Privacy Policy

1. Introduction

BookIt Technologies ("BookIt," "we," "us," or "our") operates the BookIt platform, which provides AI-powered appointment booking via SMS and web. This Privacy Policy describes how we collect, use, and protect your personal information when you use our services. It applies to business owners who use BookIt to manage bookings and to customers who book appointments through a BookIt-powered business page.

2. Information We Collect

We collect different categories of information depending on how you use BookIt:

Account Information (business owners)

• Name, email address, password, phone number, and business details when you create an account.
• Business name, address, business hours, services, pricing, and staff/resource information you add.

Booking Page Customer Information

• When a customer books through a business's BookIt page, we collect customer name, phone, email, and appointment details on behalf of that business.
• The business owner is the controller of their customer data. BookIt acts as a processor for that data.
• If a business closes their BookIt account, the customer data they collected through the booking page is deleted within 30 days unless retention is required by law.

Plan-specific data collection

What we collect depends on your plan:

Usage and Technical Data

• Log data, device information, IP address, browser type, pages viewed, and interactions with our platform.
• Information about your interactions with the dashboard (which features you view, links clicked) for product analytics.
• Error reports and diagnostics via Sentry when something breaks.

Payment Information

• Billing details for your BookIt subscription are processed by Stripe. We do not store credit card numbers.
• For businesses using BookIt Pay (Stripe Connect), customer payments are processed by Stripe directly to the business's connected Stripe account. BookIt never sees or stores customer card numbers in that flow.

Google Calendar Integration

If you connect Google Calendar, we store OAuth access and refresh tokens to sync your appointments. We access only your calendar events, not contacts, email, or other Google services. You can revoke access at any time from your Google Account settings.

Customer Reviews

After appointments, customers may be asked to rate their experience (1–5 stars). Ratings are stored with the associated business and appointment.

3. How We Use Your Information

• To provide and maintain our appointment booking services
• To send appointment confirmations, reminders, updates, and payment links via SMS (paid plans) or email (all plans)
• To process and respond to customer inquiries through our AI assistant (paid plans only)
• To improve our services, including AI response quality
• To analyze product usage and feature adoption (aggregated and event-level)
• To send you product, billing, and security communications
• To prevent fraud, abuse, and enforce our terms of service
• To comply with legal obligations

4. SMS Messaging & Mobile Information

When you interact with BookIt via SMS, you consent to receive appointment and payment-related text messages. Important details:

• Message frequency varies based on your booking activity
• Message and data rates may apply
• Reply STOP at any time to opt out of messages
• Reply HELP for assistance
• Your mobile information will not be sold or shared with third parties for promotional or marketing purposes.
• On Free plan businesses, BookIt does not provision a phone number or send SMS. Customer communication for Free plan accounts is handled by email and Google Calendar invites.

5. Information Sharing & Service Providers

We do not sell your personal information. We share it with the following categories of third-party service providers ("service providers" under the CCPA, "processors" under the GDPR), each contractually obligated to protect your data and use it only for the purposes we direct:

Infrastructure & communications

• Telnyx — SMS and voice delivery (paid plans only)
• Brevo — transactional email delivery (booking confirmations, reminders, account notifications)
• Cloudflare — content delivery, DDoS protection, and bot prevention. Cloudflare Turnstile is used on registration and other forms to verify users are not bots; this involves collecting IP address and basic browser fingerprint signals.
• Railway — application hosting and PostgreSQL database
• Sentry — error monitoring and crash reporting (may receive request URLs, user agent, and stack traces; we configure Sentry to scrub PII where possible)

Payments

• Stripe — BookIt subscription billing
• Stripe Connect — for businesses using BookIt Pay, customer payments are processed directly to the business's connected Stripe account. BookIt does not see, store, or have access to customer card details.

AI

• Anthropic (Claude AI) — paid plans only. Our AI receptionist calls the Claude API to generate replies and perform booking actions. The data sent to Anthropic may include the customer's name, phone number, prior turns of the SMS conversation, the business's services and hours, and structured tool arguments for creating, rescheduling, or cancelling appointments. BookIt does not use customer SMS conversation data to train our own models. Per Anthropic's commercial API terms, data sent via the Claude API is not used to train Anthropic's commercial models. Under Anthropic's standard terms, API data may be retained by Anthropic for up to 30 days for safety and abuse-monitoring purposes; conversations flagged for review may be retained longer. Use of the Claude AI features is also subject to Anthropic's Acceptable Use Policy and Anthropic's Privacy Policy.

Analytics & advertising

• Google Tag Manager / Google Analytics 4 — page views, conversion events, and aggregated product usage
• Google Ads conversion pixel (account AW-18002504319) — tracks signups originating from Google ad campaigns

See Section 8 (Cookies and Tracking Technologies) for details on how to opt out, and Section 11 (State Privacy Rights) for your right to opt out of targeted advertising / "sharing" under state privacy laws.

Calendar sync

• Google — Google Calendar sync (when connected by the business owner)

Business partners and legal

• The business you book with: receives your name, phone number, and appointment details necessary to provide their services.
• Legal Requirements: when required by law, subpoena, or to protect our rights, property, or safety.

