Privacy Policy

1. Information We Collect

1.1 Personal Information You Provide

We collect personal information that you voluntarily provide to us when you:

• Register an account: Name, email address, password
• Book an appointment: Name, email, phone number, preferred date/time, service selection, appointment notes
• Make a payment: Payment information is processed securely through Stripe (we do not store credit card details)
• Contact us: Name, email, phone number, company name, message content
• Provide feedback: Survey responses, ratings, comments
• Use admin features: Role, permissions, audit logs, activity history

1.2 Information Automatically Collected

When you access our website, we automatically collect certain information about your device, including:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages visited, time spent on pages, links clicked, referring website
• Session Data: Login timestamps, session duration, authentication status
• Performance Data: Page load times, errors, system health metrics

1.3 Information from Third Parties

We may receive information from third-party services we integrate with:

• Stripe: Payment confirmation, transaction status, refund information
• Email Service Providers: Email delivery status, open rates, bounce information
• Calendar Services: Calendar integration status when you add appointments

2. How We Use Your Information

We use the information we collect or receive for the following purposes:

2.1 Service Delivery

• Process and manage appointment bookings
• Facilitate payment transactions
• Send appointment confirmations, reminders, and updates
• Provide calendar integration and scheduling tools
• Enable account access and authentication
• Deliver customer support and respond to inquiries

2.2 Service Improvement

• Analyze usage patterns to improve our services
• Collect feedback to enhance customer experience
• Test new features and functionality
• Monitor system performance and security

2.3 Communication

• Send transactional emails (appointment confirmations, password resets)
• Request feedback after completed appointments
• Respond to enterprise inquiries
• Send service updates and important notices
• Provide customer support

2.4 Security and Legal Compliance

• Prevent fraud and unauthorized access
• Maintain audit logs for admin actions
• Comply with legal obligations
• Enforce our terms of service
• Protect user rights and safety

2.5 Business Operations

• Process refunds and handle cancellations
• Generate analytics and reports
• Assign staff to appointments
• Manage availability and scheduling

3. Disclosure of Your Information

We may share your information in the following situations:

3.1 Service Providers

We share your information with third-party service providers who perform services on our behalf:

• Payment Processing: Stripe (for secure payment processing)
• Email Delivery: Mailjet or SMTP providers (for transactional emails)
• Cloud Hosting: Render, AWS, or similar platforms (for application hosting)
• Database Services: MongoDB Atlas or similar (for data storage)
• Analytics: Performance monitoring services (aggregated data only)

3.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

• Complying with legal process (court orders, subpoenas)
• Protecting our rights and property
• Investigating fraud or security issues
• Protecting the safety of users or the public

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

3.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

3.5 Aggregated or De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you, such as statistical data about appointment trends or service popularity.

4. Cookies and Tracking Technologies

4.1 What Are Cookies

Cookies are small data files placed on your device that help us provide and improve our services. We use both session cookies (which expire when you close your browser) and persistent cookies (which stay on your device until deleted).

4.2 How We Use Cookies

• Essential Cookies: Required for authentication, security, and core functionality
• Session Cookies: Maintain your login state and preferences
• CSRF Protection: Prevent cross-site request forgery attacks
• Flash Messages: Display temporary notifications and alerts

4.3 Your Cookie Choices

You can set your browser to refuse cookies or alert you when cookies are being sent. However, some features of our service may not function properly without cookies.

5. Third-Party Services

5.1 Stripe Payment Processing

We use Stripe to process payments. When you make a payment, Stripe collects your payment information directly. We never store your complete credit card information on our servers. Stripe's privacy policy governs their use of your information.

5.2 Calendar Integration

When you add appointments to Google Calendar or Outlook, you're redirected to those services. Their respective privacy policies govern the use of your information on those platforms.

5.3 Email Services

We use email service providers to send transactional emails. These providers process your email address and message content solely for delivery purposes.

5.4 Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies.

