Your privacy, plainly explained.

This policy explains how Appoint by Vulcan collects, uses, and protects personal data — both for the professionals who use our platform to manage their scheduling and for the people who book time with them.

Effective date: May 1, 2026Last updated: April 2026Applies to: appoint.byvulcan.com

Who We Are

Vulcan Apps operates Appoint by Vulcan at appoint.byvulcan.com, an online scheduling platform that allows professionals ("Hosts") to create booking pages and manage appointments. Appoint is part of the By Vulcan product ecosystem at byvulcan.com.

For inquiries: privacidade@byvulcan.com

Two roles in one platform. When you use Appoint as a Host, we act as your data controller. When a person books time with you (an Invitee), you are the controller of that Invitee's data and we act as your data processor. If you are an Invitee with questions about your data, please contact the Host who invited you to schedule.

Data We Collect

A — Host Account Data (we are controller)

Category	Examples	Purpose
Identity	Name, email, password (hashed)	Authentication and account management
Profile & Branding	Brand name, logo, color palette, slug	Personalizing your public booking page
Availability	Weekday rules, buffer times, timezone	Computing available booking slots
Calendar credentials	Google OAuth tokens (encrypted AES-256)	Reading busy times and creating calendar events
Payment	Subscription plan, transaction reference (no card data)	Billing and plan management
Service usage	Event types created, bookings confirmed, features used	Analytics, product improvement, support
Device & network	IP address, browser, operating system	Security and fraud prevention

Card data: We never collect or store credit card numbers. All payments are processed by Paddle (international) and Asaas (Brazil), both PCI DSS certified.

B — Invitee Booking Data (Host is controller, we are processor)

Category	Examples	Purpose
Contact	Full name, email address, WhatsApp number	Booking confirmation, reminders, cancellation
Scheduling	Chosen date/time, timezone, duration	Creating and managing the appointment
Custom form answers	Responses to Host-configured questions	Providing context to the Host before the meeting
LGPD consent	Timestamp and acceptance of data processing terms	Legal basis documentation
Cancellation & reschedule tokens	Secure one-use tokens embedded in emails	Allowing self-service changes without authentication

C — Smart Routing Qualification Data

When a Host activates Smart Routing, Invitees answer a pre-booking qualification form before selecting a time slot. This data includes:

→Answers to qualification questions defined by the Host
→AI-generated qualification score (0–100) and reasoning, produced by Google Gemini Flash
→Pass/fail outcome and any disqualification reason

Smart Routing data is collected only on behalf of the Host (processor role). We process this data only to return a qualification decision.

D — No-Show Risk Data

At the moment of booking, Appoint computes a rule-based no-show risk score using: lead time, day of week, hour of day, the Invitee's historical cancellation rate, and booking source. This score informs Hosts and may trigger additional reminders. No automated legal decisions are made from this score (LGPD Art. 20 / GDPR Art. 22).

E — Meeting Summary Data (via Meeting Intelligence Integration)

If the Host connects a compatible meeting intelligence tool, meeting transcripts may be sent to Appoint via a secure webhook. Appoint uses Google Gemini Flash to extract summaries, action items, key topics, and sentiment — stored linked to the booking and accessible only to the Host.

How We Use Your Data

For Hosts

→Provide, maintain, and improve the scheduling platform
→Authenticate your identity and secure your account
→Generate and display your public booking page
→Sync appointments with your connected Google Calendar
→Export action items to Google Tasks after meetings (when enabled)
→Process payments and manage your subscription plan
→Send transactional communications (booking alerts, security notices, billing updates)
→Display analytics dashboards (bookings, no-show rates, routing outcomes)
→Send marketing communications only with your explicit, revocable consent

For Invitees (on behalf of Hosts)

→Create and confirm the booked appointment
→Send booking confirmation and reminder emails
→Send WhatsApp reminders if a phone number was provided
→Allow self-service cancellation and rescheduling via secure tokenized links
→Apply the Smart Routing qualification process (if configured by the Host)
→Forward booking data to the Host's integrated calendar

AI policy: AI features process data only to deliver the specific service requested. We do not use your content to train generative AI models without explicit consent.

Legal Basis for Processing

Legal Basis	Applies to
Contract performance	All data necessary to provide the scheduling service to Hosts and Invitees
Consent	Invitee LGPD consent collected at booking; marketing emails to Hosts; optional analytics
Legitimate interests	Security monitoring, fraud prevention, no-show risk scoring, product analytics
Legal obligation	Tax, accounting, and regulatory compliance obligations

Google Calendar & Tasks Integration

When a Host connects their Google account, Appoint requests the following OAuth scopes — shown in Google's consent screen at the time of connection, never at login:

Scopes requested (incremental authorization):
https://www.googleapis.com/auth/calendar.events — to create and update meeting events in the Host's and Invitee's calendars.

https://www.googleapis.com/auth/tasks — to export action items from meeting summaries as Google Tasks.

Calendar access

→Read existing calendar events to compute real-time availability (busy/free)
→Create a calendar event when a booking is confirmed
→Update the event if the booking is rescheduled or cancelled
→We do not read, store, or analyze the content of existing calendar events

Tasks access

→Export action items from AI-generated meeting summaries as Google Tasks
→Each task includes assignee name, description, and due date where provided
→Triggered manually by the Host after reviewing the meeting summary

OAuth tokens are stored encrypted (AES-256-GCM) and never shared with third parties. Access can be revoked at any time from Settings → Calendar or directly from your Google Account permissions page.

