Legal and Compliance Library

Package and Service Credit Terms

BookMySpa packages are service-limited credits for eligible spa services. They are not bank accounts, open stored-value wallets, cash stored-value accounts, payment instruments for unrelated merchants, investment products, or stored-value instruments that can be freely transferred or cashed out.

• Packages are non-transferable unless BookMySpa expressly permits a controlled support action.
• Package value may be redeemed only for eligible services, add-ons, spas, durations, and validity periods shown at purchase or in the app, subject to the purchased package revision and purchase-time rules.
• Package redemption is subject to booking availability, therapist eligibility, room availability, service option support, prime-time package rules, check-in rules, fraud checks, and the reschedule policy.
• Refunds are governed by the Cancellation and Refund Policy, purchase-time package rules, explicit service-credit and economics snapshots, usage history, unused liability, settlement state, and applicable law.
• Package refund calculations must not be inferred from live catalog prices, mutable package templates, payment amount alone, or remaining balance alone.
• Unused value may expire according to the package validity terms shown before purchase, subject to legal review and applicable law.
• Global or multi-spa packages require RBI/PPI legal review before launch and must remain service-limited with no general cash-out path except lawful refund.

Payment Terms

• Online payments are processed by approved payment providers such as Razorpay. BookMySpa stores operational references, not full card numbers, CVV, UPI PINs, or netbanking credentials.
• The final payable amount, taxes/fees where applicable, booking source, package coverage, reschedule cutoff, and eligible non-cancellation refund route must be shown before the user confirms payment.
• The checkout payment disclosure is a payment review and consent aid, not a statutory tax invoice. GST invoices, TCS/TDS, Income-tax Act, 1961 Section 194-O for amounts paid or credited on or before March 31, 2026, Income-tax Act, 2025 Section 393 table-item references for amounts paid or credited on or after April 1, 2026 where applicable, and other statutory tax records are handled through separate CA-reviewed tax workflows.
• Cash payments are allowed only where the app or manager flow permits. Spas are responsible for cash collection accuracy, cash return where required, and local receipt/legal compliance.
• Optional client tips are allowed only after check-in through the in-app flow, must not be preselected or required, and are treated as pass-through therapist earning records rather than booking revenue, package service-credit movement, or platform commission.
• Client tip refunds are support/admin full-refund-only actions. Pending unpaid tip earning lines may be held out of payout eligibility while provider finality is pending, restored if the refund fails, or voided if the refund succeeds.
• Refunds may depend on provider, bank, UPI, card network, wallet, fraud, chargeback, reconciliation, and manual support review.
• BookMySpa may refuse, reverse, hold, suspend, or investigate transactions that appear fraudulent, unlawful, abusive, duplicate, disputed, or inconsistent with booking/package rules.

Community and Safety Standards

BookMySpa is a wellness and appointment operations marketplace. It does not permit use of the platform for sexual services, trafficking, exploitation, harassment, assault, intimidation, stalking, unsafe services, unauthorized medical claims, fake bookings, payment fraud, or any unlawful activity.

• Clients must behave respectfully toward spa staff, therapists, managers, support teams, and other users.
• Therapists and spa staff must obtain appropriate service consent, follow hygiene and safety practices, and refuse unsafe or unlawful requests.
• Spas must maintain local licences, lawful premises, age verification for workers, required registers, safety notices, and local operating conditions.
• BookMySpa may preserve evidence, restrict accounts, disable listings, suspend spas, escalate to platform operators, and cooperate with lawful authorities.
• Emergency safety concerns should be reported to local emergency services first; BookMySpa support is not a substitute for police, medical, or emergency response.

Review and Content Policy

• Reviews must be based on real completed experiences and must not be fake, paid, coerced, retaliatory, defamatory, obscene, discriminatory, threatening, spam, or irrelevant.
• Users must not publish private personal data, medical details, OTPs, payment credentials, explicit content, unlawful offers, or content that encourages illegal activity.
• BookMySpa may hide, remove, preserve, or restrict content and related accounts to protect users, comply with law, investigate fraud, or enforce platform terms.
• Therapists and spas must not pressure clients to leave positive reviews, retaliate for negative reviews, or manipulate ratings.
• Review moderation does not guarantee removal of all negative feedback and is not a warranty of service quality.

