Privacy Policy

1. Introduction and Definitions

This Privacy Policy (this "Policy") explains how BusyBook, Inc. ("BusyBook," "Company," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit our websites, use our platform, or otherwise interact with us. BusyBook is a Delaware corporation with its principal place of business at 2435 Central Expy, 12th Floor, Suite 1200, Richardson, TX 75080, USA.

As used in this Policy, the following terms shall have the meanings set forth below:

• "Account Holder" means any individual or entity that creates an account on the Platform.
• "Business Associate" has the meaning set forth in 45 CFR Section 160.103.
• "Client Data" means personal information about an Account Holder's clients or staff that is entered into the Platform by or on behalf of the Account Holder.
• "End Client" means any individual whose personal information is entered into the Platform by an Account Holder.
• "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.
• "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular individual or household.
• "PHI" or "Protected Health Information" has the meaning set forth in 45 CFR Section 160.103.
• "Platform" means the BusyBook web application at app.busybook.co, mobile applications (when available), APIs, and all associated tools and services.
• "Services" means all services provided by BusyBook through the Platform, including practice management, scheduling, client management, billing, communications, AI-assisted features, and workflow automation.

2. Scope and Applicability

This Policy applies to:

• The BusyBook marketing website at busybook.co
• The Platform at app.busybook.co
• Mobile applications (when available)
• Support and communication channels (email, in-app chat, phone)
• Any other services or tools made available by BusyBook

This Policy covers website visitors, Account Holders (practice owners and their staff), and End Clients whose information is entered into the Platform by Account Holders.

3. Roles: Controller vs. Service Provider

BusyBook's role — and your rights — depend on how we interact with your information:

When BusyBook acts as a controller:

We determine the purposes and means of processing your Personal Information. This applies to:

• Website visitors browsing busybook.co
• Prospective customers who submit lead forms or join our waitlist
• Account Holders' registration, billing, and account management data
• Usage analytics and support interactions

When BusyBook acts as a service provider or Business Associate:

We process Personal Information on behalf of our customers (Account Holders) to provide the Services. This applies to:

• Client Data that Account Holders enter into the Platform
• Staff data that Account Holders enter for their team members
• Any PHI processed under a BAA

When acting as a service provider or Business Associate, we process data only as instructed by the Account Holder and in accordance with our agreements. If you are an End Client of a practice that uses BusyBook, your provider is the controller of your data — please contact them directly to exercise your privacy rights.

4. Information We Collect

4.1 Information You Provide Directly

When you create an account, contact us, or use our Services, you may provide:

• Contact details: Name, email address, phone number
• Account and profile information: Username, password, profile photo, time zone, notification preferences
• Business and practice details: Practice name, business address, business phone, state license number, license type, services offered, business hours, pricing
• Payment and billing information: Payment method details (processed and tokenized by Stripe — we do not store raw card numbers), billing address, tax identification number
• Support tickets and inquiries: Messages you send to our support team, feedback, and feature requests
• Form responses: Waitlist signups, intake forms, survey responses
• Chat and communication content: Messages sent through in-app messaging or other communication features
• AI interaction data: Prompts, instructions, and preferences you provide when using AI-assisted features

4.2 Information We Receive from Account Holders and Third Parties

• Account Holder-entered data: Practice owners and their staff enter Client Data and staff information into BusyBook on behalf of their business (see Section 8)
• Integration data: If you connect third-party services to your BusyBook account (e.g., payment processors, calendar tools, messaging platforms), we receive data from those services as needed to provide the integration
• Referral data: If someone refers you to BusyBook, we may receive your name and contact information from the referring party

4.3 Information We Collect Automatically

When you use our Services, we automatically collect:

• Device information: IP address, browser type and version, operating system, device type, screen resolution
• Usage data: Pages visited, features used, click patterns, session duration, navigation paths
• Log data: Server access logs, error logs, API request metadata, timestamps
• Crash and performance data: Error reports, performance metrics, diagnostic data

4.4 Cookies and Similar Technologies

We use cookies, pixels, local storage, and similar technologies to operate our Services, remember your preferences, and understand how you interact with our Platform. For detailed information about the types of cookies we use and how to manage your preferences, see our Cookie Policy.

