1. Introduction
Terapiku ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your information when you use our therapist booking management system.
2. Information We Collect
We collect the following types of information:
- Account Information: Name, email address, phone number, and password when you register as a therapist
- Booking Information: Customer names, contact details, appointment dates and times, treatment types, and service locations
- Google Calendar Data: When you connect your Google Calendar, we access calendar event data to create, update, and delete appointment events
- Usage Data: Information about how you use our system, including login times and feature usage
3. How We Use Google Calendar Data
⚠️ Important: We use limited Google Calendar access (calendar.events scope) for booking synchronization only.
What we DO with your Google Calendar:
- ✅ Create Events: Automatically add booking appointments to your Google Calendar with appointment details
- ✅ Update Events: Modify events when bookings are rescheduled by customers
- ✅ Delete Events: Remove events when bookings are cancelled
- ✅ Monitor Changes: Receive notifications when calendar events change to prevent double bookings and maintain synchronization
What we DO NOT do with your Google Calendar:
- ❌ We DO NOT read your personal calendar events unrelated to our bookings
- ❌ We DO NOT access calendars other than the one you explicitly authorize
- ❌ We DO NOT share your calendar data with any third parties
- ❌ We DO NOT use your calendar data for marketing or advertising purposes
- ❌ We DO NOT sell or rent your calendar data
4. Data Storage and Security
We take the security of your data seriously:
- 🔐 Secure Database: Your data is stored in encrypted MongoDB databases with restricted access
- 🔐 Token Encryption: Google Calendar access tokens are stored securely and encrypted
- 🔐 HTTPS: All data transmission uses the secure HTTPS protocol
- 🔐 Access Control: Only authorized system processes can access your data
- 🔐 Password Protection: User passwords are hashed using the industry-standard bcrypt algorithm
5. Data Retention
- Booking Records: Retained for business and accounting purposes as long as your account is active
- Google Calendar Tokens: Stored as long as you keep the Google Calendar integration active
- Account Data: Retained until you request account deletion
- Backups: Database backups are retained for disaster recovery purposes and deleted according to our backup retention policy
6. Your Rights and Control
You have complete control over your data:
- ✅ Disconnect Anytime: You can disconnect Google Calendar integration at any time from your dashboard, which immediately revokes our access
- ✅ Delete Account: Request deletion of your account and all associated data
- ✅ Access Data: Request a copy of your personal data
- ✅ Correct Data: Update or correct any inaccurate information
- ✅ Export Data: Export your booking and customer data
7. Third-Party Services
Our system integrates with the following third-party services:
- Google Calendar API: For calendar synchronization (governed by the Google Privacy Policy)
- WhatsApp Business API: For sending booking notifications to customers
- Payment Gateway: For processing subscription payments (governed by their respective privacy policies)
Each third-party service has its own privacy policy and data handling practices. We recommend reviewing their policies.
8. Data Sharing and Disclosure
We DO NOT sell, trade, or rent your personal information to third parties. We may disclose your information only in the following circumstances:
- Legal Requirements: When required by law, court order, or legal process
- Service Providers: To trusted service providers who assist in operating our system (under strict confidentiality agreements)
- Business Transfer: In the event of a merger, acquisition, or sale of assets (with prior notice to users)
9. Compliance and Standards
We comply with:
- ✅ Google API Services User Data Policy: Including the Limited Use requirements
- ✅ Malaysia Personal Data Protection Act (PDPA) 2010: Malaysian data protection regulations
- ✅ Industry Best Practices: For data security and privacy protection
10. Children's Privacy
Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by:
- Posting the new Privacy Policy on this page
- Updating the "Effective Date" at the top
- Sending an email notification for material changes