Cookie and Tracking Policy

The public website is intended to be a low-tracking surface. If analytics, advertising pixels, session replay, A/B testing, or cross-site tracking are introduced, BookMySpa must update this policy and provide appropriate notice/controls before use.

• Strictly necessary cookies or local storage may be used for security, preferences, authentication, consent records, and app operation.
• Analytics may be used only after privacy review, vendor registration, and notice updates.
• BookMySpa must not use hidden tracking to bypass user choices or create dark-pattern consent flows.

Law Enforcement Request Policy

BookMySpa responds to valid legal requests from competent authorities in accordance with Indian law and platform policies.

• Requests should identify the authority, legal basis, case/reference number, requested records, time period, user/spa/booking/payment identifiers, and urgency.
• BookMySpa may preserve relevant records where legally required, safety-critical, or necessary for investigation or dispute handling.
• Emergency requests involving immediate risk to life, bodily safety, trafficking, exploitation, or child safety should be marked urgent and routed through lawful authority channels.
• BookMySpa may reject informal, overbroad, unverifiable, or legally insufficient requests and may seek clarification.

Spa Merchant Agreement Summary

Each spa must sign a merchant agreement before activation. Commercial terms may be documented separately, but the agreement must include these minimum obligations.

• The spa is the service provider and remains responsible for premises, licences, staff, therapists, hygiene, safety, lawful conduct, taxes, receipts, customer service at the premises, and service quality.
• BookMySpa provides technology, discovery, booking, package, payment, notification, review, compliance, and support tooling as a marketplace facilitator.
• The spa must not use BookMySpa for sexual services, trafficking, exploitation, illegal massage/spa operations, fake services, misleading ads, or unauthorized medical claims.
• The spa must indemnify BookMySpa for claims caused by its staff, therapists, premises, licences, unlawful conduct, cash handling, service quality, or breach of agreement.
• BookMySpa may suspend onboarding, listings, payments, payouts, packages, manager access, or booking acceptance during compliance review or legal risk events.

Spa Onboarding Compliance Declaration

Before activation, every spa should provide and periodically refresh the following compliance information.

• Legal entity name, brand name, registered/operating address, owner/authorized signatory, PAN, GSTIN where applicable, bank account, and tax details.
• Trade/health licence, Shops and Establishments registration, local spa/massage/municipal licence where applicable, fire NOC where applicable, and expiry dates.
• Premises declaration: lawful use, not residential-connected where prohibited, proper lighting, hygiene, common-area CCTV where legally required, separate facilities where required, no locked service-room misuse, and visible licence/safety notices.
• Staff declaration: all workers are at least 18, qualified where local rules require, issued ID cards, recorded in registers, and police/PCC verified where local law or platform policy requires.
• POSH declaration: Internal Committee details where legally required, display notices, and complaint escalation process.

Listing and Advertising Rules

• Listings must accurately describe the spa, services, durations, prices, taxes/fees, add-ons, package eligibility, reschedule windows, refund rules, location, business hours, and provider qualifications where shown.
• Spas must not use misleading claims, false urgency, fake scarcity, hidden fees, bait-and-switch offers, disguised ads, manipulated reviews, or medical/therapeutic claims without lawful support.
• Images must be lawful, consented, non-obscene, non-infringing, and representative of the actual service/place/person.
• BookMySpa may edit, reject, hide, or suspend listings that create consumer, safety, fraud, licensing, or legal risk.

Payment, Payout, and Chargeback Terms

• Spas must honor confirmed bookings, package redemptions, refunds, client tip payout holds where applicable, cash returns, and chargeback investigations recorded through BookMySpa workflows.
• Payout eligibility depends on booking state, check-in status, refund state, settlement, platform commission, receivables, package liability, client tip earning state, earning-run locks, and dispute holds.
• Razorpay Route or any provider-backed settlement routing is an operational payment mechanism and audit trail; it does not replace BookMySpa ledgers, spa statutory obligations, or support/admin refund controls.
• BookMySpa may offset refunds, chargebacks, cash receivables, fraud losses, support adjustments, or platform dues against payable amounts where contractually and legally allowed.
• Spas must provide receipts, tax invoices, service evidence, staff logs, CCTV/common-area records where lawful, and other records needed for disputes or authority requests.
• GST, TCS, TDS, Income-tax Act, 1961 Section 194-O, Income-tax Act, 2025 Section 393 table-item references, invoice sequence, e-invoice/e-waybill, and other statutory tax treatments must remain configurable and CA-reviewed before production activation. Public terms must not hardcode rates or substitute for professional tax advice.

