Islotly

Privacy Policy

Last updated: February 11, 2025

1. Introduction

Islotly ("Islotly," "we," "us," or "our") operates an online appointment booking platform accessible at islotly.com and through related mobile applications and services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you access or use our Platform, whether as a visitor, a customer booking appointments, or a business registering to offer services.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

This policy applies alongside our Terms of Service and Terms of Use. In the event of any conflict, this Privacy Policy governs with respect to personal information.

2. Who We Are and Who This Policy Applies To

Islotly acts as a data controller with respect to personal information collected directly through our Platform. Where businesses ("Business Partners") use our Platform to manage their customer relationships, those Business Partners are independent data controllers or processors for the personal data of their own clients. Islotly is not responsible for the data practices of Business Partners and encourages you to review the privacy policies of any business whose services you book through our Platform.

This Privacy Policy applies to:

  • Visitors who browse our website without creating an account
  • Customers who register an account and book appointments
  • Business Partners and their staff who register to offer services through the Platform
  • Any person who contacts us for support or communicates with us

3. Information We Collect

We collect information in the following ways:

3.1 Information You Provide Directly

  • Full name, email address, phone number, and date of birth
  • Username and password for your account
  • Billing and payment information (processed securely by our payment providers)
  • Booking details including services selected, preferred professionals, dates and times
  • Communications you send us, including support requests and feedback
  • Business details provided by Business Partners (business name, address, bank account details for payouts, tax identification numbers, staff information)
  • Profile photos or images you choose to upload
  • Responses to surveys, promotions, or marketing communications

3.2 Information Collected Automatically

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, time spent on pages, links clicked, and referring URLs
  • Geolocation data (where you grant permission through your device settings)
  • Session data and interaction logs
  • Cookies, pixel tags, and similar tracking technologies (see Section 9)

3.3 Information From Third Parties

  • Information from social login providers (Google, Facebook) if you choose to sign in via those services
  • Identity verification data from KYC/AML compliance providers
  • Fraud detection information from security service providers
  • Publicly available information to verify Business Partner details

4. How We Use Your Information

We use personal information for the following purposes:

  • Providing our Services: Creating and managing accounts, processing bookings, sending booking confirmations, reminders, and waitlist notifications
  • Payment Processing: Facilitating transactions between customers and Business Partners through our payment service providers
  • Platform Operations: Maintaining, improving, and personalizing our Platform; troubleshooting errors and technical issues
  • Communications: Responding to inquiries and support requests; sending operational and transactional messages
  • Marketing: Sending promotional communications and offers where you have provided consent or where we have a legitimate interest; you may opt out at any time
  • Safety and Security: Detecting, preventing, and responding to fraud, abuse, or security incidents; verifying identity
  • Legal Compliance: Meeting obligations under applicable laws, regulations, and court orders; enforcing our Terms of Service
  • Analytics and Research: Understanding how our Platform is used, measuring performance, and improving our services through anonymized or aggregated analytics
  • Business Transactions: In connection with a merger, acquisition, asset sale, or similar transaction, subject to confidentiality obligations

5. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal data, we rely on the following:

  • Contract Performance: Processing necessary to provide our services to you, including creating your account and processing bookings
  • Legal Obligation: Processing required to comply with applicable laws, including anti-money laundering, tax, and data protection laws
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Platform, preventing fraud, and conducting analytics, where these interests are not overridden by your rights
  • Consent: Where you have given explicit consent, such as for marketing communications, location sharing, or the processing of sensitive categories of data. You may withdraw consent at any time without affecting the lawfulness of prior processing

6. How We Share Your Information

We do not sell your personal information. We may share it in the following circumstances:

6.1 Business Partners

When you book an appointment through the Platform, we share relevant booking information (your name, contact details, and booking details) with the applicable Business Partner to fulfill your booking. That Business Partner then becomes an independent controller of that data.

6.2 Service Providers

We engage trusted third-party service providers to perform functions on our behalf, including payment processing, cloud hosting, email delivery, analytics, fraud prevention, and customer support. These providers are contractually bound to process data only on our instructions and in compliance with applicable privacy laws.

6.3 Legal and Regulatory Authorities

We may disclose your information when required by law, court order, subpoena, or other legal process; to protect the rights, property, or safety of Islotly, our users, or the public; or to investigate, prevent, or take action regarding illegal activities, fraud, or violations of our Terms of Service.

6.4 Corporate Transactions

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Platform if such a transfer occurs and if a material change in privacy practices results.

