Privacy Policy

Last updated: June 4, 2026

Avayble ("we," "our," or "us") operates a scheduling platform for independent massage providers and their clients. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, web application, and related services (collectively, the "Service").

1. Information We Collect

We collect information that you provide directly to us when you create an account, book an appointment, or communicate with us:

• Account information: name, email address, phone number, password, and account type (client or provider).
• Profile information: mailing address, emergency contact details, and for clients of massage providers, health-related information that you voluntarily provide. Where a provider uses Avayble's intake-form feature, this may include medical history, current medications, allergies and sensitivities, past surgeries or injuries, current conditions, pregnancy status, contraindications, and similar information requested on the provider's intake form. All such information is encrypted at rest and is visible only to your provider.
• Booking information: appointment dates, times, durations, service types, add-ons, pricing, and appointment locations.
• Location data: addresses provided for appointment locations are geocoded (converted to geographic coordinates) to calculate travel times and provide scheduling functionality.
• Payment information: when payment processing is available, payment details are collected and processed by our third-party payment processor. We do not store your full credit card number on our servers.
• Communications: SMS messages sent through our platform, including appointment reminders and booking confirmations.

We also collect certain information automatically when you use the Service:

• Log data: IP address, browser type, operating system, referring URLs, and access times.
• Session data: we use session cookies to keep you logged in and maintain your preferences. These are essential for the Service to function and are not used for advertising or tracking.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service, including scheduling appointments and calculating travel-time-aware availability.
• Send transactional communications such as booking confirmations, appointment reminders, and cancellation notifications via SMS and email.
• Process payments and send invoices when applicable.
• Respond to your requests and provide customer support.
• Protect against fraud, abuse, and unauthorized access.
• Comply with legal obligations.

We do not use your personal information for advertising, marketing to third parties, or profiling.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

• Between providers and their clients: when you book an appointment, your name, phone number, appointment details, and location are shared with your service provider (and vice versa) to facilitate the appointment.
• Service providers we use: we use third-party services to operate the platform, including:
  • Google Maps Platform — for geocoding addresses and calculating driving times and distances.
  • Google API Services (OAuth, Calendar API) — for the optional two-way calendar sync described in Section 5. Only providers who explicitly connect their Google account are covered by this integration; clients are not. See Section 5 for the specific scopes used and how Google data is handled.
  • SignalWire — for sending SMS appointment reminders and notifications.
  • Resend — for sending transactional emails (booking confirmations, receipts, password reset) and, where the provider has enabled email outreach, marketing emails sent on the provider's behalf with their name and logo as the visible sender.
  • Stripe — for processing card payments. When a client pays by card, the booking is created through Stripe Connect on the provider's connected account. Stripe collects and stores full card details; Avayble stores only a Stripe payment intent identifier, the gross and net amounts, and a record of whether the charge succeeded. We never see or store full card numbers.
  • MongoDB Atlas — for secure cloud database hosting.
  • Heroku — for application hosting.
  • Cloudinary — for provider logo and image hosting.
  These providers process your data only as necessary to provide their services to us and are bound by their own privacy policies.
• Legal requirements: we may disclose your information if required by law, regulation, legal process, or governmental request.

4. SMS Messaging

Avayble offers an opt-in SMS program for transactional appointment communications. When you opt in, you agree to receive automated text messages for:

• Appointment booking confirmations
• Appointment reminders (24-hour and 1-hour advance notices)
• Cancellation and reschedule notifications
• Account notifications (providers only)

Opt-In: SMS consent is collected during account signup, provider onboarding, or client account claim, when you check a clearly labeled SMS consent checkbox. Your consent status is stored on your account and verified before every message is sent. Consent is voluntary and is not a condition of using the Service.

Opt-Out: You can stop receiving SMS messages at any time by:

• Replying STOP to any message
• Disabling SMS notifications in your account settings
• Contacting us at the email listed below

Help: Reply HELP to any message for assistance, or contact us at the email listed below.

Message frequency varies based on your appointment activity. Standard message and data rates may apply depending on your mobile carrier and plan.

We do not send promotional or marketing messages via SMS through our gateway. All messages sent by Avayble are transactional and directly related to your appointments or account. For complete details on our SMS program, see our SMS Communication Policy.

