Privacy Policy

We collect information in the following ways:

• Account data — name, email address, password (hashed), and business details when you register. If you sign in with Apple, we receive your Apple user identifier and, if you choose to share it, your email address.
• Booking data — appointment times, service details, client records, and notes created through the platform.
• Booking image data — where enabled by a business, client-uploaded booking images and related metadata (file type, size, storage path, booking linkage).
• Booking form data — where enabled by a business, information requested before or after a booking, including typed answers, yes/no or choice answers, consent statements and acceptance records, signature text or signature files, requested documents or images, filenames, file type, file size, secure storage paths, submission status, reminder activity, review status, and retention/deletion metadata.
• Client portal account data — if you choose to create a Cyntree client portal account when making a booking, we store your email address, hashed password, and display name. This account is optional and lets you view all your bookings across any Cyntree business in one place at cyntree.com/portal. Your historical bookings (matched by email address) are accessible once the account is created. You can request deletion of your portal account at any time by contacting us.
• Payment data — payment amounts and transaction references. Card details are handled directly by our payment processors (Stripe or Paystack, depending on your region) and are never stored on our servers.
• In-app purchase data — for subscriptions or add-ons bought in the mobile app, we receive purchase receipts, transaction IDs, product identifiers, subscription status, and renewal/expiry dates from Apple App Store and Google Play (via our subscription infrastructure provider). We do not receive your full card number or bank details from Apple or Google.
• Usage data — pages visited, features used, device type, browser, and IP address for platform analytics and security.
• Communications — messages you send to our support team and any feedback you submit through the platform (including your name, email, and message content).
• Push notification tokens — if you enable push notifications in the mobile app, we store a device token so we can deliver booking alerts and reminders to your device. You can disable notifications at any time in your device settings.
• Calendar sync data — if you connect Google Calendar or Microsoft Outlook, we store encrypted OAuth tokens and connection metadata (e.g. account email, calendar IDs you select for availability and for receiving bookings). We use this only to sync Cyntree bookings to your chosen calendar and to read busy/availability when you enable it. We do not store the contents of your calendar events on our servers beyond what is needed for that sync.

We use your data to:

• Operate, maintain, and improve the Cyntree platform.
• Process bookings, send confirmation and reminder emails, and manage scheduling.
• Store, secure, and display client-uploaded booking images to the relevant business for appointment delivery.
• Send, track, review, and retain booking forms requested by a business, including sending completion reminders, notifying the business when a form is submitted, generating business PDF exports, and applying the business's configured retention settings.
• Process payments and handle refunds via Stripe or Paystack (depending on your region).
• Send push notifications about booking updates, reminders, and account activity when you have opted in via the mobile app.
• Sync your Cyntree bookings to your connected calendar (Google or Outlook) and use your calendar's availability when you enable calendar sync.
• Generate AI-assisted website drafts and moderate website generation instructions for safety checks.
• Provide customer support and respond to your requests.
• Detect and prevent fraud, abuse, and security incidents.
• Power your optional client portal — if you create a portal account, we use your email address to retrieve and display all bookings you have made across any Cyntree business so you can manage your history in one place.
• Comply with our legal obligations under UK law.

AI features currently use a third-party provider (OpenAI). We use this for website generation and content-safety moderation only. If a generation prompt is flagged by our safety checks, the flagged status and prompt text may be retained for review. We do not use AI to process or make automated decisions about your personal data, and we do not share personal data with the AI provider except for the limited information needed for website generation and moderation.

Our legal basis for processing is primarily contract performance (to provide the service you signed up for), legitimate interests (platform security and improvement), and legal obligation where applicable. Where a business asks its client to provide booking form information, that business is responsible for identifying and explaining its lawful basis for collecting the requested information.

We do not sell your personal data. We share data only with trusted sub-processors required to operate the service:

• Supabase — database hosting and authentication (EU region).
• Stripe — payment processing (PCI-DSS compliant).
• Paystack — payment processing for supported African regions.
• Apple App Store — mobile in-app purchase processing and subscription management for iOS users.
• Google Play — mobile in-app purchase processing and subscription management for Android users.
• RevenueCat — in-app purchase receipt validation and subscription status infrastructure.
• Resend — transactional email delivery.
• Vercel — web hosting and edge delivery.
• OpenAI — AI website generation and moderation of website-generation instructions.
• Google — when you use Calendar Sync, we use Google's APIs (e.g. Google Calendar) under Google's privacy and API terms. We do not sell or share your calendar data with other third parties.
• Microsoft — when you use Calendar Sync with Outlook, we use Microsoft Graph under Microsoft's privacy and terms. We do not sell or share your calendar data with other third parties.

All sub-processors are contractually bound to process data only on our instructions and in accordance with applicable data protection law.

Business owners and authorised workspace members can access the booking, client, image, document, and form data connected to their workspace. If a business downloads a PDF, document, image, or other export from Cyntree, that exported copy is controlled by the business and is no longer governed by Cyntree's in-platform retention settings.

We use essential cookies required for authentication and platform functionality.

• Essential cookies are always active and are required for sign-in, account security, and booking flows.
• Optional analytics cookies (Google Tag Manager, Vercel Analytics, and Vercel Speed Insights) are only enabled after you provide consent through our cookie banner/settings.

We do not use advertising cookies or cross-site profiling cookies. You can withdraw or update your analytics preference at any time.

In our mobile app, browser cookies are not used. The app uses essential device storage/session data to keep you signed in and secure.

We retain your data for as long as your account is active or as needed to provide the service. If you close your account, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for legal, tax, or dispute-resolution purposes (typically up to 6 years under UK law).

Client-uploaded booking images and booking-form documents, images, signatures, and responses may also be deleted under the relevant business retention settings, account controls, policy enforcement, or legal/takedown obligations.

For booking forms, businesses can configure retention periods for uploaded documents/images/signatures, form answers, and abandoned uploads. If a business does not change the default settings, Cyntree is designed to retain submitted form files for 90 days, form answers for 1 year, and abandoned form uploads for 48 hours, subject to operational, legal, security, or dispute-resolution needs.

When form files are deleted under retention settings, Cyntree may keep a minimal audit record, such as filename, file type, size, deletion timestamp, and deletion reason, unless the business has chosen not to keep that audit record. Once form answers or uploads have been deleted under the retention process, they may not be recoverable from the platform.

Backups, logs, and security records may persist for a limited period after deletion from the live service where this is needed for resilience, audit, fraud prevention, or legal compliance. Access to those records is restricted.

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS/TLS), hashed passwords, and restricted access controls. However, no method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.

Booking-form uploads are stored privately and are accessed through time-limited secure links for authorised users. Businesses should still treat any downloaded documents, images, signatures, or PDF exports as confidential and store them securely outside Cyntree.

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
• Restriction — ask us to limit how we process your data in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@cyntree.com. We will respond within 30 days.

If your request concerns information you gave to a business, such as a booking form response or uploaded document/image, you may also need to contact that business directly because it decides why the information was requested. We will assist businesses with platform records where required by applicable data protection law.

Our platform may contain links to third-party websites or integrate with external services. We are not responsible for the privacy practices of those third parties and recommend reviewing their policies independently.

If you connect Google Calendar or Microsoft Outlook for calendar sync, those providers' privacy policies and terms also apply to the data they receive. You can disconnect your calendar from Cyntree at any time in your dashboard or app settings; we will stop syncing and you may revoke access in your Google or Microsoft account settings.

Cyntree is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.

We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of Cyntree after changes constitutes acceptance of the updated policy.

For privacy-related questions or to exercise your rights, contact us at support@cyntree.com.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.