
EasyBook Partner Privacy Policy

Introduction

At EasyBook AI shpk (referred to as "EasyBook AI", "we", "us" and "our"), we are committed to protecting the privacy of our users. We are the data controller for the personal information we process, in accordance with Albanian data protection law (Law No. 9887, dated 10.3.2008 "On Personal Data Protection" and subsequent amendments) and applicable EU data protection regulations (GDPR).

This Privacy Policy (the "Notice") explains how we collect, manage and protect personal information when you use the EasyBook Partner platform — including the web dashboard at partner.easybook.ai, the EasyBook Partner mobile apps for iOS and Android, and any related EasyBook Partner services (together, the "Partner Services").

The Partner Services are designed for service providers (salons, spas, clinics, studios, trainers, professionals) who use EasyBook AI to manage their business operations — appointments, staff, services, payments, and client communications. Throughout this Notice we refer to you and your business as the "Partner".

A separate privacy policy covers the consumer-facing EasyBook discovery and booking platform at easybook.ai/privacy-policy. The two policies are designed to be read together when relevant.

Contacting us

If you have questions, comments, or requests regarding this Notice, contact us at [email protected]. For matters specifically about personal data, you can reach our Data Protection Officer at [email protected].

What information do we collect & how do we use it?

This section explains what data we collect from you as a Partner and why. For each category, we identify the lawful basis under data protection law.

Automatically collected information

Whenever you use the Partner Services — whether through the web dashboard or the mobile app — we automatically collect certain technical and usage information:

Technical information

IP address, login information, browser type and version, device identifiers, social log-in ID / email address, time zone setting, operating system and platform, hardware version, device settings (language, time zone), file and software names, mobile operator or Internet Service Provider, app version, and on mobile: device model, OS version, battery state, and network type.

Usage information

The full URLs you visit on our platform, clickstream to and through the Partner Services, pages viewed or searched, page response times, length of visits, page interaction (scrolling, clicks, mouse-overs), and any phone number or social media handle used to contact our support team.

Location data

We collect coarse location based on IP address (country / region) to provide localized services and detect fraud. If you grant permission, we may also collect precise GPS coordinates from your device — for example, when you set up a new venue and use the "use my current location" option to autocomplete the venue address, or to provide map-based features within the dashboard. You can revoke this permission at any time in your device settings.

Lawful basis: legitimate interests (operating and securing the platform), and consent (for precise location).

Account creation and authentication

When you create a Partner account or sign in, we collect:

  • First and last name
  • Email address
  • Mobile phone number (optional)
  • Password (stored as a salted hash; we never see your plaintext password)
  • If you sign in with Google or Apple, we receive an authentication token and basic profile information (name, email, user ID; Apple users may choose to hide their email via Apple's private relay).
  • Account preferences (theme, language, timezone, notification preferences)
  • Session and refresh tokens (stored in encrypted HTTP-only cookies)
  • A unique internal user ID we assign to your account

Lawful basis: contract (providing the Partner Services) | legitimate interests (account security).

Business and organization data

To set up your business on the platform, we collect information about your organization and venues:

  • Business / organization name and trading name
  • Business type (e.g. salon, spa, clinic, studio)
  • Venue addresses and coordinates
  • Business contact email and phone
  • Operating hours and time-zone
  • Services, prices, durations, and descriptions you publish
  • Staff names and roles you create within your organization
  • Photos and marketing materials you upload
  • Public reviews and ratings about your business

Lawful basis: contract.

Payments

The Partner Services currently support cash payments only. Clients pay you directly at the time of service; no card, bank, or other payment details flow through the EasyBook platform. You may record transaction amounts and payment status (paid / unpaid / refunded) in the Partner dashboard for your own accounting purposes — this information is treated as ordinary business data under this Notice.

If we introduce online payments in the future, this Notice will be updated before the feature becomes available, and you will be notified of any changes that affect the personal data we process.

Google Calendar integration

If you connect a Google Calendar account, we request the OAuth scopes https://www.googleapis.com/auth/calendar.events and https://www.googleapis.com/auth/calendar.readonly to enable two-way appointment synchronization between your Google Calendar and your EasyBook calendar. We:

  • Read calendar events to detect conflicts and block availability
  • Write new EasyBook appointments to your Google Calendar so they appear in your existing workflow
  • Store an encrypted refresh token so the sync continues to work without re-authentication

We do not use Calendar data for advertising, sell it, or share it with third parties. You can disconnect the integration at any time from your account settings — this revokes our access and deletes the stored refresh token. Our use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements.

Lawful basis: consent (the integration is opt-in and revocable).

Google Contacts integration

If you connect Google Contacts, we request the scope https://www.googleapis.com/auth/contacts.readonly for the sole purpose of helping you import existing client contact information into your EasyBook client list. We read contact name, email, and phone number only at the moment of import; we do not maintain an ongoing sync. You can disconnect this integration at any time. Our use of Google Contacts data complies with the Google API Services User Data Policy, including Limited Use.

