Legal
Privacy Policy
Last updated: 26 March 2026
M37 Tech Pty Ltd (ABN 88 696 420 363, ACN 696 420 363) ("Booct", "we", "us", or "our") operates the Booct platform (booct.com) — a salon and spa management software-as-a-service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, whether as a business owner, staff member, or end-customer booking an appointment.
We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the General Data Protection Regulation (GDPR) for users located in the European Economic Area.
1. Information We Collect
1.1 Personal Information You Provide
- Account registration: name, email address, phone number, business name, and password.
- Client records: names, contact details, appointment history, treatment preferences, and notes added by service providers.
- Payment information: billing address and payment method details (card numbers are processed and stored exclusively by our payment processor, Stripe — we never store full card numbers).
- Communications: messages you send through the platform, support requests, and feedback.
1.2 Treatment and Health Records
If you use Booct for treatments that involve health-related information — such as skin treatments, medical aesthetics, allergy records, or consent forms — this data is classified as sensitive information under Australian Privacy Principle 6 (APP 6) and as special category data under GDPR Article 9. We collect and process this information only with your explicit consent and solely for the purpose of delivering and recording treatments.
1.3 Automatically Collected Information
- Usage analytics: pages visited, features used, session duration, and interaction patterns (collected via privacy-respecting analytics).
- Device information: browser type, operating system, screen resolution, and language preferences.
- Device fingerprinting: we use limited device fingerprinting to prevent fraud, detect account sharing, and maintain session security. This does not track you across other websites.
- Log data: IP address, access times, referring URLs, and server response data.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: operating the platform, processing bookings, managing client records, and facilitating payments.
- Communications: sending appointment reminders (SMS and email), booking confirmations, marketing campaigns (with consent), and account notifications.
- Analytics and improvement: understanding how the platform is used so we can improve features, fix issues, and develop new capabilities.
- Security: detecting and preventing fraud, abuse, and unauthorized access.
- Legal compliance: meeting our obligations under applicable laws, including tax record-keeping and responding to lawful requests.
3. Data Sharing and Third Parties
We do not sell your personal information. We share data only with the following categories of service providers, each of which is contractually required to protect your data:
- Stripe — payment processing. Stripe processes and stores payment card data under its own PCI-DSS compliant infrastructure. See Stripe's Privacy Policy.
- Email delivery providers — transactional and marketing emails (e.g., appointment confirmations, campaign messages).
- SMS providers — appointment reminders and notification messages.
- Sentry — error monitoring and application performance. Sentry may receive limited technical data (error stack traces, device info) to help us diagnose and fix bugs. See Sentry's Privacy Policy.
- Cloud hosting providers — infrastructure for storing and serving the platform.
We may also disclose information where required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Booct, our users, or others.
4. Health and Sensitive Information
Treatment records (including before-and-after photos, allergy information, consent form responses, and clinical notes) are classified as sensitive information under the Australian Privacy Act and as special category data under the GDPR.
- We collect health information only with explicit consent (APP 6 / GDPR Art. 9(2)(a)).
- This data is used exclusively to deliver, record, and manage treatments.
- Access is restricted to the service provider organisation and the individual client.
- Health information is encrypted at rest and in transit.
- You may request deletion of your health records at any time (subject to legal retention requirements).
5. Data Retention
- Active accounts: data is retained for as long as the account remains active.
- After account closure: we retain personal data for up to 12 months to allow for account reactivation, after which it is permanently deleted or anonymised.
- Financial records: transaction data is retained for 7 years to comply with Australian tax law (Taxation Administration Act 1953).
- Treatment records: retained for the duration required by applicable health records legislation (typically 7 years from the last entry, or longer for minors).
- Analytics data: aggregated and anonymised analytics are retained indefinitely. Identifiable analytics data is deleted within 26 months.
- Server logs: retained for up to 90 days for security and debugging purposes.
6. Your Rights
6.1 Under the Australian Privacy Act
You have the right to:
- Access the personal information we hold about you (APP 12).
- Correct information that is inaccurate, out of date, incomplete, or misleading (APP 13).
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
6.2 Under the GDPR (EEA Users)
If you are located in the European Economic Area, you additionally have the right to:
- Erasure — request deletion of your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Restriction — request that we limit how we process your data.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by applicable law).
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies: required for the platform to function (authentication, session management, security). These cannot be disabled.
- Functional cookies: remember your preferences such as language, timezone, and display settings.
- Analytics cookies: help us understand usage patterns. We use privacy-respecting analytics that do not track you across websites.
We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the platform from functioning correctly.
8. Data Security
We implement industry-standard security measures including:
- TLS 1.2+ encryption for all data in transit.
- AES-256 encryption for data at rest.
- Role-based access controls and multi-tenant data isolation.
- Regular security assessments and dependency auditing.
- Automated intrusion detection and monitoring.
While no system can guarantee absolute security, we take reasonable steps to protect your information against unauthorised access, disclosure, alteration, or destruction.
9. International Data Transfers
Your data is primarily stored and processed in Australia. Where data is transferred to service providers located outside Australia (e.g., Stripe in the United States), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for GDPR compliance).
- Binding contractual obligations that require the same level of data protection as Australian law.
- Assessment of the data protection laws in the recipient country (APP 8).
10. Australian Privacy Act 1988
Booct is an Australian entity subject to the Privacy Act 1988 (Cth). We comply with all 13 Australian Privacy Principles (APPs), including:
- APP 1: Open and transparent management of personal information.
- APP 3: Collection of solicited personal information only where reasonably necessary.
- APP 5: Notification of the collection of personal information (this Policy).
- APP 6: Use or disclosure of personal information only for the purpose of collection, or a directly related secondary purpose.
- APP 8: Cross-border disclosure protections.
- APP 11: Security of personal information.
If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
11. GDPR Compliance
For users in the European Economic Area:
- Legal basis for processing: contract performance (providing the service), legitimate interests (security, analytics), consent (marketing communications, health data), and legal obligation (tax records).
- Data Protection Officer: privacy inquiries can be directed to [email protected].
- Supervisory authority: you have the right to lodge a complaint with your local data protection authority.
12. Children's Privacy
Booct is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform at least 30 days before they take effect. Your continued use of Booct after such changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Mail: M37 Tech Pty Ltd, Melbourne, Victoria, Australia
For complaints about how we handle your personal information, you may also contact the Office of the Australian Information Commissioner (phone: 1300 363 992).