Privacy Policy

Effective date: May 22, 2026

1. Introduction

This Privacy Policy explains how SavSpot (“SavSpot,” “we,” “us,” or “our”), operated by SJD Labs, LLC, a California limited liability company, collects, uses, discloses, and protects personal information when you visit www.savspot.co, create an account, use the SavSpot booking platform, or otherwise interact with our services (collectively, the “Service”).

SavSpot is a multi-tenant SaaS booking platform. Service businesses (“Tenants”) use the Service to run their booking operations; the customers of those businesses (“Clients”) book appointments and services through Tenant-branded pages. We process personal information about both Tenants and Clients, and our relationship to that data depends on whose information it is — see Section 9 for how we handle Tenant vs. Client data.

2. At-a-glance summary

  • We collect what you give us when you sign up, configure a booking page, book an appointment, or contact support.
  • We collect technical data (IP address, device, cookies) needed to keep you logged in, prevent abuse, and measure aggregate usage.
  • We use sub-processors for payments (Stripe), email (Resend), SMS (Twilio), authentication and database (Supabase), hosting (Vercel), error reporting (Sentry), and product analytics (PostHog). We do not sell or share personal information.
  • You can access, correct, export, or delete your personal information — see Sections 11 and 12.
  • When a Tenant uses SavSpot to serve their Clients, the Tenant is the controller of that Client data and we are a processor acting on the Tenant’s instructions.
  • California residents have additional rights under the CCPA / CPRA — see Section 12.

3. Who we are and how to contact us

The data controller for personal information collected through the Service is SJD Labs, LLC, a California limited liability company. Privacy requests (access, correction, deletion, opt-out, or complaints) should go to privacy@savspot.co. General support is at support@savspot.co. Postal mail:

SJD Labs, LLC
4653 Carmel Mountain Rd, Ste 308 #AA229
San Diego, CA 92130
United States

4. Information we collect

4.1 Information you provide directly

  • Account information — name, email, phone number (optional), a hashed copy of your password (we never store the plaintext), and your role within your business.
  • Business profile — the business’s legal and trading names, address, contact email and phone, category, logo, cover photo, and any branding text you upload.
  • Client information you enter — names, emails, phone numbers, addresses, booking histories, internal notes, and any custom fields you create. This data belongs to your Tenant (see Section 9).
  • Booking and transactional data — the services booked, dates and times, prices, deposits, refunds, and payment statuses.
  • Support communications — messages and attachments you send to us through email, the help center, or chat.

4.2 Information we collect automatically

  • Authentication and session cookies — we set savspot_access, savspot_refresh, and savspot_session cookies to keep you signed in across page loads, scoped to .savspot.co. These cookies are strictly necessary for the Service to function.
  • Log data — IP address, user-agent string, referring URL, timestamps, and the API endpoints you call. Used for security, abuse prevention, and operational debugging.
  • Device data — browser, operating system, and device type as reported by your browser.
  • Product analytics — PostHog records pseudonymous events (which pages you visit, which features you use) so we can understand which parts of the Service are valuable. No payment data and no Client PII is sent to PostHog.
  • Error reports — Sentry captures stack traces and request metadata when something breaks. PII is scrubbed from error payloads before transmission to the extent technically possible.

4.3 Information we receive from third parties

  • OAuth providers (Google, Apple) — if you sign in with Google or Apple, we receive your basic profile (name, email, profile picture) and an opaque provider user ID. We do not receive your password.
  • Stripe — payment status, the last four digits of the card used, the card brand and expiration, and Stripe’s opaque customer and account identifiers. We do not receive or store full card numbers, CVV codes, or bank account numbers.
  • Calendar integrations — if you connect a Google or Outlook calendar, we read free/busy data and create events on your behalf only for accounts you have connected.

5. How we use information

  • To provide, operate, and maintain the Service.
  • To process payments, calculate platform fees, and remit funds through Stripe Connect.
  • To send transactional communications (booking confirmations, reminders, password resets, security alerts). You cannot opt out of these because they are essential to the Service.
  • To send service updates and product announcements where permitted by law. You can opt out of marketing emails via the unsubscribe link or your preference center.
  • To detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service.
  • To comply with legal obligations and respond to lawful requests from authorities.
  • To improve the Service via aggregated, de-identified analytics and performance monitoring.

6. Legal bases for processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract — to deliver the Service you have signed up for (Article 6(1)(b)).
  • Legitimate interests — to secure the Service, prevent abuse, and improve the product, balanced against your privacy rights (Article 6(1)(f)).
  • Consent — for non-essential cookies, marketing communications, and other optional uses where consent is the appropriate basis (Article 6(1)(a)). You may withdraw consent at any time.
  • Legal obligation — to comply with applicable law, including tax, anti-money-laundering, and law-enforcement requirements (Article 6(1)(c)).

