← Legal

Privacy Notice

Effective Date: April 17, 2026

This Privacy Notice describes how [HOLDCO NAME]("we", "us", or "our"), incorporated in British Columbia, Canada, collects, uses, and shares personal information in connection with the Buuk platform. We are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA).

1. Who We Are

[HOLDCO NAME] is the data controller for personal information collected from Subscribers and Practitioners. When Subscribers collect personal information from their Customers through Buuk, the Subscriber acts as the data controller and [HOLDCO NAME]acts as a data processor on the Subscriber's behalf.

2. Information We Collect

From Subscribers and Practitioners

  • Name, email address, and hashed password;
  • Business name, role, and phone number;
  • Shop configuration, subscription data, and billing details;
  • Usage data and analytics.

From Customers

  • Name, phone number (stored in E.164 format), and email address;
  • Appointment history and scheduling data;
  • Admin notes and per-shop flags set by Subscribers.

Automatically Collected

  • IP address, browser type, and device information;
  • Timezone and country (collected from Vercel infrastructure headers at signup only);
  • Session data collected by PostHog for analytics and session replay.

3. How We Use Your Information

We use personal information to:

  • Provide, maintain, and improve the Buuk platform;
  • Process payments and manage subscriptions;
  • Send transactional communications, including booking confirmations, appointment reminders, trial expiry notices, password resets, and practitioner invitations;
  • Conduct product analytics to understand how the service is used;
  • Comply with legal obligations and enforce our Terms of Use;
  • Respond to support requests.

We do not sell personal information.

4. Legal Basis

We process personal information on the following bases:

  • Contract performance — to provide the service you have signed up for;
  • Legitimate interests — to improve our product and prevent fraud;
  • Consent — where you have opted in to specific communications;
  • Legal obligation — to comply with applicable law.

5. How We Share Personal Information

We share personal information with:

  • Service providers — Stripe (payment processing), Supabase (database and authentication), PostHog (analytics), our email provider, and Expo/Apple/Google for push notifications. These providers process data on our behalf and are bound by confidentiality obligations;
  • Subscribers — who have access to the Customer data collected through their own booking portal;
  • Legal authorities — where required by applicable law, court order, or to protect our rights;
  • Business transfers — in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.

6. International Data Transfers

[HOLDCO NAME] is headquartered in British Columbia, Canada. Our third-party service providers may process personal information in Canada, the United States, or other countries. We ensure that contractual safeguards consistent with PIPEDA are in place for any such transfers.

7. Data Retention

  • Active accounts — personal information is retained for the duration of the subscription;
  • Cancelled or deactivated accounts — data is retained for 30 days following cancellation or deactivation, then permanently deleted;
  • Customer profiles — retained if the Customer has a relationship with at least one other active Subscriber;
  • Billing and legal records — retained as required by applicable law.

8. Security

We use TLS encryption for data in transit, hashed passwords, row-level security (RLS) on our database, and access controls to protect personal information. However, no security system is completely secure and we cannot guarantee the absolute security of your data.

9. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you;
  • Request correction of inaccurate information;
  • Request deletion of your personal information;
  • Withdraw consent where processing is based on consent;
  • File a complaint with the Office of the Privacy Commissioner of Canada.

To exercise these rights, contact us at privacy@buuk.app. We will respond within 30 days.

10. Cookies and Tracking

We use session cookies to maintain your login state. Analytics are collected by PostHog and proxied through our own servers to improve resilience. You may configure your browser to refuse cookies, though some features of the platform may not function correctly as a result.

11. Children's Privacy

Buuk is not directed at persons under 18 years of age. If you believe we have inadvertently collected personal information from a minor, please contact us at privacy@buuk.app and we will delete it promptly.

12. Changes to This Notice

We will provide at least 30 days' email notice before making material changes to this Privacy Notice. Your continued use of the service after the notice period constitutes acceptance of the updated Notice.

13. Contact

[HOLDCO NAME]
Privacy Officer
privacy@buuk.app
British Columbia, Canada

Terms of UsePrivacy NoticeService Level Agreement© 2026 [HOLDCO NAME]