Privacy Policy
Effective date: 5 July 2026 · Last updated: 5 July 2026
1. Introduction
Xaiotech Pty Ltd ABN 63 821 547 002 trading as Bookaiq (“Bookaiq,” “we,” “us,” or “our”) operates the Bookaiq appointment scheduling and booking management platform (the “Service”).
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Service, visit our websites, or interact with us. It applies to all users of the Service, including business owners (“Workspace Owners”), their staff members, and the clients who book appointments through the platform (“Booking Clients”).
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Information you provide directly
- Account information: When you create a Bookaiq account, we collect your name, email address, password (hashed), business name, timezone, and industry type.
- Business profile: Business name, address, phone number, logo, service descriptions, pricing, and availability schedules.
- Booking information: When Booking Clients make appointments, we collect their name, email address, phone number, and any additional information collected through intake forms configured by the Workspace Owner.
- Payment information: Credit card details and billing addresses are collected and processed directly by Stripe, Inc. We do not store complete payment card numbers on our servers. We receive only a tokenised reference and last four digits for display purposes.
- Communications: When you contact our support team, submit feedback, or communicate through the Service, we collect the content of those communications.
2.2 Information collected automatically
- Usage data: Pages visited, features used, actions taken, booking patterns, and performance metrics.
- Device information: Browser type and version, operating system, device type, screen resolution, and language preferences.
- Log data: IP addresses, access times, referring URLs, and error logs for security and debugging purposes.
- Cookies and similar technologies: We use essential cookies for authentication, session management, and security. See Section 7 for details.
2.3 Information from third parties
- Social sign-in: If you sign in using Google or Microsoft, we receive your name, email address, and profile picture from the identity provider.
- Calendar integrations: If you connect Google Calendar or Outlook/Microsoft 365, we access calendar event data to check availability and prevent double-bookings.
- Conferencing providers: If a booking is held as an online video appointment, Google Meet, Microsoft Teams, or Zoom provides us with the meeting join link and identifiers for that booking.
- Payment providers: Stripe provides us with transaction status, payment confirmation, and dispute information. For customers billed by Lemon Squeezy, we receive subscription status and payment confirmations.
- Business integrations: If a Workspace Owner connects Xero, we receive invoice identifiers and status; if they connect a Meta account, we receive Facebook/Instagram Page names and identifiers.
3. How We Use Your Information
We use personal information for the following purposes:
- Providing the Service: Processing bookings, managing schedules, sending confirmations and reminders, processing payments, and enabling communication between Workspace Owners and Booking Clients.
- Account management: Creating and managing your account, authenticating your identity, and providing customer support.
- Service improvement: Analysing usage patterns to improve features, fix bugs, optimise performance, and develop new functionality.
- Communication: Sending transactional emails (booking confirmations, reminders, receipts), service announcements, and security alerts. We do not send marketing emails without your explicit consent.
- Security and fraud prevention: Detecting, preventing, and responding to security incidents, fraud, abuse, and violations of our Terms of Service.
- Legal compliance: Complying with applicable laws, regulations, legal processes, and government requests.
- Analytics and reporting: Providing Workspace Owners with aggregated analytics about their booking activity and business performance.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share information only in the following circumstances:
4.1 Between Workspace Owners and Booking Clients
When a Booking Client makes an appointment, their contact information and booking details are shared with the relevant Workspace Owner and their authorised staff. This is necessary to provide the scheduling service.
4.2 Service providers
We use trusted third-party service providers to operate the Service:
- Supabase (Supabase, Inc.): Database hosting and authentication services. Data is stored in Australian data centres where available.
- Stripe (Stripe, Inc.): Payment processing. Subject to Stripe’s Privacy Policy.
- Vercel (Vercel, Inc.): Application hosting and content delivery.
- Bird (Bird B.V., formerly MessageBird): SMS delivery for booking reminders and confirmations (our primary SMS provider), WhatsApp message delivery where enabled, and transactional email delivery.
- Resend (Resend, Inc.): Transactional email delivery (alternate/fallback route).
- Twilio (Twilio Inc.): Legacy SMS delivery route, retained as a contingency fallback only.
- Lemon Squeezy (Lemon Squeezy, LLC): Merchant-of-record subscription billing for customers outside Australia. Lemon Squeezy collects payment details, calculates local taxes, and issues the invoice; we receive subscription status, not full payment details.
