Privacy Policy

This Privacy Policy explains how 10041543 Manitoba Ltd. (operating as "Everybooking," "we," "us," "our") collects, uses, discloses, retains, and protects personal information. It applies to everybooking.com, the Everybooking software-as-a-service application, and related integrations.

Everybooking is incorporated in Manitoba, Canada. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. For customers in the EEA, UK, or Switzerland, we also comply with the EU General Data Protection Regulation (GDPR) and UK GDPR. For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by the CPRA.

1. Who is the data controller?

Everybooking acts as the controller of personal data that visitors, prospects, and account owners provide directly (account, billing, support). Everybooking acts as a processor of personal data that our customers (operators) upload to the platform about their own end-customers (e.g., guest records, attendee details, contact information). The terms of our processor relationship are governed by the Data Processing Addendum.

2. What personal data we collect

We collect the following categories:

• Account data: name, email, phone number, business name, business address, password (hashed), profile photo.
• Billing data: billing address, last four digits of payment card, transaction history. Full payment card numbers are tokenized by Stripe and never stored on our servers.
• Usage data: IP address, browser, device, pages visited, features used, API calls, timestamps, error logs.
• Communications data: support messages, sales call transcripts, email correspondence with Everybooking.
• Customer end-user data (Customer Data): personal data about your end-customers that you upload to the platform. We process this on your behalf under the DPA. Examples: guest names, contact info, dietary requirements, booking history.
• Cookies and analytics: first-party cookies for authentication and preferences; analytics cookies for aggregate-level usage reporting. See Section 9.

3. Why we collect it (legal bases)

We process personal data on the following legal bases (GDPR terminology; equivalent grounds apply under PIPEDA and CCPA):

• Contract: to provide the service you signed up for (Article 6(1)(b) GDPR).
• Legitimate interest: to operate and improve the service, prevent fraud, secure our infrastructure, and conduct direct marketing to existing customers about similar services (Article 6(1)(f) GDPR).
• Consent: for non-essential cookies, marketing emails to prospects, and any special category data (Article 6(1)(a) GDPR).
• Legal obligation: tax, accounting, anti-money laundering, and lawful requests from authorities (Article 6(1)(c) GDPR).

4. How long we retain personal data

• Active accounts: for the duration of the subscription plus 30 days after termination for data export.
• Cancelled accounts: account data deleted within 90 days of termination unless retention is required for legal, tax, or regulatory purposes (typically 6 years for invoices and tax records).
• Marketing prospects: until you unsubscribe or 2 years of inactivity, whichever comes first.
• Backups: rolling 35-day backup retention. Data in backups is overwritten in normal course.
• Logs: security and audit logs retained 12 months.

5. Who we share data with (subprocessors)

We share personal data with vetted third-party service providers ("subprocessors") who help us deliver the service. A current list is published at everybooking.com/legal/subprocessors. Current subprocessors include (non-exhaustive):

• Amazon Web Services — hosting and storage (Canada/US regions)
• Stripe — payment processing
• Twilio — SMS and voice infrastructure
• Quo (OpenPhone) — phone system integration (only if you connect it)
• Postmark / SendGrid — transactional email
• Anthropic / OpenAI — AI model inference for quote generation and email classification
• Google Analytics 4 — aggregate analytics
• Sentry — error monitoring

We do not sell personal data. We do not share personal data with advertisers. We share data with subprocessors only to deliver the service, and they are bound by written agreements requiring equivalent privacy and security protections.

6. International transfers

We are based in Canada. Some subprocessors are located in the United States, the European Economic Area, the United Kingdom, Australia, or other jurisdictions. When personal data is transferred outside Canada or the EEA/UK, we rely on adequacy decisions where available, the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplemental technical safeguards (encryption in transit and at rest).

7. Security

We implement administrative, technical, and physical safeguards including: encryption in transit (TLS 1.2+) and at rest (AES-256), access controls and least-privilege principles, role-based permissions, audit logging, regular security patching, and scheduled vulnerability scans. We require multi-factor authentication for employee access to production systems. No method is 100% secure, but we will notify affected individuals and authorities as required by law in the event of a breach.

8. Breach notification

In the event of a personal data breach that creates a real risk of significant harm:

• Under PIPEDA, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible.
• Under GDPR, we will notify the lead supervisory authority within 72 hours of becoming aware and affected individuals without undue delay.
• We will notify customers under our processor obligations without undue delay so that they can fulfill their own controller notification duties.

9. Cookies

We use the following cookie categories:

• Strictly necessary: session, authentication, CSRF protection, load balancing. Cannot be disabled.
• Preferences: language, theme, dismissed banners.
• Analytics: aggregate-level traffic measurement (Google Analytics 4 with IP anonymization).
• Marketing: only with your consent and only on public marketing pages, never inside the authenticated app.

You can manage cookie preferences via your browser settings and via the cookie banner.

10. Your rights

Subject to applicable law, you have the right to: access your personal data, correct inaccurate data, request deletion ("right to be forgotten"), object to or restrict processing, request data portability, withdraw consent, and lodge a complaint with a supervisory authority.

How to exercise rights: email privacy@everybooking.com with the request. We will verify your identity and respond within 30 days (PIPEDA) or one month (GDPR), with a possible 60-day extension for complex requests.

California residents (CCPA/CPRA) have additional rights: the right to know categories and specific pieces of personal information collected, the right to delete, the right to opt out of "sale" or "sharing" (we do not sell or share for cross-context behavioral advertising), and the right to non-discrimination for exercising rights.

11. Children

The Everybooking service is intended for businesses and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact privacy@everybooking.com and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account owners at least 30 days before taking effect, and the "Effective" date at the top will be updated. Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact and Privacy Officer

Privacy Officer: Kevin Penner
Email: privacy@everybooking.com
Mailing address: 10041543 Manitoba Ltd. o/a Everybooking, PO Box 20621 Stn Main, Steinbach, Manitoba R5G 1S1, Canada

For unresolved complaints, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca. EEA/UK residents may contact their local supervisory authority.