Case Study: Zoom Tan

Client Overview

Zoom Tan is a privately held wellness brand founded in 2008 and headquartered in Naples, FL. It operates nearly 100 locations across FL, NY, GA, PA, and MI, with services centered on stand‑up UV tanning and automated spray tanning; many locations advertise red‑light therapy through sister brand Zoom Fit. Memberships are contract‑free with consistent, published pricing (e.g., UV “up to 12 min once every day” and daily spray options), and the company emphasizes a walk‑in model—no appointments required and no cash accepted. Zoom Tan has also expanded into boutique fitness as Zoom Fit, offering 24/7 gym access alongside red‑light therapy and infrared sauna at select locations in New York and Florida.

The Challenge

With rapid footprint growth, Zoom Tan set a goal: deliver a fully automated salon visit. Customers should be able to schedule UV, Spray, or RedLight sessions at any location; navigate there; unlock the front door after staffed hours; access amenities; and purchase consumables—entirely via mobile. Security and privacy were non‑negotiable: digital waivers with compliant e‑signatures, biometric identity verification, and location‑based proximity checks had to be first‑class. The target flow: open app → navigate → prove identity → remote door unlock → on‑demand session → exit—without staff intervention.

This ambition came with hurdles. Regulations differ by state, requiring the app to adapt eligibility rules without fragmenting the experience. The brand’s contract-free, walk-in culture demanded that automation enhance—not restrict—flexibility. On the hardware side, a diverse fleet of booth controllers and locks had to be unified under one digital model. And because tanning is a health-sensitive service, exposure guardrails and reliable audit trails were essential. In short, the solution had to prove safer, smoother, and more scalable than staffed salons, or the automation promise would ring hollow.

Our Approach

To deliver a truly staffless salon model, we treated the project as both a user-experience challenge and an infrastructure challenge. On one side, customers needed a frictionless journey that felt intuitive and safe. On the other, salon hardware and compliance requirements demanded strict orchestration. Our approach was to decouple these layers—letting mobile UX evolve quickly while hardware and store systems followed their own pace—then connect them through a single, secure backend.

We began by mapping the entire salon visit journey—from discovery through exit—to identify technical and experiential gaps. Rather than building piecemeal integrations, we separated mobile experience design from on-premise orchestration, ensuring the app could evolve quickly while salon hardware followed its own lifecycle. This approach gave Zoom Tan a scalable foundation instead of a one-off solution.

GraphQL Layer Over Existing Infrastructure

We introduced a single GraphQL API as the backbone between mobile, back-office systems, smart locks, and booth controllers. This avoided brittle point-to-point integrations and allowed for a distinct separation of concerns.

Mobile Backend

We selected Firebase/Google Cloud for mobile-facing services (authentication, messaging, sync) and paired it with AWS-based GraphQL orchestration. This hybrid choice let us leverage Firebase’s speed for app-centric tasks while still benefiting from AWS’s scalability and observability for API and hardware orchestration.

Identity & Trust

We evaluated multiple identity verification providers and standardized on Onfido. The deciding factors were high KYC-grade assurance, robust liveness detection, and SDK maturity. We negotiated volume pricing to keep costs sustainable across nearly 100 locations. Two verification tiers were defined: full (document + liveness) for onboarding and quick (face-only) for repeat high-risk events.

From the start, we embedded compliance requirements into the user flow. Digital waivers were designed for ESIGN/UETA compliance. For biometrics, explicit, time-bound consent was captured, following US biometric privacy practices. These safeguards ensured Zoom Tan could scale nationally without rework for varying legal environments.

Proximity-aware Access

To reduce fraud and ensure users were physically present, we combined OS-level geofencing with optional BLE beacon checks at the door. Only when proximity was validated did the system issue a one-time, short-lived unlock token tied to device and user identity.

Booth & Safety Orchestration

We embedded tanning-specific safeguards into the architecture. Each account carried per-user UV exposure limits enforced by the API, while lamp-hour data allowed the system to adjust safety guidance when new bulbs were installed or equipment was serviced. This went beyond “access control” to actively protect guests and reduce brand liability.

