No software is GDPR-compliant on its own. That sentence is worth more than any vendor comparison, because it corrects the assumption most salon owners start from. Under the GDPR your salon is the controller — the responsibility sits with you — and the software is a processor that can only make compliance easier or harder. What you should look for is a tool that supports encrypted client records, access controls, digital consent, and straightforward export and deletion. MyWest, Phorest, Salonized and Clienta all market themselves as EU-ready. But the criterion most people lead with — "the data must be stored in the EU" — is not what the regulation actually says.

What the GDPR requires — and what it doesn't

The regulation is built on principles rather than product features: data minimisation (collect only what you need), purpose limitation (use it only for what you collected it for), storage limitation (don't keep it forever), and integrity and confidentiality (keep it secure). Nothing there names a country.

The persistent myth is that personal data must physically stay on EU servers. It doesn't. The GDPR restricts transfers outside the EU but explicitly permits them where appropriate safeguards exist — an adequacy decision covering the destination country, or standard contractual clauses between the parties. A vendor hosting in the EU is one convenient way to sidestep that question, not the only lawful route.

This matters practically. Rule out every non-EU tool on residency grounds and you may reject a provider that handles your data better than an EU-hosted one with weak access controls. Conversely, "our servers are in Frankfurt" is not by itself evidence of compliance. It answers one question out of six.

You are the controller — the software is not

Because you decide why and how client data is processed, you are the controller. Your vendor processes it on your behalf. Article 28 requires that relationship to be governed by a written contract, usually called a data processing agreement.

Ask for that agreement before you sign anything. A vendor that cannot produce one is telling you something important. It should state what the processor may do with your data, that it will not engage further sub-processors without your knowledge, and what happens to the data when the contract ends.

The practical consequence: no vendor can sell you compliance. They can sell you a tool that makes your obligations achievable. That is the honest framing, and marketing which claims otherwise should raise your guard rather than lower it.

The EU-ready options

SoftwareStated strengthsData locationStill verify
MyWest Encryption, strict access controls, easy export and delete Encrypted EU servers Processing agreement, sub-processors
Phorest Role-based access, secure cloud storage EU-compliant cloud Retention periods, deletion process
Salonized Built-in GDPR features, digital consent forms EU hosting partners Which partners, and where
Clienta Markets itself as fully GDPR compliant Dutch (EU) servers What "fully compliant" actually covers
General booking tools Low cost, full booking features Varies — ask Hosting, encryption, deletion, DPA

Treat the middle column as vendor claims, not verified facts. That is not cynicism; it is how the accountability principle works. You must be able to demonstrate compliance, which means holding evidence rather than marketing copy. A low-cost general tool such as Boona (from $2 per specialist, 0% commission) can handle booking and client records perfectly well — but if you rely on it, put it through the checklist below rather than assuming that a low price implies weaker protection, or that a high one implies stronger.

The verification checklist

  • A written data processing agreement under Article 28. Non-negotiable.
  • Where the data sits — and if outside the EU, on what legal basis: adequacy decision or standard contractual clauses.
  • Encryption of client records, both in transit and at rest.
  • Role-based access, so a receptionist doesn't see treatment notes they have no need for.
  • Digital consent capture, with a record of what was consented to and when.
  • Export and deletion you can perform yourself, without raising a support ticket.
  • Multi-factor authentication on staff logins.
  • A defined retention period. "We keep everything forever" contradicts storage limitation.

Health data changes the rules

If you record treatment notes, medical history, allergies or before-and-after photographs, you are likely processing data concerning health — a special category under Article 9. The default position is that processing it is prohibited unless a specific condition applies, such as explicit consent or one of the healthcare-related grounds.

For an aesthetic clinic this is the decisive criterion, well ahead of price. A booking tool designed for hair salons rarely addresses it, and the gap is invisible in a feature list. Ask directly whether treatment notes are segregated from the general client card, and who on your team can see them.

When a client asks for their data

This is where compliance stops being theoretical. A client can ask for a copy of their data, ask you to correct it, or ask you to delete it — and you generally have one month to respond.

  1. Verify who is asking. Handing records to the wrong person is itself a breach.
  2. Find everything. Booking system, client card, photographs, mailing list — and the notebook behind the desk.
  3. Check whether erasure actually applies. The right is not absolute; you may have competing retention obligations, for tax records in particular.
  4. Respond within the month, in a portable format if portability is what was requested.
  5. Record what you did. Accountability means being able to show it, not merely having done it.

Run this once as a rehearsal, before a real request arrives. Software that turns step two into an afternoon of searching is the software to avoid.

Data protection is one part of running a salon system; booking, reminders, deposits and client records all touch it. Our other guides on salon software and client data cover those pieces individually.

Frequently asked questions

Does the GDPR require my client data to be stored in the EU?

No. It restricts transfers outside the EU but permits them with appropriate safeguards, such as an adequacy decision or standard contractual clauses. EU hosting is a convenient way to avoid the question, not a legal requirement in itself.

What actually makes salon software GDPR-friendly?

A processing agreement under Article 28, encrypted records, role-based access, consent capture, self-service export and deletion, secure logins and a defined retention period. Ask the vendor to confirm each point in writing — the burden of demonstrating compliance falls on you, not on them.

Can I use a low-cost general booking tool and stay compliant?

Often yes. Compliance depends on how data is handled, not on what you pay. Put any tool through the checklist above, and pay particular attention if you record treatment notes, which fall under stricter rules.

Who is responsible if the vendor has a breach?

As controller you remain accountable to your clients, which is precisely why the processing agreement matters: it sets out the processor's obligations, including notifying you. Choosing a vendor is a decision you are answerable for.