Privacy Policy

Last updated: March 26, 2026  ·  Effective date: March 26, 2026

1. Introduction and Identity of the Data Controller

Welcome to Remindly ("we", "us", or "our"). Remindly operates the website goremindly.com and the associated SaaS platform that sends automated WhatsApp appointment reminders by integrating with Google Calendar (the "Service").

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Israeli Privacy Protection Law 5741-1981 and its regulations (including the Privacy Protection Regulations (Data Security) 5777-2017), and all other applicable data-protection legislation, Remindly is the data controller responsible for the personal data described in this Policy.

Contact us at any time:
Privacy inquiries: privacy@goremindly.com
General support: support@goremindly.com

2. Data We Collect

2.1 Account and Business Data

  • Full name and email address of the account holder
  • Business name, business type, and timezone
  • Password (stored as a bcrypt hash — never in plain text)
  • Subscription and billing information (processed by Stripe; we store only plan type and status)

2.2 Client Data (End-Client Personal Data)

As a user of the Service, you may enter personal data about your own clients, including:

  • Client name
  • WhatsApp phone number
  • Appointment date, time, and notes (as extracted from Google Calendar)
  • Reminder status and client responses (CONFIRM / CANCEL)

Important: You, as the business operator, act as the data controller of your clients' personal data. Remindly processes this data solely on your behalf as a data processor. You are responsible for having a lawful basis to collect and share your clients' phone numbers with us and for informing your clients that their data will be used to send WhatsApp reminders.

2.3 Google Calendar Data

  • Calendar event titles, descriptions, start and end times
  • Google account email (for OAuth authentication)
  • OAuth access and refresh tokens (stored encrypted)

We request read-only access to your Google Calendar. We do not modify, delete, or create calendar events. Access can be revoked at any time from your Google Account settings.

2.4 Usage and Technical Data

  • IP address and browser user-agent (for security and fraud prevention)
  • Session tokens (stored as secure, httpOnly cookies)
  • Service usage logs (API calls, reminder delivery status)
  • Error and diagnostic logs

2.5 Data We Do NOT Collect

  • Special category data (health, religion, political opinions, etc.)
  • Payment card numbers (handled exclusively by Stripe)
  • WhatsApp message content beyond confirmation/cancellation replies

3. Legal Basis for Processing (GDPR Article 6)

Processing Activity | Legal Basis
Providing the Service and managing your account | Performance of a contract (Art. 6(1)(b))
Sending WhatsApp reminders to your clients | Legitimate interests of the business operator (Art. 6(1)(f)) / Contract
Google Calendar synchronization | Performance of a contract (Art. 6(1)(b))
Billing and invoicing | Legal obligation + Contract (Art. 6(1)(b)(c))
Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f))
Compliance with legal obligations | Legal obligation (Art. 6(1)(c))
Marketing communications (optional) | Consent (Art. 6(1)(a)) — you may opt out at any time

4. How We Use Your Data

  • To create and manage your Remindly account
  • To sync your Google Calendar and detect upcoming appointments
  • To send WhatsApp reminder messages to your clients at 48 hours and 24 hours before each appointment
  • To display appointment status, confirmation, and cancellation data in your dashboard
  • To process payments and manage your subscription
  • To provide customer support
  • To detect and prevent fraud, abuse, or unauthorized access
  • To comply with applicable legal obligations
  • To improve and develop the Service (using aggregated, anonymized data only)

We never sell your personal data or your clients' personal data to third parties. We do not use personal data for automated profiling or decision-making that produces legal or similarly significant effects.

5. Data Sharing and Third-Party Processors

We share data only with trusted sub-processors necessary to operate the Service, all bound by data-processing agreements consistent with GDPR Article 28:

Meta Platforms (WhatsApp Business API)
Purpose: Delivering WhatsApp reminder messages to your clients
Location: United States
Data transferred: Client phone number, message content

Google LLC (Google Calendar API & OAuth)
Purpose: Reading calendar events and authenticating your account
Location: United States
Data transferred: Google account email, calendar event data, OAuth tokens

Supabase (PostgreSQL database hosting)
Purpose: Storing all application data
Location: AWS — ap-south-1 (Singapore/India region)
Data transferred: All account, client, and appointment data

Vercel Inc. (hosting & serverless functions)
Purpose: Hosting the web application and API
Location: United States / Global CDN
Data transferred: Request logs, IP addresses

Stripe Inc. (payment processing)
Purpose: Processing subscription payments
Location: United States
Data transferred: Billing name, email, payment method metadata

Anthropic PBC (AI assistant)
Purpose: Powering the in-app AI support chat widget
Location: United States
Data transferred: Chat messages submitted by the user

We may also disclose data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Remindly, its users, or the public.