- Google (Google LLC): Google sign-in, Google Calendar sync, Google Meet links for online-video bookings, the Places API and static maps used for business address search and display, and Firebase Cloud Messaging for push notifications to the Bookaiq Android app.
- Microsoft (Microsoft Corporation): Microsoft sign-in, Outlook/Microsoft 365 calendar sync, and Microsoft Teams meeting links for online-video bookings.
- Zoom (Zoom Communications, Inc.): Zoom meeting links for online-video bookings, engaged only when a Workspace Owner connects their Zoom account.
- Xero (Xero Limited): Invoice creation in the Workspace Owner’s own Xero organisation, engaged only when a Workspace Owner connects Xero.
- Meta (Meta Platforms, Inc.): Facebook/Instagram Page connection (where available), engaged only when a Workspace Owner connects their Meta account.
Each provider processes data only as instructed by us and is contractually bound to protect your information. The full list, including the data each provider processes and its hosting region, is published at bookaiq.com/legal/sub-processors.
4.3 Legal requirements
We may disclose information if required by law, subpoena, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and your options regarding your information.
4.5 Third-party services you connect
Some features work by connecting the Service to an account you already hold with a third party. When you (or a staff member acting for your workspace) connect one of these services, Bookaiq exchanges data with that provider at your direction, and the provider processes that data in your own account under its own terms and privacy policy — not this one:
- Google — Google Calendar sync and Google Meet links (policies.google.com/privacy)
- Microsoft — Outlook/Microsoft 365 calendar sync and Microsoft Teams links (privacy.microsoft.com)
- Zoom — video meeting links for online bookings (zoom.us/privacy)
- Xero — invoices created in your Xero organisation (xero.com/legal/privacy)
- Meta — Facebook/Instagram Page connection, where available (facebook.com/privacy/policy)
In addition:
- Your own email provider: Workspace Owners may connect their own Gmail / Microsoft 365 mailbox (or their own SMTP server) so booking emails are sent from their own address. Those messages are then transmitted through the Workspace Owner’s own email provider, not Bookaiq’s.
- Your own analytics tags: Workspace Owners may add their own Google Analytics 4 measurement ID and/or Meta Pixel ID to their public booking page. Those tags send events directly from the visitor’s browser to Google or Meta under the Workspace Owner’s own account.
You can disconnect these services at any time in Settings → Integrations, and you can also revoke Bookaiq’s access from the provider’s own security settings. Disconnecting stops future data flows but does not delete data already held in your third-party account. The full list of providers, with the data each processes, is published at bookaiq.com/legal/sub-processors.
5. Data Security
We implement industry-standard security measures to protect your information:
- All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Passwords are hashed using bcrypt and never stored in plain text.
- Database access is protected by row-level security policies, ensuring users can only access their own data.
- API endpoints require authenticated sessions with JWT tokens.
- We conduct regular security reviews and monitoring.
- Access to production systems is restricted to authorised personnel with multi-factor authentication.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to support@bookaiq.com.
6. Data Retention
We retain your personal information as follows:
- Account data: Retained while your account is active and for 30 days after account closure to allow for reactivation.
- Booking records: Retained for the duration of the Workspace Owner’s account, plus 7 years for financial and legal compliance purposes.
- Payment records: Retained as required by applicable tax and financial regulations (typically 7 years).
- Usage logs: Retained for up to 90 days for debugging and security purposes, then anonymised or deleted.
- Support communications: Retained for 2 years to provide context for ongoing support relationships.
You may request earlier deletion of your data subject to our legal retention obligations. See Section 8 for details on your rights.
7. Cookies and Tracking Technologies
7.1 Essential cookies
We use essential cookies that are strictly necessary for the Service to function. These include authentication session cookies, CSRF protection tokens, and user preference cookies. These cannot be disabled.
7.2 Analytics
We may use privacy-respecting analytics to understand how the Service is used. We do not use third-party advertising cookies, cross-site tracking, or fingerprinting technologies.
7.3 Booking page tracking
Public booking pages can use a first-party visitor identifier cookie to provide attribution analytics to Workspace Owners (such as how clients found their booking page). This cookie is set only after you accept the cookie notice shown on the booking page; if you decline, no identifier cookie is set and the visit is counted without a persistent identifier. The cookie does not track users across other websites.
