book'd is a done-for-you AI booking automation service built for independent life insurance agents. We deploy book'd CRM workflows that contact, nurture, and book appointments with leads generated through Meta Ads, Facebook Groups, and Instagram. This policy explains what data we handle, why, and what rights you have over it.
Information We Collect
Information About Our Clients (Insurance Agents)
When you sign up for book'd as an independent insurance agent, we collect:
- Name, email address, and phone number
- Business name, license state(s), and carrier affiliations
- Billing information (processed securely through our payment processor)
- Meta Ads account credentials and ad account IDs (for workflow integration)
- book'd sub-account details provisioned on your behalf
- Communications with our team via email, SMS, or support channels
- Usage data, session logs, and analytics from our platform and dashboards
Information About Leads (End Consumers)
When our automated workflows contact leads on your behalf, we process the following lead data supplied by you or collected through your advertising campaigns:
- Full name and contact information (phone number, email address)
- Geographic information (state, ZIP code) for product eligibility
- Life insurance interest signals, coverage preferences, and demographic data submitted via ad lead forms
- Conversation history and appointment scheduling interactions (SMS, email, voice)
- Opt-in timestamps, consent records, and communication preferences
- Call recordings where permitted by applicable state law and with required disclosures
Automatically Collected Information
- IP addresses, browser type, device identifiers, and operating system
- Pages visited, features used, and time spent within our platform
- Referral URLs and campaign attribution data
- Cookies and similar tracking technologies (see below)
Cookies and Tracking Technologies
We use cookies and similar technologies for session management, analytics, and platform functionality. You may disable cookies through your browser settings, though some features of the platform may not function correctly without them. We do not use cookies to serve targeted advertising on our own website.
How We Use Information
To Deliver and Operate the book'd Service
- Provision and configure book'd sub-accounts and automation workflows on your behalf
- Deploy, monitor, and optimize SMS, email, and voice follow-up sequences
- Import leads from Meta Ads, Facebook Groups, and Instagram into your CRM workflows
- Schedule and confirm appointments between leads and you as the agent
- Track campaign performance, booking rates, and workflow activity
To Communicate With You
- Onboarding instructions, workflow updates, and platform notifications
- Billing receipts, renewal reminders, and account alerts
- Support responses and service announcements
- SMS and email updates you have opted into regarding your account
To Improve Our Service
- Analyze aggregated performance data to refine workflow templates
- Identify technical issues and improve platform reliability
- Develop new features based on agent usage patterns
To Comply With Legal Obligations
- Maintain consent records required under the TCPA
- Respond to lawful requests from government authorities
- Enforce our Terms of Service and protect against fraud or misuse
We process client data on the basis of contractual necessity (to deliver the service you purchased), legitimate interests (platform analytics, fraud prevention), and legal obligation (TCPA, CCPA, and applicable regulatory requirements). Lead data is processed under your direction as the data controller, with book'd acting as a data processor.
SMS / Text Message Consent (TCPA)
The Telephone Consumer Protection Act (TCPA) governs automated text messages and calls. book'd workflows send SMS messages and may place automated or pre-recorded calls. Agents using book'd are responsible for obtaining proper TCPA-compliant consent before leads are enrolled in automated outreach sequences.
Consent Requirements for Lead Communications
book'd workflows contact leads via SMS, email, and in some cases automated voice calls. Under the TCPA, prior express written consent is required before sending marketing-related automated text messages or placing calls to a cell phone using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice.
Agents using our service warrant and represent that:
- All leads enrolled in book'd workflows have provided prior express written consent to receive automated SMS and/or voice communications from the agent or on the agent's behalf
- Consent disclosures used in Meta Ads lead forms and other collection points clearly identify the nature of the automated communications leads may receive
- Consent records are retained for a minimum of four (4) years and can be produced upon request
- Agents will not enroll leads into workflows who have revoked consent or submitted a Do Not Call request
SMS Message Disclosures
All SMS campaigns deployed through book'd workflows include the following standard disclosures:
- The sending agent's name and business identity
- Instructions to reply STOP to opt out of further messages at any time
- Instructions to reply HELP for assistance
- Message and data rates notice where required by carrier guidelines
Opt-Out Handling
When a lead replies STOP, UNSUBSCRIBE, CANCEL, END, or QUIT, they are immediately and automatically removed from all SMS sequences. This is handled at the platform level within our book'd workflows. Opt-out requests are honored within the time periods required by law and carrier guidelines (typically within 10 minutes of receipt). Agents must not manually re-enroll opted-out contacts without fresh consent.
