Trust & Compliance
Last updated: June 2026
One page, everything in plain words: how we protect your data, what we do about security, and exactly where we stand on certifications. We would rather show you what we actually do than rent a badge.
Data protection
Your customers' data belongs to you. When your business uses BookZync, you are the data controller and we act as your processor — the commitments are written down in our Data Processing Agreement and the providers we rely on are published on the sub-processor list.
- Export your customer data anytime; delete any record from your dashboard.
- On cancellation: 30 days to export, then deletion (unless the law requires longer, e.g. tax records).
- The AI is instructed never to collect medical details — only a name, contact information, and the requested time.
Security measures
- Encryption in transit (HTTPS/TLS) and at rest on our managed database.
- Strict tenant isolation: every record is scoped to your business; cross-tenant access is treated as not-found by design.
- Administrative access uses two-factor authentication, with step-up verification for sensitive actions.
- Every administrative change is recorded in an audit log.
- Error messages are scrubbed so internal details never leak to a browser.
Payments
Payments run through Paddle, our merchant of record. Your card details are encrypted and handled entirely by Paddle — we never see or store card numbers — and Paddle handles each country's taxes (VAT/GST) and currency at checkout. Details in our Refund Policy.
Messaging compliance
- SMS is consent-based: waitlists and campaigns only text people who opted in.
- STOP is honored automatically: one STOP reply is recorded across our systems, and that person is never texted again by any feature. START re-subscribes them.
- You stay responsible for your own marketing-consent laws (for example TCPA in the US, GDPR in Europe, CASL in Canada) — our Terms spell this out.
AI safety
- The AI quotes only your real services, prices, and hours — it is instructed never to invent information.
- It never diagnoses or gives medical advice; urgent symptoms are directed to local emergency services.
- It never asks for card numbers, passwords, or IDs in chat — payment happens only in secure checkout.
- You can read every conversation it has and have its behavior adjusted.
Certifications — our honest status
We do not yet hold ISO 27001, SOC 2, or HIPAA certification, and we will never imply otherwise. These audits are on our roadmap as we grow — our current HIPAA-readiness status for medical and dental practices is stated plainly on those industry pages today. What you see on this page is what we actually do right now.
Questions or security reports
Found a vulnerability or have a security question? Email [email protected] and we will respond quickly. Everything else: [email protected].