This Privacy Policy applies to all Pinkbook services — the booking platform, owner dashboard, client-facing booking pages, and associated features. It describes what personal information we collect, how we use and protect it, who we share it with, and what rights you have. We are committed to transparency and to handling information responsibly.
Pinkbook is a digital booking and business management platform built for beauty and wellness service providers — stylists, estheticians, nail technicians, and similar professionals — and the clients who book their services. Pinkbook can be reached at pinkbook.tech@gmail.com for all privacy-related inquiries.
Pinkbook operates in two distinct data roles depending on context:
When a service provider creates an account, we collect:
Service providers configure their account through the Settings page. This configuration is stored in their account record and includes:
Third-party credentials security: Twilio credentials entered in Settings are stored encrypted in your account record. Pinkbook never exposes them client-side. You are responsible for rotating these credentials if you suspect compromise. Pinkbook is not liable for losses arising from credential exposure by the account holder.
Service providers manage their client list within Pinkbook. Each client record may contain:
Pinkbook stores this data on behalf of the service provider and does not use it for any purpose beyond operating the platform for that provider.
When a client books an appointment, a booking record is created containing:
If a service provider uses the waitlist feature, clients who join provide their name, email address, optional phone number, preferred service, preferred date, and an optional message. This data is retained until the service provider removes it, notifies the client, or closes their account.
When a gift certificate is created or redeemed through the platform, we store the certificate code, monetary value, creation date, redemption status, redemption timestamp, and the email address of the redeemer (if provided).
Pinkbook does not store full payment card details. All payment card processing is handled by Stripe. We retain Stripe session IDs and payment intent IDs as reference identifiers, and store Stripe Connect account linkage details (account ID, payout eligibility flags) to enable service provider payment features. Review Stripe's Privacy Policy for how Stripe independently processes payment data.
Pinkbook sends automated emails (booking confirmations, appointment reminders, password resets, email verifications) on behalf of service providers and directly for account operations. We maintain an operational email log that records:
j***@gmail.com) and domain only — full email addresses are never stored in the logSMS appointment reminders are routed through the service provider's own Twilio account. Pinkbook does not retain SMS message content after dispatch.
The booking flow records anonymized interaction events (e.g., calendar viewed, time slot selected, booking submitted) to help service providers understand how clients engage with their booking page. These events are linked to a one-way hash of the client's email address — not to their name or identity directly. This data is used to power the AI Brain feature (see Section 7).
For security and compliance, Pinkbook maintains append-only audit logs of actions taken by authenticated users. These logs capture the action type (e.g., booking created, settings updated), the IP address of the request, a timestamp, and a reference to the affected record. IP addresses are retained for security investigation purposes only and are not used for advertising or profiling.
Pinkbook uses browser localStorage to persist certain state locally on your device — including authentication tokens, calendar view preferences, working hours drafts, and UI settings. This data is stored on your device and is not transmitted to servers unless explicitly synced. Clearing browser storage will reset locally stored preferences.
We use the information we collect to:
Pinkbook does not sell your personal information to third parties and does not use it for targeted advertising or cross-platform tracking.
We process personal information under the following legal bases, consistent with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation:
Pinkbook shares data with the following third-party services only as strictly necessary to operate the platform:
Used to process deposits and subscription billing, and to facilitate Stripe Connect accounts for service providers. When a payment is initiated, relevant transaction data (amount, booking reference) is transmitted to Stripe. Stripe independently processes payment card data. See Stripe's Privacy Policy.
If a service provider has connected their own Twilio account, appointment reminders are routed through it. The client's phone number and a templated reminder message are transmitted to Twilio for delivery at the time of sending. Pinkbook uses the service provider's credentials for this; it does not maintain a shared Twilio account. See Twilio's Privacy Policy.
When the AI Brain feature is enabled by a service provider, aggregated and pseudonymized behavioral signals (derived from hashed client identifiers and booking pattern data — not names, emails, or phone numbers) may be sent to Anthropic's API to generate business recommendations. Raw personal data is never sent to Anthropic. See Anthropic's Privacy Policy. Service providers may disable AI Brain at any time in Settings.
Automated transactional emails (booking confirmations, reminders, password resets) are delivered through a configured email provider (SendGrid or a custom domain SMTP configuration). The recipient's email address and email content are transmitted to the provider for delivery. Only a masked address and hash are retained in Pinkbook's email log.
Pinkbook's backend, database, and application are hosted on Railway's cloud infrastructure. All platform data resides on Railway-managed servers. Railway acts as a sub-processor under contractual data protection obligations. See Railway's Privacy Policy.
We may disclose personal information when required by applicable law, enforceable court order, or regulatory authority, or when reasonably necessary to protect the rights, safety, or property of Pinkbook or its users.
Pinkbook includes an optional AI Brain feature powered by Anthropic's Claude AI model. This feature is controlled by the service provider and can be enabled or disabled at any time in Settings.
When enabled, the AI Brain:
client_signals table and structured recommendations in the ai_recommendations tableProcessing uses pseudonymized data only. Clients are referenced by hashed identifiers and aggregated booking statistics — not by name, email address, or direct contact details — when generating AI outputs.
Service providers are solely responsible for how they act on AI-generated recommendations. Pinkbook makes no guarantee of accuracy or suitability for any particular business decision.
Disabling AI Brain stops new signal computation. Previously stored signals and recommendations remain in the database until the service provider deletes the associated client records, or until account closure.
We implement the following safeguards to protect your information:
No system can guarantee absolute security. In the event of a breach affecting personal data, Pinkbook will investigate, contain, and notify affected users as required by applicable law.
We retain data for as long as necessary to operate the platform and meet legal obligations:
You may request deletion of your data at any time by contacting pinkbook.tech@gmail.com, subject to retention obligations we are legally required to maintain.
Subject to applicable law, you have the right to:
To exercise any of these rights, contact us at pinkbook.tech@gmail.com. We will respond within 30 days. We may require identity verification before processing a request.
Clients of service providers: Your booking data is controlled by the service provider whose page you booked through. For deletion or access requests, contact that service provider directly. Pinkbook will assist with technical deletion upon confirmed request from the service provider.
Pinkbook does not use tracking cookies, advertising cookies, or third-party analytics scripts. The platform uses browser localStorage to store your authentication token, calendar view preferences, working hours settings, and UI state between sessions on the same device. This data is kept on your device, is never shared with third parties, and is not used for tracking or profiling. Clearing your browser's storage will reset all locally stored preferences.
Pinkbook is not directed at individuals under the age of majority in their jurisdiction (18 in most Canadian provinces). We do not knowingly collect personal information from minors. If you believe a minor has submitted information through the platform, contact us at pinkbook.tech@gmail.com and we will promptly delete it.
Pinkbook's infrastructure is hosted by Railway. Data may be processed and stored on servers in Canada or the United States depending on Railway's infrastructure configuration. When data is transferred internationally — for example, through Stripe, Twilio, Anthropic, or hosting infrastructure — we rely on standard contractual protections and the respective data processing agreements of those providers.
By using Pinkbook, you acknowledge that your information may be transferred to and processed in jurisdictions outside your own. We take reasonable steps to ensure these transfers comply with applicable privacy law.
We may update this Privacy Policy from time to time. For material changes, we will notify affected users via email (to the registered account address) and/or via a prominent in-app notice at least 14 days before the change takes effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
For privacy questions, access requests, deletion requests, or to report a concern regarding your data:
If your privacy concern has not been adequately resolved, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.