Privacy Policy | BookSpa

1. Introduction

BookSpa (“we,” “our,” or “us”) is committed to protecting the privacy of all individuals who use our spa booking and management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, applications, and services (collectively, the “Service”).

We collect, use, and disclose personal information only as described in this policy, as needed to provide the Service, or as otherwise permitted or required by applicable law. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using the Service, including:

Account Information: Your name, email address, phone number, business name, and password when you register an account.
Staff Information: Names, contact details, roles, schedules, compensation data, and performance ratings of your staff members that you input into the system.
Customer Information: Names, phone numbers, email addresses, birthdates, notes, and service history of your customers that you record in the system.
Booking Data: Appointment details including service types, dates, times, staff assignments, room allocations, and pricing information.
Payment Information: Payment method details processed through Stripe, our third-party payment processor. We do not store full credit card numbers on our servers.
Communications: Messages sent through our AI chatbot, feedback submissions, and support inquiries.

2.2 Information Collected Automatically

When you access the Service, we automatically collect:

Usage Data: Pages visited, features used, actions performed, and time spent on the Service.
Device Information: IP address, browser type and version, operating system, device type, and screen resolution.
Location Data: Approximate geographic location derived from your IP address, and precise GPS location only when you use the staff check-in feature (with your explicit permission).
Cookies and Similar Technologies: We use essential cookies for authentication, session management, security controls, and preference storage. We use Firebase (Google) Analytics to measure public website traffic and signup interactions; no authenticated merchant dashboard activity is tracked. We also use Vercel Speed Insights to measure application performance.

3. How We Use Your Information

We use the collected information for the following purposes:

Service Delivery: To provide, maintain, and improve the booking and management features of the Service.
Account Management: To authenticate users, manage subscriptions, process payments, and communicate about your account.
Business Operations: To enable scheduling, staff management, customer relationship management, invoicing, and reporting features.
Communication: To send transactional emails (booking confirmations, reminders, password resets), service announcements, and responses to your inquiries.
Security: To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
Analytics: To analyze usage patterns and improve the Service experience.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

Service Providers: We engage trusted third parties to perform functions on our behalf, including:
- Stripe — Payment processing and subscription management
- Neon — PostgreSQL database hosting
- Vercel — Frontend application hosting
- AWS (EC2) — Backend API hosting
- Cloudinary — File and image storage
- Google (Firebase) — Public website analytics (page views, signup interactions)
- Twilio — SMS notifications (when configured by you)
- Brevo — Email notifications (when configured by you)
- AI Providers (Gemini, OpenAI, Anthropic, DeepSeek, Agnes) — AI chatbot processing (when configured by you)
At Your Direction: When you configure third-party integrations (such as SMS or email notification providers), data will be shared according to your settings.
Legal Requirements: We may disclose information if required by law, court order, or governmental authority.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction with appropriate notice.

5. Data Storage and Retention

Storage Location: Your data may be stored or processed in the United States, Canada, and other locations where our infrastructure and service providers operate.
Retention Period: We retain account information and business data for as long as your account is active and for a limited period afterward as needed for backup, security, fraud prevention, legal, accounting, and legitimate business purposes.
Session Data: Authentication sessions expire after a limited period and can be revoked when you log out, change your password, reset your password, or when an administrator forces a logout.
Backup Data: Provider-managed backups may retain deleted information for a limited period according to backup configuration and provider policies.

6. Data Security

We implement reasonable technical and organizational safeguards designed to protect your information, including:

Encryption of data in transit using HTTPS/TLS
Encryption of selected sensitive credentials at rest using AES-256-GCM
Password hashing using bcrypt with appropriate salt rounds
SHA-256 hashing for verification tokens and OTP codes
IP blocking and rate limiting on authentication endpoints
Role-based access control (RBAC) at the API and application layers
Cross-tenant data isolation to prevent unauthorized access between merchants
Regular security updates and dependency management

However, no method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee its absolute security. Please see our Security page for more details.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: You can request a copy of the personal data we hold about you.
Correction: You can update or correct inaccurate information through your account settings or by contacting us.
Deletion: You can request deletion of your account and associated data, subject to legal retention requirements.
Portability: You can request your data in a structured, machine-readable format.
Restriction: You can request that we limit how we process your data in certain circumstances.
Objection: You can object to processing based on legitimate interests.
Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, please contact us using the information in Section 13.

8. Cookies Policy

We use the following types of cookies:

Essential Cookies: Required for the Service to function, including:
- staff_refresh_token — HttpOnly cookie for authentication with a limited expiry
- staff_session — Non-sensitive marker cookie for session detection (1 value)
- admin_refresh_token — HttpOnly cookie for admin authentication
Analytics Cookies:Firebase (Google) Analytics sets cookies to measure public website traffic and signup interactions (e.g., page views, CTA clicks). These cookies are limited to visitors on our public-facing pages (homepage, about, pricing, legal pages, login, registration, and password reset) and do not track any authenticated merchant dashboard activity. Data collected may be processed by Google in accordance with Google's privacy policy.
Performance Telemetry: We use Vercel Speed Insights to collect aggregate performance metrics so we can monitor and improve page loading and responsiveness.

You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly. Most browsers also allow you to block analytics and tracking cookies specifically through their privacy settings.

9. Third-Party AI Processing

When you configure and use the AI chatbot feature, your booking-related queries and customer data may be processed by the AI provider you select (Gemini, OpenAI, Anthropic, DeepSeek, or Agnes). Each provider has its own privacy practices:

You provide your own API keys for paid providers (Gemini, OpenAI, Anthropic, DeepSeek)
Agnes uses a system-provided API key for free processing
AI providers may process requests on their infrastructure subject to their respective privacy policies
We recommend reviewing the privacy policy of your chosen AI provider

10. Children's Privacy

The Service is intended for businesses and their authorized staff, not for direct use by children. Merchants are responsible for obtaining any required consent before entering personal information about minors into the Service. If we learn that a child has created an account directly with us without appropriate authorization, we will take steps to delete or restrict that account information.

11. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States and Canada. When we use service providers in other jurisdictions, we rely on contractual, technical, and organizational safeguards appropriate to the nature of the data and the services provided.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices:

Email us at privacy@getbookspa.com
Use the feedback form within the application (accessible to all logged-in users)
Reach out to your account administrator