6.5 With Your Consent

We may share your information with third parties for purposes not covered here when we have your explicit consent.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including providing our services, maintaining your account, complying with legal obligations, resolving disputes, and enforcing our agreements.

Specifically:

  • Account data is retained for the duration of your account and for up to 6 years after account closure to comply with legal and regulatory requirements
  • Transaction and booking records are retained for a minimum of 7 years for tax and accounting purposes
  • Support and communications records are retained for up to 3 years
  • Health-related data, where collected by a Business Partner through our Platform, is retained for a minimum of 10 years unless longer retention is required by applicable law
  • Where a complaint, claim, or legal proceeding is pending, data will be retained until it is resolved and any applicable limitation period has expired
  • Anonymized or aggregated data that cannot reasonably identify any individual may be retained indefinitely for analytics and business improvement purposes

8. International Data Transfers

Islotly operates globally and your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States, where our primary servers are located. These countries may have data protection laws that differ from your own.

Where we transfer personal data internationally, we implement appropriate safeguards to protect that data, including standard contractual clauses approved by relevant authorities, data processing agreements, and other legally recognized mechanisms. By using our Platform, you consent to the transfer of your information to these countries.

9. Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar technologies to operate and improve our Platform, analyze usage patterns, and deliver relevant content. Cookies are small data files stored on your device.

We use the following categories of cookies:

  • Strictly Necessary: Essential for the Platform to function. Cannot be disabled.
  • Functional: Remember your preferences and settings to personalize your experience.
  • Analytics/Performance: Help us understand how visitors interact with our Platform using anonymized or aggregated data. Providers include Google Analytics.
  • Marketing: Used to deliver relevant advertisements and track campaign performance. Applied only with your consent.

You can control cookies through your browser settings. Disabling certain cookies may affect Platform functionality. You may also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

10. Data Security

We implement technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include HTTPS and TLS encryption for data in transit, access controls and authentication requirements, regular security assessments, and monitoring of our systems.

Payment card information is processed exclusively by our PCI-DSS compliant payment service providers. Islotly does not store full payment card numbers. We store only limited payment information (such as card type, last four digits, and expiry date) as provided to us by our payment processors.

Despite our efforts, no security system is impenetrable and no transmission over the internet is fully secure. We cannot guarantee the security of information transmitted to or through our Platform. You transmit information at your own risk. We are not liable for the circumvention of any privacy settings or security measures on the Platform.

11. Your Privacy Rights

Subject to applicable law, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal retention obligations
  • Restriction: Request that we restrict processing of your personal information in certain circumstances
  • Portability: Receive your personal information in a structured, machine-readable format where technically feasible
  • Objection: Object to processing based on legitimate interests, including for direct marketing purposes
  • Withdrawal of Consent: Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing your request.

If we are unable to satisfy your request or if you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights, including:

  • The right to know what personal information we collect, use, disclose, and sell
  • The right to delete personal information we have collected about you
  • The right to opt out of the sale or sharing of your personal information. We do not sell personal information.
  • The right to correct inaccurate personal information
  • The right to limit use and disclosure of sensitive personal information
  • The right to non-discrimination for exercising your CCPA rights

To submit a verifiable consumer request, contact us at [email protected] or call us at the number provided in the Contact section below. You may designate an authorized agent to make requests on your behalf.

13. Canadian Privacy Rights (PIPEDA, Quebec Law 25 & CASL)

If you are a resident of Canada, additional privacy protections apply to you under federal and provincial law. This section describes our obligations and your rights under those frameworks.

13.1 Federal Law — PIPEDA

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. Our practices are guided by PIPEDA's ten fair information principles:

  • Accountability: Islotly is responsible for the personal information under our control. We have designated a Privacy Officer accountable for our compliance.
  • Identifying Purposes: We identify the purposes for which personal information is collected at or before the time of collection (see Section 4).
  • Consent: We obtain meaningful consent, either express or implied depending on the sensitivity of the information, before collecting, using, or disclosing your personal information.
  • Limiting Collection: We collect only the information necessary to fulfill the identified purposes.
  • Limiting Use, Disclosure, and Retention: Personal information is used or disclosed only for the purposes for which it was collected and is retained only as long as necessary (see Section 7).
  • Accuracy: We take reasonable steps to keep personal information accurate, complete, and up to date for its intended use.
  • Safeguards: We protect personal information with security measures appropriate to the sensitivity of the information (see Section 10).
  • Openness: Our policies and practices regarding personal information management are available upon request and through this Privacy Policy.
  • Individual Access: Upon written request, we will inform you of the existence, use, and disclosure of your personal information and give you access to it. You may challenge its accuracy and completeness and request amendments.
  • Challenging Compliance: You may challenge our compliance with these principles by contacting our Privacy Officer (see Section 19).

