Privacy Policy
We take privacy seriously across every jurisdiction we operate in. This policy covers the UK, US, Australia, UAE, Israel, EU, India, Canada, and Ireland.
Last updated: March 19, 2026
AI Booking Agent is a scheduling service operated as a data processor on behalf of service providers. We facilitate appointment booking through voice and web interfaces. We do not independently determine the purposes or means of processing personal data — your service provider does.
To provide scheduling services, we collect the following personal data:
Important
We do NOT collect medical records, diagnoses, insurance information, or any health-related data. We are a scheduling tool, not a healthcare records system.
When you interact with our voice booking system, the following data is processed:
Voice Disclaimer
At the start of every call, you will hear a disclaimer stating that this is a scheduling service only and no medical information will be recorded. Please do not share sensitive health information during your call.
Phone numbers are encrypted at rest using AES-256-GCM encryption with per-business keys. Even in the event of a data breach, your phone number cannot be read without the corresponding encryption key.
We implement industry-standard security measures including encrypted database connections, rate limiting, audit logging of all data access, and regular security reviews. Access to production systems is restricted to authorized personnel only.
We apply specific retention periods to different categories of data:
Your service provider controls the retention period for customer data. When a business terminates its account, all associated encryption keys are destroyed, rendering customer data permanently unrecoverable. You may also request deletion of your data at any time through your service provider.
Regardless of where you are located, you have fundamental rights over your personal data. The following rights apply across all jurisdictions we operate in:
You have the right to request a copy of all personal data we hold about you. This right is guaranteed under GDPR Article 15 (EU/EEA/Ireland), UK GDPR, the Australian Privacy Act 1988, PIPEDA (Canada), the Information Technology Act (India), PDPL (UAE), and the Privacy Protection Act (Israel).
You have the right to request deletion of your personal data. Under GDPR Article 17 (the "right to be forgotten"), and equivalent provisions in the Privacy Act (Australia), PIPEDA (Canada), CCPA (US/California), PDPL (UAE), and applicable Indian data protection regulations, we will erase your data upon verified request through your service provider.
You have the right to request correction of inaccurate personal data. This right is recognized under GDPR Article 16, UK GDPR, Australian Privacy Principle 13, PIPEDA Principle 9, PDPL (UAE), and the Privacy Protection Act (Israel).
Where applicable (GDPR Article 20, UK GDPR), you have the right to receive your data in a structured, commonly used, machine-readable format.
We act as a data processor. Your service provider (clinic, salon, gym, or other business) is the data controller and determines how your data is used. Under GDPR Article 28, our processing activities are governed by a Data Processing Agreement (DPA) with each service provider. We only process personal data on documented instructions from the data controller.
We use the following third-party services to provide our platform. Each processes data on our behalf under appropriate contractual safeguards:
Supabase: Database hosting and storage. Data shared: Encrypted customer data, appointments, business records. Cloud infrastructure (with DPA).
Twilio: Voice calls and SMS delivery. Data shared: Phone numbers, call routing, SMS messages. US-based (SOC 2, GDPR compliant).
Clerk: Staff authentication and identity. Data shared: Staff email addresses, login credentials. US-based (SOC 2, GDPR compliant).
Razorpay: Subscription billing and payments. Data shared: Business subscription details, payment status. India-based (PCI DSS compliant).
For transfers from the EU/EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. For transfers from other jurisdictions, we implement equivalent contractual and organizational safeguards as required by applicable law, including PIPEDA (Canada), the Privacy Act (Australia), and PDPL (UAE).
We do not knowingly collect data from children under 16 (or under 13 in jurisdictions where that is the applicable age threshold, such as the US under COPPA). If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly.
To exercise your data rights (access, erasure, rectification, or portability), please contact your service provider in the first instance, as they are the data controller. You may also contact us directly at privacy@aibookingagent.com.
If you are unsatisfied with how your request has been handled, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (e.g., the ICO in the UK, the DPC in Ireland, the OAIC in Australia, the OPC in Canada).
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.
This policy is designed to comply with data protection regulations across the following jurisdictions:
European Union: GDPR
United Kingdom: UK GDPR / DPA 2018
Ireland: GDPR / DPC
United States: CCPA / State Laws
Canada: PIPEDA
Australia: Privacy Act 1988
India: IT Act / DPDPA
UAE: PDPL
Israel: Privacy Protection Act