6. International Data Transfers

Some of our sub-processors are located in the United States. Where data is transferred outside the European Economic Area (EEA), the United Kingdom, or Israel, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules or other approved transfer mechanisms

You may request a copy of the relevant transfer safeguards by contacting us at privacy@goremindly.com.

7. Data Retention

Data Type | Retention Period
Account and business data | Duration of account + 90 days after deletion request
Client names and phone numbers | Duration of account + 30 days after deletion request
Appointment records | 24 months from appointment date, then auto-deleted
Reminder logs | 12 months
Billing records | 7 years (legal/tax obligation)
Security and access logs | 90 days
OAuth tokens (Google) | Until revoked or account deleted

Upon account deletion, all personal data (except data required to be retained for legal or regulatory reasons) is permanently deleted within 30 days.

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Under GDPR / UK GDPR (EU & UK residents)

  • Right of access (Art. 15): Obtain a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure / "Right to be forgotten" (Art. 17): Request deletion of your data where there is no compelling reason to continue processing.
  • Right to restrict processing (Art. 18): Ask us to limit how we use your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making (Art. 22): We do not carry out solely automated decision-making with legal or similarly significant effects.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Under Israeli Privacy Protection Law (Israeli residents)

  • Right to access your personal data held in our database
  • Right to correct inaccurate data
  • Right to object to use of data for direct marketing
  • Rights under the Privacy Protection Regulations (Data Security) 5777-2017

Under CCPA / CPRA (California residents)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to opt-out of the sale or sharing of personal information (we do not sell data)
  • Right to non-discrimination for exercising your rights
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information

To exercise any of these rights, email us at privacy@goremindly.com with the subject line "Privacy Request". We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing the request.

Right to Lodge a Complaint

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with:

  • Your local EU/EEA data protection authority
  • The UK Information Commissioner's Office (ICO) — ico.org.uk
  • The Israeli Privacy Protection Authority (Reshut HaGanat HaPratiyut) — gov.il/ILPPA

9. Cookies and Tracking Technologies

We use the following cookies:

Cookie | Type | Purpose | Duration
session | Strictly necessary | Keeps you logged in to your account | 7 days
theme | Preferences | Remembers your light/dark mode preference | 1 year

We do not use advertising cookies, cross-site tracking, or third-party analytics cookies (e.g., Google Analytics). The session cookie is strictly necessary for the Service to function and does not require consent under ePrivacy Directive Article 5(3).

10. Data Security

We implement technical and organizational measures appropriate to the risk, including:

  • Passwords hashed using bcrypt with a minimum cost factor of 12
  • All data in transit encrypted via TLS 1.2+
  • Database access restricted to application-layer only (no public access)
  • OAuth tokens stored encrypted at rest
  • HMAC signature verification on all incoming webhooks
  • Rate limiting on all authentication endpoints
  • HTTP security headers (HSTS, CSP, X-Frame-Options, etc.)
  • Input validation using Zod on all API endpoints
  • Access logs retained for 90 days for incident response

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected users without undue delay and, where required, notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Articles 33–34).

11. Children's Privacy

The Service is intended for use by business operators and is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@goremindly.com and we will delete it promptly.

12. Data Processing Agreement (DPA)

If you use the Service in a professional or commercial capacity and are subject to GDPR, you may require a Data Processing Agreement (DPA) pursuant to GDPR Article 28. Please contact us at privacy@goremindly.com to request our standard DPA. We will execute it within 10 business days.

13. Your Clients' Data — Your Responsibilities

When you add your clients' phone numbers to appointment descriptions in Google Calendar, you confirm that:

  • You have a lawful basis under applicable law to collect and process your clients' phone numbers
  • You have informed your clients that they will receive WhatsApp appointment reminders
  • You have obtained any consent required by applicable law for WhatsApp marketing or service communications
  • You will honor deletion requests from your clients and promptly remove their data from Remindly

We recommend that you include a notice in your booking confirmation communications informing clients that they will receive WhatsApp reminders via the Remindly platform.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all registered account holders at least 14 days before the changes take effect
  • Where required by law, seek your consent before implementing the changes

Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact Us

Remindly

Website: goremindly.com

Privacy inquiries: privacy@goremindly.com

General support: support@goremindly.com

We will respond to all privacy-related requests within 30 days. For complex requests, we may extend this by up to an additional 60 days and will notify you of the extension within the initial 30-day period.