NusaBook legal

Privacy Policy

What we collect, why we collect it, and the controls you have. Written to satisfy GDPR + CCPA while still being readable.

Last updated: 2026-05-23

1. Who's responsible

For your account information (your email, business profile, billing details), NusaBook is the data controller.

For your customers' personal data that flows through your account (their phone numbers, names, message contents, booking details), you are the controller and NusaBook is the processor acting on your instructions. The terms of that relationship are in our Data Processing Agreement.

2. What we collect — about you (the Operator)

  • Account: email, password hash, full name (if provided), preferred language.
  • Business profile: business name, type, description, country, city, timezone, currency, services, hours, bot personality.
  • WhatsApp + Maps integration: your business WhatsApp number, Google Maps place ID, generated wa.me link.
  • Billing: Stripe customer ID, subscription status, payment history (we never see your card number; Stripe holds it).
  • Usage: sign-in timestamps, IP address (transient), feature usage counts. We do not sell or share this with advertisers.

3. What we collect — about your customers

  • Phone number — needed to send and receive WhatsApp messages.
  • Display name — from their WhatsApp profile, if provided.
  • Detected language — derived from message content to route replies correctly.
  • Conversation history — full message text, both theirs and the AI's replies.
  • Booking details — service, date, time, name they provided, optional notes.

We do not collect customer payment details. Payments happen between your customer and your business directly, outside NusaBook.

4. Why we collect it (legal bases)

Operator data

  • Contract: to provide the Service you signed up for.
  • Legitimate interest: to keep the platform secure, prevent abuse, and improve the product.
  • Legal obligation: tax records, anti-fraud, response to lawful requests.

Customer data (where you are the controller)

We process customer data only on your instructions, to operate the booking flow you configured. You are responsible for having a lawful basis to process your customers' data — typically your customer's consent or your legitimate interest in fulfilling their booking.

5. AI processing

Customer messages and your business profile are sent to Anthropic's Claude API to generate replies. Anthropic does not train models on this data (see Anthropic's API privacy terms). No customer data is sent to advertisers or external analytics tools.

6. Where data lives

  • Application data: Supabase (hosted on AWS, region chosen for your account).
  • Application hosting: Vercel (global edge network; Functions run in selected regions).
  • AI processing: Anthropic API (US-based).
  • WhatsApp routing: Twilio (US-based, with WhatsApp via Meta).
  • Payments: Stripe (US, EU, and other regions per Stripe's infrastructure).

Cross-border transfers (e.g. EU → US) are covered by standard contractual clauses with each sub-processor.

7. How long we keep it

  • Active account data: as long as your account is active, plus 90 days after deletion.
  • Conversation logs: 12 months from the last message in a thread, unless your customer requests earlier deletion via you.
  • Billing records: 7 years (legal/tax retention).
  • Backups: rolling 30-day window, automatically purged.

8. Sub-processors

We use these third-party services to provide NusaBook. Each is contractually required to handle data only as instructed:

  • Supabase — primary database + auth.
  • Vercel — application hosting.
  • Anthropic — AI reply generation.
  • Twilio — WhatsApp message routing.
  • Stripe — subscription billing.

We will publish a list of any new sub-processor at least 30 days before they begin processing data.

9. Your rights (GDPR / CCPA / etc.)

Depending on your jurisdiction, you have rights to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Restrict processing for specific purposes.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time without affecting prior processing.

Self-serve: most rights can be exercised directly from the dashboard. For anything else, email hello@nusabook.com — we respond within 30 days.

If you are an EU resident, you may lodge a complaint with your local Data Protection Authority. If you are in California, you have additional rights under CCPA including the right to know what is collected and to opt out of "sale" of personal information (we do not sell personal information).

10. Security

We use industry-standard safeguards: TLS for data in transit, AES-256 encryption at rest, row-level security in the database, secrets managed in encrypted environment variables, and the principle of least privilege for staff access. No system is perfectly secure; we commit to disclosing breaches that affect your data within 72 hours of confirming the incident.

11. Cookies and trackers

See our Cookie Policy for what we set, why, and how to disable them.

12. Children

NusaBook is for businesses. We do not knowingly process data from children under 16. If you believe we have, email hello@nusabook.com and we will delete it.

13. Changes

We update this policy when our practices change. Material changes are emailed to your account address. The "Last updated" date reflects the most recent revision.

14. Contact

Privacy questions: hello@nusabook.com.

Questions?

Email hello@nusabook.com and we'll respond within two business days.
