Privacy Policy
Last updated: 23 April 2026
1. Who We Are
Rexabook is a trading-style of Zazu Technologies Ltd, a company registered in England and Wales (company number 08544613), with its registered office at 1 Beech Grove, Darwen, Lancashire, BB3 0AP. We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB949572.
We are the data controller for your account information (the business owner) and a data processor for your clients' personal data, which you control.
Contact: [email protected]
We have assessed that we are not required to appoint a Data Protection Officer under UK GDPR. Data protection queries can be directed to the contact address above.
2. What Data We Collect
2.1 Business Owner Data (you)
When you create an account, we collect:
- Email address and password (hashed with PBKDF2-SHA256)
- Business name and URL slug
- Phone number (optional — used for trial onboarding messages)
- Payment information (processed by Stripe — we never see your full card details)
2.2 Client Data (your customers)
When your clients book appointments, the following data is stored in your isolated tenant database:
- Name, phone number, email address
- Booking history (dates, services, status)
- WhatsApp opt-in/opt-out status and message delivery logs
- Intake form responses (if configured)
- Notes and tags (added by you)
You are the data controller for your clients' data. We process it on your behalf as a data processor.
2.3 Technical Data
We automatically collect:
- IP addresses (for rate limiting and security — not stored long-term)
- Device tokens (for push notifications, if enabled)
- Browser/device type via Cloudflare analytics (aggregated, not individual)
3. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Providing the booking service | Contract performance |
| Sending booking confirmations and reminders to your clients | Legitimate interest (service delivery) |
| Processing payments via Stripe | Contract performance |
| Sending you trial onboarding and billing communications | Legitimate interest (customer relationship) |
| Rate limiting and abuse prevention | Legitimate interest (security) |
| Push notifications about bookings | Consent (you enable this in the app) |
4. Data Isolation
Rexabook uses a database-per-tenant architecture. Each business gets its own isolated database. Your data is physically separated from other businesses: there are no shared tables and no row-level security policies, because isolation comes from separate databases rather than from filtering rows within one. Other businesses cannot access your data, and vice versa.
5. Where Data Is Stored
All data is processed and stored on Cloudflare's global network. Cloudflare Workers run in V8 isolates at the edge. D1 databases are SQLite-based and replicated across Cloudflare's infrastructure.
Third-party sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, database (D1), object storage (R2), CDN, edge compute | USA |
| Stripe Payments UK Ltd / Stripe, Inc. | Payment processing, subscription billing, Stripe Connect payouts | UK / USA |
| Meta Platforms, Inc. | WhatsApp message delivery via Meta Cloud API | USA |
| Postmark (Wildbit, LLC) | Transactional email delivery | USA |
| Twilio, Inc. | SMS delivery (when the SMS add-on is enabled on your account) | USA |
| Google LLC | Firebase Cloud Messaging (push notifications), Google Calendar sync (optional), Google Places reviews (optional) | USA |
5.1 International Transfers
Personal data processed through Rexabook may be transferred outside the United Kingdom to sub-processors based in the United States. Where such transfers occur, they are protected by one or more of the following lawful transfer mechanisms:
- the UK International Data Transfer Addendum to the EU Standard Contractual Clauses;
- the EU-US Data Privacy Framework and its UK extension, where the recipient is self-certified; or
- the UK International Data Transfer Agreement (IDTA).
Copies of the relevant transfer mechanisms are available on request from [email protected].
6. Data Retention
- Active accounts: data retained for the lifetime of the account
- Cancelled accounts: tenant database deleted within 30 days of account closure
- Password reset tokens: automatically expire after 15 minutes
- Rate-limiting data: automatically expires after the rate window (15–60 minutes)
- Stripe data: retained by Stripe per their privacy policy
7. WhatsApp Messaging
7.1 Connecting your WhatsApp Business Account
Rexabook uses Meta's Embedded Signup flow to connect your WhatsApp Business Account (WABA). When you click "Connect WhatsApp" in your dashboard:
- You are redirected to Meta, where you select (or create) the WhatsApp Business Account and phone number you want to use with Rexabook.
- Meta returns an authorisation code to our platform. We exchange this code with Meta's Graph API for a long-lived System User access token scoped to your WABA.
- We store that token encrypted at rest using AES-256-GCM in our global database, alongside the WABA ID and Phone Number ID you selected.
- You can disconnect at any time from the WhatsApp settings page. Disconnecting deletes the stored token from our database.
7.2 How we use your WhatsApp connection
- We send appointment confirmations, reminders, HotSlot cancellation broadcasts and campaign messages on your behalf to the client phone numbers you have stored.
- We receive inbound message webhooks from Meta so we can route client replies (e.g. CONFIRM, CANCEL, YES, STOP) to the correct workflow.
- We log message delivery status (sent, delivered, read, failed) to provide you with campaign and reminder analytics.
- STOP opt-outs are processed automatically and immediately — the affected client is flagged as opted-out and no further WhatsApp messages are sent to them.
7.3 Consent for marketing messages
Transactional WhatsApp messages relating to a specific booking (confirmations, reminders, changes, HotSlot offers) are sent on the lawful basis of the contract or legitimate interest in fulfilling the client's booking request.
Marketing campaign messages (for example, promotional broadcasts through the CRM campaign tool) may only be sent to clients who have given explicit prior consent to receive marketing communications. That consent is collected and recorded by the business owner (our customer) through their own client-facing processes — for example, at the point a client provides their phone number or during check-in. Rexabook stores the resulting opt-in flag against the client record, enforces it at send time, and honours STOP replies automatically and irrevocably. If a client has not opted in to marketing, Rexabook will not send them marketing messages, regardless of any instruction from the business owner.
We do not read, mine or use the content of messages between you and your clients for any purpose other than operating the service (e.g. keyword detection for CONFIRM / CANCEL / STOP / YES). We do not use WhatsApp message content to train machine-learning models.
8. Cookies
The Rexabook promotional site (rexabook.com) does not use tracking cookies. We do not use Google Analytics or similar tracking tools.
The booking application uses localStorage to store your authentication token. This is essential for the service to function and does not require consent under UK GDPR.
9. Your Rights (UK GDPR)
As a UK-based service, we comply with the UK General Data Protection Regulation. You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Restriction — request we limit processing of your data
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
For your clients
Your clients should contact you (the business owner) to exercise their data rights, as you are the data controller for their information. If a client contacts us directly, we will direct them to you.
Right to complain to the ICO
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concerns before you contact the ICO.
10. Automated Decision-Making
We do not use your personal data, or your clients' personal data, for automated decision-making that produces legal or similarly significant effects, and we do not carry out profiling within the meaning of Article 22 UK GDPR.
11. Security
We take security seriously:
- Passwords are hashed with PBKDF2-SHA256 (100,000 iterations)
- Authentication uses HMAC-SHA256 signed JWTs
- Sensitive tokens (WABA credentials, OAuth tokens) are encrypted with AES-256-GCM at rest
- All traffic is encrypted via HTTPS (Cloudflare edge TLS)
- Worker-to-worker communication is authenticated with shared secrets
- Rate limiting protects against brute-force attacks
- Database-per-tenant isolation prevents cross-tenant data access
12. Children
Rexabook is a business tool and is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the most recent version.
14. Contact
For privacy-related questions or to exercise your data rights, contact us at: