Privacy Policy

Last updated: 12 June 2026

This Privacy Policy is provided in English. A summary in your language is available on request - contact [email protected].

1. Who We Are

Rexabook is a trading style of Zazu Technologies Ltd, a company registered in England and Wales (company number 08544613), with its registered office at 1 Beech Grove, Darwen, Lancashire, BB3 0AP. We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB949572.

We are the data controller for your account information (the business owner) and a data processor for your clients' personal data, which you control.

Contact: [email protected]

We have assessed that we are not required to appoint a Data Protection Officer under UK GDPR. Data protection queries can be directed to the contact address above.

2. What Data We Collect

2.1 Business Owner Data (you)

When you create an account, we collect:

  • Email address and password (hashed with PBKDF2-SHA256)
  • Business name and URL slug
  • Phone number (optional - used for trial onboarding messages)
  • Payment information (processed by Stripe - we never see your full card details)

2.2 Client Data (your customers)

When your clients book appointments, the following data is stored in your isolated tenant database:

  • Name, phone number, email address
  • Booking history (dates, services, status)
  • Email message delivery logs (sent / delivered / bounced)
  • Marketing-email opt-in and opt-out flags (recorded when the client opts in or out via the booking flow, the self-serve notification preferences, or an unsubscribe link in a marketing email - see §7.3)
  • Intake form responses (if configured)
  • Notes and tags (added by you)

You are the data controller for your clients' data. We process it on your behalf as a data processor.

2.3 Technical Data

We automatically collect:

  • IP addresses (for rate limiting and security - not stored long-term)
  • Device tokens (for push notifications, if enabled)
  • Browser/device type via Cloudflare analytics (aggregated, not individual)

3. How We Use Your Data

Purpose | Legal basis
Providing the booking service | Contract performance
Sending booking confirmations and reminders to your clients | Legitimate interest (service delivery)
Processing payments via Stripe | Contract performance
Sending you trial onboarding and billing communications | Legitimate interest (customer relationship)
Rate limiting and abuse prevention | Legitimate interest (security)
Drafting suggested replies to contact-form enquiries using the AI Receptionist (on the contact-form / email channel only - see §7.4) | Legitimate interest (service delivery, when the AI is enabled for the conversation)
Push notifications about bookings | Consent (you enable this in the app)

4. Data Isolation

Rexabook uses a database-per-tenant architecture. Each business gets its own isolated database. Your data is physically separated from other businesses' data - there are no shared tables and no row-level security policies. Other businesses cannot access your data, and vice versa.

5. Where Data Is Stored

All data is processed and stored on Cloudflare's global network. Cloudflare Workers run in V8 isolates at the edge. D1 databases are SQLite-based and replicated across Cloudflare's infrastructure.

Rexabook does not currently send WhatsApp or SMS messages. The sub-processors below cover the channels and integrations that are active at launch; the list will be updated if and when additional channels (WhatsApp, SMS, voice) are re-enabled.

Third-party sub-processors:

Sub-processor | Purpose | Location
Cloudflare, Inc. | Hosting, database (D1), object storage (R2), CDN, edge compute, transactional email (Cloudflare Email Sending) | USA
Stripe Payments UK Ltd / Stripe, Inc. | Payment processing, subscription billing, Stripe Connect payouts | UK / USA
Google LLC | Firebase Cloud Messaging (push notifications, when you install the owner mobile app), Google Calendar sync (optional), Google Places reviews (optional) | USA

5.1 International Transfers

Personal data processed through Rexabook may be transferred outside the United Kingdom to sub-processors based in the United States. Where such transfers occur, they are protected by one or more of the following lawful transfer mechanisms:

  • the UK International Data Transfer Addendum to the EU Standard Contractual Clauses;
  • the EU-US Data Privacy Framework and its UK extension, where the recipient is self-certified; or
  • the UK International Data Transfer Agreement (IDTA).

Copies of the relevant transfer mechanisms are available on request from [email protected].

6. Data Retention

  • Active accounts: data retained for the lifetime of the account
  • Cancelled accounts: tenant database deleted within 30 days of account closure
  • Password reset tokens: automatically expire after 15 minutes
  • Rate-limiting data: automatically expires after the rate window (15–60 minutes)
  • Stripe data: retained by Stripe per their privacy policy

7. Email Messaging

7.1 What email we send

Rexabook sends email on two distinct paths:

  • To your clients (on your behalf, from your business) - relating to a specific booking: booking confirmations, booking reminders, reschedule notifications, and cancellation notifications. The customer-facing inbox also receives the AI-receptionist draft replies described in §7.4.
  • To you (the business owner) - about your account: account-setup messages during onboarding, trial-nurture and billing communications, owner / staff / quota / low-balance notifications, and the daily digest.

