Privacy Policy

Who This Policy Applies To

This policy applies to two distinct groups:

• Clinic operators ("you" or "subscribers") — businesses and individuals who subscribe to Rebookly's Services. We collect and use your information to operate and deliver the platform.
• Patients of clinics using Rebookly — individuals whose contact and appointment information is processed through the platform on behalf of a subscribing clinic. For patient data, Rebookly acts as a data processor, not a data controller. The clinic is the data controller and is responsible for obtaining patient consent and complying with applicable privacy law.

If you are a patient of a clinic that uses Rebookly and have questions about how your data is handled, please contact that clinic directly. You may also contact us at [email protected] and we will direct your inquiry appropriately.

What Information We Collect

Information you provide as a subscriber

• Contact information — name, email address, phone number
• Business details — clinic name, address, and operational information
• Account credentials and preferences
• Billing and payment information (processed securely through our payment providers)
• Communications you send to us through support, onboarding, or feedback channels

Information collected automatically

• Technical data — IP address, browser type, device information, operating system
• Usage data — pages visited, features used, session duration, clicks, and interactions with the platform
• Cookie and tracking data — as described in the Cookies section below

Patient data processed on behalf of clinics

Through integrations with scheduling software such as Jane App™, Rebookly may process the following patient information on behalf of subscribing clinics:

• Name, phone number, and email address
• Appointment history, upcoming appointments, and cancellation or no-show records
• Communication history between the clinic's AI assistant and the patient
• Consent and opt-out status

Rebookly does not collect, access, or store clinical health records, diagnoses, treatment notes, chart data, insurance information, or any sensitive health information. Our platform interacts only with the administrative and scheduling data required to operate communication and booking workflows.

How We Use Your Information

Subscriber information is used to:

• Provide, operate, and improve the Rebookly platform and Services
• Manage your account, billing, and subscription
• Communicate with you about your account, product updates, and support
• Send service-related notifications and, where consented, promotional communications
• Monitor platform performance and detect fraud or misuse
• Comply with legal and regulatory obligations
• Improve our AI models and automation workflows using aggregated, anonymized data only — we do not use identifiable clinic or patient data to train general AI models

Patient data processed on behalf of clinics is used solely to deliver the communication and booking services the clinic has configured. We do not use patient data for our own marketing or analytics purposes.

AI and Automated Processing

Rebookly uses artificial intelligence and automated systems to handle patient conversations, send follow-up messages, manage booking workflows, and respond to inquiries on behalf of subscribing clinics. This includes:

• AI-generated SMS and chat responses sent to patients under the clinic's configured persona
• Automated detection of booking intent, sentiment, and opt-out signals within conversations
• Automated triggering of follow-up sequences based on appointment data from Jane App™
• Voice AI that may answer or follow up on phone calls on behalf of the clinic

Where Voice AI is enabled, phone calls may be processed by AI systems to detect intent and generate responses. Clinics are responsible for disclosing AI call handling to patients in accordance with applicable law and their own communication policies.

Rebookly's AI does not make clinical, medical, or financial decisions. All automated communication is administrative in nature and is supervised by the subscribing clinic. Clinics retain the ability to review, override, and intervene in any AI-handled conversation at any time.

Cookies and Tracking Technologies

Rebookly's website and platform use cookies and similar technologies for the following purposes:

• Essential cookies — required for the platform to function, including session management and authentication. These cannot be disabled.
• Analytics cookies — help us understand how visitors interact with our website so we can improve it. Data collected is aggregated and anonymized.
• Marketing cookies — used to track the effectiveness of our advertising and to deliver relevant content to visitors. These are only activated with your consent.

You can control non-essential cookie settings through your browser preferences at any time. Disabling certain cookies may affect your experience of the platform. For more information about specific cookies in use, contact us at [email protected].

International Data Transfers

Rebookly's infrastructure relies on third-party cloud and communication platforms, including providers whose servers are located in the United States. As a result, some of your data — and patient data processed on your behalf — may be transferred to, stored in, or processed in the United States or other jurisdictions outside Canada.

While these providers implement robust security measures and are contractually bound to protect the data we share with them, information stored outside Canada may be subject to the laws and lawful access requirements of those jurisdictions, including access by government authorities.

By using our Services, you acknowledge and consent to the transfer and processing of personal information outside of Canada. Where you are acting on behalf of patients as a clinic operator, you are responsible for informing patients of this cross-border data transfer and obtaining any consent required under applicable law.

