Privacy Policy
Stay Bookd is a trade name of 2811940 Alberta Inc. ("we", "us", "our"), a corporation based in Calgary, Alberta, Canada. We build and operate AI-powered automation tools for service businesses, including voice agents, AI assistants, automated lead response systems, database reactivation, and custom integrations.
This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our services. We are committed to complying with Alberta's Personal Information Protection Act (PIPA) and, where applicable, the federal Personal Information Protection and Electronic Documents Act (PIPEDA). References to "applicable privacy legislation" in this policy include both.
1. Our Role
Stay Bookd operates in two capacities depending on the context:
- As a controller: For personal information we collect directly (including business client account data, our own marketing and outreach contacts, and call recordings or lead data we source on our own initiative), we are the organization accountable under PIPEDA and Alberta PIPA for purposes, consent, and safeguards.
- As a service provider: For personal information about end-customers of our clients that we process on a client's behalf, the client is the accountable organization for collection purposes and consent. We remain accountable under PIPEDA Principle 4.1.3 and Alberta PIPA for safeguarding such information while in our custody and processing it only per client instructions.
As a condition of our services, our business clients are contractually required to: maintain their own privacy policies disclosing the use of AI automation, call recording, and third-party data processing; obtain any necessary consents from their customers prior to activating our services; and comply with all applicable privacy and anti-spam legislation.
2. Information We Collect
From business clients:
- Business name, owner name, email address, phone number
- Billing information processed via Stripe (we do not store card numbers — Stripe is PCI-DSS Level 1 certified; card data never touches our servers)
- Business configuration data (hours, booking links, staff routing preferences)
From end-customers of our clients (callers, leads, and contacts):
- Phone numbers and call metadata
- Call recordings and transcripts (see Section 4)
- SMS message content sent or received through our systems
- Appointment and booking details (name, date, service type)
- Lead inquiry data submitted via web forms or social media platforms
- CRM records used for re-engagement (Database Reactivation), where the client has provided such records and represented and warranted in writing that valid consent exists under CASL and applicable privacy law for outreach to those contacts
From client business operations (Executive Assistant and Bespoke services):
- Operational data the client provides to us for execution of automation tasks (for example: email content, calendar events, internal documents, task lists, or other business records the client connects via integrations or shares with us)
- The scope of operational data accessed is defined by the individual service agreement and the integrations the client authorizes
From social media platforms (when Meta integrations are enabled):
- Facebook and Instagram message content from leads and customers who initiate contact
- Lead data from Meta Lead Ads forms (name, email, phone, form responses)
- Meta Page and Instagram account identifiers required to operate the integration
Automatically collected from our website:
- Server log data (pages visited, browser type, IP address). We do not currently use third-party advertising or cross-site tracking cookies on this website.
Minors: Our services are intended for adults operating businesses. We do not knowingly collect personal information from individuals under the age of 16. If we become aware we have collected such information, we will delete it promptly.
3. How We Use Personal Information
- Deliver, operate, and maintain our services
- Respond to inbound leads and customer inquiries on behalf of our clients
- Book appointments and route customers to scheduling systems
- Send SMS notifications and follow-up messages on behalf of our clients
- Process billing and manage client accounts
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Generate anonymized, aggregated, non-identifiable analytics to improve our services
We do not sell personal information. We do not use end-customer personal information to train or fine-tune general-purpose third-party AI models without a lawful basis or client authorization. We may use aggregated, anonymized, and non-identifiable data derived from our services to monitor performance, improve our systems, train and improve our own service-specific models, and develop new features.
4. Call Recording Disclosure
Our voice agent services record and transcribe calls for the purpose of delivering the service (booking appointments, answering questions, routing callers). Our voice agent is designed to disclose at the start of each call that the caller is interacting with an AI system and that the call may be recorded. Clients are responsible for ensuring disclosures meet requirements in their jurisdictions.
Call recordings are stored by our telephony provider and accessed by us via secure URLs provided by that provider. We do not store audio files on our own infrastructure. Recordings are retained for the period required to deliver the service and may be reviewed for quality assurance or dispute resolution. Our business clients are solely responsible for ensuring all required disclosures are made to callers in the jurisdictions where they operate.
5. AI-Generated Communications Disclosure
Where our automated systems send responses via voice calls, SMS, Facebook Messenger, Instagram DM, email, or other channels on behalf of our clients, those messages are generated or assisted by AI. Our clients determine whether and how to disclose this to their customers. We recommend clients include appropriate disclosure in their customer communications.