Operational Resilience

Reliability was non-negotiable. We designed for idempotent mutations (so a retry wouldn’t trigger double unlocks), strict rate limits to prevent abuse, and circuit-breaker patterns to isolate failures without cascading outages. Observability with structured logs and distributed traces made audit trails and incident investigation straightforward.

Experience-Driven Design

Finally, we translated all this into on-brand user journeys. Prototypes were validated with real customers, refining the flow until the experience felt seamless: discover → navigate → verify → unlock → session → exit. Each step reinforced both security and simplicity, aligning with Zoom Tan’s promise of a no-hassle visit.

The Solution

Cross-platform mobile app (React Native)

We built the mobile app in React Native to ensure a unified codebase for iOS and Android. Apollo Client handled GraphQL queries with persisted query support for speed and security. Native modules integrated Onfido’s Smart Capture SDK for document and liveness checks, plus Face ID / Touch ID for biometric step-ups. Location services combined geofencing with optional BLE door proximity, ensuring unlocks could only occur when a user was truly present. Push notifications and local device caching smoothed the experience even in low-connectivity environments.

GraphQL back end in TypeScript on AWS

The back end was implemented in TypeScript, deployed on AWS Lambda and API Gateway for scalability and cost efficiency. This GraphQL layer brokered commands between mobile, salon systems, booth controllers, and smart locks. Safelisted queries protected the API surface, while idempotent mutations ensured reliable orchestration of sensitive operations like unlockDoor or startSession. Event-driven patterns (via SNS/SQS or Pub/Sub equivalents) pushed real-time updates back to mobile so users immediately saw confirmation when a door unlocked or a session started.

Onfido Verification Flows

Identity was split into two modes:

Full verification (document + liveness) at onboarding or first entry, creating a high-assurance baseline tied to the account.
Quick verification (face-only step-up) for subsequent high-risk moments such as after-hours door unlocks. Known Faces detection helped flag attempts at account sharing. Results flowed back to the app in real time, keeping users informed at every step.

Safety & Compliance Features

Safety was not an afterthought—it was built into every interaction:

Digital waivers captured through ESIGN/UETA-compliant e-signature flows, stored centrally for audit.
UV exposure guardrails enforced per-user limits (e.g., one UV session per day) and dynamically adjusted based on lamp age, aligning with FDA sunlamp timing standards.
Context-aware alerts notified users when equipment changes (new bulbs, maintenance) could alter exposure intensity.
Age verification ensured compliance with state-specific tanning regulations by embedding ID validation into onboarding.

Store systems & hardware integration

A custom hardware interface connected GraphQL commands to OEM booth controllers and smart lock devices. These integrations surfaced real-time success/failure callbacks in the app, closing the loop for users. At the same time, salon back-office systems (e.g., membership management, billing) were connected through the same API surface, ensuring consistency between mobile purchases, waivers, and in-store sessions.

Experience Detail

Discovery: Find nearby salons, view availability, and check eligibility based on age and membership.
Access: Geofence + face step-up combine to generate a one-time, short-lived unlock token.
Session: Booth start/stop tied to the user’s verified identity and session history; timers align with regulatory guidance.
Post-visit: Session history, digital receipts, and consumable purchases are visible in-app, reinforcing transparency and upsell opportunities.

Results

Zoom Tan’s self-service model delivered measurable impact across operations, customer experience, and risk management. Operationally, it streamlined staff requirements, centralized compliance processes, and provided leadership with clearer visibility into usage patterns. For customers, it created a faster, more predictable visit and unlocked new digital conveniences such as session history and in-app upsells. On the safety and compliance front, the platform enforced exposure guardrails, improved identity assurance, and ensured audit-ready records across nearly 100 locations.

