Privacy Policy

Shimaya ("we", "our", "us") operates the Shimaya Business Consulting Platform at shimaya.app and related sub-domains (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and handling your personal data in an open and transparent manner. This policy applies to all users — consultants who create accounts and their clients who book appointments through our platform.

By using Shimaya, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to the practices described herein, please do not use our Service.

Information you provide directly:

• —Account registration data: full name, email address, and password when creating a Shimaya account.
• —Profile information: biography, timezone, public slug, notification email address.
• —Service package details: package names, descriptions, durations, and pricing you create.
• —Availability settings: days and times you are available for bookings.
• —Client records: names, email addresses, phone numbers, and notes for clients you add manually.
• —Appointment data: scheduling information, service type, status, and notes for each booking.
• —Payment information: billing details processed by our payment processor (Stripe). We do not store card numbers on our servers.
• —Communications: messages you send to us via email or support channels.

Information collected automatically:

• —Log data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps.
• —Device information: device type, unique device identifiers, and mobile network information.
• —Cookies and similar tracking technologies — see our Cookie Policy for details.
• —Usage data: features used, clicks, session duration, and interaction patterns within the platform.

Information from third parties:

• —OAuth providers: if you sign in with Google, we receive your name, email, and profile picture from Google's API.
• —Booking widget: when clients book through your embeddable widget, we collect their name and email.

• —To create and maintain your account and provide the core booking and scheduling Service.
• —To operate the AI booking agent — your service descriptions and availability are sent to Anthropic's Claude API to generate responses. See Section 8 for details.
• —To send transactional emails: appointment confirmations, reminders, and account notifications via Resend.
• —To process payments and send receipts (when billing features are active).
• —To prevent fraud, abuse, and security threats — including rate limiting and suspicious activity detection.
• —To improve the Service by analysing usage patterns in aggregate, anonymised form.
• —To comply with legal obligations and enforce our Terms of Service.
• —To respond to your support requests and enquiries.
• —To send product updates and feature announcements (you may opt out at any time).

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following lawful bases:

• —Contract performance: processing necessary to provide the Service you signed up for (Art. 6(1)(b) GDPR).
• —Legitimate interests: fraud prevention, security monitoring, and product improvement (Art. 6(1)(f) GDPR).
• —Legal obligation: complying with applicable laws (Art. 6(1)(c) GDPR).
• —Consent: marketing communications — you may withdraw consent at any time (Art. 6(1)(a) GDPR).

We do not sell your personal data. We share data only as described below:

• —Supabase (database & authentication): stores all account, appointment, and client data on servers in the EU. Supabase complies with GDPR and maintains SOC 2 Type II certification.
• —Anthropic (AI processing): your consultant profile, services, and availability are sent to Anthropic's API to power the AI booking agent. Client messages within booking sessions are also processed. Anthropic's privacy policy applies.
• —Resend (email delivery): appointment details are sent to Resend's API to deliver confirmation emails to clients and consultants.
• —Stripe (payment processing): billing information is handled directly by Stripe. We receive only a token confirming payment success.
• —Vercel (hosting): the application runs on Vercel's infrastructure, which processes request data including IP addresses.
• —Law enforcement: when required by valid legal process such as a court order, subpoena, or where we believe disclosure is necessary to prevent imminent harm.
• —Business transfers: in the event of a merger, acquisition, or sale of all or substantially all assets, user data may be transferred to the acquiring entity.

• —Active accounts: we retain your data for as long as your account is active.
• —After account deletion: most personal data is deleted within 30 days. Appointment records may be retained for up to 7 years for legal and tax compliance.
• —Backup data: encrypted backups are purged within 90 days of account deletion.
• —Log data: server logs are retained for 90 days for security monitoring, then deleted.
• —Anonymised analytics: aggregated, anonymised usage statistics may be retained indefinitely.

Depending on your location, you may have the following rights:

• —Access: request a copy of the personal data we hold about you.
• —Rectification: request correction of inaccurate or incomplete data.
• —Erasure ('right to be forgotten'): request deletion of your personal data, subject to legal retention requirements.
• —Portability: receive your data in a machine-readable format (JSON/CSV).
• —Restriction: request that we limit the processing of your data in certain circumstances.
• —Objection: object to processing based on legitimate interests.
• —Withdraw consent: for any processing based on consent (e.g. marketing emails), you may withdraw at any time without affecting prior processing.
• —Lodge a complaint: you have the right to complain to your local data protection authority if you believe we have violated your rights.

To exercise any of these rights, email us at privacy@shimaya.app. We will respond within 30 days (GDPR) or 45 days (CCPA).

Shimaya uses Anthropic's Claude API to power the AI booking agent. When a client interacts with your booking widget, the following data is sent to Anthropic's servers:

• —Your consultant name, public bio, and service package descriptions.
• —Your availability windows (days and times only — no personal calendar data).
• —The text messages sent by the client during the booking conversation.

Anthropic does not use this data to train their models (per their API usage policy). All data is processed under Anthropic's data processing agreement. As a consultant, by using Shimaya you are responsible for ensuring your clients are informed that an AI system may process their messages during booking.

• —All data in transit is encrypted using TLS 1.3.
• —Passwords are hashed using bcrypt via Supabase Auth and are never stored in plaintext.
• —Database access uses row-level security policies (Supabase RLS) ensuring consultants can only access their own data.
• —API endpoints are rate-limited and protected against brute-force, DDoS, and injection attacks.
• —Login is limited to 5 attempts before a 15-minute account lockout.
• —We conduct regular security reviews and promptly patch known vulnerabilities.

Despite our measures, no system is completely secure. If you believe you have discovered a security vulnerability, please report it to security@shimaya.app.

Your data may be processed in countries outside your own, including the United States and the European Union. Where we transfer data outside the EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on the EU-US Data Privacy Framework where applicable.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

For privacy enquiries or to exercise your rights:

• —Email: privacy@shimaya.app
• —Response time: within 5 business days for general enquiries, within 30 days for formal rights requests
• —Data Protection Officer: dpo@shimaya.app (EEA/UK users)