Privacy Policy

Aptvy ("Aptvy", "we", "us", or "our") provides online scheduling and booking software that businesses use to accept appointments, manage their calendars, and communicate with their customers. This Privacy Policy explains what information we collect, how we use and share it, the choices you have, and the steps we take to protect it. It applies to our website, booking pages, and dashboards (together, the "Service").

By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

Aptvy serves two groups: the businesses that use Aptvy to run their scheduling ("Businesses"), and the customers who book appointments with those Businesses ("Customers").

• For Business account information (owner and staff accounts, business profile, and settings), Aptvy is the data controller.
• For Customer booking information, the Business you book with is the controller of that information and decides how it is used. Aptvy processes that information on the Business’s behalf to provide the Service. If you are a Customer and want to access, correct, or delete your booking information, you can contact the Business directly or reach us using the details below and we will assist or route your request.

We collect the following categories of information:

• Business account data: name, email address, and the password you set (passwords are stored only as salted hashes by our authentication provider; we never see your plaintext password). This also includes business profile details such as business name, contact information, services, pricing, availability, and booking-page settings.
• Customer booking data: the name, email address, and phone number a Customer provides when requesting an appointment, along with the service selected, requested date and time, any notes, and their notification preference (email, SMS, or both).
• Communications data: transactional messages we send on a Business’s behalf (booking confirmations, reminders, review requests, account notices) and a log of those send attempts and their delivery status.
• Reviews and feedback: ratings or reviews a Customer chooses to submit after an appointment.
• Technical and usage data: information automatically generated when you use the Service, such as IP address, browser and device type, pages viewed, and timestamps, used to operate, secure, and improve the Service.
• Cookies and similar technologies: see "Cookies and tracking" below.

We do not intentionally collect special categories of sensitive personal information (such as health, biometric, or financial account data). Please do not enter such information into free-text fields.

We use the information we collect to:

• Create and manage Business accounts and authenticate users.
• Process and manage appointment requests, confirmations, reschedules, cancellations, and waitlists.
• Send transactional communications such as confirmations, reminders, review requests, and important account notices by email and, where enabled and consented to, SMS.
• Operate, maintain, secure, debug, and improve the Service.
• Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
• Comply with legal obligations and enforce our agreements.

We do not sell your personal information, and we do not use it for third-party advertising or behavioral ad targeting.

We share information only as described here:

• With the relevant Business: Customer booking information is shared with the Business the Customer books with, so it can fulfill and manage the appointment.
• With service providers (sub-processors) who help us run the Service under contracts that require them to protect the information and use it only to provide their services to us. These currently include: Supabase (database, authentication, and file storage; hosted in the United States), Vercel (application hosting and content delivery), Resend (transactional email delivery), and Twilio (SMS delivery, where SMS messaging is enabled).
• For legal reasons: when we reasonably believe disclosure is required to comply with a law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Aptvy, our users, or the public.
• In a business transfer: if Aptvy is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.

We use strictly necessary cookies to keep you signed in and to keep your session secure; these are set as secure, HTTP-only cookies by our authentication provider. We also store small preferences (such as your light/dark theme) locally in your browser. We do not use third-party advertising or cross-site tracking cookies. Because our cookies are essential to the Service functioning, disabling them may prevent you from signing in or booking.

We take reasonable and appropriate measures to protect your information, including encryption in transit (HTTPS/TLS), hashed passwords, secure HTTP-only session cookies, verified authentication tokens, database access controls that isolate each Business’s data, and restricted internal access. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your information and to address vulnerabilities promptly.

We retain information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Business account data is retained while the account is active. Customer booking data is retained according to the needs of the Business you booked with. When information is no longer needed, we take steps to delete or anonymize it. A Business owner can request deletion of their account and associated data as described below.

Depending on where you live, you may have rights to access, correct, update, delete, or obtain a copy of your personal information, to object to or restrict certain processing, and to not be discriminated against for exercising these rights. To exercise any of these rights, contact us at the email below; if your request concerns booking information held by a Business, we may direct or assist you in reaching that Business, who is the controller of that data.

California residents: we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. You may still exercise the access and deletion rights described above. We will verify your identity before fulfilling a request and will not discriminate against you for making one.

EU/UK residents: where applicable, we process personal information under lawful bases including performance of a contract (providing the Service), legitimate interests (operating and securing the Service), consent (where required, such as certain communications), and compliance with legal obligations.

We send transactional messages that are part of the Service (for example, booking confirmations and reminders). You can opt out of marketing emails at any time using the unsubscribe link, and you can reply STOP to opt out of SMS messages where SMS is offered. Note that you may still receive essential account or transactional messages necessary to provide the Service.

The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will take appropriate steps to delete it.

We operate the Service from, and store information in, the United States. If you access the Service from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your country.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an update takes effect means you accept the revised Policy.

Questions, concerns, or privacy requests can be sent to us at kuceradesigns@gmail.com. If your request relates to information held by a specific Business, you may also contact that Business directly.