5. How We Use Your Information

When acting as a controller, we use your Personal Information for the following purposes:

• Provide and maintain the Services: Operate the Platform, process transactions, deliver features you request, and ensure the Services function correctly
• Account management: Create and manage your account, authenticate your identity, and maintain your preferences
• Communicate with you: Send transactional messages (confirmations, receipts, alerts), respond to support requests, and provide product updates
• Personalize your experience: Tailor the Platform to your preferences, display relevant content, and remember your settings
• Analyze and improve: Understand how our Services are used, identify trends, diagnose technical issues, and improve functionality (using anonymized, non-PHI data only)
• Marketing: Send promotional communications about BusyBook's products and features (to Account Holders only, never to End Clients; you can opt out at any time)
• Enforce our terms: Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy
• Security: Protect the safety, integrity, and availability of our Services, infrastructure, and users
• Legal compliance: Comply with applicable laws, regulations, legal processes, and government requests
• Corporate transactions: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets (see Section 7)

6. How We Use Information When Acting for Account Holders

When Account Holders store Client Data or staff data in BusyBook, we process that information solely to provide the Services as instructed by the Account Holder and in accordance with our contractual agreements. We do not use Account Holder-entered data for our own marketing, advertising, analytics, or product development purposes.

We do not use PHI for marketing, behavioral advertising, analytics, product improvement, or AI model training.

7. How We Disclose Information

We may share Personal Information with the following categories of recipients:

• Service providers and subprocessors: Third-party vendors who help us operate the Services, including hosting providers, payment processors (Stripe), email delivery services, analytics tools, and customer support platforms. These providers are contractually obligated to use your information only as needed to perform services on our behalf.
• Integrations you connect: If you connect third-party services to your BusyBook account, we share data with those services as necessary to enable the integration based on your configuration.
• Affiliates: Companies under common ownership or control with BusyBook, Inc., subject to this Policy.
• Professional advisors: Attorneys, accountants, auditors, and consultants who need access to information to provide professional services to us.
• Mergers, acquisitions, and corporate transactions: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy.
• Law enforcement and regulators: When required by law, regulation, legal process, or enforceable governmental request, including court orders, subpoenas, and public health or safety obligations. We will notify you when legally permitted to do so.
• With your direction or consent: When you direct us to share information or provide your consent for a specific disclosure.

We do not sell your Personal Information. We do not share Personal Information with third parties for their own direct marketing purposes. No mobile information will be shared with affiliates or third parties for marketing or promotional purposes.

8. Processing of Client and Staff Information on Behalf of Account Holders

Account Holders use the Platform to manage information about their clients and team members. The types of Client Data that Account Holders may enter include:

• Contact information: Client and staff names, phone numbers, email addresses, physical addresses
• Appointment records: Dates, times, services booked, appointment status, cancellation and no-show history
• Service and treatment details: Services rendered, session notes, treatment records, intake forms, health history
• Payment and billing records: Charges, payment history, outstanding balances, tips, refunds
• Messages and communications: Messages exchanged between the practice and clients, appointment confirmations and reminders
• Notes and files: Internal notes, documents, photos, and other files attached to client or staff records
• Relationship and engagement data: Visit frequency, referral sources, loyalty or retention tracking

BusyBook processes this information as a service provider (and, where applicable, as a Business Associate under HIPAA) on behalf of the Account Holder in accordance with our contractual agreements. We do not independently decide how this information is used — the Account Holder does. We do not mine Client Data, build advertising profiles, or use Client Data for purposes unrelated to providing the Services.

If you are an End Client of a practice that uses BusyBook: Your provider controls your data. To access, correct, delete, or otherwise exercise your privacy rights regarding information held in BusyBook, please contact your provider directly. BusyBook will support the provider in fulfilling your requests.

9. HIPAA and Protected Health Information

9.1 BusyBook as a Business Associate

BusyBook processes PHI in its capacity as a Business Associate under HIPAA on behalf of Account Holders who are Covered Entities. PHI processed in this capacity is governed by HIPAA and our Business Associate Agreement, not this Policy.

9.2 PHI Categories

The following categories of information are treated as PHI when associated with an identifiable individual and entered by or on behalf of a Covered Entity:

9.3 PHI Restrictions

BusyBook does not use PHI for: (a) marketing or behavioral advertising; (b) analytics or product improvement (except in de-identified form as permitted by 45 CFR Section 164.514); (c) AI model training; or (d) any purpose not expressly permitted by HIPAA and the BAA.

9.4 De-Identified Data

BusyBook may use de-identified data (data from which all HIPAA identifiers have been removed in accordance with 45 CFR Section 164.514) for product improvement, analytics, and aggregated reporting. De-identified data is not PHI and is not subject to the BAA.

9.5 Business Associate Agreement

Account Holders who are Covered Entities must execute a BAA with BusyBook before entering PHI into the Platform. For breach notification procedures, subprocessor obligations, permitted uses, and data retention requirements related to PHI, see the BAA.

9.6 Subprocessors

BusyBook engages third-party subprocessors to provide the Services. BusyBook ensures each subprocessor that handles PHI is bound by obligations no less protective than those in the BAA.

10. State-Specific Privacy Notices

10.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"):

• Right to Know: You may request the categories and specific pieces of Personal Information we have collected about you.
• Right to Delete: You may request that we delete your Personal Information, subject to certain exceptions.
• Right to Correct: You may request that we correct inaccurate Personal Information.
• Right to Opt Out of Sale/Sharing: We do not sell your Personal Information or share it for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive Personal Information to purposes necessary for providing the Services.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@busybook.co or call 469-334-4017. We will verify your identity before processing your request.