Data Sharing and Disclosure

We do not sell or rent personal information. Information may be shared only in the following circumstances:

• Service providers — with trusted third-party vendors who assist in delivering our platform, including infrastructure, messaging, voice, and analytics services. These providers are bound by confidentiality and data protection obligations.
• Legal requirements — when required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Rebookly, our clients, or the public.
• Business transfers — in connection with a merger, acquisition, or sale of assets, where personal information may be transferred as part of the transaction. We will notify affected parties before such a transfer occurs.
• With your explicit consent — in any other circumstance, only with your prior written consent.

Third-party service providers we work with include:

• Cloud infrastructure and hosting (e.g. Amazon Web Services, Google Cloud)
• SMS and voice communication delivery (e.g. Twilio, LeadConnector)
• Automation and CRM infrastructure (e.g. HighLevel)
• Payment processing (handled securely through our billing providers)
• Scheduling integration (Jane App™ by Jane Software Inc.)

All third-party providers are selected for their strong data security practices and are contractually obligated to comply with privacy standards equivalent to Canadian requirements.

SMS Opt-Out Data Retention

When a patient opts out of SMS messaging (for example, by replying STOP), Rebookly retains a record of that opt-out status. This record is kept indefinitely and is not deleted upon a clinic's request, because retaining opt-out records is a legal requirement under the Canadian Anti-Spam Legislation (CASL) and carrier compliance frameworks. Retaining this data protects both the patient and the clinic by ensuring the opt-out is permanently honoured across all future automated workflows.

Data Retention

We retain personal information for as long as necessary to deliver our Services and support our clients' operations, subject to the following:

• Active subscribers — account and usage data is retained for the duration of the subscription and for a period of 30 days following cancellation, during which a data export may be requested.
• Inactive subscriber data — data from accounts with no activity is automatically purged or anonymized after 24 months, unless required for legal or regulatory purposes.
• Patient communication data — retained in accordance with the clinic's configuration and applicable legal obligations. Clinics may request deletion of patient data at any time through the platform or by contacting us.
• Opt-out records — retained indefinitely as described in the SMS Opt-Out section above.
• Billing records — retained for a minimum of 7 years in accordance with Canadian tax and accounting requirements.

Deletion requests will be fulfilled within 30 calendar days, unless the data is required for ongoing legal obligations or regulatory compliance.

Security

We use a combination of administrative, physical, and technical safeguards to protect personal information, including:

• Encrypted connections (TLS) for data in transit
• Encryption at rest for stored data
• Role-based access controls limiting staff access to personal information
• Regular security reviews and vendor assessments

No system is completely secure. In the event of a data breach that poses a real risk of significant harm to individuals, we will notify affected individuals and report the incident to the Office of the Privacy Commissioner of Canada as required under PIPEDA's Breach of Security Safeguards Regulations. We aim to provide notification within 72 hours of becoming aware of a qualifying breach where technically feasible.

Your Rights Under PIPEDA

You have the following rights regarding your personal information held by Rebookly:

• Access — request access to the personal information we hold about you
• Correction — request corrections to inaccurate or outdated information
• Withdrawal of consent — withdraw consent for specific uses where consent is the legal basis for processing
• Deletion — request deletion of your personal data, subject to legal retention obligations
• Portability — request a copy of your data in a portable format where applicable
• Complaint — file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca

To exercise any of these rights, contact our Privacy Officer as listed below. We will respond to all verified requests within 30 calendar days.

Children's Privacy

Our Services are not intended for children under the age of 18. We do not knowingly collect personal information from minors. If we become aware that personal information has been collected from a person under 18 without appropriate consent, we will delete it promptly.

Links to Third-Party Sites

Our website and platform may contain links to third-party websites, including Jane App™ and social media platforms. Rebookly is not responsible for the privacy practices of any third-party site. We encourage you to review the privacy policies of any external site you visit.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. The most current version will always be posted at rebookly.ai/privacy-policy. If changes are material, we will notify subscribers by email or through the platform. Continued use of the Services after the effective date of any update constitutes acceptance of the revised policy.

How to Challenge Compliance or Submit a Complaint

If you have questions, concerns, or wish to challenge our compliance with PIPEDA, contact our Privacy Officer directly. If your concern is not resolved to your satisfaction, you may escalate it to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Privacy Officer & Contact

Privacy Officer: Chris Eder
Email: [email protected]
Phone: (587) 801-4659
Address: Calgary, AB, Canada