Privacy Policy

BookFlow AI ("Company," "we," "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services. Please read this policy carefully. By using BookFlow AI, you consent to the practices described herein.

1. Information We Collect

1.1 Information You Provide

• Account data: name, email address, phone number, business name, and industry when you register.
• Payment data: billing information processed securely through Paddle. We do not store your full credit card number.
• Lead data: names, phone numbers, email addresses, and any other contact information you upload or integrate via webhooks.
• Onboarding data: business description, preferred language, agent configuration, and calendar credentials.

1.2 Information Collected Automatically

• Usage data: pages visited, features used, clicks, session duration, and interaction patterns.
• Device data: browser type, operating system, IP address, and device identifiers.
• Call data: call recordings, transcripts, duration, sentiment analysis, and outcomes (booked / not interested / no answer).
• Cookies: we use essential cookies for authentication and session management. See Section 7 for details.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the BookFlow AI platform.
• Process AI-powered outbound calls and book appointments on your calendar.
• Process payments and manage your subscription.
• Generate analytics, call quality scores, and performance reports in your dashboard.
• Improve our AI models and voice quality (using anonymized, aggregated data only).
• Send transactional emails (receipts, password resets, onboarding guidance).
• Respond to support requests and communicate about product updates.
• Detect and prevent fraud or abuse of the platform.

3. How We Share Your Information

We do not sell your personal data. We share information only in these limited circumstances:

• Service providers: a limited number of infrastructure, hosting, payment, calendar, voice, and email sub-processors that process data only on our behalf and under strict contractual obligations. The current list is maintained at bookflow.ai/subprocessors.
• Legal requirements: when required by law, subpoena, or government request.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
• With your consent: when you explicitly authorize a third-party integration (e.g., GoHighLevel, HubSpot, Zapier).

4. Call Recordings & Transcripts

BookFlow AI records calls made by the AI agent for quality assurance, analytics, and your review. Recordings and transcripts are:

• Stored securely and accessible only to you through your dashboard.
• Retained for the duration of your subscription plus 30 days after account deletion.
• Not shared with other customers or used for marketing purposes.
• Subject to applicable call recording consent laws. You are responsible for ensuring compliance with two-party consent requirements in your jurisdiction.

5. Data Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.2+ (HTTPS).
• Data at rest is encrypted using AES-256 encryption.
• Authentication is managed through Supabase Auth with secure session tokens.
• Payment processing is PCI-DSS compliant through Paddle — we never store raw card data.
• Access to production systems is restricted and audited.

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

• Account data: retained while your account is active and for 30 days after deletion.
• Call recordings: retained for the duration of your subscription plus 30 days.
• Billing records: retained for 7 years as required by financial regulations.
• Usage analytics: retained in anonymized, aggregated form indefinitely.

You may request earlier deletion of your data by contacting us at hello@bookflow.ai.

7. Cookies & Tracking

We use the following types of cookies:

We do not use third-party advertising cookies. You can disable non-essential cookies in your browser settings.

8. Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: request a copy of the data we hold about you.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of your personal data ("right to be forgotten").
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to certain processing activities.
• Restriction: request that we limit how we process your data.
• Opt-out of sale: we do not sell personal data, but California residents may make a formal request under CCPA.

To exercise any of these rights, email us at hello@bookflow.ai with the subject line "Privacy Request." We will respond within 30 days.

9. International Data Transfers

BookFlow AI is hosted on infrastructure located in the United States (Vercel, Supabase). If you access the Service from outside the US, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place in compliance with GDPR, including standard contractual clauses where applicable.

10. Children's Privacy

BookFlow AI is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact Us

For any privacy-related questions or requests, contact us at: