Crystal Vision Holdings LLC, a Florida limited liability company doing business as BookedSmarter ("BookedSmarter," "we," "us," or "our"), provides an AI-powered receptionist service to business customers. This Privacy Policy explains what personal information we collect, how we use and share it, how long we keep it, and your rights — including your rights under the California Consumer Privacy Act, as amended by the CPRA ("CCPA").
This Policy applies to: (a) visitors to bookedsmarter.com; (b) business customers who subscribe to the Service ("Customers"); and (c) individuals who call a phone number powered by the Service ("Callers" or "End Users"). We are a US-only service. We do not knowingly direct the Service to residents of the EU/EEA, UK, or other jurisdictions outside the United States.
1. Categories of Personal Information We Collect
In the past 12 months we have collected the following categories of personal information, as defined by the CCPA:
| Category | Examples | Sources |
|---|---|---|
| Identifiers | Name, email, phone number, IP address | Customer signup; Caller phone metadata |
| Commercial information | Subscription tier, billing history, services purchased | Customer account; Stripe |
| Internet/network activity | Login times, portal page views, device/browser type | Cookies; server logs |
| Audio/electronic information | Recorded phone calls and AI-generated transcripts and summaries | Inbound calls to Customer numbers we service |
| Professional information | Business name, business address, industry category | Customer signup |
| Inferences | Predicted intent from call content (e.g., booking vs. info request) | Derived from transcripts |
| Sensitive personal information (CCPA-defined) | Account login credentials; voice recordings to the extent voice is treated as biometric in some contexts | Customer signup; inbound calls |
We use sensitive personal information only to provide the Service and for the purposes permitted by CCPA § 7027(m); we do not use it to infer characteristics. We do not knowingly collect personal information from anyone under 16.
2. How We Use Personal Information
- Provide, operate, and maintain the AI receptionist Service: answer calls, transcribe calls, process bookings, transfer calls, and send SMS and email confirmations and reminders on behalf of Customers.
- Authenticate accounts, bill Customers, manage subscriptions, and provide support.
- Improve the Service, including improving AI quality, using de-identified or aggregated data; we do not use identifiable Caller data to train models without Customer instruction.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations and enforce our Terms of Service.
3. How We Share Personal Information
We share personal information only as described here. We do not sell personal information, and we do not share it for cross-context behavioral advertising.
- With our Customers: End-User call and booking data is shared with the Customer whose phone number was called; that Customer is the controller of the data.
- Service providers (subprocessors): We share only what is necessary to operate the Service, with the providers listed in our Subprocessor List (currently Twilio, Stripe, ElevenLabs, Anthropic, Resend, Railway, and Cloudflare). We give at least 30 days' notice on that page before adding or replacing a subprocessor.
- Legal: When required by law, subpoena, or court order, or to protect rights, safety, or property.
- Business transfers: In connection with a merger, acquisition, or asset sale, subject to this Policy (we will provide notice).
4. Data Retention
| Data type | Retention |
|---|---|
| Call audio recordings | 90 days |
| Call transcripts, call logs, and audit logs | 12 months |
| Customer account data | Life of subscription + 90 days, then deleted, except records required for tax/audit |
| Billing records | 7 years (tax/audit) |
| SMS logs | 18 months (compliance and dispute resolution) |
| Server logs | 90 days |
We retain personal information only as long as necessary for the purposes described, unless a longer retention is required by law. Customers may request earlier deletion by emailing [email protected].
5. Cookies
We use only strictly necessary cookies for authentication and session management, plus minimal first-party analytics. We do not use advertising or cross-site tracking cookies and do not share data with third parties for behavioral advertising.
6. Security and Breach Notification
We use administrative, technical, and physical safeguards including encryption in transit (TLS 1.2+), an access-controlled managed database, hashed passwords (bcrypt), role-based access control with least privilege, and audit logging of administrative actions. No system is perfectly secure.
If we become aware of a breach of security affecting your personal information, we will notify affected individuals, our affected Customers, and applicable regulators without unreasonable delay and within the timeframes required by applicable law — including the Florida Information Protection Act (Fla. Stat. § 501.171), the California breach-notification statute (Cal. Civ. Code § 1798.82), and other state breach-notification laws. Where we act as a service provider/processor to a Customer, we will notify the Customer of a confirmed breach affecting their data without undue delay and in any event within 72 hours, as set out in our Data Processing Addendum.
