Privacy Policy
Last updated: April 2, 2026
1. Introduction & Scope
This Privacy Policy explains how BookingAPI ("we," "us," or "our") collects, uses, discloses, stores, and protects information in connection with our website, dashboard, APIs, embeddable widgets, booking flows, contact forms, and related services (collectively, the "Service").
Important note on data roles: If you are a business using our Service to accept bookings, you are generally the controller or business for your end-customers' personal data. BookingAPI generally acts as your processor or service provider when we handle booking, calendar, messaging, and related operational data on your behalf. If an end-customer wants to exercise privacy rights over booking data submitted to one of our business customers, that request should usually be directed to the business they booked with first.
2. Information We Collect
Information You Provide Directly
When you contact us, request a demo, create or manage an account, or otherwise interact with us directly, we collect information such as your name, email address, phone number, company name, business details, message content, and any other information you choose to provide.
Account, Profile, and Business Data
If you use the dashboard or API, we process account credentials, organization and tenant details, business locations, staff profile details, settings, permissions, API usage records, and support history.
Booking and Customer Data
When appointments are created through the Service, we process names, email addresses, phone numbers, appointment times, service selections, assigned staff, notes, status history, and related booking details supplied by business users or their customers.
Connected Calendar and Integration Data
If you connect Google Calendar or another supported integration, we process account identifiers, calendar metadata, availability-related information, event data, and other information needed to provide the sync, connection, and troubleshooting features you enable.
Billing and Transaction Data
If you purchase paid features, tokens, credits, subscriptions, or related services, we process billing contact details, invoice records, purchase history, subscription status, and limited payment-related metadata made available to us by our payment service providers. We do not store full payment card numbers on this marketing site.
Usage Data, Device Data, and Cookies
We automatically collect technical and usage information such as IP address, device and browser details, referring URLs, page views, log data, API activity, error information, approximate location inferred from IP, and feature usage. We also use cookies, local storage, session storage, and similar technologies where needed to keep the Service working, maintain sessions, remember settings, and understand how the Service is used.
3. Sources of Information
We collect information directly from you, from your use of the Service, from bookings submitted by your customers, from connected integrations you choose to authorize, from payment and billing providers involved in transactions, and from service providers that help us operate infrastructure, support, communications, and security functions.
4. How We Use Your Information
- To provide, operate, and maintain the Service
- To respond to contact requests, demo inquiries, and support messages
- To create, manage, secure, and administer accounts, organizations, and settings
- To create, manage, and display bookings and related records
- To manage subscriptions, tokens, credits, invoices, payments, and billing operations
- To provide calendar connection, sync, and availability features you enable
- To authenticate users, prevent fraud, detect abuse, and protect the security of the Service
- To provide customer support, diagnose issues, and troubleshoot technical problems
- To monitor performance, troubleshoot problems, and improve the Service
- To create internal reporting, analytics, and service planning information
- To comply with legal obligations and enforce our terms, policies, and agreements
- Operational vs. Marketing Communications (CASL Compliance): To send operational messages such as booking confirmations, password resets, and critical administrative notices. These are distinct from marketing or promotional emails. You may withdraw consent for promotional emails at any time by clicking the "unsubscribe" link, but you will continue to receive essential operational messages required for the Service to function.
5. Cookies and Similar Technologies
We use cookies and similar technologies for a limited set of purposes. Specifically, we use:
- Authentication and Session Cookies: First-party cookies required to keep you logged into the Service securely.
- Stripe: Sets cookies necessary to process payments and prevent payment-related fraud.
You can usually control cookies through your browser settings and, where relevant, delete locally stored data through your browser or device. Blocking some technologies will cause parts of the Service (such as logging in) to function improperly.
6. How We Share Information
We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising. We disclose information in the following circumstances:
- To service providers and infrastructure vendors that help us host, secure, support, bill, and operate the Service
- To email, messaging, and communications providers that help deliver operational messages
- To payment processors and billing providers involved in purchases and account billing
- To integration partners you choose to connect, such as calendar providers
- To professional advisers, auditors, insurers, or financing counterparties where reasonably necessary
- To law enforcement, regulators, courts, or other parties where required by law or reasonably necessary to protect rights, safety, and security
- To a buyer, investor, or successor in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business
7. Google Calendar Data
If you authorize Google Calendar access, we request only the Google scopes needed to support the calendar features you choose to enable. At the time of writing, BookingAPI requests https://www.googleapis.com/auth/calendar.events and https://www.googleapis.com/auth/calendar.readonly. We use that access to connect and verify your selected calendar, read calendar metadata and availability-related information needed for scheduling, create booking events, update booking events when appointments change, delete booking events when appointments are cancelled, and troubleshoot or restore calendar connections you ask us to support.
We do not request Gmail, Contacts, or Google Drive access through this calendar connection. We do not use the Google Calendar connection to create standalone calendars, change calendar sharing permissions, manage calendar ACLs, or access Google data unrelated to the booking and availability features described in this Policy.
