Privacy Policy
Effective date: April 12, 2026
Overview
Appointed ("we", "us", "our") provides salon booking software, Stripe Terminal point-of-sale, and an AI receptionist service to salon and service-business operators. This policy describes how we collect, use, disclose, and protect personal information when you visit appointedbooking.com, book a demo, or use the Appointed platform.
We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy laws.
Privacy Officer
Our privacy officer is responsible for our compliance with this policy. For any privacy-related questions, concerns, or requests, contact:
Privacy Officer
Appointed
Email: [email protected]
Information We Collect
Website visitors
When you visit appointedbooking.com, the following information may be collected automatically:
- IP address, browser type, device type, and operating system
- Pages visited, referral source, and country of origin
This data is collected by Cloudflare, our hosting provider, for security and aggregate analytics purposes. Cloudflare Web Analytics does not use cookies and does not track you across websites.
Our website loads fonts from Google Fonts (fonts.googleapis.com). When you load a page, your browser sends your IP address and browser information to Google to retrieve the font files.
Lead form and demo requests
When you submit the lead form on appointedbooking.com, we collect:
- Your name and email address
- Your salon name and the booking software you currently use
- Your PIPEDA consent acknowledgement
This information is transmitted via Resend to [email protected] and is used solely to respond to your inquiry and schedule a demo. Cloudflare Turnstile is used to verify that the submission is not automated; Turnstile does not use tracking cookies.
Client contact and booking information
When a salon uses the Appointed platform, the following information is collected about their clients:
- Client name, email address, and phone number
- Booking history (services, stylists, dates, notes, cancellations)
- Service preferences and any notes recorded by staff
Appointed acts as a data processor on behalf of the salon (the data controller) for this information.
Payment metadata
Payments are processed directly by Stripe. Appointed does not store full card numbers, CVVs, or bank account credentials. We retain only the payment metadata Stripe returns to us: amount, currency, last four digits, card brand, tip amount, and Stripe payment identifiers. All card data is handled by Stripe under PCI DSS.
AI receptionist calls
When the AI receptionist handles an inbound call on behalf of a salon, the following may be collected:
- Caller name, phone number, and email address (if provided)
- Booking details discussed during the call (service, preferred date, stylist)
- Voice audio and transcript of the conversation
At the start of each call, the AI agent identifies itself as an AI assistant. Recording is disclosed at the beginning of the call.
How We Use Your Information
We use personal information for the following purposes:
- To respond to lead form submissions and schedule demos
- To provide the Appointed booking, POS, and AI receptionist services to our salon clients
- To process and confirm appointments, including preventing double-bookings at the database level
- To process payments through Stripe on behalf of salon operators
- To improve the quality and reliability of our services
- To ensure platform security and prevent abuse
- To comply with legal obligations
We do not sell, rent, or share your personal information with third parties for marketing purposes.
Consent
We collect and use personal information with your knowledge and consent. Depending on the context, consent may be:
- Express — for the lead form (checkbox), call recording, and any sharing of data with third parties beyond our documented processors
- Implied — for information reasonably necessary to provide a service you have requested (e.g., booking an appointment through a salon that uses Appointed)
You may withdraw your consent at any time by contacting us at [email protected]. Withdrawal may affect our ability to provide certain services.
Third-Party Service Providers
We rely on the following third-party processors to operate Appointed:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Cloudflare | Website hosting, CDN, security, Turnstile bot protection, email routing, analytics | IP address, web traffic data, email content (routing only) | United States / Global |
| Resend | Transactional email delivery (lead form, booking confirmations) | Name, email address, message body | United States |
| Stripe | Payment processing, Stripe Terminal point-of-sale, tip handling, payouts | Cardholder data, payment amounts, tip amounts | United States / Canada |
| ElevenLabs | AI voice synthesis and speech processing for the AI receptionist | Voice audio, conversation transcripts | United States |
| Twilio | Voice telephony and SMS notifications for the AI receptionist | Phone number, call audio, SMS message content | United States |
| Google Fonts | Typography on the marketing site | IP address, browser information | United States |
Each third-party processor is bound by its own privacy policy and data processing obligations. We require contractual protections consistent with this policy.
Cross-Border Data Transfers
Your personal information may be stored and processed in the United States or other countries where our service providers operate. When your information is in another jurisdiction, it is subject to the laws of that jurisdiction and may be accessible to law enforcement and government agencies under those laws. We remain accountable for the protection of your personal information regardless of where it is processed.
Data Processor and Controller Roles
For our marketing website and direct business relationships (lead form, demos, billing), Appointed is the data controller and is responsible for your personal information.
For our booking platform, point-of-sale, and AI receptionist services, we act as a data processor on behalf of our salon clients (the data controllers). When a client books an appointment at a salon that uses Appointed, the salon is responsible for the personal information collected; we process it under their instructions and our contractual obligations.
Data Retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected:
- Website analytics — retained by Cloudflare per their standard retention period (aggregate data only)
- Lead form submissions — retained for the duration of the sales conversation and a reasonable period afterward; deleted on request
- Client and booking data — retained for the duration of the salon's subscription and returned or destroyed on termination per our processor agreement
- Payment metadata — retained as required by Stripe and Canadian tax law (minimum six years)
- AI receptionist recordings and transcripts — retained for quality improvement for 90 days unless a longer period is required by the salon or by law
When personal information is no longer needed, it is securely destroyed or anonymized.
Security
We protect personal information with safeguards appropriate to the sensitivity of the information, including:
- HTTPS/TLS encryption for all website and API traffic
- Database-level overlap prevention and row-level tenant isolation
- Cloudflare security services (DDoS protection, Turnstile bot mitigation, WAF)
- Access controls and authentication for administrative systems
- PCI DSS compliance delegated to Stripe for cardholder data
- Contractual security requirements for third-party processors
No method of transmission over the internet is 100% secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.
Cookies and Tracking
Our marketing website does not use cookies for tracking or advertising. Cloudflare Web Analytics collects aggregate, privacy-respecting data without cookies or cross-site tracking. The Appointed platform uses a first-party session cookie to keep salon operators and clients signed in while they use the booking portal.
Your Rights
Under PIPEDA and applicable Canadian privacy laws, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request that inaccurate or incomplete information be corrected
- Deletion — request that your personal information be destroyed or anonymized when it is no longer needed
- Withdraw consent — withdraw your consent for collection, use, or disclosure at any time
To exercise any of these rights, contact our privacy officer at [email protected]. We will respond within 30 days.
Data Breach Notification
In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm, we will:
- Notify affected individuals as soon as feasible
- Report the breach to the Office of the Privacy Commissioner of Canada
- Notify any other organizations that may be able to reduce the risk of harm
We maintain records of all security breaches for a minimum of 24 months as required by law.
Children's Privacy
Our services are directed to salons and service businesses, not to individuals under the age of 18. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.
Complaints
If you have concerns about how we handle your personal information, please contact our privacy officer first. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
Contact
For any questions about this privacy policy or our privacy practices, contact us at [email protected].