Privacy Policy

Introduction

Welcome to Appointa. This Privacy Policy explains how the entity that owns and operates Appointa (the "Company," "we," "us," or "our"), a Delaware Limited Liability Company, collects, uses, discloses, and protects personal information when you use our website, platform, and related services (collectively, the "Services").

Protecting your privacy is a top priority for us. We are committed to being transparent about the data we collect and how we use it. This policy is designed to help you understand your privacy rights and how to exercise them, in accordance with applicable data protection laws including the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws.

This Privacy Policy is incorporated into our Terms of Service. By using our Services, you agree to the collection and use of information in accordance with this policy.

1. Scope of This Policy & Our Role

This policy applies to all users of our Services, including:

Providers (or Subscribers): Businesses or individuals who subscribe to our Services to manage their appointments.
End Customers (or Clients): Individuals who book appointments with Providers through our platform.
Website Visitors: Individuals who browse our website.

Understanding Our Role in Data Processing

It is crucial to understand our role in processing your data, which depends on how you interact with our Services:

Appointa as Data Controller: When we collect personal information from Providers to create and manage their accounts, process subscription payments, and communicate with them directly, we act as the Data Controller. This means we determine the purposes and means of processing that data.

Appointa as Data Processor: When Providers use our Services to collect and manage information about their End Customers (e.g., names, contact details, appointment information), the Provider is the Data Controller, and Appointa acts as the Data Processor. We process this data on behalf of and in accordance with the instructions of the Provider.

Important for End Customers: If you are an End Customer, your data is primarily controlled by the Provider with whom you booked an appointment. Any questions or requests regarding your data should first be directed to that Provider. We will assist Providers in responding to such requests as required.

2. Information We Collect

We collect different types of information depending on your interaction with our Services.

2.1. Information You Provide to Us

From Providers:

Category	Examples	Purpose
Account Information	Name, email address, password, business name, business address, phone number	Account creation and management, customer support, communications
Billing Information	Payment card details, billing address (processed by Stripe)	Subscription payment processing
Business Profile	Service descriptions, pricing, availability schedules, portfolio images, logos	Creating public booking pages and providing the Services
Client/Customer Data	Names, email addresses, phone numbers, appointment details of your End Customers	Enabling appointment booking and management on your behalf

From End Customers:

Category	Examples	Purpose
Booking Information	Name, email address, phone number	Booking appointments, sending confirmations and reminders, OTP verification
Appointment Details	Selected service, date, time, any notes provided	Facilitating the appointment with the Provider

2.2. Information We Collect Automatically

When you use our Services, we automatically collect certain information:

Usage Data:

Features used and actions taken within the Services
Pages and screens viewed
Clicks and navigation patterns
Date, time, and duration of your activities

Device and Technical Information:

IP address, browser type and version
Operating system, device type
Screen resolution, language and timezone settings

2.3. Information from Third Parties

We may receive information from:

Third-party integrations: When you connect your Appointa account with third-party services
Payment processors: Transaction status and fraud prevention data from Stripe
Analytics providers: Aggregated usage insights

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1. To Provide and Operate the Services

Creating and managing your account
Processing appointments and bookings
Sending transactional communications (confirmations, reminders, OTP codes)
Providing customer support
Processing subscription payments

3.2. To Improve and Develop the Services

Analyzing usage patterns to improve functionality
Developing new features and services
Conducting research and analytics

3.3. For Security and Protection

Detecting and preventing fraud, abuse, and security incidents
Protecting the rights, property, and safety of our users
Enforcing our Terms of Service
Complying with legal obligations

3.4. Legal Basis for Processing (GDPR)

For users in the EEA, UK, and Switzerland, we process personal data based on:

Purpose	Legal Basis
Providing the Services	Performance of a contract
Processing payments	Performance of a contract
Security and fraud prevention	Legitimate interests
Analytics and improvement	Legitimate interests
Legal compliance	Legal obligation
Marketing communications	Consent

5. Our Third-Party Service Providers

We use the following third-party service providers:

Category	Provider	Purpose
Cloud Infrastructure	Supabase (AWS)	Database hosting, authentication, file storage
Payment Processing	Stripe	Subscription billing, payment processing
SMS Communications	Twilio	OTP verification, appointment notifications
Application Hosting	Vercel	Web application hosting
Email Delivery	Resend	Transactional email delivery
Analytics	PostHog	Usage analytics
Error Monitoring	Sentry	Error tracking and debugging
Maps	Google Maps	Location display on booking pages

6. International Data Transfers

Appointa is headquartered in the United States, and our primary data processing facilities are located in the US and Europe. When you use our Services, your personal information may be transferred to, stored, and processed in countries other than your own.

6.1. Transfers from the EEA, UK, and Switzerland

We ensure transfers are subject to appropriate safeguards:

Standard Contractual Clauses (SCCs): We rely on SCCs as a legal mechanism for transfers to countries without an adequacy decision.
Adequacy Decisions: Where applicable, we transfer data to countries deemed adequate by the European Commission.
Supplementary Measures: We implement additional technical and organizational measures where necessary.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected.

Data Category	Retention Period
Provider Account Data	Duration of account + 3 years
End Customer Data	As instructed by Provider, or until account termination + 30 days
Billing Records	7 years (tax/accounting requirements)
Security Logs	1 year

8. Data Security

We implement technical and organizational security measures to protect your personal information.

8.1. Technical Measures

Encryption in Transit: All data is encrypted using TLS 1.2 or higher
Encryption at Rest: Data stored in our databases is encrypted
Access Controls: Role-based access on a need-to-know basis
Data Isolation: Row Level Security (RLS) ensures Providers only access their own data

8.2. Organizational Measures

Comprehensive security policies and procedures
Regular employee training on data protection
Vendor security assessments
Incident response procedures

9. Your Data Protection Rights

Regardless of your location, you may:

Access your data: Request information about what personal data we hold
Correct your data: Update or correct inaccurate information
Delete your data: Request deletion of your personal information
Export your data: Receive a copy in a portable format

How to Exercise Your Rights

For Providers: Access and update most information directly through your account settings, or contact us at privacy@appointa.com.

For End Customers: Contact the Provider with whom you booked your appointment, as they are the Data Controller for your information.

Response Time: We respond within 30 days for GDPR and 45 days for CCPA requests.

11. Additional Information for California Residents (CCPA/CPRA)

We do not sell your personal information as defined by the CCPA.

We do not share your personal information for cross-context behavioral advertising.

Your CCPA Rights

Right to Know: Request disclosure of categories and specific pieces of personal information collected
Right to Delete: Request deletion of personal information
Right to Correct: Request correction of inaccurate information
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise your rights, email us at privacy@appointa.com.

12. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Services.

Type	Purpose
Strictly Necessary	Essential for authentication and security
Functional	Remember your preferences and settings
Analytics	Understand how users interact with our Services

You can control cookies through your browser settings. See our Cookie Policy for more details.

13. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe your child has provided us with personal information, please contact us at privacy@appointa.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will:

Post the updated policy with a new "Last Updated" date
Provide notice through email for material changes
Your continued use after changes constitutes acceptance

15. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Email: privacy@appointa.com
General Support: support@appointa.com
Legal Inquiries: legal@appointa.com

Document Version: 1.0