Privacy Policy

Effective Date: May 13, 2026

1. Introduction

This Privacy Policy explains how BookerAI (the "Company," "we," "us," or "our") collects, uses, shares, and protects personal information when you use booker-ai.net and our related mobile and web applications (the "Service"). It applies to barbers and other service professionals ("Pros"), clients booking with them ("Clients"), course creators, course students, and visitors.

2. Information We Collect

2.1 Information you give us

  • Account information: name, email, phone number (normalized to E.164), password (stored as a salted hash), profile photo, business address.
  • Booking data: appointments, services, durations, prices, notes, cancellations, no-shows, and review text.
  • Payment receipts: amounts, last-4 digits, and Stripe / Apple receipt identifiers. We do not store full card numbers.
  • Communications: SMS sent/received via the Service, transactional emails, push notifications, and chats with Greg AI.
  • Media: profile photos, gallery uploads, course videos and thumbnails, community-post attachments.

2.2 Information we collect automatically

  • Device & usage: User-Agent, IP address, browser type, operating system, referring URL, time stamps, error/crash logs.
  • Location: approximate location from IP, or precise location only when you grant browser/device permission (used for the "find a pro near me" feature and geocoding your business address).
  • Cookies & similar: session cookies, an optional remember-me cookie, and CSRF tokens. See Section 6.

2.3 Information from third parties

  • Stripe shares payment status, payout details, and limited card metadata.
  • Google Maps returns geocoded coordinates for the address you submit.
  • Apple returns receipt validation for in-app subscriptions.

3. How We Use Information

  • Operate the Service: create accounts, schedule appointments, send confirmations and reminders, run payouts.
  • Communicate with you about your account, bookings, and service updates.
  • Detect and prevent fraud, abuse, and security incidents.
  • Personalize search results (e.g., distance-based "find a pro").
  • Provide AI assistance through Greg AI; see AI Disclosure.
  • Improve the Service through aggregated analytics and bug diagnostics.
  • Comply with legal obligations (tax, accounting, law-enforcement requests).

We do not use your data to train third-party AI models without your consent, and we do not sell your personal information.

If you are in the European Economic Area or the United Kingdom, we rely on the following bases:

  • Contractual necessity — to provide the Service you signed up for (account, bookings, payments).
  • Legitimate interests — fraud prevention, securing the Service, improving the product, defending legal claims.
  • Consent — for optional location access, marketing emails, and any sensitive data you choose to share. You may withdraw consent at any time.
  • Legal obligation — tax, accounting, anti-money-laundering, and responses to lawful requests.

5. Sharing & Subprocessors

We share data with third-party service providers ("subprocessors") strictly to operate the Service. Each is contractually obligated to protect your data and use it only for the purposes we specify.

  • Supabase — managed Postgres database, file storage, and authentication.
  • Stripe — payment processing, subscriptions, and Connect payouts.
  • Twilio — SMS delivery (appointment confirmations, reminders, reschedules).
  • Firebase Cloud Messaging (Google) — mobile push notifications.
  • Google Gemini — large-language-model inference for Greg AI.
  • Google Cloud Speech-to-Text / Text-to-Speech — Greg AI voice features.
  • Google Maps Platform — geocoding business addresses and distance search.
  • Sentry (optional) — application error monitoring.
  • Amazon Web Services (AWS ECS) — application hosting and compute.
  • SMTP provider — transactional email delivery.
  • Apple — when you subscribe via iOS in-app purchase.

We may also share information when required by law (subpoenas, court orders), to enforce our Terms, or in connection with a merger, acquisition, or sale of assets (subject to this Policy).

Most of these subprocessors are located in the United States. If you are in the EEA/UK, international data transfers are made under the European Commission's Standard Contractual Clauses (SCCs) and supplementary safeguards where required.

6. Cookies & Tracking

  • Strictly necessary: session cookie (authentication, CSRF protection).
  • Functional: a "remember me" cookie for users who choose persistent sign-in.
  • Analytics: we currently do not use third-party advertising trackers.

You can clear cookies in your browser settings; doing so may sign you out of the Service.

7. Retention

We retain personal information only as long as needed for the purposes described above and to comply with legal obligations.

CategoryRetention
Account profileWhile account is active; deleted within 30 days after account-deletion request.
Appointment records7 years (tax / dispute / accounting), then aggregated.
Payment receipts7 years (tax obligations).
SMS / email logs13 months.
Greg AI conversations12 months, then deleted or anonymized.
Server / access logs90 days.
Audit / security logsUp to 1 year after account deletion.
BackupsRolling 30 days; deleted records expire from backups in due course.

8. Your Rights (GDPR + CCPA / CPRA)

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase ("right to be forgotten") your data, subject to legal-retention exceptions.
  • Port your data to another service in a portable format.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with your local data-protection authority.

California residents (CCPA/CPRA) additionally have the right to know what we collect, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of "sale" or "sharing" for cross-context behavioural advertising. We do not sell your personal information and we do not share it for cross-context behavioural advertising.

To exercise any of these rights, email privacy@booker-ai.net from your account email, or use Settings → Account → Export / Delete in the app. We will respond within 30 days (CCPA: 45 days, extendable by 45). You may designate an authorized agent to make requests on your behalf; we will verify your identity before acting.

9. Children (COPPA)

The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly. Parents/guardians who believe their child has provided us information may contact privacy@booker-ai.net.

10. California Minors

Under California Business and Professions Code § 22581, California residents under 18 who are registered users may request removal of content they posted on the Service. To request removal, email privacy@booker-ai.net from your account email; note that complete removal may not always be possible (e.g., content republished by third parties).

11. Security

We use a layered set of safeguards: TLS encryption in transit, encryption at rest for managed-database storage (Supabase), salted password hashing, scoped service-role API keys, CSRF protection, rate limiting on authentication and write endpoints, and access controls on infrastructure. No system is 100% secure; we cannot guarantee absolute security. To report a vulnerability, see our security.txt or email security@booker-ai.net.

12. International Transfers

Personal data is processed in the United States. If you are in the EEA, UK, or Switzerland, transfers to the U.S. are made under the European Commission's Standard Contractual Clauses (or, where applicable, the EU-U.S. Data Privacy Framework) together with appropriate supplementary measures.

13. Changes to This Policy

We may update this Policy. For material changes, we will provide at least 30 days' notice by posting the updated Policy here and, where practical, notifying you in-app or by email. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

14. Contact

Privacy questions or data-rights requests: privacy@booker-ai.net.

Mailing address: BookerAI, [Street Address], [City, State ZIP], United States.

If you are in the EEA/UK, you may also contact our EU representative (to be designated).

15. AI Disclosure

Greg AI is an AI assistant powered by Google Gemini (text) and Google Cloud Speech-to-Text / Text-to-Speech (voice). When you interact with Greg AI:

  • You are interacting with an AI, not a human (Cal. Bus. & Prof. Code § 17940 et seq., "SB 1001").
  • Your prompts and a transcript of the conversation are sent to the underlying model provider for inference.
  • We may retain conversation history for up to 12 months for safety, debugging, and product improvement; you may request deletion sooner.
  • Outputs may be inaccurate. Always verify before acting on AI-generated information.

You may use the rest of the Service without using Greg AI.

Effective Date: