Privacy Policy
1. Introduction
BusyBook Ltd. Co. ("BusyBook," "we," "us," or "our") operates the BusyBook practice management platform for health, wellness, and service professionals. This Privacy Policy describes how we collect, use, disclose, and safeguard information — including Protected Health Information ("PHI") — when you use our platform, website (busybook.co), mobile applications, and related services (collectively, the "Services").
BusyBook operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C). We also comply with applicable state laws, including the Texas Medical Records Privacy Act (Health & Safety Code Chapter 181), the Texas Data Privacy and Security Act (Business & Commerce Code Chapter 541), and the Texas Data Breach Notification Act (Business & Commerce Code Section 521.053).
Legal Entity: BusyBook Ltd. Co.
1209 Mountain Road PL NE, Ste R, Albuquerque, NM 87110, USA
Privacy Contact: privacy@busybook.co
2. Information We Collect
2.1 Practice Account Information
When you create a BusyBook account, we collect:
- Identity information: Full name, email address, phone number
- Business information: Practice name, business address, business phone
- Professional credentials: State license number, license type, licensing authority
- Financial information: Tax identification number, payment method details (tokenized — we do not store raw card numbers)
- Brand preferences: Logo, brand colors, fonts, tone of voice settings
- Operational data: Business hours, service menu (services, durations, pricing), scheduling preferences
2.2 Client Health Information (PHI) — Managed by You
As a Business Associate, we process PHI that you (acting as the Covered Entity) enter into the platform on behalf of your clients. This includes:
- Client demographics: Names, contact information, date of birth, emergency contacts
- Medical history and intake: Health history questionnaires, intake forms, contraindications, allergies, medications, prior injuries
- Appointment records: Dates, times, services rendered, appointment status, cancellation history
- Session and treatment records: SOAP notes, session duration, treatment protocols, provider observations, progress notes
- Billing and payment records: Session charges, payment history, outstanding balances, insurance information, expense records
- Communications: Messages exchanged between you and your clients via the platform
- Relationship data: Visit frequency, retention status, referral source
If you are a healthcare provider that qualifies as a Covered Entity under HIPAA, you are responsible for obtaining all necessary consents, and BusyBook acts as your Business Associate. Where HIPAA does not apply, BusyBook still applies the privacy and security practices described in this policy to your data.
2.3 AI-Processed Data
When you use BusyBook's AI features (therapy protocol generation, SOAP note assistance, session summaries), session context is transmitted to our AI inference providers under strict contractual PHI protections:
- Prompts: Session context, client presentation details, treatment parameters (as entered by you)
- Responses: AI-generated therapy protocols, SOAP note suggestions, session summaries
AI processing operates under a privacy-preserving architecture: providers are contractually prohibited from retaining, training on, or using any session data for purposes beyond delivering the inference response. Client-identifying information is removed or generalized before transmission. AI-generated content that you save becomes part of the session record and is retained as PHI.
2.4 Information Collected Automatically
- Usage analytics: Pages visited, features used, click patterns, session duration (no PHI included)
- Device information: IP address, browser type and version, operating system, device type
- Log data: Server access logs, error logs, API request metadata
- Cookies and similar technologies: See our Cookie Policy
2.5 Website Visitor Information
- Lead and waitlist data: Name, email, practice information (if voluntarily submitted)
- Website analytics: Page views, referral sources, engagement metrics (anonymized)
- Marketing interaction data: Email opens, link clicks, campaign responses
2.6 Apple ID Management Feature
When you elect to use the AI Receptionist feature with iMessage integration ("Apple ID Management"), BusyBook acts as your authorized agent to configure an Apple ID for iMessage communication on your behalf. This feature requires your explicit written consent via the Apple ID Management Agreement before activation.
Data collected and processed under this feature includes:
- Authorization credentials: Apple ID configuration data necessary to establish the iMessage connection, stored encrypted at rest and never shared with third parties
- Consent records: Signed agreement version, timestamp, IP address (where available), and digital signature stored in our legal signatures database for audit purposes
- Consent audit log: Immutable record of consent lifecycle events — grant (on signing) and withdrawal (on disconnect) — including event timestamp, user agent, and action metadata
- Revocation records: When you disconnect, the signature record is marked revoked and the audit log is updated with event_type = 'withdrawn'
You may revoke this authorization at any time via the AI Assistant settings page ("Disconnect Apple ID"). Upon revocation, BusyBook ceases iMessage activity and records the withdrawal in the consent audit log. You should also change your Apple ID password to fully revoke access at the Apple account level.
Consent records and audit logs are retained for 6 years from signing to satisfy HIPAA audit log requirements (45 CFR §164.530(j)).
