1. Overview
BookSpa AI ("BookSpa," "we," "us," or "our") operates an AI-powered phone receptionist and scheduling platform for medical spas and aesthetic practices. This Privacy Policy explains how we collect, use, share, and protect information when you use our website at bookspaai.com, our dashboard, and our AI receptionist services.
By using BookSpa, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our services.
We take privacy seriously. We collect only what we need, store it securely, and never sell your personal information to third parties.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve our AI receptionist and scheduling services
- Create and manage your spa dashboard account
- Process payments and manage your subscription
- Send transactional emails such as booking confirmations and call summaries
- Notify you of new features, updates, or changes to our service
- Provide customer support and respond to inquiries
- Analyze usage patterns to improve our AI and platform performance
- Comply with legal obligations and enforce our Terms of Service
We do not use your data for advertising purposes, and we do not sell your information to marketers or data brokers.
4. How We Share Information
We share your information only in these limited circumstances:
- Service providers: We work with trusted third parties including Supabase (database), Stripe (payments), Resend (email), Vapi (voice AI), and Anthropic (AI). These providers process data only on our behalf and are bound by confidentiality agreements.
- Your clients: Booking confirmations and appointment details are shared with the clients whose appointments Sage, our AI receptionist, books, using contact information they provided during the call.
- Legal requirements: We may disclose information when required by law, court order, or government request.
- Business transfer: In the event of a merger, acquisition, or sale, your information may be transferred as part of that transaction, with advance notice.
- With your consent: We will share information in other circumstances only with your explicit permission.
We never sell your personal information. Ever.
5. Call Recording & Transcripts
BookSpa's AI receptionist Sage handles inbound calls on your behalf. Please be aware of the following:
- Calls may be recorded and transcribed to provide you with summaries and booking details
- As a spa owner, you are responsible for notifying your callers that calls may be recorded, as required by applicable law in your jurisdiction
- Transcripts are stored in your Supabase database and visible only to your account
- You may configure automatic transcript deletion in your dashboard settings
- We do not store sensitive medical information — Sage is trained not to collect health data beyond what is necessary for booking aesthetic services
- Call recordings are retained for 90 days by default and can be deleted upon request
Important: You are responsible for compliance with call recording laws in your state or country, including notifying callers that the call may be recorded.
6. Cookies & Tracking
We use minimal cookies necessary to operate our service:
- Session cookies: Keep you logged into your dashboard
- Preference cookies: Remember your settings and preferences
- Analytics: If Google Analytics is enabled, it collects anonymized usage data. You may opt out via your browser settings.
We do not use advertising cookies, tracking pixels, or cross-site tracking technologies. You may disable cookies in your browser settings, though some features may not function properly without them.
7. Data Retention
We retain your information for as long as your account is active or as needed to provide services:
- Account data is retained until you delete your account
- Call transcripts are retained for 90 days by default (configurable in settings)
- Booking records are retained for 2 years for business continuity
- Payment records are retained as required by law (typically 7 years)
- Waitlist and signup data is retained until you request deletion
To request deletion of your data, email us at info@bookspaai.com.
8. Security
We implement industry-standard security measures to protect your information:
- All data is encrypted in transit using TLS/SSL
- Passwords are hashed using bcrypt and never stored in plain text
- API keys and sensitive credentials are stored as environment variables, never in code
- Our database uses row-level security so each spa can only access its own data
- We conduct regular security reviews of our infrastructure
While we take security seriously, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to info@bookspaai.com.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request your data in a machine-readable format
- Objection: Object to certain types of processing
- Withdrawal: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at info@bookspaai.com. We will respond within 30 days.
10. Children's Privacy
BookSpa is designed for business use by adults operating medical spa practices. Our services are not directed at children under 13, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at info@bookspaai.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all active account holders
- Display a notice in your dashboard for 30 days
Your continued use of BookSpa after changes take effect constitutes acceptance of the updated policy.