. Retention and Deletion

• Business data: retained in your iCloud account until you delete it. You can delete individual records in the App, or delete all of your data using Settings → Manage Account → Delete Account, which permanently removes your clients, sessions, photos, and documents from your private iCloud database. This cannot be undone.
• Account identifier: removed from the device Keychain when you sign out or delete your account.
• Anonymous analytics: cannot be linked to you and therefore cannot be selectively deleted; it is retained by TelemetryDeck in aggregate form for as long as needed to provide usage statistics, in accordance with TelemetryDeck's own privacy policy.
• Waitlist email addresses: retained until the launch notification is sent, or until you ask us to remove your address — whichever comes first.
• Support and contact form messages: retained for up to one (1) year after your request is resolved, for quality and legal record-keeping purposes, and then deleted.

Deleting the App from your device does not by itself delete data already stored in your iCloud account.

8. Security

• Business data is protected by Apple's iCloud security (encryption in transit and at rest, Apple Account authentication).
• The locally stored sign-in identifier is protected by the iOS Keychain.
• Analytics transmissions are encrypted (HTTPS) and contain no personal information.

No method of transmission or storage is 100% secure, but the App's architecture is designed so that the most sensitive data (your clients' information) never passes through systems we operate.

9. International Transfers

Anonymous analytics data is processed by TelemetryDeck GmbH in the European Union (Germany), a jurisdiction with comprehensive privacy protection (GDPR). Form submissions are processed by Formspree in the United States. Your iCloud data is handled by Apple in accordance with your Apple Account settings and Apple's policies.

10. Children

The App and Website are intended for professional use and are not directed at children under 13 (or the applicable age of consent in your province). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Your Rights

Subject to applicable law, you have the right to:

• Access the personal information we hold about you (note: we hold essentially none — your business data is in your own iCloud);
• Correct inaccurate or incomplete information;
• Delete your data (see Section 7);
• Withdraw consent at any time — to analytics via the in-app Settings toggle, or to waitlist emails via the unsubscribe link;
• Complain to the Office of the Privacy Commissioner of Canada or, in Quebec, the Commission d'accès à l'information.

To exercise any right, contact us at [email protected]. We will respond within 30 days.

Privacy Officer: Studio Hove has designated a Privacy Officer accountable for compliance with this policy, reachable at [email protected] (attention: Privacy Officer).

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the App or the Website before they take effect. The "Last updated" date at the top reflects the latest revision.

13. Contact

Studio Hove
60 McLaren, Unit 1, Ottawa, Ontario, Canada
Email: [email protected]
Website: https://www.lasha.app