Privacy Policy

1. Two roles: data we control, and data we handle for practitioners

Georgie serves two kinds of people, and our responsibilities differ for each.

When you sign up as a practitioner, we are the controller of your account and business information. This policy describes how we collect, use, and share it.

When you, as a practitioner, add information about your clients, you are the controller of that information and Georgie is your service provider, handling it on your behalf and on your instructions. Depending on where you and your clients are located and the laws that apply, you may be described as a "covered entity," "controller," or similar, and Georgie may be described as a "business associate," "service provider," or "processor." These are different names for the same relationship: your clients' information is yours, and we handle it for you. The terms that govern this handling are set out in our Terms of Service and, where one applies, a Business Associate Agreement or Data Processing Addendum.

One exception: we are the controller of the credentials people use to sign in, such as a hashed password or a linked Google or Apple identity, because we hold them to keep accounts secure. We will not hand a person's sign-in credentials to anyone, including the practitioner whose client they are.

If you are a client of a practitioner who uses Georgie and you have a question about your information, please contact that practitioner directly. We will support them in responding to your request.

2. Definitions

To keep this policy clear, a few terms are used throughout:

• • Practitioner: a wellness professional or business that has a Georgie account. The practitioner is our customer.
• • Client: a person who books with, or is a client of, a practitioner. A client is not Georgie's customer; the client's relationship is with the practitioner.
• • Personal information: information that identifies, relates to, or could reasonably be linked to a particular person or household.
• • Health-related notes: information a practitioner chooses to record about a client's health, treatment, or care, such as SOAP notes. This can include information that some laws treat as sensitive or as protected health information.
• • Stripe: Stripe, Inc. Stripe is our payment processor for your Georgie subscription, and is your payment processor for the payments you take from your clients; Georgie is not a party to those client payments.
• • Service: our website, application, and iOS app.

3. Information you provide

We collect the information you give us, including:

• • Account and business details: your name, email address, password, and your business's name, address, hours, services, and pricing.
• • Client records you enter: your clients' names, contact details (including email address and mobile number), appointment history, and any notes or health-related notes you choose to store.
• • Booking submissions: when a client books with you, the name, contact details, and any notes they provide on your booking page.
• • Payment information: handled by Stripe. We receive limited details such as amounts and payment status. We do not collect or store full card numbers.
• • Communications: information you share when you contact us for support.

Health-related notes should be kept only in the fields built for them, such as a client's notes or SOAP notes. Please do not put health information into fields that are not meant for it, such as a service name, a booking-page message, or the text of an SMS reminder.

4. Information we collect automatically

When you use the Service, we automatically collect some technical information, such as your IP address, device and browser type, the pages you view, and the dates and times of your activity. We use strictly necessary cookies to keep you signed in and to protect the Service. See "Cookies and tracking" below.

5. Information from third parties

If you choose to sign in with Google or Apple, we receive basic profile information, such as your name and email address, according to your settings with that provider. We do not receive your password from them.

6. How we use information

We use information for the following purposes:

• • To provide, operate, maintain, and secure the Service.
• • To process your subscription and to facilitate payments between you and your clients.
• • To send service messages, such as booking confirmations, reminders, and security notifications.
• • To respond to your support requests.
• • To detect, prevent, and address fraud, abuse, and security issues.
• • To understand how the Service is used so that we can improve it.
• • To comply with our legal obligations.

We do not use Your Content, including client records and health-related notes, to train machine-learning or artificial-intelligence models.

If you are in a region with data-protection laws such as the EU or UK GDPR, we rely on the following legal bases: performing our contract with you, our legitimate interests in operating and securing the Service, your consent where we ask for it, and compliance with our legal obligations.

7. What we do not do

We do not sell your personal information, and we do not sell or share your clients' personal information. We do not use your clients' information for advertising.

Phone numbers and SMS opt-in or consent records are used only to deliver the messages you and your practitioner ask us to send. We do not sell or share them, and we do not share them with third parties for their own marketing.