Message Frequency
SMS message frequency varies based on the workflow cadence configured for each agent. Leads receive an initial disclosure of approximate frequency at the time of opt-in. Standard workflows send between 2 and 10 messages per lead over the course of a follow-up sequence. Appointment reminders and confirmations are sent separately and are considered transactional communications.
SMS to Clients (Agents)
By providing your phone number when signing up for book'd, you consent to receive SMS messages from us regarding your account, onboarding, workflow status updates, and service announcements. Message frequency depends on account activity. You may opt out at any time by replying STOP to any message from us. Standard message and data rates may apply.
Sharing Information
We do not sell personal information. We do not share lead data or client data with third parties for their own independent marketing purposes. We share information only in the following circumstances:
Service Providers
We engage trusted third-party vendors who process data on our behalf and under our instructions, including:
| Vendor / Category | Purpose | Data Shared |
|---|---|---|
| book'd (book'd Inc.) | AI booking automation CRM — workflow engine, SMS, email, and voice automation | Lead contact data, conversation history, appointment records |
| Meta Platforms (Facebook / Instagram) | Lead generation ad campaigns and lead form submissions | Ad account IDs, campaign data, lead form results |
| Telephony Providers (e.g., Twilio) | SMS delivery, phone number provisioning, voice calls | Phone numbers, message content, call records |
| Payment Processor (e.g., Stripe) | Billing and subscription management | Name, email, billing address, payment card details |
| Cloud Infrastructure (e.g., AWS, Render) | Hosting, data storage, and application delivery | All platform data, subject to encryption at rest and in transit |
| Analytics Providers | Platform performance analytics and error monitoring | Aggregated and pseudonymized usage data |
Legal Requirements
We may disclose information if required by law, regulation, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of book'd, our clients, leads, or the public.
Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the acquiring entity. We will notify affected parties via email or prominent notice on our website and provide an opportunity to opt out where required by law.
With Your Consent
We may share information with third parties when you have provided explicit consent for that specific sharing purpose.
California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information. This section describes those rights and how to exercise them.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information from California residents:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, phone number, IP address | Yes |
| Customer Records | Billing info, subscription status | Yes |
| Commercial Information | Services purchased, payment history | Yes |
| Internet / Network Activity | Platform usage, pages visited, session logs | Yes |
| Geolocation Data | State and ZIP code (from lead forms) | Yes (leads only) |
| Professional Information | Insurance license details, carrier affiliations | Yes (clients only) |
| Sensitive Personal Information | None independently collected | No |
| Biometric / Health Data | N/A | No |
No Sale or Sharing for Cross-Context Advertising
We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising purposes. We have not sold or shared personal information in the preceding 12 months.
Your California Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected about you, subject to certain exceptions (e.g., completing a transaction, complying with a legal obligation, exercising free speech).
- Right to Correct: You may request correction of inaccurate personal information we maintain about you.
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information; this right is not applicable but is honored.
- Right to Limit Use of Sensitive Personal Information: We do not collect or use sensitive personal information beyond what is necessary to provide the service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny goods or services, charge different prices, or provide a different level of quality because you exercised a privacy right.
How to Exercise California Rights
To submit a verifiable consumer request, contact us at: privacy@bookd.com or by mail at the address in the Contact Information section. We will verify your identity before processing your request. You may designate an authorized agent to submit requests on your behalf. We respond to verifiable requests within 45 days, with a possible 45-day extension for complex requests.
GDPR — EU & UK Residents
If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and/or UK GDPR apply to our processing of your personal data. This section describes our obligations and your rights under those frameworks.