2.7 AI Model Training & Your Data
BusyBook may develop its own specialized AI models to improve features such as booking optimization, session note generation, and client communication. To train these models, we may use anonymized, de-identified practice data — but only with your explicit consent.
How it works:
- You can opt in via Settings → AI & Integrations → "Help Improve BusyBook's AI"
- This setting is off by default — we never use your data for training unless you choose to enable it
- When enabled, your practice data undergoes a de-identification process before any training use:
  - Client names, phone numbers, email addresses, and physical addresses are removed
  - Your personally identifiable information is removed
  - Dates are generalized to relative timeframes (e.g., "Day 1, Day 2")
  - Locations are generalized to regions
- De-identified data is used solely to improve BusyBook's AI capabilities
- Your data is never sold to third parties
- You can opt out at any time via Settings — opting out means your future data will no longer be included
Important disclosure: Once de-identified data has been used to train an AI model, it becomes part of the model's learned patterns and cannot be individually removed from the trained model. However, opting out ensures no future data from your practice is used in subsequent training cycles.
This consent is separate from and in addition to the general data processing consent you provide when using BusyBook. De-identification is performed in accordance with HIPAA Safe Harbor standards (45 CFR § 164.514(b)).
3. How We Use Your Information
| Purpose | Legal Basis | Data Types |
|---|---|---|
| Provide the platform | Contract performance; BAA | Account info, PHI, operational data |
| Process payments and billing | Contract performance | Financial information, billing records |
| Send transactional notifications | Contract performance; legitimate interest | Contact info, appointment data |
| Generate AI-assisted content | Contract performance | Session context, treatment parameters |
| Improve the platform | Legitimate interest | Anonymized usage analytics (no PHI) |
| Ensure security and prevent fraud | Legal obligation; legitimate interest | Access logs, authentication data |
| Comply with legal obligations | Legal obligation (HIPAA, state law) | Audit logs, compliance records |
| Marketing communications | Consent (opt-in) | Email address (account holder only) |
We do not use client PHI for marketing, advertising, analytics, product improvement, or AI model training.
4. PHI Handling Under the HIPAA Privacy Rule
4.1 Our Role
BusyBook is a Business Associate as defined in 45 CFR §160.103. If you are a healthcare provider qualifying as a Covered Entity under HIPAA, you are the Covered Entity. We handle PHI only as permitted by our Business Associate Agreement and the HIPAA Privacy Rule.
4.2 Permitted Uses and Disclosures
- Treatment, Payment, and Healthcare Operations (TPO): We process PHI to enable you to provide treatment, process payments, and conduct healthcare operations.
- As directed by you: We follow your written instructions regarding PHI use and disclosure.
- As required by law: We disclose PHI when required by federal, state, or local law.
- For platform operation: Our workforce accesses PHI only as minimally necessary (Minimum Necessary Standard).
4.3 Prohibited Uses
We do not:
- Sell PHI
- Use PHI for marketing without your written authorization
- Use PHI for underwriting purposes
- Use PHI to train AI models
- Re-identify de-identified data
- Disclose PHI to any unauthorized party
4.4 Minimum Necessary Standard
We apply the HIPAA Minimum Necessary Standard (45 CFR §164.502(b)) to all internal uses of PHI. Role-based access controls and database-level security policies enforce data isolation and least-privilege access.
4.5 De-Identification
If we de-identify health information, we do so in accordance with the Safe Harbor method (45 CFR §164.514(b)) or the Expert Determination method. De-identified data is no longer PHI.
4.6 Your Obligations as Covered Entity
- Providing a Notice of Privacy Practices to your clients
- Obtaining client consent and authorizations for data collection and storage
- Executing a Business Associate Agreement with BusyBook before entering PHI
- Maintaining your own HIPAA compliance program
- Reporting suspected security incidents to security@busybook.co immediately
5. Business Associate Agreements
5.1 BusyBook ↔ You (Practice Account)
Before any PHI is processed, we require execution of a Business Associate Agreement ("BAA"). Contact privacy@busybook.co for details.
5.2 Subprocessors
| Subprocessor | Purpose | PHI Access | BAA Status |
|---|---|---|---|
| Cloud Database Provider | Database hosting, authentication services, and encrypted data storage | Yes — primary ePHI storage | BAA in place |
| AI Inference Provider | AI inference | Yes — de-identified session context only; contractually prohibited from retention or secondary use | BAA in place |
5.3 AI Vendor Safeguards
- No model training: Provider may not use prompts or PHI to train, fine-tune, or improve AI models
- No retention: Provider may not retain session data beyond the scope of delivering the inference response
- Termination certification: Provider must certify destruction of all data upon contract termination
- No secondary use: Provider may not use PHI for any purpose other than providing the contracted inference service
- De-identification: Client-identifying information is removed or generalized before transmission where technically feasible
6. User Rights
6.1 Your Rights as an Account Holder
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of all personal information we hold | Email privacy@busybook.co |
| Correction | Update or correct inaccurate information | Account settings or email |
| Deletion | Request deletion of your account and data | Email privacy@busybook.co |
| Data Portability | Export data in JSON or CSV format | Account settings or email |
| Opt-out | Unsubscribe from marketing communications | Unsubscribe link or account settings |
| Restrict Processing | Request limits on how we use your data | Email privacy@busybook.co |
Response timeline: We respond to all rights requests within 30 days.