Operational Impact

Enabled secure after-hours access with biometric step-up, reducing reliance on front-desk staff and extending usable hours without increasing labor costs.
Centralized waiver capture and identity proofing created a single source of truth across nearly 100 locations, eliminating paper processes and ensuring legal compliance.
Standardized API-driven booth orchestration simplified integration of new hardware vendors and reduced ongoing maintenance overhead.
Event-driven logs and analytics allowed leadership to track usage trends, equipment load, and membership patterns in real time, improving capacity planning.
Reduced support calls for basic access issues (lost cards, manual check-ins) by shifting responsibility to the app’s identity and unlock flows

Customer Experience

Delivered a consistent, “tap-to-tan” journey: discover location, verify identity, unlock, start session, exit—predictable and repeatable across the entire footprint.
Optional soft-reservations for spray booths improved fairness and reduced bottlenecks, while keeping the brand’s signature walk-in flexibility intact.
In-app upsell of eyewear, lotions, and membership upgrades provided a new revenue channel without requiring staff involvement.
Faster sessions—guests now bypass check-in lines, saving minutes per visit, which compounds for repeat daily users.
Digital receipts and session history in the app improved transparency for guests and created a perception of professionalism and trust.

Risk & Safety

Guardrails enforced maximum daily UV exposure per user, reducing liability risk and improving alignment with FDA sunlamp regulations.
Lamp-hour tracking and context-aware warnings ensured guests were informed when intensity might differ due to new or aging bulbs.
Multi-factor identity (document + liveness, then face-only step-ups) reduced account sharing and underage use attempts.
Geofencing and BLE proximity checks reduced fraud by ensuring unlocks only occurred on-site, at the correct location, and within a narrow time window.
Centralized logs of waivers, unlocks, and sessions strengthened auditability in the event of compliance checks or customer disputes.
Improved guest confidence: transparent safeguards reassured customers that Zoom Tan prioritizes safety and compliance, differentiating it from smaller competitors.

Key Takeaways

The Zoom Tan project demonstrates how thoughtful architecture, strong identity practices, and built-in safety can transform a traditional, staff-dependent business into a scalable, automated model. By unifying mobile UX with a resilient GraphQL back end, standardizing identity verification, and embedding regulatory safeguards from the start, the solution improved both operational efficiency and customer trust. These lessons extend beyond tanning salons—showing how wellness and fitness operators can modernize access, compliance, and engagement through digital-first design.

Staffless, secure access at scale – By combining mobile identity verification, proximity checks, and smart lock integration, Zoom Tan can safely extend hours and reduce staffing overhead without sacrificing guest security.
GraphQL as a control hub – A single GraphQL API provided a clean abstraction between fast-moving mobile UX and slower hardware upgrade cycles. Persisted queries hardened the interface and improved performance.
Future-proofed identity strategy – Standardizing on Onfido for document verification, motion-based liveness, and face step-ups ensures compliance today and flexibility to layer in additional vendors or modalities later.
Digital compliance built-in – ESIGN/UETA-compliant waivers, biometric consent notices, and audit-ready logs reduce legal risk while keeping user flows seamless.
UV safety guardrails – Per-user exposure caps and lamp-hour awareness align with FDA sunlamp rules and help mitigate brand risk from overexposure. This also reinforces trust with customers.
Operational efficiency – Centralized waiver capture and automated access reduced the manual work of front-desk staff and created consistent audit trails across nearly 100 sites.
Customer experience consistency – Guests get the same “tap-to-tan” journey across locations, with optional soft-reservations for spray booths layered on top of the brand’s walk-in culture.
Resilient architecture – Idempotent mutations, circuit breakers, and strict rate limits prevent device misfires and ensure smooth orchestration even when connectivity is degraded.
Analytics & observability – Event-driven logs at each unlock and session provide operational insight, fraud detection signals, and a foundation for usage-based analytics.
Brand differentiation – A staffless, mobile-first model positions Zoom Tan as one of the few tanning and wellness brands to embrace automation at scale, creating a defensible advantage in a crowded, low-margin industry.
Cross-category applicability – The same identity + access orchestration patterns can extend to Zoom Fit gyms, red-light therapy, or future wellness modalities, making this architecture a platform play rather than a one-off.
Scalability & growth – By decoupling mobile from hardware cycles, the solution is ready for new states, new devices, and new service lines without costly rewrites.

Operating multi-site wellness or fitness locations and considering self-service entry or automated sessions? Let’s assess the identity, access, and orchestration patterns that fit your footprint—and build a pilot in weeks. → Schedule a discovery call.