13.2 Quebec — Law 25 (Act respecting the protection of personal information in the private sector)

Quebec's Law 25 (formerly Bill 64) imposes enhanced obligations on organizations that collect, hold, use, or communicate personal information about Quebec residents. In addition to PIPEDA rights, Quebec residents are entitled to:

  • Right to be informed: We will clearly communicate the purposes of collection, the categories of third parties with whom information is shared, and any rights of withdrawal, at or before the time of collection.
  • Right to access and correction: You may request access to your personal information and ask us to correct any inaccuracies.
  • Right to withdrawal and deletion (right to be forgotten): You may withdraw consent for the collection, use, or communication of your personal information and request its deletion, subject to legal or contractual retention requirements.
  • Right to data portability: You may request that computerized personal information collected from you be communicated to you in a structured, commonly used technological format.
  • Right to object to automated decision-making: Where a decision based exclusively on automated processing produces legal or significant effects concerning you, you have the right to be informed and to request human review.
  • Privacy by default: Where our Platform offers privacy settings, the most privacy-protective option is set as the default.

Islotly has designated a Privacy Officer responsible for the protection of personal information and compliance with Law 25. Privacy Impact Assessments (PIAs) are conducted when required before implementing new projects involving personal information. In the event of a confidentiality incident (privacy breach) that presents a risk of serious harm, we will notify affected individuals and the Commission d'accès à l'information du Québec (CAI) without unreasonable delay.

13.3 Provincial Laws — Alberta and British Columbia

Residents of Alberta and British Columbia are protected by the provincial Personal Information Protection Acts (PIPA) in those provinces, which are substantially similar to PIPEDA. Where provincial PIPA applies, we comply with those provincial requirements including consent, access, and correction rights.

13.4 Canada's Anti-Spam Legislation (CASL)

When sending commercial electronic messages (CEMs) to Canadian recipients, we comply with Canada's Anti-Spam Legislation (CASL). This means:

  • We only send CEMs with your express or implied consent as defined by CASL.
  • Every CEM we send clearly identifies Islotly as the sender and includes our contact information.
  • Every CEM includes a functional, easy-to-use unsubscribe mechanism. Unsubscribe requests are honored within 10 business days.
  • Transactional and relationship messages (such as booking confirmations and account notifications) are not CEMs and may be sent without CASL consent.

13.5 Privacy Breach Notification

In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm to an individual, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA's breach notification rules. We maintain records of all breaches for a minimum of 24 months.

13.6 Exercising Your Canadian Privacy Rights

To access, correct, or request deletion of your personal information, or to withdraw consent, please contact our Privacy Officer at [email protected]. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with:

  • Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
  • Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca (Quebec residents)
  • Office of the Information and Privacy Commissioner of Alberta: www.oipc.ab.ca (Alberta residents)
  • Office of the Information and Privacy Commissioner of British Columbia: www.oipc.bc.ca (BC residents)

14. Children's Privacy

Our Platform is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without verifiable parental consent, we will take immediate steps to delete that information. If you believe we have collected information from a child under 16, please contact us at [email protected].

15. Third-Party Links and Integrations

Our Platform may contain links to third-party websites, applications, or services, and may integrate with third-party platforms (such as Google Maps or social media). This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices, content, or security of any third-party sites or services. We encourage you to review the privacy policies of any third parties you interact with through our Platform.

16. Business Partner Responsibilities

Business Partners who use our Platform to manage their operations are solely responsible for their own compliance with applicable privacy and data protection laws with respect to the personal data of their clients. Islotly provides the Platform as a service and is not responsible for how Business Partners collect, use, or disclose personal information beyond what is strictly necessary to provide the Platform's functionality. Business Partners are required to maintain their own privacy notices and obtain any necessary consents from their clients.

17. Marketing Communications

With your consent, or where permitted by applicable law, we may send you promotional emails, newsletters, and other marketing communications. You may opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us at [email protected]. Please note that even after opting out, you will continue to receive transactional and operational messages related to your account and bookings.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where required by law, by providing more prominent notice (such as by email or an in-app notification). Your continued use of the Platform following the posting of changes constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Islotly Privacy Team

Email: [email protected]

Support: islotly.com/help

We are committed to working with you to obtain a fair resolution of any complaint or concern. If you are located in a jurisdiction with a supervisory authority for data protection matters, you also have the right to lodge a complaint with that authority.