// Legal

Privacy Policy

Last updated: April 2026

Our commitment

Bookwell handles sensitive medical scheduling data. This policy explains exactly what we collect, how we use it, and the controls you have over your data and your patients' data.

Bookwell complies with HIPAA (where applicable), GDPR for users in the European Economic Area, and equivalent data-protection regulations. We never sell your data or your patients' data.

Data we collect

Practice account data — when you register:

  • Name, email address, and phone number
  • Clinic name, address, and specialty
  • Billing information (processed via Stripe — we never store card numbers)
  • Profile photo (optional)

Patient booking data — entered by you or your patients:

  • Patient name, contact details, and appointment history
  • Appointment date, time, type, and status
  • Private notes you add to patient records (visible only to you)
  • Reminder delivery logs (sent / delivered / opened)

Usage and analytics data — collected automatically:

  • Pages visited, features used, session duration
  • Device type, browser, OS (anonymised)
  • Error logs to diagnose and fix issues

How we use your data

  • To operate and deliver the Bookwell service
  • To send appointment confirmations and reminders to your patients on your behalf
  • To process payments and issue receipts
  • To provide customer support
  • To send product updates (you can unsubscribe at any time)
  • To detect and prevent fraud, abuse, or security incidents
  • To comply with legal obligations

We do not use patient data for advertising, profiling, or any purpose other than delivering the contracted service.

Data storage & security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Infrastructure is hosted on SOC 2 Type II certified providers with physical access controls, automated backups, and 99.9% uptime SLA.

  • Patient records are logically isolated per practice account
  • Access logs retained for 12 months for audit purposes
  • Passwords hashed with bcrypt — we never store plaintext credentials
  • Two-factor authentication available for all accounts

Data sharing

We share data with a limited set of trusted sub-processors to operate the service:

  • Stripe — payment processing (PCI-DSS Level 1 certified)
  • Twilio — SMS reminder delivery
  • AWS / Google Cloud — infrastructure and storage
  • Postmark — transactional email delivery

All sub-processors are bound by data processing agreements and prohibited from using your data for their own purposes. We do not share data with advertisers, data brokers, or analytics companies.

Data ownership

You own your data. All practice data, patient records, and appointment history belong to you. Bookwell acts as a data processor on your behalf, not a data owner.

Export a full copy of your data in CSV or FHIR format any time from account settings. Upon account deletion, all data is permanently purged within 30 days.

Your rights

  • Access — request a copy of all personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete data
  • Deletion — request permanent deletion of your account and associated data
  • Portability — export your data in machine-readable format
  • Objection — opt out of any non-essential data processing

To exercise any right, email privacy@trybookwell.com. We respond within 30 days.

Cookies

Bookwell uses strictly necessary cookies for authentication and session management, and optional analytics cookies to improve the product. You can manage cookie preferences via the banner on first visit. We do not use advertising or third-party tracking cookies.

Contact

Questions about this policy or a data request? Email privacy@trybookwell.com or write to the registered office of Meihua Future Manufacturing LIMITED.

Terms of ServiceHelp & Support