5. Google API Services

Avayble offers an optional Google Calendar integration available to providers (not clients). When a provider chooses to connect their Google account, Avayble requests access through Google’s OAuth consent flow using only the specific scopes listed below. No Google data is accessed for providers who have not connected their account.

Scopes requested and how each is used:

• https://www.googleapis.com/auth/calendar.events — read and write access to events on the provider’s calendars. We use this scope to (a) read the provider’s existing calendar events so that times marked busy in Google Calendar are blocked off in Avayble’s availability picker, preventing clients from booking on top of pre-existing commitments; (b) write each confirmed Avayble booking onto the provider’s calendar as an event so it appears alongside their other commitments; (c) update or delete those Avayble-created events when the underlying booking is rescheduled or cancelled.
• https://www.googleapis.com/auth/calendar.calendarlist.readonly — read-only access to the list of calendars the provider is subscribed to. We use this scope to populate the calendar-selection picker so the provider can choose which of their calendars to sync into Avayble’s availability blocking.
• https://www.googleapis.com/auth/userinfo.email — read access to the email address associated with the connected Google account. We use this scope to display which Google account is connected in the provider’s settings page and to detect when the connected account changes.

What we store from Google data: for each event we read from the provider’s synced calendars, we store the start time, end time, calendar identifier, event identifier, event title, and (when present) the event’s location, so that the event can be displayed as a blocked time slot in the provider’s schedule. We do not store event descriptions, attendee lists, attachments, or any other event metadata. Stored event data is automatically removed when the source event is cancelled in Google Calendar or when the provider disconnects the integration.

What we store for events we write: the event identifier and calendar identifier of each event Avayble creates on the provider’s calendar, recorded on the corresponding Avayble booking so the event can be updated when the booking is rescheduled and deleted when the booking is cancelled.

Limited Use disclosure. Avayble’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide and improve the calendar sync feature described above. We do not use it for any other purpose.
• We do not transfer Google user data to third parties except as necessary to provide or improve the feature (for example, to our hosting and database providers, who process the data only on our behalf), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
• We do not allow humans to read Google user data unless we have the provider’s affirmative agreement for specific identified messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for internal operations and only on data that has been aggregated and anonymized.
• We do not use Google user data to develop, improve, or train generalized or non-personalized AI and machine-learning models.

Revoking access. Providers can disconnect Google Calendar at any time from their Avayble settings page. Disconnecting revokes Avayble’s stored tokens, stops all webhook subscriptions, and removes the synced calendar data from Avayble. Providers can also revoke Avayble’s access directly from their Google account permissions page; doing so will cause the integration to fail until the provider reconnects through Avayble.

6. Data Storage and Security

Your data is stored in encrypted cloud databases hosted in the United States. We implement industry-standard security measures including:

• Password hashing using bcrypt
• HTTPS encryption for all data in transit
• Secure, HTTP-only session cookies
• Rate limiting to prevent abuse
• Access controls limiting data access to authorized users

While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you request account deletion, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, accounting, or compliance purposes.

Appointment records may be retained in anonymized form for analytics and service improvement purposes.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request that we correct inaccurate or incomplete information.
• Deletion: request that we delete your personal information.
• Portability: Providers may export their complete account data — including client roster, encrypted notes, intake responses, packages, standing series, bookings, and financial reports — as a downloadable archive directly from account settings at any time and without charge. Clients may request a copy of their own records by contacting their provider in the first instance, or us at the email below.
• Opt-out: opt out of SMS communications at any time.

To exercise any of these rights, contact us using the information below. We will respond within 30 days.

9. California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

If the massage provider you book with through the Service is a California Certified Massage Therapist (CMT) — who, as of January 1, 2026 under Assembly Bill 1697, is classified as a "provider of health care" — or any other regulated health-care provider, certain health-related information you share with them through the Service (such as treatment notes, allergies, medical conditions, or treatment preferences) is also protected by the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.). Under CMIA, your provider is the holder of your medical information, with duties to keep it confidential and to use and disclose it only as permitted by law. Avayble acts as a contractor handling that information on the provider's behalf and maintains reasonable physical, administrative, and technical safeguards consistent with CMIA, including encryption of sensitive fields at rest, encrypted transit, access controls, and breach-notification practices. Requests to access, correct, or delete medical information should be directed to your provider in the first instance; you may also contact us at the email below.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the date at the top of this page. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

---

Contact Us