Lawful basis: consent.

WhatsApp Business notifications

If you configure WhatsApp Business notifications, we use the WhatsApp Business API to send appointment confirmations, reminders, and updates to your clients on your behalf. To deliver these messages we transmit the recipient's phone number, your business name, and the relevant appointment details to Meta Platforms Ireland Limited. Meta processes these messages as a separate data controller under its own terms.

Lawful basis: contract (sending notifications you have configured to your clients on your behalf).

Inviting and managing staff

When you invite staff members (employees, contractors, professionals) to your organization, we collect their first and last name, email, role title, and permissions you assign. Staff accounts are sub-accounts within your organization and inherit the data-protection arrangements that apply to your organization.

Communications with us

When you contact our support team via email, in-app chat, phone, or social media, we keep records of those communications (subject, content, timestamps) to respond to your query, troubleshoot issues, and improve our service.

Lawful basis: legitimate interests (providing support) | contract.

Marketing communications

If you have opted in, we may send you product updates, tips, surveys, and promotional material relating to the Partner Services. You can opt out at any time by using the unsubscribe link in any marketing email, or by updating your preferences in your account settings.

Lawful basis: consent | legitimate interests (existing customer marketing, where permitted by law).

Your customers' personal data (controller / processor relationship)

The Partner Services allow you to record and manage personal data about your own customers — for example, their name, contact details, appointment history, notes, and consultation forms.

For that customer data, you (the Partner) are the data controller and EasyBook AI acts as a data processor on your behalf, processing the data only in accordance with your instructions and the Partner Terms of Service. A Data Processing Agreement (DPA) consistent with Article 28 GDPR forms part of the Partner Terms of Service.

This means: when one of your customers asks to exercise their rights (access, deletion, rectification, etc.) in relation to data you have recorded in EasyBook, that request is directed to you. EasyBook AI will assist you in responding, but we are not the appropriate addressee for those requests. We publish a separate consumer privacy policy at easybook.ai/privacy-policy covering the data we collect directly from consumers who book through the discovery platform.

You are responsible for collecting any consents required from your customers (for example, for processing health-related "special category" data in consultation forms) and for providing them with appropriate privacy information.

What does each of these lawful bases mean?

We must have a relevant lawful basis for each way in which we use your personal information. The main bases we rely on are:

Consent

We rely on consent for marketing communications, optional integrations (Google Calendar, Google Contacts), precise location, and some of the cookies we use. You can withdraw consent at any time — the relevant section above and our Cookie Policy explain how.

Contract

Much of the data we process is necessary to perform the contract between you and EasyBook AI for the Partner Services (the Partner Terms of Service) — for example, providing the dashboard, sending transactional emails, and operating the booking calendar.

Legal obligation

We may process personal information to comply with our legal obligations under Albanian law, EU regulations, tax and accounting requirements, court orders, and lawful requests from competent authorities.

Legitimate interests

We may process personal information where it is necessary for our legitimate interests, provided those interests are not overridden by your rights. Our legitimate interests include:

  • Operating, securing, and improving the platform (detecting fraud, debugging, analytics, capacity planning)
  • Existing-customer marketing where permitted by law
  • Enforcing our agreements with you and recovering amounts owed
  • Defending against legal claims

If you would like further information about how we balance these legitimate interests against your rights, contact us at [email protected].

Who do we share your information with?

We share personal data only as described below.

  • Google — for Calendar and Contacts integrations (only if you opt in), Google Maps (for venue location autocomplete and map display), Google Analytics 4 (if you accept analytics cookies; IP anonymization enabled), and Firebase Cloud Messaging (for push notifications).
  • Apple — for Sign in with Apple (only if you choose this sign-in method) and Apple Push Notification Service.
  • Meta Platforms Ireland — for WhatsApp Business notifications you configure to be sent to your clients.
  • Cloudflare — as our content delivery network and DDoS protection provider; processes IP addresses and request metadata in transit.
  • Infrastructure providers — cloud hosting, database, and backup providers who process data on our behalf under contractual safeguards.
  • Discovery platform (easybook.ai) — when your services are listed on the consumer-facing discovery platform, your public profile, venue, services, prices, and reviews are visible there. Bookings made through the discovery platform flow into your Partner dashboard.
  • Your invited staff — staff members you invite can see organization data appropriate to the role you assign them.
  • Auditors, legal advisers, and other professional advisers when required.
  • Law enforcement, regulators, and courts where required by law, valid legal process, or to protect rights, safety, or property.
  • Successors in a corporate transaction — if EasyBook AI is acquired or transfers assets, your data may transfer to the acquirer subject to this Notice.

We do not sell personal data to third parties for advertising or other commercial purposes.