6. Data Security

We implement industry-standard security measures to protect your personal information, including encryption in transit (TLS/SSL), encrypted database storage, secure access controls, and regular security reviews. We use Cloudflare for DDoS protection and Cloudflare Turnstile to prevent automated abuse. However, no method of electronic transmission or storage is 100% secure.

7. Data Retention

We retain different types of data for different periods:

• SMS message content: Retained for 60 days, then automatically deleted.
• Interaction logs: Retained for 90 days.
• Scheduled message records: Deleted 30 days after sending.
• Appointment records: Retained for the life of the business's account.
• Reviews: Retained for the life of the business's account.
• Google Calendar OAuth tokens: Retained until you disconnect the integration or close your account, whichever is sooner.
• Encrypted backups: Database backups are retained for up to 30 days for disaster recovery. Data deleted from the live database may persist in backups for that period.
• Sentry error data: 90-day retention per Sentry's defaults.
• Data after account closure: Upon account closure, appointment records, reviews, customer contacts, and message history will be permanently deleted within 30 days of the end of your final billing period, except where retention is required by law, fraud prevention, or dispute resolution.

8. Cookies and Tracking Technologies

BookIt uses cookies, local storage, and similar tracking technologies for the following purposes:

Strictly necessary

• Authentication: We store a secure authentication token (in both an httpOnly cookie and browser local storage) to keep you logged in. This token expires after 24 hours.
• CSRF and security tokens issued by Cloudflare Turnstile on registration and other forms.

Analytics

• Google Analytics 4 / Google Tag Manager — page views, button clicks, and conversion events. May set first-party cookies (`_ga`, `_ga_*`) with a 24-month default lifetime.

Advertising

• Google Ads conversion tracking (account AW-18002504319) — used to attribute signups to ad campaigns. May set cookies for cross-site tracking.

Your choices

• You can disable cookies in your browser settings, though strictly necessary cookies are required for the dashboard to function.
• You can opt out of Google Analytics with the Google Analytics opt-out browser add-on.
• You can opt out of Google personalized advertising at adssettings.google.com.
• See the "Do Not Sell or Share My Personal Information" section below for opt-out rights, including how to submit an opt-out request by email.

9. Do Not Sell or Share My Personal Information

BookIt does not sell personal information in the traditional sense (we do not receive money in exchange for your data). However, under the California Consumer Privacy Act (CCPA) and similar state laws, the use of third-party advertising cookies (Google Ads conversion tracking) may qualify as "sharing" personal information for cross-context behavioral advertising purposes.

To opt out, you can:

• Email support@bookittechnologies.com with the subject line "Do Not Sell or Share" and we will process your request within 15 business days. Include the email address and account (if any) you want the opt-out applied to.

We will not discriminate against you for exercising this right.

10. Your Rights

Depending on your location, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and personal data by contacting support@bookittechnologies.com. Account data will be removed within 30 days. Note that SMS messages and interaction logs are automatically deleted on a rolling basis (60–90 days).
• Request a portable copy of your data
• Opt out of SMS communications by replying STOP
• Opt out of marketing emails via the unsubscribe link in each email
• Opt out of "sale" or "sharing" of personal information (see Section 9)
• Withdraw consent for data processing

11. State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive consumer privacy law, you may have additional rights, including:

• Right to know / access — request disclosure of what personal information we collect, use, and share.
• Right to delete — request deletion of your personal information (subject to legal exceptions).
• Right to correct — request that we fix inaccurate information.
• Right to data portability — request a copy of your personal data in a portable, machine-readable format.
• Right to opt out of "sale" or "sharing" for cross-context behavioral advertising — see Section 9. We honor the Global Privacy Control signal.
• Right to opt out of profiling with legal or similarly significant effects (BookIt does not engage in automated decision-making with such effects).
• Right to non-discrimination — we will not discriminate against you for exercising these rights.
• Right to appeal — if we deny a privacy request, you may appeal by replying to our denial email; we will respond within 60 days.

To exercise these rights, email support@bookittechnologies.com with the subject line "Privacy Request." We may need to verify your identity before responding. We do not charge a fee unless the request is manifestly unfounded or excessive.

12. Children's Privacy

BookIt is intended for users 18 years of age and older. We do not knowingly collect personal information from individuals under 18 to create business accounts.

Booking pages hosted by BookIt are intended for individuals 13 and older. Businesses are responsible for ensuring they do not solicit bookings from children under 13 in a manner that would require parental consent under the Children's Online Privacy Protection Act (COPPA).

13. International Data Transfers

Your information is stored and processed in the United States. If you are located outside the United States, please be aware that your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will provide additional notice (e.g., a banner on the dashboard or an email).

15. Google API Services User Data Policy

BookIt Technologies integrates with Google Workspace APIs (specifically Google Calendar) to allow businesses to synchronize their appointments. BookIt's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

Specifically, BookIt only accesses and uses Google Calendar data to provide the scheduling features visible to the business owner who connected the account. We do not transfer Google user data to third parties, use it for advertising, allow humans to read it (except where required for security, legal compliance, or with the user's explicit consent), or sell it.

16. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at:

BookIt Technologies
Email: support@bookittechnologies.com
Website: bookittechnologies.com