Privacy Policy

1. Introduction

This Privacy Policy explains how BusyBook Ltd. Co. ("BusyBook," "we," "us," or "our") collects, uses, and discloses personal information when you visit our websites, use our platform, or otherwise interact with us. BusyBook provides a white-label practice management platform for health, wellness, and service professionals — including scheduling, client management, session documentation, billing, communications, and AI-assisted features (collectively, the "Services").

2. Scope and Applicability

This Privacy Policy applies to:

• Our marketing website at busybook.co
• Our web application at app.busybook.co
• Mobile applications (when available)
• Support and communication channels (email, in-app chat, phone)
• Any other services or tools we make available to you

This Privacy Policy covers website visitors, account holders (practice owners and their staff), and clients whose information is entered into the platform by customers.

3. Roles: Controller vs. Service Provider / Business Associate

BusyBook's role — and your rights — depend on how we interact with your information:

When BusyBook acts as a controller:

We determine the purposes and means of processing your personal information. This applies to:

• Website visitors browsing busybook.co
• Prospective customers who submit lead forms or join our waitlist
• Account holders' registration, billing, and account management data
• Usage analytics and support interactions

When BusyBook acts as a service provider or Business Associate:

We process personal information on behalf of our customers (practice owners) to provide the Services. This applies to:

• Client data that customers enter into the platform (contact details, appointment records, session notes, payment history, messages)
• Staff data that customers enter for their team members
• Any PHI processed under a Business Associate Agreement

When acting as a service provider or Business Associate, we process data only as instructed by the customer and in accordance with our agreements. If you are a client of a practice that uses BusyBook, your provider is the controller of your data — please contact them directly to exercise your privacy rights.

4. Information We Collect

4.1 Information You Provide Directly

When you create an account, contact us, or use our Services, you may provide:

• Contact details: Name, email address, phone number
• Account and profile information: Username, password, profile photo, time zone, notification preferences
• Business and practice details: Practice name, business address, business phone, state license number, license type, services offered, business hours, pricing
• Payment and billing information: Payment method details (processed and tokenized by Stripe — we do not store raw card numbers), billing address, tax identification number
• Support tickets and inquiries: Messages you send to our support team, feedback, and feature requests
• Form responses: Waitlist signups, intake forms, survey responses
• Chat and communication content: Messages sent through in-app messaging or other communication features
• AI interaction data: Prompts, instructions, and preferences you provide when using AI-assisted features (e.g., session note generation, marketing copy, booking optimization)

4.2 Information We Receive from Customers and Third Parties

• Customer-entered data: Practice owners and their staff enter client and staff information into BusyBook on behalf of their business (see Section 8 for details)
• Integration data: If you connect third-party services to your BusyBook account, we receive data from those services as needed to provide the integration
• Referral data: If someone refers you to BusyBook, we may receive your name and contact information from the referring party

4.3 Information We Collect Automatically

When you use our Services, we automatically collect:

• Device information: IP address, browser type and version, operating system, device type, screen resolution
• Usage data: Pages visited, features used, click patterns, session duration, navigation paths
• Log data: Server access logs, error logs, API request metadata, timestamps
• Crash and performance data: Error reports, performance metrics, diagnostic data

4.4 Cookies and Similar Technologies

We use cookies, pixels, local storage, and similar technologies to operate our Services, remember your preferences, and understand how you interact with our platform. For detailed information, see our Cookie Policy.

5. How We Use Your Information (Non-PHI)

When acting as a controller, we use your personal information for the following purposes:

• Provide and maintain the Services: Operate the platform, process transactions, deliver features you request, and ensure the Services function correctly
• Account management: Create and manage your account, authenticate your identity, and maintain your preferences
• Communicate with you: Send transactional messages (confirmations, receipts, alerts), respond to your support requests, and provide product updates
• Personalize your experience: Tailor the platform to your preferences, display relevant content, and remember your settings
• Analyze and improve: Understand how our Services are used, identify trends, diagnose technical issues, and improve functionality (using anonymized, non-PHI data only)
• Marketing: Send promotional communications about BusyBook's products and features (to account holders only, never to clients; you can opt out at any time)
• Enforce our terms: Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy
• Security: Protect the safety, integrity, and availability of our Services, infrastructure, and users
• Legal compliance: Comply with applicable laws, regulations, legal processes, and government requests
• Corporate transactions: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets (see Section 7)

6. How We Use Information When Acting for Customers

When customers store client or staff data in BusyBook, we process that information solely to provide the Services as instructed by the customer and in accordance with our contractual agreements. We do not use customer-entered data for our own marketing, advertising, analytics, or product development purposes.

We do not use PHI for marketing, behavioral advertising, analytics, product improvement, or AI model training.

7. How We Disclose Information

We may share personal information with the following categories of recipients:

• Service providers and subprocessors: Third-party vendors who help us operate the Services — including hosting providers, payment processors, email delivery services, analytics tools, and customer support platforms. These providers are contractually obligated to use your information only as needed to perform services on our behalf
• Integrations you connect: If you connect third-party services to your BusyBook account, we share data with those services as necessary to enable the integration
• Affiliates: Companies under common ownership or control with BusyBook Ltd. Co., subject to this Privacy Policy. No mobile information will be shared with affiliates or third parties for marketing or promotional purposes
• Professional advisors: Attorneys, accountants, auditors, and consultants who need access to information to provide professional services to us
• Mergers, acquisitions, and corporate transactions: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets. We will notify you before your information becomes subject to a different privacy policy
• Law enforcement and regulators: When required by law, regulation, legal process, or enforceable governmental request. We will notify you when legally permitted to do so
• With your direction or consent: When you direct us to share information or provide your consent for a specific disclosure

We do not sell your personal information. We do not share personal information with third parties for their own direct marketing purposes.