WhatsApp & Email Notifications

Appoint sends transactional notifications to Invitees who provide a phone number at booking:

→Booking confirmation — sent immediately after confirmation
→Reminder — sent 24h before the appointment
→High-risk reminder — an additional notice sent 1h before for high no-show risk bookings
→Cancellation notice — sent if the appointment is cancelled by either party

WhatsApp messages are sent via Z-API (primary) or Twilio (fallback). Email is sent via Amazon SES. These are operational messages and cannot be opted out of while a booking is active.

Data Sharing

Your data is not sold to third parties. We share data only with the following subprocessors:

Recipient	Purpose	Data shared
Paddle / Asaas	Payment processing	Host billing info, subscription status
Supabase	Database and authentication	All structured data (stored in your project region)
Cloudflare R2	Asset storage	Host-uploaded files (logos, brand images)
Google APIs	Calendar sync, Tasks, AI (Gemini)	Calendar events; Smart Routing and Summary text via Gemini Flash API
Anthropic	Fallback AI (Claude Haiku)	Logo generation prompts only — no booking or personal data
Amazon SES	Email delivery	Invitee email, name, booking details
Z-API / Twilio	WhatsApp delivery	Invitee phone number, booking date/time
Upstash	Rate limiting and job queue	Booking ID and scheduled send time only
Meeting Intelligence (opt-in)	Meeting transcript processing (when enabled)	Booking ID, transcript text, summary output
Legal authorities	Legal compliance	Only as legally required

Meeting Intelligence Integration

Appoint supports an optional integration with compatible meeting intelligence tools within the By Vulcan ecosystem. When enabled, the integration shares the same infrastructure, privacy governance, and DPO.

→Appointments booked via Appoint are visible in the connected meeting tool's lifecycle
→Meeting transcripts can be sent to Appoint via a secure authenticated webhook
→Action items approved in the meeting tool can trigger a Google Tasks export
→The same Google OAuth tokens are reused — the Host authorizes once
→The integration is opt-in and can be disabled at any time from Settings → Integrations

International Data Transfers

→Standard Contractual Clauses (SCCs) approved by the European Commission
→ANPD adequacy recognition or equivalent safeguards for Brazilian data (LGPD Chapter V)
→Subprocessor certifications: ISO 27001, SOC 2 Type II, PCI DSS where relevant

Cookies & Tracking

→Essential cookies: maintaining your authenticated session and language preferences — cannot be disabled without breaking the service
→Functional cookies: remembering dashboard settings and calendar display preferences
→Analytics cookies: understanding how features are used — only with your explicit consent

Public booking pages use only essential cookies required to process the booking flow.

Data Security

→Encryption in transit (TLS 1.3) and at rest (AES-256)
→Google OAuth tokens encrypted individually per user (AES-256-GCM)
→Cancellation and reschedule tokens are single-use and cryptographically random
→Row-Level Security (RLS) on all database tables — workspace data is logically isolated
→Rate limiting on all public endpoints (Upstash Redis)
→Webhook authentication via HMAC secret for all incoming integrations
→Role-based access control (RBAC) with least-privilege principle

Incident notification: In the event of a personal data breach, we will notify affected Hosts and relevant authorities within: 72 hours (GDPR), per ANPD guidance (LGPD), per applicable law.

Data Retention

Data type	Retention period
Host account and profile data	While active; deleted within 30 days of account closure
Booking records (Invitee data)	Duration of Host account; deleted on account closure or explicit request
Smart Routing responses	Linked to booking record; deleted with the booking
Meeting summaries & transcripts	Linked to booking; Hosts may delete individually
Payment and billing records	Up to 5 years (Brazilian tax law; LGPD legal obligation)
Security and access logs	Up to 12 months for fraud prevention; up to 5 years where legally required

Your Rights

You have the following rights, exercisable by emailing privacidade@byvulcan.com:

📋

Access

Request a copy of your personal data.

✏️

Correction

Correct inaccurate or outdated information.

🗑️

Erasure

Request deletion of data processed on consent.

📦

Portability

Receive data in a machine-readable format.

✋

Objection

Object to processing based on legitimate interests.

⏸️

Restriction

Request limitation of processing.

↩️

Consent withdrawal

Withdraw consent at any time.

🏛️

Complaint

Lodge with ANPD (Brazil) or local authority (EU).

We respond within 15 business days (LGPD) or 30 calendar days (GDPR).

Invitees: Please first contact the Host who created the booking page — they are the data controller for your data. If the Host is unavailable, contact us directly.

Children and Minors

Appoint by Vulcan is not directed at persons under 18. We require parental consent for users under 13 (LGPD / COPPA) and verifiable parental consent for users under 16 in the EU (GDPR). Data collected from minors without appropriate consent will be deleted immediately upon discovery.

Policy Changes

Substantial changes will be communicated by email to registered Hosts at least 15 days before taking effect. The current version is always available at appoint.byvulcan.com/privacy.

Contact & DPO

Data Protection Officer

privacidade@byvulcan.com

Legal

legal@byvulcan.com

General Support

suporte@byvulcan.com

Website

byvulcan.com

Brazilian users may contact the national data protection authority at gov.br/anpd. EU users may contact their local supervisory authority at edpb.europa.eu.