Privacy Policy

Who This Policy Applies To

This policy applies to two distinct groups:

• Clinic operators ("you" or "subscribers") — businesses and individuals who subscribe to Rebookly's Services. We collect and use your information to operate and deliver the platform.
• Patients of clinics using Rebookly — individuals whose contact and appointment information is processed through the platform on behalf of a subscribing clinic. For patient data, Rebookly acts as a service provider and agent under Applicable Privacy Law. The clinic is the Health Information Custodian and is responsible for obtaining patient consent and complying with applicable privacy law.

If you are a patient of a clinic that uses Rebookly and have questions about how your data is handled, please contact that clinic directly. You may also contact us at [email protected] and we will direct your inquiry appropriately.

Canadian Privacy Law

Rebookly operates within the framework of Canadian privacy law, collectively referred to in our agreements as Applicable Privacy Law. This includes:

• PIPEDA — the federal Personal Information Protection and Electronic Documents Act, which governs private-sector organizations across Canada
• PHIPA (Ontario) — Personal Health Information Protection Act
• PIPA and HIA (Alberta) — Personal Information Protection Act and Health Information Act
• PIPA BC (British Columbia) — Personal Information Protection Act
• Law 25 (Quebec) — modernized privacy legislation imposing additional obligations for clinics operating in Quebec
• PHIA (Manitoba, Newfoundland and Labrador, and Nova Scotia) — Personal Health Information Acts
• HIPA (Saskatchewan) — Health Information Protection Act
• PHIPAA (New Brunswick) — Personal Health Information Privacy and Access Act
• CASL — Canada's Anti-Spam Legislation, which governs commercial electronic messages

Additional provincial and territorial privacy laws may apply to clinics operating in other jurisdictions. As your clinic is the Health Information Custodian, you remain responsible for complying with the specific legislation that applies to your practice.

What Information We Collect

Information you provide as a subscriber

• Contact information — name, email address, phone number
• Business details — clinic name, address, and operational information
• Account credentials and preferences
• Billing and payment information (processed securely through our payment providers)
• Communications you send to us through support, onboarding, or feedback channels

Information collected automatically

• Technical data — IP address, browser type, device information, operating system
• Usage data — pages visited, features used, session duration, clicks, and interactions with the platform
• Cookie and tracking data — as described in the Cookies section below

Patient data processed on behalf of clinics

Through integrations with scheduling software such as Jane App™, Rebookly may process the following patient information on behalf of subscribing clinics:

• Name, phone number, and email address
• Appointment history, upcoming appointments, and cancellation or no-show records
• Communication history between the clinic's AI assistant and the patient
• Consent and opt-out status

Rebookly does not collect, access, or store clinical health records, diagnoses, treatment notes, chart data, insurance information, or any sensitive health information. Our platform interacts only with the administrative and scheduling data required to operate communication and booking workflows.

How We Use Your Information

Subscriber information is used to:

• Provide, operate, and improve the Rebookly platform and Services
• Manage your account, billing, and subscription
• Communicate with you about your account, product updates, and support
• Send service-related notifications and, where consented, promotional communications
• Monitor platform performance and detect fraud or misuse
• Comply with legal and regulatory obligations
• Improve our AI models and automation workflows using aggregated, anonymized data only — we do not use identifiable clinic or patient data to train general AI models

Patient data processed on behalf of clinics is used solely to deliver the communication and booking services the clinic has configured. We do not use patient data for our own marketing or analytics purposes.

AI and Automated Processing

Rebookly uses artificial intelligence and automated systems to handle patient conversations, send follow-up messages, manage booking workflows, and respond to inquiries on behalf of subscribing clinics. This includes:

• AI-generated SMS and chat responses sent to patients under the clinic's configured persona
• Automated detection of booking intent, sentiment, and opt-out signals within conversations
• Automated triggering of follow-up sequences based on appointment data from Jane App™
• Voice AI that may answer or follow up on phone calls on behalf of the clinic

Where Voice AI is enabled, phone calls may be processed by AI systems to detect intent and generate responses. Clinics are responsible for disclosing AI call handling to patients in accordance with applicable law and their own communication policies.

Rebookly's AI does not make clinical, medical, or financial decisions. All automated communication is administrative in nature and is supervised by the subscribing clinic. Clinics retain the ability to review, override, and intervene in any AI-handled conversation at any time.

Cookies and Tracking Technologies

Rebookly's website and platform use cookies and similar technologies for the following purposes:

• Essential cookies — required for the platform to function, including session management and authentication. These cannot be disabled.
• Analytics cookies — help us understand how visitors interact with our website so we can improve it. Data collected is aggregated and anonymized.
• Marketing cookies — used to track the effectiveness of our advertising and to deliver relevant content to visitors. These are only activated with your consent.

You can control non-essential cookie settings through your browser preferences at any time. Disabling certain cookies may affect your experience of the platform. For more information about specific cookies in use, contact us at [email protected].

International Data Transfers

Rebookly's infrastructure runs on third-party cloud and communication platforms whose servers are located in the United States. As a result, your data — and patient data processed on your behalf — is transferred to, stored in, and processed in the United States.

Information stored outside Canada may be subject to the laws and lawful access requirements of those jurisdictions, including access by government authorities. PIPEDA and provincial health privacy laws permit cross-border processing when adequate safeguards are in place. Rebookly implements those safeguards through encryption, access controls, and vendor selection, and relies on the published Data Processing Agreements and Terms of Service of our sub-processors.