6. Third-Party Service Providers (Subprocessors)
We share personal information with third-party service providers only as necessary to deliver our services. These providers are subject to data processing terms requiring them to protect personal information and use it only for the purposes we specify.
We use third-party service providers in the following categories:
- Payment processing (PCI-DSS certified providers)
- Telephony, call recording, and SMS messaging
- AI processing on paid enterprise API tiers, where data is not used to train AI models and is governed by a data processing addendum
- Productivity and workspace integrations (email, calendar, document storage, CRM, scheduling, task management)
- Email outreach and communications platforms
- Cloud infrastructure hosting
- Meta Platforms (Facebook, Instagram) — lead and messaging integrations via the Meta Graph API, used solely to deliver the agreed services and in compliance with Meta's Platform Terms
A current list of specific subprocessors is available to business clients on request under their service agreement.
7. Cross-Border Data Transfers
Some of our service providers store or process data outside Canada, including in the United States. We use contractual safeguards designed to provide a level of protection comparable to that required under PIPEDA and Alberta PIPA. When personal information is processed outside Canada, it is subject to the laws of the host jurisdiction, including lawful access by foreign courts, law enforcement, and national security authorities (for example, under the U.S. CLOUD Act). By using our services, you acknowledge that your information may be transferred to and processed in these jurisdictions.
8. Meta Platform Integrations
Where clients enable Meta integrations, our services access the following through the Meta Graph API and webhook subscriptions:
- Meta Lead Ads (Marketing API): We retrieve lead form submissions to enable immediate automated follow-up on behalf of our clients.
- Facebook Messenger: We send and receive messages on behalf of our clients' Pages to respond to customer inquiries (inbound-reply only, within the standard 24-hour messaging window).
- Instagram Messaging: We manage incoming direct messages on behalf of our clients' Instagram accounts to respond to leads (inbound-reply only, within the standard 24-hour messaging window).
Meta permissions used: When you connect your Facebook Page or Instagram Business account, we may request the following Meta permissions: leads_retrieval, ads_management, ads_read, business_management, pages_manage_ads, pages_manage_metadata, pages_messaging, pages_read_engagement, pages_show_list, instagram_business_basic, and instagram_business_manage_messages (or as updated in our Meta App Dashboard). We use this access solely to operate the inbound-reply automation you have configured.
Data we do NOT collect from Meta: Stay Bookd does not access friends lists, contact lists, photos, posts, broader profile data, ad spend beyond lead source attribution, or any Meta platform data not directly required to operate the contracted service.
Data accessed through Meta's APIs is used solely to provide the agreed service to the client whose account is connected. We do not use Meta platform data to target or retarget advertising; to build user profiles beyond what is necessary to deliver the service; to sell, license, or transfer data to any third party for their own purposes; or for any purpose not expressly permitted under Meta's Platform Terms and the specific API permissions granted. We comply with Meta's Platform Terms and Developer Policies.
Meta data retention and deletion: Lead data and message transcripts received through Meta integrations are retained for up to 90 days after a client disconnects their Meta assets or terminates services, then deleted or anonymized. Users whose data we process via Meta integrations may request earlier deletion by emailing info@staybookd.ca with the subject "Meta Data Deletion Request." We will confirm receipt within 5 business days and complete deletion within 30 days, processing such requests in coordination with the relevant business client and in accordance with Meta's Data Deletion requirements. Users may also contact the relevant Facebook Page or Instagram account operator directly.
9. CASL — Commercial Electronic Messages
Where our services send commercial electronic messages (SMS, email) on behalf of our clients, we do so only where our clients have represented to us that valid express or implied consent exists under Canada's Anti-Spam Legislation (CASL). Our clients are contractually responsible for maintaining consent records and ensuring CASL compliance for all messages sent through our platform. Every commercial electronic message sent through our platform identifies the sending business (and Stay Bookd where we send on the client's behalf), includes a current mailing address, includes at least one of: phone number, email address, or web URL, with all contact information valid for at least 60 days after the message, and includes a functioning unsubscribe mechanism, as required by CASL s.6(2) and the Electronic Commerce Protection Regulations (CRTC) s.2.
If you have received automated communications through one of our clients' systems and wish to opt out, you may reply STOP to any SMS message — our system is designed to honor STOP and equivalent opt-out keywords automatically — or contact the business directly. We honor opt-out requests promptly and maintain suppression lists to prevent further automated contact.
