Privacy Policy
This Privacy Policy explains how PeasyBooking Technologies Inc. (“PeasyBooking”, “we”) handles personal information. It is written to align with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including provincial health-information laws such as Ontario’s PHIPA, where they apply.
1. Two roles for personal information
Account and provider information. When a business signs up and uses PeasyBooking, we act as the organization responsible for the personal information of account holders and staff (for example, names, emails, and login activity). This Policy governs that information.
Client and patient information. When a clinic or salon uses PeasyBooking to manage its own clients, we process that information on the business’s behalf and under its instructions. The business is responsible for that information; our handling of it is governed by our Data Processing Agreement. Individuals with questions about their records should contact the business that serves them.
2. Information we collect
- Account & business data: name, email, phone, business name and details, role, and preferences.
- Booking & service data: appointments, services, notes, and related records you enter.
- Payment data: subscription and payment activity. Card details are handled directly by our payment processor (Stripe); we do not store full card numbers.
- Usage & device data: log data, IP address, browser type, and actions taken, used to operate and secure the service.
- Communications: messages you send us for support.
3. Why we use it, and consent
We use personal information to provide, maintain, secure, and improve the service; to process subscriptions and payments; to send transactional messages (such as password resets and account notices); and to comply with legal obligations. Consistent with PIPEDA, we collect, use, and disclose personal information for purposes a reasonable person would consider appropriate, and we obtain consent where required. You may withdraw consent subject to legal and contractual limits, though some withdrawals may mean we can no longer provide the service.
4. Service providers (sub-processors)
We share personal information with vetted service providers only as needed to run the service, under contracts that limit their use of it:
- Google Cloud Platform — hosting, database, and file storage.
- Google Identity Platform / Firebase Authentication — account sign-in and authentication.
- Stripe — subscription billing and payment processing.
- Resend — sending transactional email (for example, password-reset and verification messages).
- SMS provider — sending text-message reminders, where you enable SMS (currently optional).
We do not sell personal information. We may disclose information if required by law, to enforce our agreements, or to protect rights and safety. A current list of sub-processors is maintained in our Data Processing Agreement.
5. Where your data is stored
Customer data is hosted in Canada, in Google Cloud’s northamerica-northeast1 (Montréal) region. Some service providers (for example, payment and email providers) may process limited data outside Canada to deliver their services; where that occurs, the information remains subject to contractual and legal protections.
6. How we protect it
We use technical and organizational safeguards appropriate to the sensitivity of the information, including encryption in transit and at rest, network isolation, role-based access controls, and audit logging. Sensitive client records are stored in an encrypted records vault. No method of transmission or storage is perfectly secure, and we do not currently claim formal HIPAA compliance or a SOC 2 attestation.
7. Retention and deletion
We retain personal information for as long as your account is active and as needed to provide the service or meet legal obligations. When a business account is closed, a 30-day grace period applies, after which the account and its associated non-clinical data are permanently deleted. Clinical notes and records-vault (health) data are not deleted on that timer: they are deleted only on the business’s documented instruction, after it confirms that its record-retention, preservation, and legal obligations have been satisfied — reflecting clinics’ multi-year statutory and professional record-retention duties. Backups are retained on a rolling basis and age out over time.
8. Your rights
Subject to applicable law, you may request access to the personal information we hold about you, ask us to correct it, or withdraw consent. We will respond within the timeframes PIPEDA requires. To exercise these rights, contact us using the details below. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada. (Individuals seeking access to client records held by a business using PeasyBooking should contact that business directly.)
Data portability. Where Quebec’s Law 25 applies to you, you may request that the computerized personal information you provided to us be communicated to you in a structured, commonly used, machine-readable format (for example, CSV or JSON), or, at your request and where technically feasible, transmitted directly to a person or body authorized by law to collect it. Send the request to our Privacy Officer using the contact details below and identify it as a “data portability request”; after we verify your identity, we provide it within the timeframes the law requires, at no charge in the ordinary case.
9. Cookies
We use strictly necessary cookies and similar technologies to keep you signed in and to operate the service securely. We do not use them for third-party advertising.
10. Children
PeasyBooking is a business tool and is not directed to children. Where a business records information about minor clients, it does so under its own authority and responsibility.
11. Breach notification
If a breach of security safeguards creates a real risk of significant harm, we will notify affected parties and the Office of the Privacy Commissioner of Canada as required by PIPEDA, and will keep records of breaches as required.
12. Changes and contact
We may update this Policy from time to time and will post the new effective date. Privacy questions or requests: PeasyBooking Technologies Inc., Attn: Privacy Officer, 150 Evergreen Mount SW, Calgary, AB T2Y 0L8, or info@peasybooking.com.
Our governance policies and practices for personal information — including who our Privacy Officer is, our retention and destruction framework, how access is controlled, and how complaints are handled — are published in simple and clear terms on our Privacy Governance page, as required by Quebec’s Law 25.