7. How we share information

7.1 Sub-processors

We use the following sub-processors to deliver the Service. Each handles only the data necessary for its function and is bound by written agreements that prohibit other use:

  • Stripe, Inc. — payment processing, payouts to Tenants via Stripe Connect.
  • Supabase, Inc. — managed PostgreSQL, authentication, and object storage for files you upload.
  • Vercel, Inc. — application hosting, edge network, log routing.
  • Resend — transactional and marketing email delivery.
  • Twilio Inc. — SMS delivery for booking reminders and authentication codes.
  • Sentry — application error reporting.
  • PostHog — product analytics.
  • Google LLC, Apple Inc. — OAuth sign-in and calendar synchronization (only for accounts you connect).

We may add or change sub-processors. Material changes will be announced in advance via this page or by email to account owners.

7.2 Between Tenants and their Clients

Information you enter as a Tenant is visible to your team members you have invited. Booking data and Client information is not shared with other Tenants. Multi-tenant data isolation is enforced at the database layer through row-level security.

7.3 Legal compliance and protection

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, court orders, subpoenas, or valid governmental requests; (b) enforce our Terms of Service; (c) protect the rights, property, or safety of SavSpot, our users, or others; or (d) investigate fraud, security, or technical issues.

7.4 Business transfers

If SavSpot is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice on this site of any change in ownership or material change to the uses of your information.

7.5 What we don’t do

We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. We do not engage in “sale” or “sharing” of personal information as those terms are defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, “CCPA”). We do not process Sensitive Personal Information (as defined under the CCPA) for the purpose of inferring characteristics about a consumer.

8. Cookies and similar technologies

We use the following categories of cookies:

  • Strictly necessary — authentication and session cookies that keep you logged in. These cannot be disabled and the Service cannot function without them.
  • Functional — remember your preferences such as theme, locale, and dashboard layout.
  • Analytics — PostHog cookies, where used, record pseudonymous interaction events to help us improve the Service. Where required by law we ask for consent before setting these.

Do Not Track and Global Privacy Control. Browsers and extensions may send a Global Privacy Control (GPC) signal or a Do Not Track (DNT) signal. We treat a recognized GPC signal as a valid request to opt out of any “sale” or “sharing” of personal information under the CCPA. We do not currently respond to DNT signals because there is no industry consensus on how to interpret them; we will revisit this if a standard emerges.

You can clear cookies through your browser settings. Doing so will log you out and may reset preferences.

9. Multi-tenancy: controller vs. processor roles

When a Tenant uses SavSpot to take bookings from its Clients, two different relationships exist:

  • SavSpot is the controller for personal information about Tenant administrators and team members (the users who sign in to SavSpot to run the business). This Privacy Policy governs that relationship.
  • SavSpot is a processor for personal information about Clients that Tenants enter into the platform — including names, contact details, booking histories, and notes. The Tenant is the controller for that data, decides how it is used, and is responsible for its own privacy notices, lawful basis for processing, and responses to data-subject requests. Our Data Processing Addendum (available on request to privacy@savspot.co) governs that relationship.

If you are a Client of a SavSpot Tenant and have questions about how the Tenant uses your data, contact the Tenant directly. SavSpot will forward verified requests to the relevant Tenant when we cannot act on them ourselves.

10. Data retention

We retain personal information for as long as needed to provide the Service and as required by law:

  • Account data — for the life of your account plus 90 days after deletion to allow recovery.
  • Booking and transaction records — for at least seven (7) years after the transaction to comply with standard accounting, tax, and chargeback-window requirements.
  • Authentication logs — for at least 12 months for security investigations.
  • Marketing preferences and opt-outs — kept indefinitely to honor your choices, even after you delete your account.
  • Backups — rolling 30-day backups; data that has been deleted from production will age out of backups within that window.

11. Your rights (general)

Depending on where you live, you may have the following rights under laws such as the GDPR, UK GDPR, and similar regimes:

  • Access — receive a copy of the personal information we hold about you.
  • Correction — correct inaccurate or incomplete information.
  • Deletion — ask us to delete your account and personal information, subject to legal-retention exceptions.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction and objection — object to or restrict certain processing.
  • Withdraw consent — withdraw any consent you have given without affecting the lawfulness of prior processing.
  • Non-discrimination — we will not deny, charge for, or downgrade your Service for exercising these rights.
  • Complaint — lodge a complaint with your local supervisory authority. EEA/UK users may contact their data-protection authority directly.