By using our Services, you acknowledge and consent to the transfer and processing of personal information outside of Canada. Where you are acting on behalf of patients as a clinic operator, you are responsible for informing patients of this cross-border data transfer and obtaining any consent required under applicable law. We provide template language you can include in your own privacy notice.

Data Sharing and Disclosure

We do not sell or rent personal information. Information may be shared only in the following circumstances:

• Sub-processors — with trusted third-party vendors who assist in delivering our platform, including infrastructure, messaging, voice, and analytics services.
• Legal requirements — when required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Rebookly, our clients, or the public.
• Business transfers — in connection with a merger, acquisition, or sale of assets, where personal information may be transferred as part of the transaction. We will notify affected parties before such a transfer occurs.
• With your explicit consent — in any other circumstance, only with your prior written consent.

Sub-processor categories

Rebookly relies on the following categories of sub-processors:

• Automation and CRM infrastructure — platform services that power our unified inbox, automations, and integrations
• SMS and voice communication — telecommunications carriers and infrastructure providers that deliver messages and calls
• Cloud hosting — enterprise-grade cloud infrastructure providers
• Scheduling integration — Jane App™ by Jane Software Inc., which remains the source of truth for your schedule
• Payment processing — payment providers that handle billing securely and never expose card data to Rebookly

Our sub-processors operate under their own published Data Processing Agreements and Terms of Service, which include commitments to security, confidentiality, and breach notification practices consistent with Canadian privacy expectations. An updated list of named sub-processors is available on request.

SMS Opt-Out Data Retention

When a patient opts out of SMS messaging (for example, by replying STOP), Rebookly retains a record of that opt-out status. This record is kept indefinitely and is not deleted upon a clinic's request, because retaining opt-out records is a legal requirement under the Canadian Anti-Spam Legislation (CASL) and carrier compliance frameworks. Retaining this data protects both the patient and the clinic by ensuring the opt-out is permanently honoured across all future automated workflows.

Data Retention

We retain personal information for as long as necessary to deliver our Services and support our clients' operations, subject to the following:

• Active subscribers — account and usage data is retained for the duration of the subscription and for a period of 30 days following cancellation, during which a data export may be requested.
• Inactive subscriber data — data from accounts with no activity is automatically purged or anonymized after 24 months, unless required for legal or regulatory purposes.
• Patient communication data — retained in accordance with the clinic's configuration and applicable legal obligations. Clinics may request deletion of patient data at any time through the platform or by contacting us.
• Opt-out records — retained indefinitely as described in the SMS Opt-Out section above.
• Billing records — retained for a minimum of 7 years in accordance with Canadian tax and accounting requirements.

Deletion requests will be fulfilled within 30 calendar days, unless the data is required for ongoing legal obligations or regulatory compliance.

Security

We use a combination of administrative, physical, and technical safeguards to protect personal information, including:

• Encrypted connections (TLS) for data in transit
• Encryption at rest for stored data
• Role-based access controls limiting staff access to personal information
• Regular security reviews and vendor assessments

No system is completely secure. In the event of a data breach that poses a real risk of significant harm to individuals, we will notify affected individuals and report the incident to the Office of the Privacy Commissioner of Canada as required under PIPEDA's Breach of Security Safeguards Regulations. We aim to provide notification within 72 hours of confirming a qualifying breach, where technically feasible.

Your Rights Under PIPEDA

You have the following rights regarding your personal information held by Rebookly:

• Access — request access to the personal information we hold about you
• Correction — request corrections to inaccurate or outdated information
• Withdrawal of consent — withdraw consent for specific uses where consent is the legal basis for processing
• Deletion — request deletion of your personal data, subject to legal retention obligations
• Portability — request a copy of your data in a portable format where applicable
• Complaint — file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca

To exercise any of these rights, contact our Privacy Officer as listed below. We will respond to all verified requests within 30 calendar days.

Children's Privacy

Our Services are intended for use by adults. Rebookly does not knowingly collect personal information directly from children under the age of 14 without appropriate parental or guardian consent. Where a clinic provides us with appointment information for a minor patient, the clinic is responsible for obtaining any required consent from a parent or guardian in accordance with applicable law.

If we become aware that personal information has been collected from a person under 14 without appropriate consent, we will delete it promptly.

Links to Third-Party Sites

Our website and platform may contain links to third-party websites, including Jane App™ and social media platforms. Rebookly is not responsible for the privacy practices of any third-party site. We encourage you to review the privacy policies of any external site you visit.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. The most current version will always be posted at rebookly.ai/privacy-policy. If changes are material, we will notify subscribers by email or through the platform. Continued use of the Services after the effective date of any update constitutes acceptance of the revised policy.

How to Challenge Compliance or Submit a Complaint

If you have questions, concerns, or wish to challenge our compliance with PIPEDA, contact our Privacy Officer directly. If your concern is not resolved to your satisfaction, you may escalate it to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Privacy Officer & Contact

Privacy Officer: Chris Eder
Email: [email protected]
Phone: (587) 801-4659
Address: Calgary, AB, Canada

Jane App™ is a trademark of Jane Software Inc. Rebookly is an independent service provider and is not affiliated with, endorsed by, or officially partnered with Jane Software Inc.