Privacy Policy
Last updated: May 9, 2026
The short version
- We collect what you give us (your business info, your customer interactions) to run the Service. Nothing else.
- We don't sell your data. Ever.
- We use named subprocessors (listed below) to run AI, payments, email, SMS, hosting, and database. They each have their own privacy commitments.
- You can export or delete your data on request.
- AttractionBot is not HIPAA-compliant — see our Terms of Service for who can use it.
1. Who we are
AttractionBot (“we,” “us,” “our”) is operated by [YOUR LEGAL NAME], a sole proprietorship registered in Ontario, Canada. Contact: hello@theattractionbuilder.com.
This Privacy Policy explains how we collect, use, and share personal information through the AttractionBot service (the “Service”). It applies to information we collect when you use our website, sign in to the portal, or interact with our chat widgets and quizzes embedded on customer sites.
2. What we collect
Account information. When you create an AttractionBot account, we collect your email address and business details (business name, location, phone, services).
Customer data you upload. Your services, prices, knowledge base, intake form fields, quiz questions, client records, session notes, photos, and consultation logs. You own this data.
Visitor interaction data. When someone interacts with a chat widget, quiz, or intake form embedded on your site, we collect their messages, answers, email/phone (if they share it), session ID, and a hashed IP address. This data is associated with your bot, not us.
Usage data. Standard server logs (IP, user agent, timestamps, pages visited) for security and debugging.
Payment data. Handled by Stripe, our payment processor. We don't see or store full card numbers — only the last 4 digits and Stripe's subscription status.
3. How we use it
- To provide the Service (run AI, send emails/SMS, store records).
- To bill you and manage your subscription.
- To improve the Service (aggregate usage analytics, no individual tracking).
- To communicate with you about your account (transactional emails, security alerts).
- To comply with legal obligations.
We don't sell your data. We don't use your customer data to train AI models. We don't share your data with marketers.
4. Subprocessors
We use the following third-party services to run AttractionBot. Each handles a specific function and has its own privacy and security commitments. By using AttractionBot, you authorize these subprocessors to process the relevant data.
- Anthropic — AI model provider (Claude). Used for chat, consultations, treatment plans, and content generation. Anthropic does not train on data we send via the API.
- Supabase — Database and authentication. Hosted in [region — confirm in production].
- Vercel — Application hosting and edge network.
- Stripe — Payment processing and subscription management.
- Resend — Transactional email delivery.
- Twilio — SMS sending and receiving (Builder tier only; opt-in).
- Square — Booking integration (Builder tier only; only for customers who connect their Square Appointments account).
- Acuity Scheduling, Vagaro — Booking integrations (Builder tier; only when the customer connects their account).
We add new subprocessors only as needed and update this list when we do.
5. CASL (Canadian Anti-Spam Legislation)
When the Service collects email addresses or phone numbers from your customers (via quizzes, intake forms, or chat), CASL requires explicit consent before sending marketing or promotional messages.
AttractionBot provides consent collection tooling on every lead-capture surface (an unchecked-by-default consent checkbox). However, you (the customer business) are responsible for using it correctly and for the lawfulness of your downstream marketing communications. We don't verify your CASL compliance.
For our own communications with you (the AttractionBot customer), we comply with CASL and CAN-SPAM. You can unsubscribe from marketing emails at any time via the link in every message.
6. PIPEDA + provincial laws
We process personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. We do not process Personal Health Information (PHI) regulated by Ontario's Personal Health Information Protection Act (PHIPA) or similar laws — see our Terms of Service section prohibiting use by Health Information Custodians.
7. Data location and transfers
Your data is primarily stored in Canada and the United States (Supabase, Vercel). Some subprocessors may process data in other regions (e.g. Anthropic in the US, Stripe in the US, Twilio globally). By using the Service you consent to this processing.
8. Retention
We retain your data for as long as your account is active. When you cancel, we retain it for 90 days in case you reactivate, then delete it (with reasonable best-efforts; backups may persist for up to 12 months in compliance with our backup retention policy).
You can request deletion of specific data at any time by contacting us.
9. Your rights
- Access. Request a copy of the personal information we hold about you or your customers.
- Correction. Update incorrect or outdated information directly in the portal, or by contacting us.
- Deletion. Request deletion of your data. We comply within 30 days unless we have a legal obligation to retain it.
- Portability. Request an export of your data in a structured format.
- Withdraw consent. You can withdraw consent for processing at any time, though this may mean we can no longer provide the Service.
To exercise any of these rights, email hello@theattractionbuilder.com.
10. Security
We use industry-standard security: TLS encryption in transit, encryption at rest in our database, hashed IP addresses for visitor records, role-based access controls, and audit logs for sensitive operations. No system is perfectly secure — we'll notify affected users of any breach within 60 days as required by law.
11. Cookies and tracking
The AttractionBot website uses functional cookies for authentication. We don't use third-party advertising or tracking cookies. Embedded chat widgets on customer sites set a session ID in localStorage so conversations can resume within a single visit; this isn't shared across customer sites.
12. Children
AttractionBot is not designed for use by children under 18. We don't knowingly collect data from minors. If you believe a minor has submitted information to us, contact us and we'll delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and posted on this page with a new “Last updated” date.
14. Contact
Questions about this Privacy Policy or how we handle your data: hello@theattractionbuilder.com.
You can also contact the Office of the Privacy Commissioner of Canada to file a complaint: priv.gc.ca.