8. How we share information

We share information only in these circumstances:

• • Service providers: companies that help us run Georgie and handle information on our behalf under contract. The current list, including what each one does, is in "Service providers we use" below.
• • At your direction: client information is shared as you instruct, such as sending a booking confirmation to your client.
• • Legal reasons: to comply with the law, respond to lawful requests, enforce our Terms, or protect the rights, safety, and security of our users and others.
• • Business transfers: if Georgie is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, and the recipient will be bound by terms at least as protective as this policy.

We will give practitioners advance notice before we add a new service provider that materially handles client information, so they have a chance to raise any concern.

9. Service providers we use

We use a small number of trusted providers to run Georgie. Each one handles information only as needed to provide its service to us, under a contract that requires it to protect that information.

• • Amazon Web Services: hosting and storage of the Service, with encryption in transit and at rest. United States.
• • Stripe: payment processing for your subscription and for the payments you take from your clients. Stripe handles card data directly; we do not store full card numbers.
• • Amazon Web Services End User Messaging, and our email delivery provider: sending email and SMS service messages, such as booking confirmations and reminders.
• • Google and Apple: sign-in, if you choose to use it.

We keep this list current. If you would like to be notified when we make a material change to our service providers, or if you need this information for your own vendor review, email us at privacy@georgiescheduler.com.

10. Cookies and tracking

Georgie uses only cookies that are necessary for the Service to work, including cookies that keep you signed in, protect against fraud, and remember basic state such as whether you are signed in. We do not use cookies for advertising or for third-party tracking.

Because we use only strictly necessary cookies, we do not currently engage in any activity that counts as "selling" or "sharing" your personal information under US state privacy laws, and we have nothing to opt out of for advertising purposes. If we ever add analytics or other non-essential cookies, we will update this policy first and provide the choices the law requires, including honoring browser-based opt-out signals as described in "Your privacy choices."

11. How we keep information secure

Georgie runs on Amazon Web Services, with encryption in transit and at rest. Our protections include access controls, rate limiting on sensitive endpoints, session management tied to your device, and audit logging. Our security controls are aligned with the SOC 2 Common Criteria and architected for the HIPAA Security Rule. We are not certified, and we never claim to be.

No method of storing or transmitting data is completely secure, so while we work hard to protect your information, we cannot guarantee absolute security.

If we confirm a security incident that affects your information, we will notify you without undue delay, as required by applicable law, and give you the information you reasonably need to meet your own notification obligations, such as those under the HIPAA Breach Notification Rule or state breach-notification laws.

12. Health information and HIPAA

Georgie is built for wellness practitioners, and many practitioners record health-related notes about their clients. Here is how we handle that.

Georgie is not a HIPAA covered entity. The practitioner decides whether their practice is subject to HIPAA or similar health-privacy laws, and the practitioner remains responsible for their own compliance. As described above, the practitioner is the controller of their clients' information, including any health-related notes, and Georgie handles it on the practitioner's behalf.

If you are a practitioner subject to HIPAA and you intend to store protected health information in Georgie, a Business Associate Agreement should be in place. Contact us at privacy@georgiescheduler.com to put one in place.

Stripe processes payments and does not sign a Business Associate Agreement, because payment processors are not business associates under HIPAA. Do not put any health information into payment fields, such as a charge description.

One note on the design of your work: health-related notes belong in the client-notes and SOAP-note fields. Avoid placing health information into SMS or email reminder text, which is delivered through your client's carrier and inbox and is not the place for sensitive details.

13. Messages: email and SMS

Georgie sends two kinds of messages.

Service messages are part of the Service: booking confirmations, appointment reminders the practitioner has set up, account notices, and security alerts. Because these keep the booking working, they are not promotional, and you cannot opt out of them while you have an active relationship through Georgie.