Email is delivered through Cloudflare Email Sending, a transactional email service operated by Cloudflare, Inc. as listed in §5.

7.2 How consent is collected

A client's email address is provided to the business owner at the point the client makes or requests a booking - either directly through the Rexabook public booking page, or via the business owner's own intake process (in person, by phone, or through another channel operated by the business owner). By providing their email address in connection with a booking, the client consents to receive transactional email messages from the business owner relating to that booking.

Rexabook records this consent against the client record in the business owner's isolated tenant database and enforces it at send time. Business owners are responsible, as data controller for their clients' data, for ensuring that the consent they collect is valid under applicable law.

7.3 Opting out

Transactional booking email (booking confirmations, reminders, reschedules, cancellations) is essential to the operation of the Service and cannot be opted out of while the booking remains active. Each transactional booking email includes a "Cancel or manage notifications" link to the customer's self-serve notification preferences, where the customer can cancel the booking or change which optional notifications they receive going forward.

Marketing email (review requests, rebooking nudges, loyalty reward notifications, loyalty stamp-expiry warnings) is opt-in and each message includes an unsubscribe link to the same self-serve notification preferences. Opt-outs are processed automatically and immediately: the client record is flagged as opted-out and no further marketing email is sent to that address, regardless of any instruction from the business owner.

Operational email (account-setup messages to the business owner, trial-nurture emails, billing alerts, owner / staff / quota / low-balance notifications) is sent to the business owner rather than the customer and is necessary to operate the Service. It is not subject to an unsubscribe link; if the business owner wishes to stop receiving these, they can close the account (see §14).

7.4 Message frequency and content

Message frequency varies based on the client's booking activity with a given business owner. Rexabook does not charge recipients for email messages.

We do not read, mine, or use the content of email conversations between business owners and their clients for any purpose other than operating the service. This includes the AI Receptionist feature, which classifies incoming enquiry replies to draft suggested replies in the owner's inbox (the owner reviews every draft before sending, and may disable the AI on a per-conversation basis). The AI Receptionist runs only on the contact-form / email channel at launch; it does not have access to message content on any other channel until those channels are re-enabled in a future update. We do not use email content or addresses to train machine-learning models.

7.5 No sharing of email information with third parties for marketing

No email information - including email addresses, opt-in flags, and consent records - will be shared with third parties or affiliates for marketing or promotional purposes. Information is shared only with sub-processors that directly support the delivery of the email service (specifically Cloudflare, Inc., as listed in §5), and is not shared with any third party for their own marketing, promotional, or commercial purposes. This restriction applies to all categories of email sent through Rexabook.

7.6 Retention of email data

Email delivery logs (sent / delivered / bounced status) are retained alongside the corresponding booking record in the business owner's tenant database for the lifetime of the account and are deleted within 30 days of account closure (see §6). Opt-out flags are retained for as long as the client record exists, in order to honour the opt-out.

8. Cookies

The Rexabook promotional site (rexabook.com) does not use tracking cookies. We do not use Google Analytics or similar tracking tools.

The booking application uses localStorage to store your authentication token. This is essential for the service to function and does not require consent under UK GDPR.

9. Your Rights (UK GDPR)

As a UK-based service, we comply with the UK General Data Protection Regulation. You have the right to:

  • Access - request a copy of your personal data
  • Rectification - correct inaccurate data
  • Erasure - request deletion of your data ("right to be forgotten")
  • Portability - receive your data in a machine-readable format
  • Object - object to processing based on legitimate interest
  • Restriction - request we limit processing of your data

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

For your clients

Your clients should contact you (the business owner) to exercise their data rights, as you are the data controller for their information. If a client contacts us directly, we will direct them to you.

Right to complain to the ICO

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concerns before you contact the ICO.

10. Automated Decision-Making

We do not use your personal data, or your clients' personal data, for automated decision-making that produces legal or similarly significant effects, and we do not carry out profiling within the meaning of Article 22 UK GDPR.

11. Security

We take security seriously:

  • Passwords are hashed with PBKDF2-SHA256 (100,000 iterations)
  • Authentication uses HMAC-SHA256 signed JWTs
  • Sensitive tokens (OAuth tokens and any future WhatsApp Business Account credentials, when the WhatsApp integration is enabled in a future update - see terms §5) are encrypted with AES-256-GCM at rest
  • All traffic is encrypted via HTTPS (Cloudflare edge TLS)
  • Worker-to-worker communication is authenticated with shared secrets
  • Rate limiting protects against brute-force attacks
  • Database-per-tenant isolation prevents cross-tenant data access

12. Children

Rexabook is a business tool and is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the most recent version.

14. Contact

For privacy-related questions or to exercise your data rights, contact us at:

[email protected]