Privacy Policy

Scope

This Privacy Policy applies to BookMySpa client services, BMS - Therapist, related public pages, notifications, booking flows, payment flows, support channels, and platform operations. BookMySpa helps clients discover and book physical spa services and helps therapists manage spa approval requests, profile details, availability, assigned schedules, reviews, and therapist-owned QR generation.

BookMySpa acts as a technology and marketplace facilitator. The physical spa services are delivered by the relevant spa, therapist, staff member, or service provider.

Personal Data We Collect

• Account and contact data: full name, phone number, optional email, role, login identifiers, Cognito identifiers, OTP authentication state, and account status.
• Client booking data: selected spa, service, service option, add-ons, therapist preference, assigned therapists, room, appointment time, booking source, booking channel, status, cancellation, reschedule, no-show, and check-in records.
• Package data: package purchases, wallet value, remaining balance, package validity, redemption history, package liability records, and package-related payment or refund records.
• Payment data: payment amount, currency, method, Razorpay order/payment/refund identifiers, cash collection references, settlement status, refund status, payment failure details, and reconciliation records. BookMySpa does not store full card numbers, CVV, netbanking credentials, or UPI PINs.
• Therapist data: profile details, experience years, bio/skills, profile photo, selected/requested spa, approval status, availability, schedule, assigned booking records, QR generation activity, reviews visible to the therapist, and therapist priority subscription/payment state.
• Media and user content: profile photos, spa/service/room/therapist images uploaded through authorized workflows, ratings, review comments, support messages, and import files uploaded by authorized business users where applicable.
• Device and technical data: device token, app platform, app version/build, push notification preference, secure session data, IP-derived request metadata, API logs, diagnostics, security logs, and fraud-prevention signals.

How We Use Personal Data

• To create and authenticate accounts using phone OTP and maintain role-based access for clients, therapists, spa managers, and super admins.
• To process bookings, holds, confirmations, QR check-in, cancellation, reschedule, no-show, package redemption, ratings, and booking history.
• To process online payments through Razorpay, record cash payments at spas, issue or track refunds, reconcile ledgers, calculate platform receivables and spa payouts, and maintain finance records.
• To operate therapist signup, spa approval requests, therapist profile editing, availability management, assigned schedules, reviews, QR generation, and priority subscription state.
• To send OTPs, booking confirmations, reminders, cancellation notices, payment receipts, refund updates, app update notices, and support responses.
• To prevent fraud, protect users and spas, debug failures, enforce terms, respond to disputes, comply with legal obligations, and preserve audit trails.

Consent, Legal Uses, And User Duties

Where consent is required, we request it through app registration, profile, notification, payment, media upload, or other relevant flows. You may withdraw consent where the processing is optional, but withdrawal may prevent us from providing account, booking, payment, notification, or support features. Some processing is required for contractual performance, legal compliance, fraud prevention, dispute handling, tax/accounting records, or enforcement of legal claims.

You must provide accurate information, must not impersonate another person, and must not submit false or frivolous requests or complaints.

Sharing And Processors

We share data only as needed to operate the platform, comply with law, or protect rights. Recipients may include the relevant spa, assigned therapist, spa manager, payment processor, cloud provider, OTP provider, notification provider, email provider, professional advisers, and lawful authorities.

Service providers may include AWS, AWS Cognito, MSG91, Razorpay, Firebase/FCM, Apple Push Notification service, AWS SNS, S3, CloudFront, RDS, ZeptoMail or other transactional email providers, monitoring/logging tools, and app store operators. These providers process data under their own security and compliance obligations.

Payments

Online payments are handled by Razorpay or another approved payment processor. Payment instruments such as card, UPI, wallet, and netbanking credentials are entered into processor-controlled interfaces. BookMySpa stores transaction references, amount, status, method labels, refund identifiers, reconciliation metadata, and audit records needed for booking, package, refund, tax, payout, and dispute workflows.

Security

We use HTTPS for data in transit, role-based access controls, AWS-managed infrastructure controls, restricted credentials, logging, and operational safeguards. No system is perfectly secure, and users must keep their device, phone number, OTP, and account access secure. Report suspected unauthorized access to support@bookmyspalon.com.

Retention

We keep personal data only as long as needed for the purposes described in this policy or as required for legal, tax, accounting, audit, payment, refund, fraud-prevention, security, dispute, and regulatory reasons. Booking, payment, package, refund, payout, QR audit, rating moderation, and compliance records may be retained after account deletion where required or reasonably necessary.

Deleted accounts are removed, deactivated, or anonymized where possible. Some records may remain in non-identifying or legally retained form so that BookMySpa, spas, therapists, payment processors, and regulators can understand historical transactions.

Account And Data Deletion

BookMySpa clients can initiate deletion from the BookMySpa app Profile section. BMS - Therapist users can initiate deletion from the BMS - Therapist Profile or pending approval screen. You can also use the public deletion page at https://bookmyspalon.com/data-deletion.

Deletion may be blocked until active bookings, unsettled payments, pending refunds, active package balances, active package liability, assigned therapist bookings, or therapist priority payment/refund states are resolved.

Your Rights And Grievances

Subject to applicable law, you may request access, correction, updating, erasure, withdrawal of consent, grievance redressal, and nomination for rights exercise where available. Submit requests through in-app controls, the deletion page, or the contacts listed above. We may verify identity before acting on a request.

Consumer and privacy grievances can be submitted through Grievance Redressal. We aim to acknowledge consumer complaints within 48 hours and resolve them within one month where applicable.

Children And Minors

BookMySpa and BMS - Therapist are not intended for users under 18 years old. Users under 18 must not create accounts, book services, buy packages, make payments, submit reviews, upload content, request spa approval, or register as therapists.

If BookMySpa learns that an under-18 account exists, we may restrict, suspend, or delete the account, subject to legal, payment, dispute, fraud-prevention, security, accounting, tax, and audit retention requirements.

Parents or lawful guardians may contact support@bookmyspalon.com for privacy or deletion requests concerning a minor.

Changes

We may update this policy as the platform, law, or operations change. Material changes will be posted on this page and may also be communicated through the app or other reasonable means.