Where do we store your information?

EasyBook AI is headquartered in Albania. Most platform data is stored within the European Economic Area (EEA). Some of our service providers (Google, Cloudflare, Apple, Meta) operate globally and may process data in countries outside Albania and the EEA — including the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards approved by the European Commission, in particular Standard Contractual Clauses (SCCs); the EU-U.S. Data Privacy Framework where the recipient is certified; and any other mechanism permitted by data protection law.

How do we protect your information?

We use industry-standard technical and organizational measures to protect personal data, including:

  • TLS encryption for all data in transit
  • AES-GCM encryption at rest for sensitive credentials
  • Encrypted HTTP-only session cookies signed with a private secret
  • Hashed passwords (BCrypt); we never store or have access to your plaintext password
  • Role-based access controls and audit logging on internal systems
  • Regular dependency and security scanning
  • Optional multi-factor authentication (TOTP, security keys, recovery codes)

Internet transmissions are never 100% secure. We do our best to protect personal data, but we cannot guarantee absolute security. If you believe your account has been compromised, contact [email protected] immediately.

Multi-factor authentication and security keys

We offer multi-factor authentication (MFA) to help protect your account. If you enable MFA, we may process the following additional data:

  • TOTP (Time-based One-Time Passwords): an encrypted shared secret used to generate verification codes. The secret does not itself contain personal information.
  • WebAuthn / Passkeys / Security keys: when you register a passkey or hardware security key, we store a public key credential and limited device metadata (credential ID, device type). Your private key never leaves your device.
  • Recovery codes: encrypted recovery codes stored as a backup authentication method.

All MFA secrets and credentials are encrypted at rest using AES-GCM. You can manage and remove MFA methods at any time through your account security settings.

Push notifications

We use Firebase Cloud Messaging (FCM) from Google to deliver push notifications to your device (for example, new bookings, cancellations, daily summaries). When you enable push notifications, we collect and store a device push token that uniquely identifies your device for notification delivery.

You can manage push notification preferences at any time through your account settings or your device's operating system. Disabling push notifications does not affect the core functionality of the Partner Services. Your push token is deleted from our servers when you log out or revoke notification permission. For more information, see Google's privacy policy at policies.google.com/privacy.

Cross-border data transfers

Some of the third-party services we use are operated by companies based outside Albania and the European Economic Area. When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

  • Google (Analytics, Maps, OAuth, Firebase, Calendar, Contacts) — Standard Contractual Clauses; EU-U.S. Data Privacy Framework certified.
  • Cloudflare — global edge processing of requests under Standard Contractual Clauses.
  • Apple — Standard Contractual Clauses for Sign in with Apple and Apple Push Notification Service.
  • Meta Platforms Ireland (WhatsApp Business) — Standard Contractual Clauses and additional safeguards.

How long is your information kept for?

We generally process personal information:

  • For as long as it is necessary for the purpose for which it was collected (typically, for as long as your Partner account is active)
  • For up to six years after account closure to comply with our legal and tax obligations and to resolve any disputes
  • For longer where the law requires (for example, retention obligations under Albanian tax and accounting law)

We may keep aggregated, anonymized data — which is no longer personal data — for analytics and product improvement indefinitely.

What rights do you have with your personal information?

Under data protection law, you have the following rights in relation to the personal information we hold about you:

  • To receive a copy of your personal information (access)
  • To request correction of inaccurate data (rectification)
  • To request deletion of your data (erasure)
  • To request restriction of processing
  • To object to processing
  • To receive your data in a portable format (data portability)
  • To withdraw consent at any time
  • To lodge a complaint with the Albanian Information and Data Protection Commissioner or your local supervisory authority

To exercise any of these rights, contact [email protected]. We will respond within the time limits set by applicable law (typically one month, extendable to three months for complex requests).

Important: if your request relates to data that your own customers have provided through the Partner Services, that request should be directed to you as the data controller for that data. See "Your customers' personal data" above.

Albanian Information and Data Protection Commissioner:

  • Website: www.idp.al
  • Email: [email protected]
  • Address: Commissioner for the Right to Information and Protection of Personal Data, Rr. "Abdi Toptani", Nd. 5, Tiranë, Albania

Children

The Partner Services are not directed at children. You must be at least 18 years old and legally entitled to operate a business to create a Partner account. We do not knowingly collect personal data from children under 16.

Updating this Privacy Policy

This Notice was last updated on 15 May 2026.

We may update this Notice from time to time and will post any changes on this page. If we make any substantive changes, we will notify you in-app, by email, or through a banner in the Partner dashboard before the changes take effect.

Cookie notice

The Partner Services use cookies and similar technologies (device IDs, in-app codes, pixel tags) to operate the platform, remember your preferences, secure your account, and — with your consent — to measure how the platform is used. See our separate Cookie Policy for full details on the cookies we use and how to manage them.