Bookingflow
Sign inGet started

Privacy Policy

Last updated: June 9, 2026

No third-party advertisements. BookingFlow does not display third-party ads on our website or inside our product. We do not sell your personal information, and we do not run advertising networks against your data or your callers' data.

1. Who we are

This Privacy Policy describes how BookingFlow LLC ("BookingFlow," "we," "us," or "our"), a limited liability company registered in the State of New Mexico, USA, collects, stores, uses, and shares information when you use our services (the "Services"), including our website at https://bookingflow.org and any related websites, dashboards, or applications that link to this Privacy Policy.

BookingFlow is an online business that provides AI receptionist services to small businesses worldwide. Our AI answers calls, books appointments on connected calendars, qualifies leads, and follows up with customers on behalf of our subscribers.

Questions about this notice? Email us at support@bookingflow.org.

2. Summary of key points

  • What we collect: account details you give us, business configuration data you enter, integration tokens you authorize, and call/recording data that flows through your AI receptionist.
  • Why we collect it: to provide, operate, secure, and improve the Services — never to advertise to you.
  • Sensitive data: we process call recordings and transcripts because that is the core of the Service. We minimize what we keep and protect it with encryption.
  • Sharing: only with vetted service providers (telephony, voice AI, cloud hosting, payments) under contract, or when required by law.
  • Your rights: you can access, export, correct, or delete your data, disconnect integrations, and close your account at any time.
  • Security: encryption in transit and at rest, role-based access controls, and least-privilege defaults. No system is 100% secure, but we treat your data like our own.

3. Information we collect

Information you provide directly.

  • Account information: name, email address, password (hashed), and business name.
  • Business configuration: greeting script, business hours, services offered, FAQs, and other prompts you set up for your AI receptionist.
  • Contact & support: messages you send us through the contact form or by email.
  • Billing: when you purchase a plan, payment is processed by Stripe. We receive limited billing metadata (amount, last four digits of the card, brand, expiry). We do not store full card numbers — see Stripe's privacy policy.

Information collected automatically.

  • Log and device data: IP address, browser type, operating system, referring URLs, timestamps, and feature usage. We use this for security, debugging, and analytics.
  • Cookies and similar technologies: strictly necessary cookies to keep you signed in, plus first-party analytics (Google Analytics) and product analytics (Microsoft Clarity) to understand how the Services are used. You can control cookies in your browser.

Call data processed through the Services.

  • Caller phone number, call duration, timestamps.
  • Audio recordings of calls handled by your AI receptionist.
  • Transcripts and structured data extracted from those calls (name, preferred appointment time, message left, etc.).
  • Appointment data created on your connected calendar.

Call data belongs to the subscriber (the business that owns the phone number). We process it on your behalf so you can review calls, train your AI, and deliver service to your customers.

Information from integrations you authorize.

  • Google OAuth tokens (Google Calendar) to read availability and create, update, or cancel appointments. We request the minimum scopes needed.
  • Telephony numbers we provision for you through Twilio.

4. How we use your information

We use your information only for legitimate business purposes related to operating BookingFlow:

  • Provide, maintain, and improve the Services.
  • Authenticate you, manage your account, and process payments.
  • Operate your AI receptionist: answer calls, book appointments on your connected calendar, send confirmations, and surface call history in your dashboard.
  • Send service-related emails (account changes, receipts, policy updates).
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with our legal obligations and enforce our Terms.

We do not sell your data, rent it, share it with data brokers, use it to train third-party AI models, or use it for cross-context behavioral advertising.

5. Legal bases for processing (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

  • Performance of a contract — to deliver the Services you subscribed to.
  • Legitimate interests — to secure, debug, and improve the Services.
  • Consent — for optional cookies or features that require it; you can withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, and law-enforcement obligations.

6. Google API services and limited use

BookingFlow uses Google OAuth to access your Google Calendar. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request only calendar scopes needed to book appointments. We do not transfer Google user data to third parties except as necessary to operate the Service, we do not use it for advertising, and we do not allow humans to read it except with your explicit permission, for security investigations, or where required by law.

7. How we share information

We share information only in the following circumstances:

  • Service providers under contract: telephony (Twilio), voice AI (Vapi), cloud hosting and database (Supabase / Cloudflare), payment processing (Stripe), email delivery (Mailgun), and analytics (Google Analytics, Microsoft Clarity). Each is bound by a data processing agreement and only processes data on our instructions.
  • Legal compliance: when required by subpoena, court order, or applicable law, or to protect our rights, property, or safety.
  • Business transfers: in connection with a merger, acquisition, or sale of assets. We will notify you of any change in ownership or material change in data practices.
  • With your direction: when you explicitly enable an integration or ask us to share your data.

8. Third-party websites and services

Our Services may link to third-party websites or include third-party integrations (Google, Stripe, Twilio, etc.). We are not responsible for the privacy practices of those third parties. We encourage you to review their policies.

9. Cookies and tracking

We use first-party cookies to keep you signed in and to remember preferences. We also use first-party analytics (Google Analytics) and session-replay analytics (Microsoft Clarity) to understand how the Services are used so we can improve them. You can disable cookies in your browser; some features may not work correctly without them.

10. Data retention

We retain account information for as long as your account is active. Call recordings and transcripts are retained for the duration of your subscription so you can review them, and are deleted within 30 days of account closure unless we are legally required to keep them longer (for example, for tax records or active disputes). You may request earlier deletion at any time.

11. Security

We protect your information with administrative, technical, and physical safeguards including TLS encryption in transit, encryption at rest for stored data, hashed passwords, role-based access controls, least-privilege defaults, and ongoing monitoring. We also enforce row-level security policies in our database so customers cannot read each other's data. No method of transmission or storage is 100% secure, but we work hard to keep your data safe. If we become aware of a data breach that affects your personal information, we will notify you as required by applicable law.

12. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your personal information, subject to legal exceptions.
  • Export a copy of your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent at any time, where we relied on consent.
  • Lodge a complaint with your local data protection authority (EEA/UK residents).

You can disconnect your Google Calendar integration at any time from your account settings, and you can request account deletion by emailing support@bookingflow.org. We will honor verified requests in accordance with applicable law.

13. California, Virginia, and other U.S. state privacy rights

California (CCPA/CPRA), Virginia (VCDPA), Colorado, Connecticut, Utah, and other U.S. state residents have additional rights regarding their personal information, including the right to know what we collect, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of "sale" or "sharing" of personal information. BookingFlow does not sell or share personal information for cross-context behavioral advertising. To exercise any of these rights, email support@bookingflow.org. We will not discriminate against you for exercising your privacy rights.

14. International data transfers

BookingFlow is operated from the United States. If you access the Services from outside the U.S., your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for international transfers.

15. Children's privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

16. Do Not Track

Most browsers offer a "Do Not Track" (DNT) setting. There is no industry-standard interpretation of DNT signals, so we currently do not respond to them. We will update this notice if that changes.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last updated" date and will be effective when posted. If we make material changes, we will notify you by email or by prominently posting notice in the product. Your continued use of the Services after changes take effect constitutes acceptance of the revised policy.

18. Contact us

BookingFlow LLC
Registered in New Mexico, USA
Email: support@bookingflow.org