To exercise these rights, email privacy@savspot.co. We may need to verify your identity. We will respond within the timeframes required by applicable law (typically 30–45 days). We may refuse manifestly unfounded or excessive requests, as permitted by law.

12. Your California privacy rights (CCPA / CPRA)

If you are a California resident, you have the following rights in addition to those in Section 11. These rights apply to personal information we hold about you as a controller; for Client data Tenants enter into the Service, the Tenant is the controller and we will forward verified requests to them.

12.1 Categories of personal information collected

In the past 12 months we have collected the following CCPA categories of personal information (Cal. Civ. Code §1798.140):

  • Identifiers — name, email, phone number, IP address, OAuth provider IDs, account identifiers.
  • Customer records — business address, billing details (last 4 of card via Stripe).
  • Commercial information — subscription tier, booking and transaction history.
  • Internet or network activity — cookies, session logs, page-view events, device and browser metadata.
  • Geolocation data — approximate location derived from IP address. We do not collect precise geolocation.
  • Inferences — we do not generate inferences about consumers for profiling purposes.

We do not collect or process Sensitive Personal Information under the CCPA other than account credentials (password hashes) used to authenticate you to the Service.

12.2 Sources and business purposes

Sources of collection are described in Section 4. We use these categories of personal information for the business purposes described in Section 5: providing the Service, billing, transactional communications, security, fraud prevention, legal compliance, and product improvement.

12.3 Your California rights

  • Right to know. Request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with which we share it.
  • Right to delete. Request deletion of personal information we have collected about you, subject to statutory exceptions (for example, transaction records we are required to retain for tax or anti-fraud purposes).
  • Right to correct. Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell or share personal information as those terms are defined under the CCPA. A recognized Global Privacy Control (GPC) signal is treated as a valid opt-out request.
  • Right to limit use of Sensitive Personal Information. We do not use Sensitive Personal Information for purposes that would require this option, but you may request that we limit such use if our practices change.
  • Right to non-discrimination. We will not deny the Service, charge different prices, or provide a different level or quality of the Service because you exercised any CCPA right.
  • Authorized agent. You may designate an authorized agent to submit requests on your behalf. We will require written proof of the agent’s authority and verification of your identity.

12.4 How to submit a California request

Submit a request by emailing privacy@savspot.co with the subject “CCPA Request” and the type of request. We verify requests by matching the request against information we already have on file about your account (typically the email address tied to the account, plus confirmation via that email). We will respond within 45 days; we may extend by an additional 45 days for complex requests and will notify you of any extension.

12.5 California Shine the Light (Cal. Civ. Code §1798.83)

California residents may request, once per year and free of charge, information about the categories of personal information (if any) we have disclosed to third parties for their direct marketing purposes in the preceding calendar year. SavSpot does not disclose personal information to third parties for their own direct marketing.

12.6 California minors (Cal. Bus. & Prof. Code §22581)

Registered users who are California residents under 18 may request removal of content or information they have posted on the Service by emailing privacy@savspot.co. Removal may not result in complete or comprehensive removal as described in Section 22581(c).

13. International data transfers

SavSpot infrastructure is primarily hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States. Where required by law (for example, transfers out of the EEA or UK), we rely on the European Commission’s Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms with our sub-processors.

14. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. Where required, Tenants serving minors are responsible for obtaining the verifiable consent required by COPPA, GDPR Article 8, or other applicable law. If you believe a child has provided personal information to us without appropriate consent, contact privacy@savspot.co and we will delete it.

15. Healthcare information (HIPAA exclusion)

The Service is not designed for the storage, transmission, or processing of Protected Health Information (“PHI”) or electronic Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). SJD Labs, LLC is not a HIPAA Business Associate, does not enter into Business Associate Agreements covering the Service, and does not represent that the Service is HIPAA-compliant.

If you are a Covered Entity or Business Associate under HIPAA, you must not enter PHI into the Service. We may suspend or terminate accounts we reasonably believe are being used to store or transmit PHI in violation of our Terms of Service.

16. Security

We implement technical and organizational measures designed to protect personal information, including: TLS in transit, AES-256 at rest at the database layer, password hashing with bcrypt, row-level security for multi-tenant isolation, optional multi-factor authentication, role-based access controls within our team, audit logging of administrative actions, automated backups, and ongoing dependency scanning. No system is perfectly secure; we cannot guarantee absolute security.

17. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we do, we will update the “Effective date” at the top, and for material changes we will provide additional notice (such as an in-product banner or email). Continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.

18. Contact

Privacy questions or requests: privacy@savspot.co
General support: support@savspot.co

SJD Labs, LLC
4653 Carmel Mountain Rd, Ste 308 #AA229
San Diego, CA 92130
United States