8. Processing of Client and Staff Information on Behalf of Customers

BusyBook customers (practice owners and their authorized staff) use the platform to manage information about their clients and team members. The types of information customers may enter include:

• Contact information: Client and staff names, phone numbers, email addresses, physical addresses
• Appointment records: Dates, times, services booked, appointment status, cancellation and no-show history
• Service and treatment details: Services rendered, session notes, treatment records, intake forms, health history
• Payment and billing records: Charges, payment history, outstanding balances, tips, refunds
• Messages and communications: Messages exchanged between the practice and clients, appointment confirmations and reminders
• Notes and files: Internal notes, documents, photos, and other files attached to client or staff records
• Relationship and engagement data: Visit frequency, referral sources, loyalty or retention tracking

BusyBook processes this information as a service provider (and, where applicable, as a Business Associate under HIPAA) on behalf of the customer. We do not independently decide how this information is used — the customer does.

If you are a client of a practice that uses BusyBook: Your provider controls your data. To access, correct, delete, or otherwise exercise your privacy rights regarding information held in BusyBook, please contact your provider directly. BusyBook will support the provider in fulfilling your requests.

9. PHI and HIPAA Carve-Out

Protected Health Information that BusyBook processes as a Business Associate is subject to HIPAA and our Business Associate Agreement.

BusyBook does not use PHI for marketing, behavioral advertising, analytics, product improvement, or AI model training. PHI is processed solely to provide services to the customer under the terms of our BAA.

For full details on PHI handling — including permitted uses, breach notification procedures, subprocessor obligations, de-identification standards, and data retention — see our Business Associate Agreement.

10. Legal Bases for Processing (International)

BusyBook currently operates in the United States and serves U.S.-based customers. If we expand our Services to users in the European Union, United Kingdom, or other jurisdictions that require a legal basis for processing personal information, we will rely on the following bases as applicable:

• Contract performance: Processing necessary to fulfill our agreement with you
• Legitimate interests: Processing necessary for our legitimate business interests, where those interests are not overridden by your rights
• Consent: Processing based on your freely given, informed consent
• Legal obligation: Processing necessary to comply with applicable law

We will update this section with jurisdiction-specific details if and when we begin serving users outside the United States.

11. Your Rights and Choices

Depending on your relationship with BusyBook and applicable law, you may have the following rights:

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate or incomplete information
• Deletion: Request that we delete your personal information (subject to legal retention requirements)
• Data portability: Request an export of your data in a structured, commonly used format (JSON or CSV)
• Marketing opt-out: Unsubscribe from marketing communications at any time using the unsubscribe link in our emails or through your account settings
• Cookie choices: Manage your cookie preferences through your browser settings or our cookie management tools (see our Cookie Policy)

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

For clients of practices using BusyBook: Your privacy rights regarding information held in BusyBook are exercised through your provider (the practice owner), who controls your data. BusyBook provides the technical tools for providers to fulfill access, correction, export, and deletion requests on your behalf. If you are a healthcare client with rights under HIPAA, please contact your provider directly.

12. State-Specific Privacy Notices

Residents of certain U.S. states may have additional privacy rights under state law, including rights to:

• Access, correct, and delete personal data
• Receive personal data in a portable format
• Opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects
• Appeal a denial of a privacy rights request

We honor these rights as required by applicable law. We also honor Global Privacy Control (GPC) and similar opt-out preference signals transmitted by your browser. To exercise state-specific rights, contact us at [email protected].

We do not sell personal information. We do not use personal information for targeted advertising based on data purchased from third parties.

13. Data Security

We implement appropriate technical and organizational safeguards to protect the personal information we process, including:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls: Role-based access, row-level security at the database layer, and multi-factor authentication
• Monitoring and logging: Security event logging, intrusion detection, and regular security reviews
• Incident response: Formal incident response procedures with defined roles and escalation paths

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

14. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

When you close your account, we offer you the opportunity to export your data. After a 30-day grace period, we permanently delete your personal information from production systems, with the exception of records we are legally required to retain (e.g., billing records, audit logs).

15. International Data Transfers

BusyBook stores and processes all data in the United States. We do not currently transfer personal information outside the United States. If this changes in the future, we will update this Privacy Policy and implement appropriate safeguards before any international transfer occurs.

16. Children's Privacy

BusyBook is not directed to individuals under 18 years of age, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18 without appropriate authorization, we will take steps to delete that information promptly.

Healthcare and wellness practices that treat minors may enter minor client data into BusyBook. The practice is responsible for obtaining parental or guardian consent and complying with applicable laws governing minors' data.

17. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated by BusyBook. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service before providing your information.

When you connect third-party integrations to your BusyBook account, your use of those integrations is governed by the third party's own terms and privacy policy.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email and/or an in-app notification at least 30 days before the changes take effect
• Updated versions will be posted at busybook.co

Your continued use of the Services after changes become effective constitutes acceptance of the updated policy. If you do not agree, you may close your account and request deletion of your data.

19. Contact Information

This Privacy Policy is provided for informational purposes and does not constitute legal advice. BusyBook recommends that you consult your own legal counsel regarding your privacy law obligations.