For personal data relating to our clients (insurance agents), book'd acts as a data controller. For lead data processed through workflows on behalf of agents, book'd acts as a data processor, and the agent is the data controller. Agents are responsible for their own compliance obligations as data controllers, including obtaining valid legal bases for processing lead data.
Lawful Bases for Processing
- Contractual Necessity (Art. 6(1)(b)): Processing required to provide the book'd service under our Terms of Service — account management, workflow deployment, billing, and support.
- Legitimate Interests (Art. 6(1)(f)): Platform analytics, security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)): Processing required by applicable law, including record-keeping, responding to regulatory inquiries, and TCPA compliance obligations.
- Consent (Art. 6(1)(a)): Where we rely on consent (e.g., marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.
Your GDPR / UK GDPR Rights
- Right of Access (Art. 15): Obtain confirmation of whether we process your personal data and, if so, a copy of that data and information about how it is used.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data without undue delay.
- Right to Erasure (Art. 17): Request deletion of your personal data where it is no longer necessary, where consent has been withdrawn, or where there is no other lawful basis.
- Right to Restrict Processing (Art. 18): Request that we limit our processing of your data in certain circumstances (e.g., while accuracy is contested).
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
- Right to Object (Art. 21): Object at any time to processing based on our legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right Not to Be Subject to Automated Decision-Making (Art. 22): We do not make decisions that produce legal or similarly significant effects based solely on automated processing.
International Data Transfers
book'd operates primarily in the United States. If you are located in the EU, EEA, or UK, your personal data may be transferred to and processed in the United States. We rely on the following transfer mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with service providers
- UK International Data Transfer Agreements (IDTAs) where applicable for UK data subjects
- Adequacy decisions where the EU or UK has determined that the destination country provides adequate protection
How to Exercise GDPR Rights
Submit a request by emailing privacy@bookd.com. We will respond within 30 days. Complex or multiple requests may be extended to 60 days, with notification of the extension. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your country's data protection authority in the EU).
Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Type | Retention Period | Basis |
|---|---|---|
| Client account data | Duration of active subscription + 3 years after termination | Contractual obligation, legal compliance |
| Billing and payment records | 7 years from transaction date | Tax and accounting requirements |
| TCPA consent records | 4 years from consent date or last communication | TCPA statute of limitations |
| Lead contact data and conversation history | Active within book'd account; governed by agent's retention policy | Agent's discretion as data controller |
| SMS / call records | 2 years (platform logs); longer if required by state law | Regulatory compliance |
| Platform usage and analytics data | 2 years (aggregated); 90 days (raw session logs) | Legitimate business interest |
| Support communications | 3 years from last interaction | Dispute resolution |
When data is no longer required, we securely delete or anonymize it. Where full deletion is not immediately practicable (e.g., in backup systems), data is isolated and protected from further processing until it can be deleted in accordance with our standard backup rotation schedule.
Security
We implement appropriate technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, and destruction. Our security practices include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256
- Access controls and role-based permissions limiting data access to authorized personnel only
- Regular security assessments and vulnerability management
- Secure credential management and secrets handling for third-party integrations (Meta, telephony providers)
- Monitoring and logging of access to sensitive systems
- Vendor security reviews prior to onboarding new service providers
No method of transmission over the internet or electronic storage is completely secure. While we take commercially reasonable steps to protect your information, we cannot guarantee absolute security. In the event of a data breach that triggers legal notification obligations, we will notify affected parties and relevant authorities in accordance with applicable law.
Children's Privacy
book'd is a business-to-business service intended for use by licensed insurance professionals. Our platform and services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18 years of age.
If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@bookd.com and we will take prompt steps to delete the information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features we offer. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify active clients by email to the address associated with their account
- Where required by law, obtain renewed consent before applying new processing purposes
We encourage you to review this policy periodically. Your continued use of book'd services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may terminate your subscription in accordance with our Terms of Service.
Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a concern, please contact us through any of the following:
For GDPR-related requests from EU or UK residents, you also have the right to lodge a complaint directly with your national data protection authority if you believe your rights have not been adequately addressed. A list of EU supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.