10. Consent
We collect personal information with the knowledge and consent of the individuals concerned, except where otherwise permitted by law. For end-customers of our clients, primary consent is obtained through the client's own customer relationship and applicable disclosures. Our clients are contractually required to obtain all necessary consents before activating our services for their customers.
You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us as described in Section 15.
11. Data Retention
Retention periods for end-customer data (call recordings, lead data, SMS history, booking details, CRM records used for Database Reactivation, and operational data accessed through Executive Assistant or Bespoke services) are governed by the individual service agreement with each business client. Where the client requires us to store data, we retain it for the period specified in that agreement. Where the client retains data in their own systems, we may have limited or tiered access for support and debugging only. CRM records provided for Database Reactivation are deleted or returned upon completion of the campaign or upon client request, whichever is earlier. Some industries impose minimum retention requirements (for example, healthcare or financial services); clients are responsible for determining their own legal retention obligations.
For our own business records:
- Client billing records: retained for 7 years as required by Canadian tax law
- Stay Bookd's own prospect and outreach records: retained for up to 36 months from last meaningful interaction, then deleted or anonymized, unless a longer period is required by law
- Commercial electronic message transmission logs (sender, recipient, timestamp, opt-out status): retained for at least 3 years to support CASL compliance audits
When information is no longer needed for the purposes for which it was collected, we delete or anonymize it.
12. Data Security
We implement technical and organizational measures proportionate to the sensitivity of the information we hold, including:
- Encrypted data transmission (TLS) for all data in transit
- Role-based access controls with multi-factor authentication for production systems
- Restricted access to personal information on a need-to-know basis
- Confidentiality obligations for personnel with access to personal data
- Periodic review of security practices
No system is perfectly secure, and we cannot guarantee absolute security. We maintain a security incident response process and will notify affected parties as required by law.
13. Breach Notification
In the event of a breach of security safeguards involving personal information, we will assess the risk of significant harm to affected individuals. Where there is a real risk of significant harm, we will notify the Office of the Information and Privacy Commissioner of Alberta and, where applicable, the Office of the Privacy Commissioner of Canada, and will directly notify affected individuals, in each case as soon as feasible after determining the breach has occurred, as required by Alberta PIPA and PIPEDA s.10.1(2) and (6). We retain breach records for at least 24 months as required by the Breach of Security Safeguards Regulations (SOR/2018-64), s.6.
If you are a business client and we become aware of a breach affecting personal information we process on your behalf, we will notify you as soon as feasible (and, in any event, within 72 hours of confirmation where commercially reasonable) and provide sufficient information for you to meet your own regulatory notification obligations.
If you believe your personal information has been compromised, contact us immediately at info@staybookd.ca.
14. Your Rights
Under Alberta PIPA and PIPEDA, you have the right to:
- Know what personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information, subject to legal obligations
- Withdraw consent for use of your information
- File a complaint with the Office of the Information and Privacy Commissioner of Alberta (OIPC) at oipc.ab.ca
- File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca
To exercise any of these rights, contact us at info@staybookd.ca. We will respond to access and correction requests within 30 days as required by PIPEDA s.8(3) and Alberta PIPA s.28. We may extend this period in accordance with PIPEDA s.8(4) and Alberta PIPA s.31 with written notice to you stating the new deadline, the reason, and your right to complain to the OPC or OIPC Alberta.
To withdraw consent, email info@staybookd.ca. Withdrawal may affect our ability to provide services; we will explain consequences before processing the withdrawal.
15. Contact Us
Privacy Officer. Pursuant to PIPEDA Schedule 1 cl. 4.1.1 and Alberta PIPA s.5(3), the Privacy Officer of 2811940 Alberta Inc. (operating as Stay Bookd) is responsible for compliance with applicable Canadian privacy legislation. Contact:
Privacy Officer, Stay Bookd
2811940 Alberta Inc.
Calgary, Alberta, Canada
info@staybookd.ca
staybookd.ca
Stay Bookd is a trade name of 2811940 Alberta Inc., a corporation incorporated under the laws of Alberta, Canada.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify business clients of material changes via email or in-product notice. We will post the updated policy on our website with the effective date and version number. Where required by law, we will obtain fresh consent for materially changed uses of personal information for which we are the accountable organization. End-customers should also review the privacy policy of the business they are interacting with. The current version of this policy is always available at staybookd.ca/privacy.html.