Privacy Policy

YBook ("we", "us", "our") operates a multi-tenant appointment booking platform. This Privacy Policy explains how we collect, use, and protect your information when you use our service at ybook.app (the "Platform").

1. Information We Collect

Account Information

When you sign in via WorkOS (Google or Microsoft OAuth), we receive your name and email address. You may optionally provide a phone number in your account settings.

Booking Information

When you book an appointment, we collect the date, time, services selected, and any responses to custom booking form fields set by the business. Guest bookings collect your name, email, and phone number.

Customer Records

Business owners may create customer records that include visit history, tags, and notes. This data is managed by the individual business and visible only to that business's team.

Reviews

If you leave a review after an appointment, we store your star rating and comment. Reviews may be displayed publicly on the business's landing page, depending on the business owner's settings.

Inventory & Rental Data

If a business uses inventory tracking, checkout/return records, item condition, and any damage notes are stored in connection with your appointment.

Automatically Collected Information

We collect IP addresses and user agent strings for security purposes. This information is stored in audit logs to detect and prevent unauthorized access.

Cookies

We use a single cookie called session_token to keep you signed in. It is an httpOnly, SameSite=lax cookie with a 30-day expiry. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

2. How We Use Your Information

• •Provide and operate the booking platform
• •Process and manage your appointments
• •Send transactional emails (confirmations, reminders, cancellations) via Brevo
• •Send SMS notifications (confirmations, reminders) via Brevo, if enabled
• •Authenticate your identity via WorkOS (Google, Microsoft OAuth)
• •Generate service images using AI (OpenRouter) when requested by business owners
• •Display reviews on business landing pages
• •Maintain audit logs for security (login attempts, signups, admin actions)

3. Information Sharing

With Business Owners

When you book with a business on YBook, the business owner and their team can see your name, phone number, email, booking history, reviews, and any tags or notes they have added to your customer record. They cannot see your bookings with other businesses.

Third-Party Services

We use the following third-party services to operate the Platform:

• •WorkOS — Authentication (OAuth sign-in)
• •Brevo — Transactional email and SMS delivery
• •Neon — PostgreSQL database hosting
• •OpenRouter — AI image generation for service images

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may disclose information if required by law or to protect the safety and security of our users and the Platform.

4. Cookies

We use a single, essential cookie:

We do not use any tracking, advertising, or analytics cookies.

5. Data Retention

• •Account data is retained while your account is active.
• •Appointment records are retained for business record-keeping purposes.
• •Audit logs are retained for security and compliance purposes.
• •Reviews are retained unless you request their removal.

6. Your Rights

• •Access — View your personal data through your account settings.
• •Update — Change your name, phone number, and notification preferences in your account settings.
• •Opt out — Disable email and SMS reminders through your account settings.
• •Delete — Request account deletion by contacting us at the address below.

7. Security

We take reasonable measures to protect your information, including:

• •Authentication handled by WorkOS with industry-standard OAuth protocols
• •Session tokens stored in httpOnly cookies (not accessible to JavaScript)
• •HTTPS enforced for all connections
• •Rate limiting on authentication and sensitive endpoints
• •Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)

8. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.

9. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at [email protected].