We do not sell Google Calendar data. We do not use Google Calendar data for advertising, to build marketing profiles, or to train generalized artificial intelligence or machine learning models. We only share Google Calendar data with service providers or subprocessors where that sharing is necessary to provide, secure, support, or maintain the calendar-enabled features of the Service.
You can stop future Google Calendar access at any time by disconnecting the calendar inside the Service or by revoking BookingAPI access in your Google account permissions. If you want us to delete stored connected-calendar credentials or related integration data from our active systems, contact privacy@bookingapi.ca. Deleting a calendar connection does not necessarily remove booking, billing, audit, or other account records that we must retain for the legitimate business and legal reasons described in this Policy.
BookingAPI's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
8. International Data Transfers
BookingAPI operates from Canada, and the service providers we use process data in Canada, the United States, or other jurisdictions where they maintain operations. As a result, information is transferred to and processed in countries that have privacy laws different from those in your province, state, or country.
9. Data Retention
We retain information based on explicit lifecycle definitions rather than blanket periods:
- Server Logs and Telemetry: Retained for 30 days for security and debugging purposes.
- Booking Records and Customer Data: Retained for the lifetime of the business account, plus 90 days after account deletion to allow for accidental deletion recovery and standard backup cycles.
- Connected Calendar Credentials and Integration Metadata: Retained while a calendar connection remains active and thereafter only as needed for support, security, recovery, backup, deletion processing, and compliance obligations.
- Account, Billing, and Transaction Records: Retained for up to 7 years to support legal, tax, accounting, and compliance obligations.
When data is no longer required, we delete, de-identify, or anonymize it.
10. Security & Breach Notification (PIPEDA)
We use administrative, technical, and organizational measures designed to protect information handled by the Service. These include access controls, strict logging, environment-specific credential handling, and encrypted transport. However, no method of transmission over the internet or storage is completely secure, and we cannot guarantee absolute security.
Mandatory Breach Notification: In accordance with PIPEDA requirements, if we discover a security breach involving personal information that poses a real risk of significant harm to individuals, we will notify affected individuals, our business customers (who act as the Data Controllers), and the Privacy Commissioner of Canada as required by law without unreasonable delay.
11. Your Rights and Choices
Depending on your location and the way you interact with the Service, you have rights to request access to, correction of, deletion of, portability of, or restriction of certain personal information we hold about you. You also have the right to object to some processing or withdraw consent where processing is based on consent.
You can also take certain steps directly, such as updating profile information, disconnecting integrations, changing browser cookie settings, or contacting us to close an account or submit a privacy request.
If you are in the EEA, UK, or another jurisdiction that requires a legal basis for processing, we rely on one or more of the following: performance of a contract, compliance with legal obligations, our legitimate interests in operating and securing the Service, and your consent where applicable. To make a privacy request, contact us at privacy@bookingapi.ca. We will need to verify your identity before completing a request.
12. Data Deletion, Meta Integrations, and Third-Party Links
Our Service contains links to or integrations with third-party websites or platforms, such as Meta (WhatsApp, Facebook) or Google Calendar. We do not control and are not responsible for the broader privacy practices of those third parties, and your use is subject to their terms.
- Meta Data Deletion: If you connected a WhatsApp Business or Facebook login integration, you may revoke access from within our dashboard or via your Meta settings. To request the complete, permanent erasure of your personal data obtained from these platforms from our systems, email privacy@bookingapi.ca with the subject "Data Deletion Request". We process these requests within 30 days.
- Account Deletion: Any BookingAPI user can delete their account and associated data by emailing us or using the dashboard settings.
- End Customers: If you interacted with a business via our WhatsApp AI Agent and want your conversation history or phone number deleted, please contact that business directly, as they are the data controller. You may also contact us and we will forward your request to them.
13. Children's Privacy
Our Service is not directed to children, and we do not knowingly collect personal information from children under 18 through the marketing site or business-facing platform. If we become aware that we have collected personal information from a child in violation of applicable law, we will take steps to delete it.
14. Business Transfers
If BookingAPI is involved in a merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar transaction, information is transferred as part of that process, subject to applicable confidentiality and legal requirements.
15. Region-Specific Notes
BookingAPI operations are headquartered in Ontario, Canada. Depending on your location, you have additional rights under laws such as PIPEDA, provincial privacy laws, GDPR, UK GDPR, or U.S. state privacy laws. If you are an end-customer whose information was submitted to one of our business customers through a booking flow, your request must be handled by that business as the primary controller of that data.
16. Changes to This Policy
We update this Privacy Policy from time to time. When we do, we will post the updated version on this page and update the "Last updated" date above. If changes are material, we will provide additional notice where appropriate.
17. Accountability & Contact Us
BookingAPI has appointed a dedicated Privacy Officer to oversee compliance with this Privacy Policy and applicable data protection laws.
If you have questions about this Privacy Policy or want to make a privacy request or complaint, please contact our Privacy Officer at:
Email: privacy@bookingapi.ca
General Support: hello@bookingapi.ca
Email is the fastest and preferred way to reach us for privacy requests.