Privacy Policy

Last updated: 2026-03-08

Introduction

Spoot ("we", "our", "us") operates the spoot.it website and the Spoot application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, including our WhatsApp Business API integration.

Scope

This policy applies to all Spoot services: the spoot.it website, the app.spoot.it dashboard (including the installable PWA), the public booking pages, and any WhatsApp messaging interactions processed through our platform. It covers two categories of individuals: Professionals (users who create a Spoot account to manage their business) and End-Clients (customers who interact with professionals via WhatsApp or the public booking page).

Legal Basis for Processing

We process personal data under the following legal bases: (a) Contract performance — to provide our scheduling and booking services; (b) Consent — when you connect your WhatsApp Business account or opt in to marketing communications; (c) Legitimate interest — to improve our services, prevent fraud, and ensure platform security; (d) Legal obligation — to comply with applicable laws, including tax and financial regulations. For users in the European Economic Area, we comply with the General Data Protection Regulation (GDPR). For users in Brazil, we comply with the Lei Geral de Proteção de Dados (LGPD).

Information We Collect

Professional Account Data

When you create an account, we collect your email address, name, business name, phone number, profession, working hours, services offered, and currency preference. This information is necessary to provide our scheduling and booking services.

End-Client Data

When end-clients book appointments (via WhatsApp or the public booking page), we collect their name, phone number, and appointment details. This data is stored on behalf of the professional and is used solely for appointment management and reminders.

WhatsApp Messaging Data

When a professional connects their WhatsApp Business account, we process incoming messages from their clients to provide AI-powered booking assistance. We store the sender's phone number, message content, and timestamps. Message content is processed by our AI assistant (powered by Anthropic) to understand booking intent and is stored in temporary conversation memory. We do not sell or share message content with third parties beyond what is necessary to provide the service.

Payment Data

Payments are processed by Stripe. We do not store credit card numbers or bank account details on our servers. We retain Stripe customer IDs, subscription status, and transaction history for billing purposes.

Usage & Analytics Data

We use product analytics tools to understand how our service is used. This includes page views, feature usage, session duration, browser type, device information, and approximate location (derived from IP address). Analytics data is used solely to improve the product and is not shared with advertisers. You can opt out of analytics tracking at any time.

How We Use Your Information

We use the collected information to: provide and maintain our scheduling service; process appointment bookings via WhatsApp and the public booking page; send appointment reminders and notifications (via WhatsApp and push notifications); process subscription payments through Stripe; power AI-assisted conversations for booking management; improve and personalize your experience; prevent abuse and ensure platform security; comply with legal obligations.

Data Sharing & Sub-Processors

We share your data only with trusted third-party service providers necessary to operate Spoot. These include providers for: database and authentication; payment processing; messaging (WhatsApp); AI-powered conversation; product analytics; and error monitoring. All providers process data on our behalf under strict contractual obligations and appropriate data protection agreements. We never sell your personal data to third parties.

International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers operate. When transferring data outside the European Economic Area or Brazil, we rely on Standard Contractual Clauses and other legally approved transfer mechanisms to ensure adequate protection.

Data Security

We implement industry-standard security measures including: encrypted connections (TLS/SSL) for all data in transit; row-level access controls on our database ensuring users can only access their own data; secure passwordless authentication; and cryptographic signature verification on all incoming webhooks. While no method of transmission over the Internet is 100% secure, we strive to protect your personal information.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. Conversation memory (WhatsApp chat context) is stored temporarily and automatically purged. Appointment and client data is retained for the duration of the professional's account. You may request deletion of your account and all associated data at any time by contacting us at privacy@spoot.it.

Your Rights

Depending on your location, you may have the right to: access and receive a copy of your personal data; correct inaccurate or incomplete data; delete your personal data ("right to be forgotten"); object to or restrict processing; request data portability in a machine-readable format; withdraw consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, please contact us at privacy@spoot.it. We will respond within 30 days.

Cookies

We use essential cookies for authentication and session management. Our analytics tools may set first-party cookies to distinguish unique users and sessions. We do not use advertising or third-party tracking cookies.

Marketing Communications

We may send you service-related emails (e.g., account verification, subscription changes). Promotional communications are only sent with your explicit consent and include an unsubscribe link in every message.

Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

Children's Privacy

Our service is intended for business professionals aged 18 and older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a minor, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

Governing Law

This Privacy Policy is governed by the laws of Brazil. For users in the European Economic Area, the provisions of the GDPR shall apply. Any disputes arising from this policy shall be resolved in the courts of Florianópolis, Santa Catarina, Brazil.

Contact Us

If you have questions or concerns about this Privacy Policy, or wish to exercise your data rights, please contact us at privacy@spoot.it.