Privacy Policy

Last updated: May 8, 2026

Bookendo LLC ("Bookendo," "we," "us," or "our") operates the website bookendo.com and the Bookendo platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service.

1. Information We Collect

1.1 Personal Information You Provide

When you register for an account, use our Service, or contact us, we may collect:

• Account information: Name, email address, phone number, business name, and login credentials.
• Client data: Names, phone numbers, email addresses, appointment history, and service preferences of your business's clients, as entered by you into the platform.
• Consent form data: Information provided in digital consent forms, including signatures, photo IDs, medical history, and other form fields as configured by the business.
• Payment information: Billing details processed through our third-party payment processors (we do not store full credit card numbers).
• Communications: Messages you send us via email or support channels.

1.2 Information Collected Automatically

• Usage data: Pages visited, features used, timestamps, and interaction patterns.
• Device information: IP address, browser type, operating system, and device identifiers.
• Cookies and similar technologies: Session cookies for authentication and preferences. See Section 8.

1.3 Information from Third-Party Integrations

We may receive information from integrated services such as Twilio (SMS delivery status), Stripe (payment processing and transaction status), PayPal (payment processing and transaction status), and other payment processors (transaction confirmations).

If you choose to connect third-party services through our integrations, we may also collect:

• Google Calendar: Calendar event data (event titles, times, descriptions, and attendees) from your Google Calendar when you enable the Google Calendar sync feature. We access this data using Google OAuth 2.0 with your explicit consent.
• Google Business Profile: Your Google Place ID and business listing information when you enable the Google Reviews feature.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service.
• Process appointments, consent forms, and business operations.
• Send transactional communications: appointment reminders, consent form links, password resets, and account notifications.
• Send promotional communications only with your explicit opt-in consent.
• Send SMS messages on behalf of businesses to their clients for appointment reminders, consent forms, and service-related notifications.
• Generate reports and analytics for business owners.
• Synchronize appointment data with your Google Calendar when you enable the integration.
• Send review request emails to your clients after completed appointments when you enable Google Reviews.
• Detect, prevent, and address technical issues, fraud, or abuse.
• Comply with legal obligations.

3. SMS and Messaging Communications

No mobile data sharing. Bookendo does not sell, share, or transfer mobile phone numbers or SMS opt-in data to third parties for marketing purposes. SMS consent and mobile opt-in information are not shared with affiliates or external marketing partners. Phone numbers collected for SMS are used solely to deliver the messages the recipient consented to receive (appointment reminders, booking confirmations, account notifications, or — with a separate, granular opt-in — promotional messages from the business the recipient booked with).

Bookendo facilitates SMS messaging on behalf of businesses using our platform. By using our messaging features:

• Granular opt-in. SMS opt-in is collected with separate, independent checkboxes for each use case. Service-related SMS (appointment reminders, booking confirmations, account notifications) is one opt-in. Promotional SMS is a separate, independent opt-in. Checking one does not opt the recipient into the other.
• Business users are responsible for obtaining proper consent from their clients before sending messages through our platform.
• End-user clients receive messages only when the business has a legitimate reason (appointment confirmation, consent form delivery, reminders) and the client has provided their phone number and explicit, granular consent.
• Message frequency varies based on appointments and services booked.
• Message and data rates may apply depending on the recipient's carrier.
• Recipients can opt out at any time by replying STOP to any message. Reply HELP for support, or contact us at privacy@bookendo.com.
• No third-party sharing of SMS data. Mobile phone numbers, SMS opt-in records, and message content are not sold, rented, leased, or shared with third parties for marketing purposes. The only third party that processes SMS data is Twilio, our service provider, which acts solely as a processor under our instructions.
• We use Twilio as our messaging service provider. Twilio's privacy policy is available at twilio.com/legal/privacy.

