Privacy Policy

Last updated: March 21, 2026

1. Introduction & Scope

This Privacy Policy explains how BookingAPI ("we," "us," or "our") collects, uses, discloses, stores, and protects information in connection with our website, dashboard, APIs, embeddable widgets, booking flows, contact forms, and related services (collectively, the "Service").

Important note on data roles: If you are a business using our Service to accept bookings, you are generally the controller or business for your end-customers' personal data. BookingAPI generally acts as your processor or service provider when we handle booking, calendar, messaging, and related operational data on your behalf. If an end-customer wants to exercise privacy rights over booking data submitted to one of our business customers, that request should usually be directed to the business they booked with first.

2. Information We Collect

Information You Provide Directly

When you contact us, request a demo, create or manage an account, or otherwise interact with us directly, we collect information such as your name, email address, phone number, company name, business details, message content, and any other information you choose to provide.

Account, Profile, and Business Data

If you use the dashboard or API, we process account credentials, organization and tenant details, business locations, staff profile details, settings, permissions, API usage records, and support history.

Booking and Customer Data

When appointments are created through the Service, we process names, email addresses, phone numbers, appointment times, service selections, assigned staff, notes, status history, and related booking details supplied by business users or their customers.

Connected Calendar and Integration Data

If you connect Google Calendar or another supported integration, we process account identifiers, calendar metadata, availability-related information, event data, and other information needed to provide the sync, connection, and troubleshooting features you enable.

Billing and Transaction Data

If you purchase paid features, tokens, credits, subscriptions, or related services, we process billing contact details, invoice records, purchase history, subscription status, and limited payment-related metadata made available to us by our payment service providers. We do not store full payment card numbers on this marketing site.

Usage Data, Device Data, and Cookies

We automatically collect technical and usage information such as IP address, device and browser details, referring URLs, page views, log data, API activity, error information, approximate location inferred from IP, and feature usage. We also use cookies, local storage, session storage, and similar technologies where needed to keep the Service working, maintain sessions, remember settings, and understand how the Service is used.

3. Sources of Information

We collect information directly from you, from your use of the Service, from bookings submitted by your customers, from connected integrations you choose to authorize, from payment and billing providers involved in transactions, and from service providers that help us operate infrastructure, support, communications, and security functions.

4. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To respond to contact requests, demo inquiries, and support messages
  • To create, manage, secure, and administer accounts, organizations, and settings
  • To create, manage, and display bookings and related records
  • To manage subscriptions, tokens, credits, invoices, payments, and billing operations
  • To provide calendar connection, sync, and availability features you enable
  • To authenticate users, prevent fraud, detect abuse, and protect the security of the Service
  • To provide customer support, diagnose issues, and troubleshoot technical problems
  • To monitor performance, troubleshoot problems, and improve the Service
  • To create internal reporting, analytics, and service planning information
  • To comply with legal obligations and enforce our terms, policies, and agreements
  • Operational vs. Marketing Communications (CASL Compliance): To send operational messages such as booking confirmations, password resets, and critical administrative notices. These are distinct from marketing or promotional emails. You may withdraw consent for promotional emails at any time by clicking the "unsubscribe" link, but you will continue to receive essential operational messages required for the Service to function.

5. Cookies and Similar Technologies

We use cookies and similar technologies for a limited set of purposes. Specifically, we use:

  • Authentication and Session Cookies: First-party cookies required to keep you logged into the Service securely.
  • Stripe: Sets cookies necessary to process payments and prevent payment-related fraud.
  • Google Analytics: Sets cookies to help us understand how visitors interact with our marketing site and dashboard.

You can usually control cookies through your browser settings and, where relevant, delete locally stored data through your browser or device. Blocking some technologies will cause parts of the Service (such as logging in) to function improperly.