6. Security of Your Information

We implement comprehensive security measures to protect your personal information:

6.1 Technical Security

• Encryption: All data transmitted over HTTPS/TLS
• Password Protection: Passwords hashed using bcrypt (12 rounds)
• Session Security: HttpOnly cookies, secure flags, SameSite protection
• CSRF Protection: Token-based protection on all state-changing operations
• Rate Limiting: Protection against brute-force attacks
• Account Lockout: Automatic lockout after failed login attempts

6.2 Administrative Security

• Two-Factor Authentication: Required for all admin accounts
• Role-Based Access Control: Principle of least privilege
• Audit Logging: Comprehensive logging of admin actions
• Regular Security Reviews: Periodic vulnerability assessments

6.3 Data Protection

• Database Security: MongoDB with authentication and encryption
• Sensitive Data Sanitization: Automatic redaction in logs
• Regular Backups: Automated backup systems
• Incident Response: Documented procedures for security incidents

Important: While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but strive to use commercially acceptable means to protect your personal information.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

• Active Accounts: Retained while account is active
• Appointment Data: Retained for 7 years for business and legal purposes
• Payment Records: Retained per financial regulations (typically 7 years)
• Audit Logs: Retained for 1 year for security purposes
• Application Logs: Retained for 30 days
• Session Data: Automatically deleted after 8 hours

7.2 Account Deletion

When you request account deletion:

• Your personal information will be deleted or anonymized
• Some information may be retained in backup systems for up to 90 days
• Legal, financial, and safety-related information may be retained as required by law
• Aggregated, anonymized data may be retained indefinitely

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 Access and Portability

• Request a copy of your personal information
• Receive your data in a structured, commonly used format
• Access your appointment history and account details through your dashboard

8.2 Correction and Update

• Update your profile information at any time
• Correct inaccurate or incomplete information
• Request correction of information we hold about you

8.3 Deletion

• Request deletion of your account and personal information
• Right to be forgotten (subject to legal retention requirements)
• Delete specific appointments or feedback

8.4 Objection and Restriction

• Object to processing of your personal information
• Request restriction of processing in certain circumstances
• Opt-out of non-essential communications

8.5 Withdrawal of Consent

• Withdraw consent for data processing where consent is the legal basis
• Note: Withdrawal does not affect the lawfulness of processing before withdrawal

8.6 How to Exercise Your Rights

To exercise any of these rights, please:

• Email us at: [email protected]
• Use your account settings for profile updates
• Contact customer support through the website

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

9.1 Legal Basis for Transfers

When we transfer personal information internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions recognizing equivalent data protection
• Your explicit consent for the transfer
• Necessity for contract performance or legal claims

9.2 Data Processing Locations

Your data may be processed in the following locations:

• United States (primary hosting and processing)
• European Union (for EU customers)
• Other regions as necessary for service delivery

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we learn that we have collected personal information from a child under 18 without verification of parental consent, we will delete that information promptly.

11. California Privacy Rights

11.1 California Consumer Privacy Act (CCPA)

If you are a California resident, you have specific rights under the CCPA:

Right to Know

• Categories of personal information collected
• Categories of sources from which information is collected
• Business or commercial purpose for collecting information
• Categories of third parties with whom we share information
• Specific pieces of personal information we have collected

Right to Delete

Request deletion of personal information we have collected, subject to certain exceptions.

Right to Opt-Out

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

11.2 California "Shine the Light" Law

California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

11.3 How to Exercise California Rights

Email: [email protected]

Subject: California Privacy Rights Request

We will verify your identity and respond within 45 days.

12. GDPR Compliance (European Economic Area)

12.1 Legal Basis for Processing

We process your personal information under the following legal bases:

• Contract Performance: To provide services you've requested (appointments, payments)
• Legitimate Interests: To improve our services, ensure security, and prevent fraud
• Legal Compliance: To comply with legal obligations
• Consent: Where you have given explicit consent (e.g., marketing communications)

12.2 Your GDPR Rights

Under GDPR, you have the following rights:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

12.3 Data Protection Officer

Contact our Data Protection Officer:

Email: [email protected]

12.4 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

13.1 Notification of Changes

• Material changes will be posted on this page with an updated "Last Updated" date
• We may notify you via email or through a notice on our website
• Continued use of our services after changes constitutes acceptance of the revised policy

13.2 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: