Privacy Policy

1. Introduction

Welcome to Booky AI ("we," "our," or "us"), operated by Booky AI Ltd. We are committed to protecting your privacy and ensuring you have a positive experience on our website (bookyai.co.uk) and in using our cloud-based software-as-a-service (SaaS) platform (collectively, the "Services").

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have regarding your data. By using our Services, you consent to the practices described in this Policy.

2. Information We Collect

We collect several types of information to provide and improve our Services:

2.1 Account Information

When you register for a Booky AI account, we collect:

• Full name, email address, and phone number
• Business name, industry, address, and timezone
• Password (stored in hashed form — we never store plaintext passwords)

2.2 Information from Google Sign-In

If you choose to sign in using Google OAuth 2.0, we request access to the following scopes:

• openid — To verify your identity
• email — To retrieve your email address for account creation or linking
• profile — To retrieve your name and profile picture

We use this information solely to create or authenticate your Booky AI account. We do not post to, modify, or access any other Google service on your behalf through this sign-in process.

2.3 Billing and Payment Information

When you subscribe to a paid plan, payment processing is handled entirely by our third-party payment processor, Lemon Squeezy. We do not store your credit card number, CVV, or full payment details on our servers. We only receive and store:

• Subscription status, plan type, and billing period
• Lemon Squeezy customer ID and subscription ID (for reference)
• Transaction history (dates, amounts, invoice references)

2.4 Business and Operational Data

As you use our platform, we store data you create and manage, including:

• Booking and appointment records
• Customer/lead contact details (names, phone numbers, emails)
• Staff member profiles and schedules
• Invoice and quotation records
• SMS and voice call logs (timestamps, durations, statuses)
• AI agent configurations, prompts, and conversation histories

2.5 Automatically Collected Information

When you access our Services, we automatically collect:

• Device Information: Browser type, operating system, screen resolution, and device identifiers
• Log Data: IP address, pages visited, timestamps, referring URLs, and actions taken within the platform
• Cookies and Similar Technologies: See Section 9 (Cookies Policy) below

3. Google Calendar Integration

Booky AI offers an optional Google Calendar integration that enables two-way synchronisation between your Booky AI bookings and your Google Calendar. This integration is entirely opt-in — you must explicitly connect it from your staff settings.

3.1 Scopes Requested

When you connect Google Calendar, we request the following OAuth 2.0 scope:

• https://www.googleapis.com/auth/calendar.events — Allows Booky AI to create, read, update, and delete events on your Google Calendar

We do not request access to your entire Google account, Google Drive, Gmail, or any other Google service beyond Calendar Events.

3.2 How We Use Google Calendar Data

When this integration is active, Booky AI uses your Google Calendar data for the following purposes only:

• Push bookings to Google Calendar: When a booking is created, updated, or cancelled in Booky AI, we create, update, or delete the corresponding event on your linked Google Calendar
• Pull availability blocks: We periodically read your Google Calendar events to identify busy/unavailable time slots, preventing double-bookings in Booky AI's scheduling system
• Sync state management: We store a sync token (provided by Google) to efficiently poll only for changes since the last sync, minimising API calls

3.3 Data Storage for Google Calendar

We store the following data related to your Google Calendar integration:

• OAuth access token and refresh token (encrypted, used solely to authenticate API requests)
• Google Calendar event IDs (to map Booky AI bookings to their corresponding Google Calendar events)
• Busy/blocked time slots pulled from your calendar (start time, end time, event title — used only for availability checking)
• Sync token for incremental polling

We do not store the full content of your personal Google Calendar events. We only store event IDs and busy/free status for scheduling purposes.

3.4 Revoking Google Calendar Access

You can disconnect Google Calendar at any time from your staff settings page. When you disconnect:

• We immediately deactivate the sync and clear your stored OAuth tokens
• Previously synced calendar blocks are removed
• Existing bookings already pushed to your Google Calendar remain there (they are standard calendar events)

You can also revoke access via your Google Account Permissions page at any time.

3.5 Compliance with Google API Services User Data Policy

Booky AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data for the purposes described in this Privacy Policy
• We do not sell Google user data to third parties
• We do not use Google user data for advertising purposes
• We do not allow humans to read Google user data unless with explicit user consent, for security purposes, to comply with law, or for internal operations where the data has been aggregated and anonymised

4. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To operate the Booky AI platform, process bookings, manage leads, send SMS notifications, and conduct AI-powered voice calls on your behalf
• Account Management: To create and manage your account, process subscription payments, and provide customer support
• Communication: To send transactional emails (booking confirmations, password resets, billing receipts), and — with your consent — promotional updates about new features
• Analytics and Improvement: To analyse usage patterns, improve our platform, fix bugs, and develop new features
• Security: To detect and prevent fraud, abuse, and security threats
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

5. Third-Party Services and Data Sharing

We work with trusted third-party service providers to operate our platform. We share only the minimum data necessary for each service:

5.1 Service Providers

• Twilio: SMS delivery and phone number provisioning. We share recipient phone numbers and message content to send SMS on your behalf
• Retell AI: AI-powered voice calling. We share lead phone numbers and call context to conduct automated voice calls
• Lemon Squeezy: Payment processing and subscription management. We share your email and business ID for billing purposes
• Google: Authentication (OAuth Sign-In) and Calendar synchronisation as described in Section 3
• OpenAI / Google Gemini: AI language models for generating responses, analysing leads, and powering the AI agent. We share conversation context; no personally identifiable information is sent unless it is part of the business conversation

5.2 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

5.3 Legal Disclosure

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Security

We implement industry-standard security measures to protect your data:

• All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
• Passwords are hashed using strong one-way algorithms and are never stored in plaintext
• OAuth tokens are stored securely and used only for their intended integration purpose
• We restrict access to personal data to employees and contractors who need it to operate or improve our Services
• We conduct regular reviews of our data collection, storage, and processing practices

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide you with our Services. Specifically:

• Account data: Retained until you delete your account
• Booking and business data: Retained for the duration of your subscription and for up to 90 days after account closure for backup and recovery purposes
• OAuth tokens: Cleared immediately upon disconnection of the integration or account deletion
• Server logs: Retained for up to 90 days for debugging and security analysis
• Webhook and billing records: Retained for up to 7 years for legal and tax compliance

You may request deletion of your data at any time by contacting us (see Section 11).

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Portability: Request your data in a structured, machine-readable format
• Restriction: Request that we limit processing of your data under certain circumstances
• Objection: Object to processing of your data for direct marketing purposes
• Withdraw Consent: Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at info@bookyai.co.uk. We will respond within 30 days.

9. Cookies Policy

We use cookies and similar technologies for the following purposes:

• Essential Cookies: Required for the platform to function (session management, CSRF protection, authentication state). These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with our platform to improve the experience. These are anonymised and aggregated.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via email or an in-app notification for significant changes

Your continued use of our Services after changes to this Policy constitutes acceptance of the updated terms.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: info@bookyai.co.uk
• Website: bookyai.co.uk/contact