10.2 Texas Residents

If you are a Texas resident, the Texas Data Privacy and Security Act ("TDPSA") provides you with certain rights, including the rights to: (a) confirm whether we are processing your Personal Information; (b) access your Personal Information; (c) correct inaccuracies; (d) delete your Personal Information; (e) obtain a portable copy of your data; and (f) opt out of targeted advertising, the sale of Personal Information, and profiling that produces legal or similarly significant effects.

To exercise these rights, contact us at privacy@busybook.co. You may appeal a denial by contacting us with "Appeal" in the subject line.

10.3 Other State Privacy Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Oregon, Montana, and others) may have similar rights. We honor these rights as required by applicable law.

10.4 Global Privacy Control

We honor Global Privacy Control ("GPC") and similar opt-out preference signals transmitted by your browser. If we receive a GPC signal, we will treat it as a valid opt-out request under applicable state privacy laws.

10.5 No Sale of Personal Information

We do not sell Personal Information. We do not use Personal Information for targeted advertising based on data purchased from third parties.

11. Your Rights and Choices

Depending on your relationship with BusyBook and applicable law, you may have the following rights:

• Access: Request a copy of the Personal Information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request that we delete your Personal Information (subject to legal retention requirements and HIPAA obligations).
• Data portability: Request an export of your data in a structured, commonly used format (JSON or CSV).
• Marketing opt-out: Unsubscribe from marketing communications at any time using the unsubscribe link in our emails or through your account settings.
• Cookie choices: Manage your cookie preferences through your browser settings or our cookie management tools (see our Cookie Policy).
• AI opt-out: Disable AI Features or opt out of voluntary de-identified data contributions through Platform settings.

To exercise these rights, contact us at privacy@busybook.co. We will respond within thirty (30) days, or within the timeframe required by applicable law.

For End Clients of practices using BusyBook: Your privacy rights regarding information held in BusyBook are exercised through your provider (the Account Holder), who controls your data. BusyBook provides the technical tools for providers to fulfill access, correction, export, and deletion requests on your behalf.

12. Data Security

We implement appropriate technical and organizational safeguards to protect the Personal Information we process, including:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls: Role-based access, row-level security at the database layer, and multi-factor authentication
• Monitoring and logging: Security event logging, intrusion detection, and regular security reviews
• Incident response: Formal incident response procedures with defined roles and escalation paths
• Personnel: All personnel with access to Personal Information receive security awareness training

No method of transmission or storage is completely secure. While we strive to protect your information using commercially reasonable measures, we cannot guarantee absolute security. For additional detail, see our Security Practices documentation.

13. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.

PHI retention is governed by HIPAA, applicable state medical record retention laws, and our Business Associate Agreement.

When you close your account, we offer you the opportunity to export your data. After a sixty (60) day Export Window, we permanently delete your Personal Information from production systems, with the exception of records we are legally required to retain (e.g., billing records, audit logs).

14. International Data Transfers

BusyBook stores and processes all data in the United States. We do not currently transfer Personal Information outside the United States. If this changes in the future, we will update this Policy and implement appropriate safeguards (such as Standard Contractual Clauses or other mechanisms approved under applicable law) before any international transfer occurs.

By using the Services, you acknowledge that your information will be processed in the United States, which may have different data protection laws than your country of residence.

15. Children's Privacy

BusyBook is not directed to individuals under eighteen (18) years of age, and we do not knowingly collect Personal Information from children under thirteen (13) years of age. If we learn that we have collected Personal Information from a child under thirteen (13) without verifiable parental consent as required by the Children's Online Privacy Protection Act ("COPPA"), we will take steps to delete that information promptly.

Health and wellness practices that treat minors may enter minor client data into BusyBook. The practice (Account Holder) is responsible for obtaining parental or guardian consent and complying with applicable laws governing minors' data, including COPPA where applicable. BusyBook processes this data as a service provider under the Account Holder's instructions.

16. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated by BusyBook. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service before providing your information.

When you connect third-party integrations to your BusyBook account, your use of those integrations is governed by the third party's own terms and privacy policy.

17. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or the Services. When we make changes:

• We will update the "Last Updated" date at the top of this Policy.
• For material changes, we will notify you via email and/or an in-Platform notification at least 30 days before the changes take effect.
• Updated versions will be posted at busybook.co.

Your continued use of the Services after changes become effective constitutes acceptance of the updated Policy. If you do not agree, you may close your account and request deletion of your data.

18. Contact Information

This Privacy Policy is provided for informational purposes and does not constitute legal advice. BusyBook recommends that you consult your own legal counsel regarding your privacy law obligations.