Privacy Policy

At BookingService.ai ("we," "our," or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered booking platform, including our website, mobile applications, and any related services (collectively, the "Service"). Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service. We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last Updated" date of this Privacy Policy.

We collect information that you provide directly to us, including: Personal Information: • Name, email address, and phone number • Billing and payment information • Business name and address • Account credentials Booking Information: • Appointment schedules and preferences • Service selections and customizations • Customer communications and notes Technical Information: • IP address and device identifiers • Browser type and operating system • Usage patterns and interaction data • Cookies and similar tracking technologies AI Interaction Data: • Voice recordings from AI phone calls (with consent) • Chat transcripts from AI interactions • Booking preferences learned by our AI systems

We use the information we collect to: • Provide, maintain, and improve our Service • Process bookings and appointments • Send transactional communications (confirmations, reminders) • Provide customer support • Analyze usage patterns and optimize user experience • Detect and prevent fraud or abuse • Comply with legal obligations AI-Specific Uses: Our AI systems use your data to provide personalized booking experiences, handle phone calls on your behalf, and learn preferences to improve service quality. Voice recordings are processed in real-time and may be reviewed to improve AI accuracy.

We may share your information in the following circumstances: Service Providers (Subprocessors): We share data with third-party vendors who help us operate our Service. All subprocessors have signed Data Processing Agreements (DPAs) with us: • Payment Processing: Stripe, Inc. (US), Iyzico (Turkey) — billing address, payment method, transaction history • Email Delivery: Resend, Inc. (US) — email address, name, booking details for notifications • SMS & Voice: Twilio Inc. (US) — phone number, call transcripts for AI phone agent • AI/LLM: Google Gemini (US), OpenAI (US) — chat messages, booking context for AI features • Voice AI: Vapi.ai (US) — phone number, call audio, transcripts for AI phone agent • Voice Synthesis: ElevenLabs (US) — voice samples for AI agent preview • Push Notifications: Firebase/Google (US/EU) — device tokens, notification content • Calendar Integration: Google, Zoom, Microsoft Teams, Cisco Webex — email, meeting metadata • Analytics: Google Analytics (US) — anonymized usage data (only with your consent) Business Customers: If you book appointments through our platform, we share your booking information with the businesses you are scheduling with. Legal Requirements: We may disclose information if required by law, court order, or governmental request. Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We do not sell your personal information to third parties for marketing purposes. We notify users of material changes to our subprocessor list at least 30 days in advance via email.

We implement appropriate technical and organizational measures to protect your information, including: • Encryption of data in transit and at rest • Regular security assessments and penetration testing • Access controls and authentication measures • Employee training on data protection • SOC 2 Type II compliance However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

We retain your personal information for as long as necessary to fulfill the purposes described in this policy. Our specific retention periods are: | Data Category | Retention Period | |---|---| | Account data | Duration of account + 30 days after deletion request | | Booking data | 365 days, anonymized after 180 days | | Customer profiles | 730 days, anonymized after 365 days | | Contact submissions | 90 days (IP addresses anonymized after 30 days) | | Notification logs | 180 days | | API logs | 30 days | | IP addresses | 30 days (anonymized after 7 days) | | Platform admin audit logs | Indefinite (IP addresses anonymized after 1 year) | | Payment records | As required by financial regulations (7-10 years) | When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g., financial records). Legal Basis for Retention: We retain data based on: • Contract performance (Art. 6(1)(b) GDPR) — to provide the service • Legal obligations (Art. 6(1)(c) GDPR) — financial and tax regulations • Legitimate interests (Art. 6(1)(f) GDPR) — security, fraud prevention

Under the General Data Protection Regulation (GDPR), you have the following rights: Right of Access (Art. 15): Request a copy of the personal information we hold about you. You can download your data at any time via Settings > Privacy & Data > Export My Data. Right to Rectification (Art. 16): Request that we correct inaccurate or incomplete information. You can update your profile at any time via Settings > Profile. Right to Erasure (Art. 17): Request that we delete your personal information. You can delete your account via Settings > Security > Delete Account. Non-owner accounts are permanently deleted after a 30-day grace period. Right to Data Portability (Art. 20): Request a copy of your data in a machine-readable format (JSON). Available via Settings > Privacy & Data > Export My Data. Right to Restrict Processing (Art. 18): Request that we limit how we process your data for specific purposes (analytics, marketing, AI processing). Available via Settings > Privacy & Data > Processing Restrictions. Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. Right Regarding Automated Decisions (Art. 22): Request human review of significant automated decisions made about you, including AI-generated recommendations. Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal. Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. For Germany: Bayerisches Landesamt für Datenschutzaufsicht (BayLfDA), https://www.lda.bayern.de/ To exercise any of these rights, use the Privacy & Data settings page, or contact us at privacy@bookingservice.ai. We will respond within 30 days.

We use cookies and similar technologies. You can manage your preferences via the cookie consent banner that appears on your first visit. Types of Cookies: • Essential cookies (always active): Required for basic functionality — session management, authentication, language preferences. These cannot be disabled. • Analytics cookies (opt-in): Help us understand usage patterns via Google Analytics. We only load these if you give explicit consent. Data collected is anonymized where possible. • Marketing cookies (opt-in): Used for targeted advertising and retargeting. Only activated with your consent. • Functional cookies (opt-in): Enable enhanced features like remembering your preferences across sessions. Managing Cookies: You can control cookies through: • The cookie consent banner (appears on first visit, accessible via browser settings) • Your browser's cookie settings • The Privacy & Data settings page in your account Disabling essential cookies may limit your ability to use certain features of our Service. You can withdraw your cookie consent at any time. Legal Basis: Essential cookies are based on legitimate interest. All other cookies require your consent (Art. 6(1)(a) GDPR) and are not loaded until you provide it.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure appropriate safeguards are in place for international transfers, including: • Standard contractual clauses approved by relevant authorities • Compliance with Privacy Shield principles where applicable • Adequacy decisions by data protection authorities

When you connect your Google Calendar, we access your calendar events solely to: • Display your schedule within our booking management interface • Synchronize booking status between our platform and your Google Calendar • Create Google Meet conference links when you select that meeting option for bookings We do not share your Google Calendar data with any AI/ML services or use it to train AI models. Your calendar data is stored in encrypted form and used exclusively to provide and improve your booking experience.

Our Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately, and we will take steps to delete such information.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): • Right to know what personal information is collected • Right to know whether your information is sold or disclosed • Right to opt out of the sale of personal information • Right to non-discrimination for exercising your rights We do not sell personal information as defined under the CCPA. To make a CCPA request, please contact us at privacy@bookingservice.ai or call our toll-free number.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: BookingService.ai Email: privacy@bookingservice.ai Address: Ettinger Str. 18, 85057 Ingolstadt, Germany Data Protection Officer (DPO): Email: dpo@bookingservice.ai Supervisory Authority: For EU residents, you may lodge a complaint with your local data protection authority. In Germany: Bayerisches Landesamt für Datenschutzaufsicht (BayLfDA) https://www.lda.bayern.de/ Data Subject Requests: Submit requests via: • Settings > Privacy & Data in your account • Email: privacy@bookingservice.ai • The GDPR request form on our website We will respond to all requests within 30 days as required by GDPR.