7. Your Privacy Rights
7.1 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell or share.
- Access and obtain a copy of your personal information.
- Correct inaccurate personal information.
- Delete personal information we hold about you, subject to legal exceptions.
- Opt out of the sale or sharing of personal information.
- Limit the use of sensitive personal information.
- Non-discrimination for exercising any of these rights.
To exercise any right, email [email protected]. We will verify your identity using account information already on file (typically by confirming control of the associated email or phone) and respond within 45 days. You may authorize an agent to submit a request on your behalf (attach written authorization). We will not require you to create an account to submit a request.
7.2 Do Not Sell or Share My Personal Information
BookedSmarter does not sell personal information for money or other valuable consideration, and does not share personal information for cross-context behavioral advertising — the activities that trigger the CCPA right to opt out. We have not done so in the past 12 months and have no plans to. Disclosures to subprocessors strictly to operate the Service on our behalf are not a "sale" or "share." To submit a confirmation or opt-out request anyway, email [email protected] with your name, the email or phone associated with your record, and your request type.
7.3 Other US states
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights; the process above applies.
8. Health Information and Medical-Privacy Posture
BookedSmarter is built for cash-pay, non-clinical businesses. We are not a HIPAA "business associate," we do not enter into Business Associate Agreements, and we do not knowingly create, receive, maintain, or transmit Protected Health Information (PHI) governed by HIPAA. Our Customers — including medical spas offering cash-pay aesthetic services — represent and warrant in our Terms of Service that they do not bill insurance, do not operate as HIPAA covered entities, and do not route PHI or clinical health detail through the Service, and we instruct the AI receptionist not to solicit or confirm clinical detail (such as diagnoses, medications, or conditions).
We nevertheless recognize that information captured on a call may, in some cases, constitute "medical information" or "consumer health data" under state laws that reach beyond HIPAA (for example, the California Confidentiality of Medical Information Act and the Washington My Health My Data Act). Where such laws apply to data we process, we handle it with the security, retention-minimization, breach-notification, and access-assistance measures described in this Policy and in our Data Processing Addendum, and we apply data-minimization controls so that the AI captures the service requested and contact details rather than clinical narrative. If you believe clinical health information about you was captured on a call, contact the business you called (the controller of that data); we will assist that business in honoring your request.
9. Caller-Specific Notice
If you called a phone number serviced by BookedSmarter, you heard a recording-and-AI disclosure at the start of the call. By continuing the call after that disclosure, you consented to the recording and to interacting with our AI on behalf of the business you called. The business you called is the controller of your information; we process it on their behalf. To exercise rights over your call data, contact that business directly; we will assist them in fulfilling your request.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information. If you believe we have, contact us and we will delete it.
11. Google User Data and API Services
When you connect your Google Calendar to BookedSmarter through our Integrations page, we access your Google Calendar data solely to provide the booking features you enable. BookedSmarter's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
We request the following Google OAuth scopes, and only for the connected business owner's own calendar:
- calendar.calendarlist.readonly — to list the calendars on your connected Google account so you can choose which one the AI receptionist should sync. This does not read your event details.
- calendar.freebusy — to determine open time ranges (busy/free only, with no event titles or attendees) when answering availability questions.
- calendar.events — to create and update the appointments the AI receptionist books on your behalf.
We do not:
- use your Google Calendar data for advertising, or to develop, improve, or train generalized AI or machine-learning models;
- sell your Google Calendar data, or share it with third parties except as needed to provide the Service at your direction or as required by law;
- access, read, or modify any Google account other than the one you explicitly connect;
- retain Google Calendar data longer than necessary to deliver the booking service.
You can revoke BookedSmarter's access at any time from your Google Account permissions page, or by disconnecting the integration in the BookedSmarter portal. On disconnection we delete the stored Google credentials and any cached availability data.
12. Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new effective date and update the "Last Updated" date; if changes are material, we will provide additional notice (e.g., email to Customers).
13. Contact
12550 Biscayne Blvd, Suite 812, North Miami, FL 33181, United States
Email: [email protected]