For SMS specifically: message frequency depends on your appointments, message and data rates may apply, and you can reply STOP to any text to stop receiving texts, or HELP for help. Carriers are not liable for delayed or undelivered messages, and neither Georgie nor your practitioner can guarantee carrier delivery.

Consent for reminders is collected by the practitioner. If you are a practitioner, you are responsible for obtaining each client's consent to receive email and SMS reminders before they are sent, and for honoring opt-out requests, as set out in our Terms of Service.

14. How long we keep information

We keep your account and client information for as long as your account is active and as needed to provide the Service.

When your account is closed, you will have 30 days to export Your Content. After that, we delete or de-identify Your Content, including client records and health-related notes, within 90 days, except where we need to keep certain records longer to meet legal, accounting, or security obligations. Those longer-kept records include transaction records, kept for up to seven years for tax purposes, and audit logs, kept for up to six years in line with HIPAA Security Rule expectations.

If you are a practitioner, deleting client records inside Georgie removes them from your active account; backups are overwritten on our normal backup cycle.

15. Your privacy choices

We do not sell or share your personal information, and we do not sell or share your clients' personal information.

Some browsers and extensions can send a Global Privacy Control (GPC) signal that asks sites not to sell or share personal information. We honor GPC and similar opt-out preference signals where the law requires it. Because we already do not sell or share, there is nothing further you need to do, but if that ever changes, this signal will be treated as a valid opt-out request.

You can also opt out of non-essential emails from us at any time using the link in the email or by contacting us. We will still send the service messages needed to operate your account.

16. Your rights

You can review and update your account information at any time from within Georgie. Depending on where you live, you also have privacy rights described below. To exercise any of them, email us at privacy@georgiescheduler.com. We may need to verify your identity before we act, and we will respond within the time the law allows.

If you are in California or another US state with a comprehensive privacy law, you have the right to: know and access the personal information we hold about you; correct inaccurate information; delete your information; and opt out of the sale or sharing of your information and of targeted advertising (we do none of these). We will not discriminate against you for exercising these rights. You may use an authorized agent to make a request on your behalf, and if we deny a request you may appeal by replying to our response or emailing us at privacy@georgiescheduler.com. We aim to respond to these requests within 45 days, and will tell you if we need an extension.

The categories of personal information we collect, and the purposes we use them for, are described in "Information you provide," "Information we collect automatically," and "How we use information" above. We collect identifiers, account and commercial information, internet and device activity, and, where a practitioner enters it, health-related notes, which some laws treat as sensitive personal information.

If you are in the EU, UK, or another region under the GDPR, you have the right to: access your information; correct it; erase it; restrict or object to certain processing; receive a portable copy; and withdraw consent where we relied on it. You also have the right to complain to your local supervisory authority. We aim to respond within one month.

If you are a client of a practitioner, the practitioner controls your information, so please direct your request to them. We will support them in responding.

17. International users and data transfers

Georgie is operated from the United States, we process information there, and the Service is intended for users in the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where we and our providers operate, which may have data-protection laws different from those in your own country.

Many US state laws and the GDPR require opt-in consent before health-related or other sensitive information is processed. If you are a practitioner, you are responsible for obtaining your clients' consent to store their information, including any health-related notes, as set out in our Terms of Service.

If you are a practitioner who needs a Data Processing Addendum for your own compliance, contact us at privacy@georgiescheduler.com.

18. Children's privacy

The Service is intended for practitioners and is not directed to children. We do not knowingly collect personal information directly from children. Practitioners are responsible for any client information they enter, including for clients who are minors, and for obtaining any consents required, such as from a parent or guardian.

19. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will post the new version and change the "last updated" date above. If the changes are material, we will give practitioners notice by email or within the app before they take effect. Your continued use of the Service after a change takes effect means you accept the updated policy.

20. Contact us

Questions about your privacy or this policy? We are happy to help.

• • Email: privacy@georgiescheduler.com
• • Mail: [Legal Entity Name], [mailing address]