Data Processing and Sharing Addendum

BookMySpa and spas share user and booking data only for platform operation, service delivery, support, legal compliance, safety, payment, refund, audit, and dispute purposes.

• Spas must use client and therapist data only for the relevant booking/service relationship and must not export, resell, spam, harass, or misuse personal data.
• Spas must keep manager/accountant access limited to authorized personnel and report suspected account compromise promptly.
• Spas must assist BookMySpa with privacy, correction, deletion, retention, breach, and grievance requests where spa-controlled data is involved.
• BookMySpa may redact manager-visible PII and restrict exports to reduce privacy risk.

Staff and Therapist Verification Declaration

• All therapists and staff performing services must be at least 18 years old and legally permitted to work.
• Spas must verify identity, age, qualification/certification where applicable, work authorization, and police/PCC/criminal-case declarations required by local rules or platform policy.
• Spas must not onboard anyone with known disqualifying safety, trafficking, sexual offence, child safety, fraud, or premises-law risk unless counsel and lawful authority review permits a different outcome.
• Therapist assignments in BookMySpa must match real approved workers and must not be lent, shared, or impersonated.

Illegal Activity and Safety Undertaking

The spa, owner, manager, accountant, staff, and therapists must undertake that the premises and platform account will not be used for prostitution, trafficking, exploitation, obscene services, unlawful solicitation, child safety violations, harassment, assault, fraud, unauthorized cash collection, or any activity prohibited by law.

• Any known or suspected illegal activity must be stopped, preserved, escalated to BookMySpa, and reported to authorities where required.
• BookMySpa may immediately suspend the spa/listing/account and preserve booking, payment, device, review, SOS, QR, and audit records.
• This undertaking should be accepted by the authorized signatory during onboarding and refreshed on renewal, owner change, manager change, or major compliance incident.

Therapist Code of Conduct

• Provide only lawful, approved wellness/spa services at the assigned spa and booking time.
• Do not offer or accept sexual services, side payments, private bookings, unauthorized offline tips, client harassment, retaliation, fake QR check-in, fake reviews, or profile impersonation. Platform-supported client tips, where enabled, must remain voluntary, post-check-in, and in-app only.
• Keep availability accurate, attend assigned bookings, follow spa hygiene/safety policies, respect client consent, and use SOS/reporting tools for safety concerns.
• Do not collect unnecessary personal, medical, payment, or identity data from clients.
• BookMySpa may suspend therapist access, end eligibility, preserve evidence, and cooperate with spas or lawful authorities for safety/legal incidents.

Therapist Priority Subscription Terms

• Priority may improve ranking only among already approved, eligible, active, and available therapists.
• Priority does not guarantee spa approval, booking volume, income, client selection, continued access, or placement above ineligible therapists.
• Priority can be suspended or cancelled for fraud, policy breach, illegal conduct, payment failure, refund, account deletion, or loss of active spa assignment.
• Priority payments and refunds are processed through approved payment providers and may be retained in historical payment/audit records.

Availability, QR, and Check-In Rules

• Therapists are responsible for keeping availability current and must not mark themselves available for times they cannot lawfully and safely serve.
• Only active approved therapist-spa assignments can appear in booking, schedule, priority ranking, QR generation, or OTP check-in.
• QR codes may be generated only for the therapist's own eligible assigned bookings, on the applicable booking date, through the BMS - Therapist workflow.
• Therapists must not share QR tokens, generate QR for unauthorized users, bypass check-in, falsely mark readiness, or collude in fake bookings.

Safety, SOS, and Incident Guide

• Use emergency services first for immediate danger. In India, the emergency number is 112.
• BMS - Therapist SOS is an in-app escalation tool for spa/platform responders and does not replace police, ambulance, medical, or emergency response.
• Therapists should report harassment, unsafe service requests, illegal conduct, assault, trafficking concerns, or QR/check-in misuse as soon as safe.
• False alarm marking should be used only when the therapist confirms the SOS was accidental or resolved without responder action.
• BookMySpa may preserve location status, device/app metadata, booking context, responder actions, and event history for safety and legal review.