6.2 Client Rights (Exercised Through You)
Your clients' rights under HIPAA are exercised through you as the Covered Entity, including the right of access to their PHI, the right to request amendment, the right to an accounting of disclosures, and the right to request restrictions. BusyBook provides the technical capability for you to fulfill these rights.
6.3 Texas Data Privacy and Security Act (TDPSA) Rights
For data outside HIPAA's scope, Texas residents have additional rights under the TDPSA including access, correction, deletion, portability, and the right to opt out of targeted advertising. We honor Global Privacy Control (GPC) browser signals. Contact privacy@busybook.co to exercise TDPSA rights. We respond within 45 days.
7. Security Measures
We implement comprehensive safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.3 enforced; HSTS enabled |
| Data at rest | AES-256 encryption for all database storage and backups |
| Key management | Secure key management with restricted access |
| Backup encryption | All backups encrypted at rest |
For full details, see our Security Practices page.
8. Breach Notification
8.1 HIPAA Breach Notification
- Notify affected account holder: Within 24 hours of confirmed breach
- Notify affected individuals: Within 60 days of discovery
- Notify HHS: Within 60 days if 500+ individuals affected; annually for fewer
8.2 Texas Breach Notification
- Notify affected individuals: Within 60 days
- Notify Texas Attorney General: Within 30 days if 250+ Texas residents affected
8.3 Your Role
If you suspect unauthorized access: immediately change your password, contact security@busybook.co, document what you observed, and do not delete any data.
9. Data Retention and Deletion
| Data Category | Retention Period | Basis |
|---|---|---|
| Client PHI | Active account + 90 days | HIPAA; state law |
| Financial and billing records | 7 years | IRS requirements |
| HIPAA audit logs | 6 years | 45 CFR §164.530(j) |
| AI prompts/responses | Not retained beyond inference lifecycle; strict data minimization controls enforced contractually | Data minimization; BAA |
| Application error logs | 90 days | Operational |
| Database backups | 30 days (rolling) | Disaster recovery |
Account Closure Process
- Day 0: Initiate closure via account settings or email privacy@busybook.co
- Days 0–7: Confirmation email; data export option offered
- Days 7–30: Grace period — account suspended, data preserved
- Days 30–90: All PHI permanently deleted from production databases
- Day 90: Final backup rotation completes; deletion confirmation sent
10. Infrastructure and Data Residency
BusyBook operates on secure, managed infrastructure in the United States with strong data isolation, encryption controls, and physical security. All ePHI is processed and stored within BusyBook-controlled infrastructure and does not leave the United States.
BusyBook's architecture also supports account holders who wish to run a dedicated instance. Contact privacy@busybook.co for information about dedicated deployment options.
11. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information or your clients' PHI to any third party.
We may disclose information when required by law, including court orders, subpoenas, law enforcement requests, public health authorities, health oversight agencies, or to protect the rights, safety, or property of BusyBook, our users, or others.
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy.
12. Cookies and Tracking Technologies
We use cookies and similar technologies. See our Cookie Policy for full details. We honor Global Privacy Control (GPC) browser signals. We do not use third-party advertising cookies.
13. International Data Transfers
All data is processed and stored on servers located in the United States. We do not currently transfer data outside the United States.
14. Children's Privacy
BusyBook is not intended for use by individuals under 18. If you treat minors, you are responsible for obtaining parental or guardian consent before entering minor client information into the platform.
15. Changes to This Privacy Policy
We will notify you via email and/or in-platform notification at least 30 days before material changes take effect. Your continued use after changes constitutes acceptance.
16. Contact Us
Privacy Inquiries: privacy@busybook.co
Security Issues: security@busybook.co
General Support: support@busybook.co
Mailing Address: BusyBook Ltd. Co., 1209 Mountain Road PL NE, Ste R, Albuquerque, NM 87110, USA
This Privacy Policy is provided for informational purposes. BusyBook recommends that you consult your own legal counsel regarding your individual HIPAA and state privacy law obligations. This document does not constitute legal advice.