4. Third-Party Integrations and Google API Services

4.1 Google Calendar Integration

When you connect your Google Calendar to Bookendo:

• We request access to your Google Calendar data through Google's OAuth 2.0 authorization flow.
• We use the calendar.events scope to read, create, update, and delete calendar events on your behalf.
• Appointment data from Bookendo is synced to your Google Calendar, and events from your Google Calendar are used to determine availability in Bookendo.
• We store your Google OAuth tokens (encrypted) to maintain the connection. You can revoke access at any time from Bookendo's Integrations page or from your Google Account permissions.
• We do not use your Google Calendar data for advertising, profiling, or any purpose other than providing the calendar sync feature.
• Bookendo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.2 Google Reviews Integration

When you enable the Google Reviews feature:

• We store your Google Place ID to generate review request links.
• We send automated emails to your clients after completed appointments containing a direct link to leave a review on Google.
• We do not access or store your Google Reviews data; we only generate links to the Google review page.

4.3 Mobile Application

When you use the Bookendo mobile application, we may request access to certain device features. Each permission is only used for its stated purpose and is never accessed without your action:

• Camera: Used to capture photos for client profiles, consent forms, and service documentation. Photos are uploaded to your business account and stored securely on our servers. The camera is only activated when you explicitly choose to take a photo within the app.
• Bluetooth: Used exclusively to connect to Stripe card readers (such as the Stripe M2) for in-person payment processing. Bluetooth is only activated when you initiate the card reader connection from the POS screen.
• Location (approximate): Used solely in conjunction with Bluetooth to discover nearby Stripe card readers, as required by Android system permissions. We do not track, store, or transmit your location data.
• Internet access: Required for the app to communicate with Bookendo servers, process payments, send notifications, and sync data.
• Push notifications: Used to deliver appointment reminders, incoming call alerts, and system notifications. You can disable push notifications at any time through your device settings.

You can revoke any of these permissions at any time through your device settings. Revoking a permission may limit certain features of the app (for example, revoking Bluetooth access will prevent card reader connectivity).

5. How We Share Your Information

We do not sell your personal information. We may share information with:

• Service providers: Twilio (SMS), Cloudflare (CDN/security), Google APIs (Calendar sync, Maps, Reviews), Stripe (payment processing), PayPal (payment processing), email providers, and other payment processors — only as necessary to operate the Service.
• Business-client relationship: Client data is accessible to the business that created the client record. Businesses are data controllers for their client data.
• Legal requirements: When required by law, court order, or to protect our rights, safety, or property.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

6. Data Retention

• Account data: Retained while your account is active and for 90 days after deletion request.
• Client data: Retained as long as the business account is active. Businesses can delete individual client records at any time.
• Consent forms: Retained for a minimum of 7 years for legal compliance purposes, unless the business requests earlier deletion.
• Messaging logs: SMS delivery logs are retained for 12 months for troubleshooting and compliance.
• Audit logs: Retained for 3 years for security and compliance purposes.

7. Data Security

We implement industry-standard security measures including:

• TLS 1.2/1.3 encryption for all data in transit.
• Encrypted storage for sensitive data at rest.
• Role-based access controls and multi-tenant data isolation.
• Regular security audits and monitoring.
• Secure password hashing (bcrypt).

No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Cookies

We use essential cookies for:

• Authentication: JWT tokens stored in localStorage to maintain your session.
• Preferences: Language selection and UI preferences.

We do not use third-party tracking cookies or advertising cookies.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (subject to legal retention requirements).
• Object to or restrict processing of your data.
• Data portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time for consent-based processing.
• Opt out of SMS communications by replying STOP.

To exercise any of these rights, contact us at privacy@bookendo.com.

10. California Privacy Rights (CCPA)

California residents have additional rights under the CCPA:

• Right to know what personal information is collected, used, and shared.
• Right to delete personal information.
• Right to opt out of the sale of personal information (we do not sell personal information).
• Right to non-discrimination for exercising privacy rights.

11. Children's Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we discover that a child under 16 has provided us with personal information, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@bookendo.com.

12. International Data Transfers

Our servers are located in the United States and Canada. If you are accessing our Service from outside these countries, please be aware that your data will be transferred to and processed in these jurisdictions.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, contact us at:

Bookendo LLC
Email: privacy@bookendo.com
Phone: +1 (470) 798-1411
Address: 1276 Industrial Blvd, Suite 2, Gainesville, GA 30501
Website: bookendo.com