6. How We Share Information

We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising. We disclose information in the following circumstances:

  • To service providers and infrastructure vendors that help us host, secure, support, bill, and operate the Service
  • To email, messaging, and communications providers that help deliver operational messages
  • To payment processors and billing providers involved in purchases and account billing
  • To integration partners you choose to connect, such as calendar providers
  • To professional advisers, auditors, insurers, or financing counterparties where reasonably necessary
  • To law enforcement, regulators, courts, or other parties where required by law or reasonably necessary to protect rights, safety, and security
  • To a buyer, investor, or successor in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business

7. Google Calendar Data

If you authorize Google Calendar access, we request explicitly defined scopes (such as https://www.googleapis.com/auth/calendar.events) to provide the calendar connection, sync, booking, availability, and troubleshooting features you request. We do not use Google Calendar data to train any artificial intelligence (AI) models whatsoever. We do not sell Google Calendar data. You can stop future access by disconnecting the calendar inside the Service or by revoking BookingAPI access from your Google account settings.

BookingAPI's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

8. International Data Transfers

BookingAPI operates from Canada, and the service providers we use process data in Canada, the United States, or other jurisdictions where they maintain operations. As a result, information is transferred to and processed in countries that have privacy laws different from those in your province, state, or country.

9. Data Retention

We retain information based on explicit lifecycle definitions rather than blanket periods:

  • Server Logs and Telemetry: Retained for 30 days for security and debugging purposes.
  • Booking Records and Customer Data: Retained for the lifetime of the business account, plus 90 days after account deletion to allow for accidental deletion recovery and standard backup cycles.
  • Account, Billing, and Transaction Records: Retained for up to 7 years to support legal, tax, accounting, and compliance obligations.

When data is no longer required, we delete, de-identify, or anonymize it.

10. Security & Breach Notification (PIPEDA)

We use administrative, technical, and organizational measures designed to protect information handled by the Service. These include access controls, strict logging, environment-specific credential handling, and encrypted transport. However, no method of transmission over the internet or storage is completely secure, and we cannot guarantee absolute security.

Mandatory Breach Notification: In accordance with PIPEDA requirements, if we discover a security breach involving personal information that poses a real risk of significant harm to individuals, we will notify affected individuals, our business customers (who act as the Data Controllers), and the Privacy Commissioner of Canada as required by law without unreasonable delay.

11. Your Rights and Choices

Depending on your location and the way you interact with the Service, you have rights to request access to, correction of, deletion of, portability of, or restriction of certain personal information we hold about you. You also have the right to object to some processing or withdraw consent where processing is based on consent.

You can also take certain steps directly, such as updating profile information, disconnecting integrations, changing browser cookie settings, or contacting us to close an account or submit a privacy request.

If you are in the EEA, UK, or another jurisdiction that requires a legal basis for processing, we rely on one or more of the following: performance of a contract, compliance with legal obligations, our legitimate interests in operating and securing the Service, and your consent where applicable. To make a privacy request, contact us at privacy@bookingapi.ca. We will need to verify your identity before completing a request.

12. Third-Party Links and Integrations

Our Service contains links to or integrations with third-party websites or services, such as Google Calendar or payment processors. We do not control and are not responsible for the privacy practices of those third parties. Your use of third-party services is subject to their own terms and privacy policies.

13. Children's Privacy

Our Service is not directed to children, and we do not knowingly collect personal information from children under 18 through the marketing site or business-facing platform. If we become aware that we have collected personal information from a child in violation of applicable law, we will take steps to delete it.

14. Business Transfers

If BookingAPI is involved in a merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar transaction, information is transferred as part of that process, subject to applicable confidentiality and legal requirements.

15. Region-Specific Notes

BookingAPI operations are headquartered in Ontario, Canada. Depending on your location, you have additional rights under laws such as PIPEDA, provincial privacy laws, GDPR, UK GDPR, or U.S. state privacy laws. If you are an end-customer whose information was submitted to one of our business customers through a booking flow, your request must be handled by that business as the primary controller of that data.

16. Changes to This Policy

We update this Privacy Policy from time to time. When we do, we will post the updated version on this page and update the "Last updated" date above. If changes are material, we will provide additional notice where appropriate.

17. Accountability & Contact Us

BookingAPI has appointed a dedicated Privacy Officer to oversee compliance with this Privacy Policy and applicable data protection laws.

If you have questions about this Privacy Policy or want to make a privacy request or complaint, please contact our Privacy Officer at:

Email: privacy@bookingapi.ca
Mailing Address:
BookingAPI Privacy Officer
[Street Address]
[City, Province, Postal Code]
Canada