7.4 Cookie Policy
The full list of cookies we set, their durations, and your choices is published in our Cookie Policy.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
8.1 All users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to our legal retention obligations.
- Data portability: Export your data through the Service’s export features or by contacting support.
- Withdraw consent: Where processing is based on consent, you may withdraw consent at any time.
8.2 Australian Privacy Act
If you are an Australian resident, you have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.
8.3 GDPR (European Economic Area)
If you are in the EEA, you have additional rights under the General Data Protection Regulation, including the right to restriction of processing, the right to object to processing, and the right to lodge a complaint with a supervisory authority. Our legal basis for processing is contractual necessity (to provide the Service), legitimate interest (to improve and secure the Service), and consent (where applicable).
8.4 UK GDPR (United Kingdom)
If you are in the United Kingdom, you have equivalent rights under the UK GDPR and the Data Protection Act 2018, including access, rectification, erasure, restriction, portability, and the right to object to processing based on legitimate interest. You may lodge a complaint with the Information Commissioner’s Office (ICO).
8.5 California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect and the purposes, to request deletion or correction, and to non-discrimination for exercising your rights. We do not sell or share (for cross-context behavioural advertising) your personal information, so there is no sale or sharing to opt out of. We do not use sensitive personal information beyond what is necessary to provide the Service.
8.6 New Zealand (Privacy Act 2020)
If you are in New Zealand, you have rights of access to and correction of your personal information under the Privacy Act 2020 and its Information Privacy Principles. You may complain to us, or to the Office of the Privacy Commissioner if you believe your privacy has been interfered with.
8.7 Canada (PIPEDA)
If you are in Canada, you have the right to access and correct your personal information and to withdraw consent to its processing, subject to legal or contractual restrictions, under the Personal Information Protection and Electronic Documents Act (PIPEDA). You may complain to us, or to the Office of the Privacy Commissioner of Canada.
8.8 Exercising your rights
To exercise any of these rights, contact us at support@bookaiq.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
9. International Data Transfers
Bookaiq is operated from Australia. Your information may be processed in countries other than your own, including Australia and the United States (where our service providers are located). We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.
10. Data Processing for Workspace Owners
When Workspace Owners use Bookaiq to manage their client bookings, they act as the data controller for their client data, and Bookaiq acts as a data processor. Workspace Owners are responsible for:
- Ensuring they have a lawful basis to collect and process their clients’ personal information through the Service.
- Providing appropriate privacy notices to their clients.
- Responding to data subject requests from their clients regarding data held in their Bookaiq workspace.
- Configuring appropriate data collection through intake forms and booking settings.
Bookaiq’s processing of data on behalf of Workspace Owners is governed by our Data Processing Addendum.
10a. Outbound Time-Slot Offers
If a business using Bookaiq creates a time-slot offer for you (typically by emailing you a link of the formbookaiq.com/o/…), Bookaiq stores the offer’s metadata — the service, staff, location, and slot times — for up to 90 days. Bookaiq does NOT send the offer email; the business pastes the offer block into their own email.
When you click an offer link, Bookaiq records the click and the booking (if you complete one) server-side. No tracking pixel is embedded in the offer email. No read receipts. No view detection.
If the business providing the offer entered your name or email as a reference, that data is stored alongside the offer for 90 days and then automatically deleted. You can request earlier deletion by contacting support@bookaiq.com.
10b. Health and Sensitive Information
Some businesses using Bookaiq — such as clinics and allied health practices — may configure their intake forms to collect health-related information that is necessary for the booked service. Bookaiq processes that information solely on the instructions of the Workspace Owner, who is the controller of it and is responsible for having any consent or other lawful basis required by applicable law.
Under the Australian Privacy Act 1988, health information is “sensitive information” subject to stricter handling requirements under the Australian Privacy Principles, including consent for its collection. Equivalent rules apply elsewhere (for example, GDPR Article 9 special-category data). The conditions for collecting health and other special-category information through the Service are set out in our Acceptable Use Policy. Bookaiq is not a HIPAA business associate and does not offer a Business Associate Agreement.
11. Children’s Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at support@bookaiq.com and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The “Last updated” date at the top of this policy indicates when it was last revised.
Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- All enquiries (privacy, security, support): support@bookaiq.com — add “Privacy request” or “Security” to the subject so we can route it quickly
- Xaiotech Pty Ltd, Perth, Western Australia, Australia