← Back to home

Privacy Policy

Last updated: April 26, 2026

ServiceBooked ("we", "us") provides an AI receptionist platform for service-based businesses. This policy explains what personal information we collect from two groups — business owners who sign up for our Service, and their customers whose calls, messages, and bookings flow through it — and how we use, share, retain, and protect that information. This policy is written to align with PIPEDA (Canada), GDPR (EU/EEA/UK), and CCPA/CPRA (California).

1. Information We Collect

From business owners (account holders):

  • Account information (name, email, business name, business type, phone number, address)
  • Authentication data (password hash, or Google account identifier if using Google sign-in)
  • Payment information (card details are collected and stored by Stripe — we never see or store the card number)
  • Google Calendar OAuth tokens, if you connect a calendar — stored encrypted and used only to read/write events on the calendars you authorize
  • Configuration content you create (AI instructions, workflow templates, pipeline stages, contact tags, business hours)
  • Usage data (pages visited, features used, IP address, browser type, device, approximate location from IP)

From your customers (end users of the Service):

  • Contact information they share with you (name, phone, email, address)
  • SMS conversation transcripts between them and your business
  • Chat widget transcripts from your website
  • Voice call audio recordings and AI-generated transcripts (when calls go through the AI receptionist)
  • Booking details (appointment date/time, service, notes)
  • Any other content they submit through forms, the chat widget, or in conversation with the AI

We collect customer information on your behalf as a data processor. You, the business owner, are the data controller for that information and are responsible for having a lawful basis to collect it (typically the customer's consent or your contract with them).

2. How We Use Information

  • Operate the Service — route calls, send and receive SMS, run the AI chat widget, sync calendars, dispatch reminders
  • Run the AI receptionist — voice and chat conversations are sent to large-language-model providers to generate replies, qualify leads, and book appointments
  • Process payments and manage subscriptions (via Stripe)
  • Send service-related communications (account, billing, security, product changes)
  • Improve reliability and detect abuse (rate limits, spam detection, error monitoring)
  • Comply with legal obligations and enforce our Terms

We do not use customer voice recordings, SMS bodies, or chat transcripts to train third-party AI models. Our LLM providers (see Subprocessors) are configured so prompt and completion data is not used for their model training.

3. Automated Decision-Making and AI

The Service uses AI to converse with your customers, qualify leads, schedule appointments, and summarize conversations. Outcomes (bookings, follow-up suggestions) are produced automatically. These decisions are not legally or similarly significant — a human business owner reviews bookings and can override or cancel any action the AI takes. If a customer wants a human-only conversation, they can request to speak with you directly and you (the business owner) will see that request.

AI-generated content can be inaccurate. We display AI summaries and transcripts as a convenience; they are not a substitute for the underlying recording or message log.

4. Subprocessors

We share data with the following service providers strictly to operate the Service:

  • Supabase — database and authentication hosting
  • Stripe — payment processing and subscription billing
  • Twilio — SMS delivery and inbound message routing
  • Vapi — voice AI infrastructure (call audio, recordings, real-time transcription)
  • Resend — transactional email delivery
  • Google — Google Calendar API (only calendars you connect) and Google sign-in
  • Google Gemini — large-language-model inference for the AI receptionist (voice, chat, and summarization)
  • Inngest — background job and workflow orchestration (reminders, follow-ups, scheduled tasks)
  • Vercel — application hosting and edge delivery

We do not sell personal information. We do not share personal information with advertisers or data brokers.

5. International Transfers

Most of our subprocessors operate from the United States. If you or your customers are located in Canada, the EU/EEA, or the UK, your information may be transferred to and processed in the United States. Where required, transfers are protected by Standard Contractual Clauses or equivalent safeguards established between us and each subprocessor.

6. SMS and Calls

Customers receive SMS from your business through the Service. Standard message and data rates may apply. Customers can stop SMS at any time by replying STOP; HELP returns contact information. Inbound and outbound SMS are logged so you can review the conversation history with each customer.

Voice calls handled by the AI receptionist may be recorded and transcribed. As the business owner, you are responsible for any call-recording disclosure required by your jurisdiction (for example, two-party consent rules in some U.S. states and Canadian provinces). The Service can play a recording-disclosure greeting; you are responsible for keeping it enabled where required.

SMS messaging consent and phone numbers collected from your customers are not shared with third parties for marketing purposes.

7. Data Retention

  • Account data — kept for the life of your account; deleted within 30 days of account closure
  • SMS and chat transcripts — kept for the life of your account; deleted within 30 days of account closure
  • Voice call recordings — kept for 90 days, then automatically deleted; transcripts kept with the conversation history
  • Application logs — kept for 30 days for debugging and abuse prevention
  • Billing records — kept for 7 years after the last invoice to meet tax and accounting obligations
  • Backups — encrypted database backups kept for 30 days, then overwritten

You can request deletion of your account and associated data at any time from your account settings or by emailing us. Customer-level deletion requests should be sent to the business that collected the data; we will assist that business in honoring the request.

8. Cookies

We use only essential cookies for authentication, session management, and CSRF protection. We do not use advertising or cross-site tracking cookies. Because we use only essential cookies, no cookie consent banner is shown.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct or update inaccurate information
  • Delete your information (subject to legal retention obligations)
  • Export a copy of your information in a portable format
  • Withdraw consent or object to certain processing
  • Lodge a complaint with your local data protection authority — for Canadian residents, the Office of the Privacy Commissioner of Canada; for EU/EEA/UK residents, your national supervisory authority

To exercise these rights, contact us at the address below. We respond within 30 days.

10. Security

We protect data in transit with TLS and at rest with disk-level encryption. Access to production databases is restricted to a small number of administrators and audited. OAuth tokens are encrypted at the application layer. We perform routine dependency scanning and apply security patches promptly.

No method of transmission or storage is perfectly secure. If we become aware of a breach affecting your personal information, we will notify affected users and the relevant authorities without undue delay, and within 72 hours where required by law.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or in-app notice before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For privacy questions, data requests, or breach reports, contact us at privacy@servicebooked.ca.