Privacy Policy

Last Updated: March 13, 2026

This Privacy Policy describes how Beeopera ("we", "us", "our") collects, uses, stores, and protects your information when you use our booking and scheduling platform ("Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • First and last name
  • Email address
  • Password (stored only in hashed form; we never store or have access to your plain-text password)
  • Phone number (optional)
  • Profile photo (optional)

1.2 Preferences

You may configure personal preferences, including:

  • Language and timezone
  • Date and time display format
  • UI theme
  • Notification preferences (activity, missed activity, newsletter, marketing, product education)

1.3 Customer Data

If you use the Service to manage customers, you or your team members may store customer information including:

  • First and last name
  • Email address
  • Phone number
  • Photos and file attachments
  • Notes
  • Reservation and scheduling history

You are the data controller for any customer data you store in the Service. You are responsible for ensuring you have the appropriate legal basis to collect and process your customers' personal data.

1.4 Reservation and Scheduling Data

We store reservation details including start and end times, assigned staff, associated customer, status, and any notes you add.

1.5 Notification Data

When we send notifications on your behalf (email, SMS, or in-app), we store the notification content, recipient information, delivery status, and timestamps.

1.6 Session and Security Data

To protect your account and maintain your session, we collect:

  • IP address
  • Browser user agent string
  • Session timestamps and activity data

Session tokens are stored only in hashed form. We never store raw authentication tokens.

1.7 Audit Logs

We maintain an immutable audit log of significant actions performed within the Service (e.g., creating, updating, or deleting records). Audit entries record the user who performed the action, the entity affected, and before/after values. This data is retained for accountability and security purposes.

1.8 Uploaded Files

Files you upload (profile photos, customer photos, attachments, logos) are stored securely in cloud storage. File metadata (name, type, size) is stored in our database.

2. How We Use Your Information

We use the information we collect exclusively to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Send transactional notifications (e.g., reservation confirmations, email verification)
  • Send non-transactional notifications you have not opted out of (e.g., activity summaries, product updates)
  • Process reservations and scheduling on your behalf
  • Generate analytics and usage summaries visible only to you and your team
  • Maintain audit trails for security and accountability
  • Comply with legal obligations

3. How We Do NOT Use Your Information

We want to be unambiguous about the following:

We do not sell your data. Your personal information, customer data, and any other data you store in the Service is never sold, rented, leased, or otherwise transferred to third parties for monetary or other consideration. This applies to all data categories without exception.

We do not use your data for AI or machine learning training. No user data, customer data, notification content, reservation details, uploaded files, or any other information you provide is used to train, fine-tune, or improve artificial intelligence models, machine learning systems, large language models, or any form of automated learning system — whether owned by us or by any third party.

We do not use your data for advertising. We do not build advertising profiles, serve targeted ads, or share your information with advertisers or ad networks.

We do not share your data with data brokers. Your information is never provided to data brokers, data aggregators, or similar entities.

We do not mine your data for insights beyond what we show you. Any analytics we compute are shown exclusively to you and your authorized team members within the Service.

4. Third-Party Services

We use the following third-party services strictly for operating the Service. These providers process data on our behalf under contractual obligations and do not have independent rights to use your data:

Service | Purpose | Data Processed
Amazon Web Services (AWS) SES | Email delivery | Recipient email address, email subject, email body
Amazon Web Services (AWS) SNS | SMS delivery | Recipient phone number, message body
Amazon Web Services (AWS) S3 | File storage | Uploaded files (photos, attachments, logos)
PostgreSQL | Primary database | All application data
Redis | Session caching | Session tokens (hashed), session metadata
RabbitMQ | Internal message queue | Event data for asynchronous processing

We do not transmit your data to any third-party service not listed above. All third-party services are used solely for infrastructure and operational purposes — never for analytics, advertising, profiling, or AI training.

5. Data Security

We implement the following measures to protect your data:

  • Password hashing: All passwords are hashed using bcrypt before storage. We never store or transmit plain-text passwords.
  • Token hashing: Session tokens and authentication tokens are stored as SHA-256 hashes. Raw tokens exist only in transit.
  • JWT signing: Authentication tokens are signed using HMAC-SHA256 to prevent tampering.
  • Encrypted connections: All data in transit between your browser and our servers is encrypted via TLS/HTTPS.
  • Access control: Multi-tenant architecture ensures strict data isolation between organizations. Role-based permissions control access within each organization.
  • Presigned uploads: File uploads use time-limited presigned URLs — files are transferred directly to secure storage without passing through our application servers.

6. Data Retention

  • Active accounts: Your data is retained for as long as your account is active and you use the Service.
  • Account deletion: When you request account deletion, your account is immediately disabled. After a 30-day grace period (during which you may cancel the deletion), we permanently delete your account by anonymizing your personal information, removing your preferences, revoking all sessions, and deleting all authentication tokens. Anonymized audit records may be retained for security purposes.
  • Customer data: Customer data you store in the Service is retained until you delete it or until your organization is deleted.
  • File deletion: When files are deleted, they are removed from our database and permanently deleted from cloud storage within 30 days.
  • Notification records: Notification history is retained for operational and audit purposes. Suppressed notifications (where the recipient has opted out) are recorded with a suppression marker but are never delivered.

7. Your Rights

You have the right to:

  • Access your personal data stored in the Service
  • Correct inaccurate personal data via your account settings
  • Delete your account and associated personal data (subject to the 30-day grace period described above)
  • Exercise your right to erasure ("right to be forgotten") under GDPR Article 17: upon account deletion, your account is immediately disabled and, after a 30-day grace period, all your personal data is permanently anonymized. Once anonymized, your data can no longer be linked back to you in any way.
  • Export your data upon request
  • Opt out of non-transactional notifications at any time via the unsubscribe link in any email or through your notification preferences

To exercise any of these rights, contact us at the address provided at the end of this policy.

8. Notification Preferences and Unsubscribe

We send the following categories of notifications:

  • Transactional: Essential communications related to your use of the Service (e.g., reservation confirmations, email verification, password resets). These cannot be opted out of as they are necessary for the Service to function.
  • Activity: Notifications about actions taken within your organization.
  • Missed Activity: Summaries of activity you may have missed.
  • Newsletter: Periodic updates about the Service.
  • Marketing: Promotional communications.
  • Product Education: Tips and guidance on using the Service.

You may opt out of any non-transactional notification category at any time by:

  • Clicking the unsubscribe link in any non-transactional email
  • Updating your notification preferences through the link provided in emails

External recipients (customers who do not have an account) may unsubscribe from all notifications via the unsubscribe link included in every non-transactional email.

9. Cookies

We use only strictly necessary technical cookies required for the Service to function (e.g., session authentication). These cookies are essential for security and cannot be used to track your behavior, build profiles, or serve advertisements. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will promptly delete it.

11. International Data Transfers

Your data may be processed in regions where our infrastructure providers operate (including but not limited to the European Union and the United States). We ensure that any international data transfers comply with applicable data protection laws and that adequate safeguards are in place.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: [email protected]