Persona User Guides

Client App Guide

1. Sign in with phone OTP and keep your registered mobile number secure.
2. Browse spas/services in the app, review price, duration, package eligibility, reschedule window, and final payment amount before confirmation.
3. Use My Bookings for reschedule, QR check-in, support, and reviews.
4. Report unsafe, illegal, abusive, or fraudulent conduct through support or grievance channels.

BMS - Therapist Guide

1. Sign in with OTP, complete profile information, request spa approval, and accept therapist terms/code of conduct.
2. Maintain accurate availability and review assigned bookings in spa-local time.
3. Generate QR only for assigned eligible bookings and use SOS/reporting for safety concerns.

Spa Manager Guide

1. Keep spa settings, business hours, services, options, rooms, reschedule rules, packages, and therapist approvals accurate.
2. Confirm cash bookings/payments only when money and inventory state are real and auditable.
3. Use offboarding, refund, SOS, and grievance workflows instead of informal workarounds.

Spa Accountant Guide

1. Use assigned accounting/reporting surfaces only for authorized spas.
2. Reconcile online payments, cash records, package liability, refunds, receivables, and payouts using exported reports.
3. Escalate mismatch, fraud, cash return, chargeback, or settlement issues promptly.

Platform Admin Guide

1. Use platform tools for onboarding, roles, payments, package approvals, moderation, SOS escalation, compliance review, and grievance handling.
2. Do not bypass role scopes, audit trails, migration gates, legal holds, or production safety confirmations.
3. Preserve evidence and route legal/safety matters through the approved SOPs.

Safety and Incident Quick Guide

1. Immediate danger: call local emergency services first.
2. Platform issue: preserve booking/payment/user/spa identifiers and open a support or grievance case.
3. Illegal conduct: restrict access where needed, preserve evidence without alteration, and escalate to the responsible officer/lawful authority path.

Required Compliance Features

These controls require product/schema/API work and are tracked as implementation requirements rather than completed runtime behavior in this static document pass.

• Persona-based legal acceptance/versioning for client, therapist, spa manager, spa accountant, admin, and super admin.
• Spa compliance module with activation blocks for missing/expired critical licences, declarations, officer contacts, POSH data, and local compliance metadata.
• Therapist verification gates for age, identity/qualification metadata, code of conduct, PCC/criminal-case declaration, spa approval, and periodic re-verification.
• Safety/reporting flows for client, therapist, spa, illegal-service, harassment, evidence preservation, suspension, and law-enforcement export logs.
• Grievance case management with consumer, IT intermediary/content, privacy, safety, payment, and law-enforcement SLA categories.
• DPDP data-rights tooling for access, correction, erasure, consent withdrawal, deletion blockers, nomination readiness, retention jobs, processor inventory, and breach register.
• Registered legal acceptance tracking for Client Payment Terms, including version/hash updates when the payment terms section changes.
• Marketplace trust disclosures in app: spa legal name, licence/verification status, provider identity where appropriate, reschedule window, refund route for eligible non-cancellation flows, package eligibility, final price, taxes/fees, and support/grievance links.

Key Legal Sources

• Digital Personal Data Protection Act, 2023
• Digital Personal Data Protection Rules, 2025
• MeitY DPDP Rules, 2025 landing page and corrigendum listing
• Information Technology Act, 2000
• IT Intermediary Rules, 2021, updated February 10, 2026
• PIB consumer/e-commerce note
• CCPA Guidelines for Prevention and Regulation of Dark Patterns, 2023
• PIB dark patterns self-audit advisory
• GST Council FAQ on e-commerce operators and TCS
• Income Tax Department FAQs on Interplay and Transition
• Income Tax Department TDS explainer
• Income-tax Act, 2025 Section 393
• Income Tax Department TDS rates table
• RBI PPI FAQ
• RBI Master Directions on Prepaid Payment Instruments
• Immoral Traffic (Prevention) Act, 1956
• Sexual Harassment of Women at Workplace Act, 2013