Privacy Policy

We collect information in the following ways:

• Account data — name, email address, password (hashed), and business details when you register.
• Booking data — appointment times, service details, client records, and notes created through the platform.
• Booking image data — where enabled by a business, client-uploaded booking images and related metadata (file type, size, storage path, booking linkage).
• Payment data — payment amounts and transaction references. Card details are handled directly by our payment processor (Stripe) and are never stored on our servers.
• Usage data — pages visited, features used, device type, browser, and IP address for platform analytics and security.
• Communications — messages you send to our support team.
• Calendar sync data — if you connect Google Calendar or Microsoft Outlook, we store encrypted OAuth tokens and connection metadata (e.g. account email, calendar IDs you select for availability and for receiving bookings). We use this only to sync Cyntree bookings to your chosen calendar and to read busy/availability when you enable it. We do not store the contents of your calendar events on our servers beyond what is needed for that sync.

We use your data to:

• Operate, maintain, and improve the Cyntree platform.
• Process bookings, send confirmation and reminder emails, and manage scheduling.
• Store, secure, and display client-uploaded booking images to the relevant business for appointment delivery.
• Process payments and handle refunds via Stripe.
• Sync your Cyntree bookings to your connected calendar (Google or Outlook) and use your calendar's availability when you enable calendar sync.
• Generate AI-assisted website drafts and moderate website generation instructions for safety checks.
• Provide customer support and respond to your requests.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with our legal obligations under UK law.

AI features currently use a third-party provider (OpenAI). We use this for website generation and moderation only. We do not use AI to process or make decisions about your personal data, and we do not share personal data with the AI provider except for the limited information needed for website generation and moderation.

Our legal basis for processing is primarily contract performance (to provide the service you signed up for), legitimate interests (platform security and improvement), and legal obligation where applicable.

We do not sell your personal data. We share data only with trusted sub-processors required to operate the service:

• Supabase — database hosting and authentication (EU region).
• Stripe — payment processing (PCI-DSS compliant).
• Resend — transactional email delivery.
• Vercel — web hosting and edge delivery.
• OpenAI — AI website generation and moderation of website-generation instructions.
• Google — when you use Calendar Sync, we use Google's APIs (e.g. Google Calendar) under Google's privacy and API terms. We do not sell or share your calendar data with other third parties.
• Microsoft — when you use Calendar Sync with Outlook, we use Microsoft Graph under Microsoft's privacy and terms. We do not sell or share your calendar data with other third parties.

All sub-processors are contractually bound to process data only on our instructions and in accordance with applicable data protection law.

We use essential cookies required for authentication and platform functionality.

• Essential cookies are always active and are required for sign-in, account security, and booking flows.
• Optional analytics cookies (Vercel Analytics and Vercel Speed Insights) are only enabled after you provide consent through our cookie banner/settings.

We do not use advertising cookies or cross-site profiling cookies. You can withdraw or update your analytics preference at any time.

In our mobile app, browser cookies are not used. The app uses essential device storage/session data to keep you signed in and secure.

We retain your data for as long as your account is active or as needed to provide the service. If you close your account, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for legal, tax, or dispute-resolution purposes (typically up to 6 years under UK law).

Client-uploaded booking images are retained with associated booking records unless deleted earlier under account controls, policy enforcement, or legal/takedown obligations.

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS/TLS), hashed passwords, and restricted access controls. However, no method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
• Restriction — ask us to limit how we process your data in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@cyntree.com. We will respond within 30 days.

Our platform may contain links to third-party websites or integrate with external services. We are not responsible for the privacy practices of those third parties and recommend reviewing their policies independently.

If you connect Google Calendar or Microsoft Outlook for calendar sync, those providers' privacy policies and terms also apply to the data they receive. You can disconnect your calendar from Cyntree at any time in your dashboard or app settings; we will stop syncing and you may revoke access in your Google or Microsoft account settings.

Cyntree is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.

We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of Cyntree after changes constitutes acceptance of the updated policy.

For privacy-related questions or to exercise your rights, contact us at support@cyntree.com.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.