AAlera
Join waitlist

Privacy

Your data. Your clients. Your business.

Short version: we collect what the product needs to run, we never sell your client list, and you can export or delete everything any time. The long version is below.

Last updated May 13, 2026

Section 01

What we collect

  • Account information: your phone number, business name, persona (barber, hairstylist, nail tech, makeup artist), email if provided, address, timezone, branding color, and anything else you choose to add to your booking page.
  • Business information: your services, prices, availability windows, intake forms, booking policies, deposit / cancellation / no-show / tip rules, broadcasts, scheduled broadcasts, gift cards you've sold, prepaid packages, retail inventory, expenses, the appointment records you create, and the photos you upload (services, portfolio, design catalog).
  • Client information: contact details (name, phone, email, optional birthday), visit history, tags you assign, notes and structured preferences (shape, length, base brand), and — when you enable these features — allergens, scalp/skin sensitivities, and patch-test results. See “Health-adjacent data” below for how we treat the last three.
  • Booking-page activity: when a client books with you, we collect the information they provide (name, phone, email, intake responses, inspiration photos, optional design pick) so the appointment can be created and confirmed.
  • Payment information: when you connect a Stripe account and accept payments, Stripe collects card details and identity-verification data directly. We do not see card numbers — we only see the Stripe-side identifiers (payment-intent IDs, charge IDs, refund IDs, transfer IDs) and the dollar amounts captured, refunded, tipped, and applied to no-show fees. Gift-card and package-credit balances are stored on Alera.
  • Receipt images: when you upload a receipt to the Expenses screen, we store the image on our infrastructure and send it to AWS Textract for OCR so we can pre-fill the amount, vendor, and date. Receipts stay attached to the expense row you create.
  • Device and usage data: technical signals like IP address, browser, OS, screen we are showing, and error logs we use to keep the product working. We do not build advertising profiles from this.
  • API key metadata: when you mint a per-tenant API key (Profile → Settings → API keys) we store its sha-256 hash (never the plaintext), its display prefix, the label you set, the list of origins you allowlisted for it, the timestamp of its most recent use, and a one-way hash of the IP that last presented it. The hash is one-way so we can show you "last used 3 minutes ago from this fingerprint" without retaining raw IPs.
  • We collect only what the product needs to run. We do not buy data about you or your clients from third parties.

Section 02

Health-adjacent data

  • If you record allergens, scalp/skin sensitivities, patch-test results, or any other condition-related notes against a client, we treat those fields with elevated care: they live in the same encrypted database as the rest of your account, but they are visible only to you, surfaced contextually at booking time as a heads-up, and exported with your client list when you export.
  • Alera is not a medical or health record system. The features above exist to help you avoid an allergic reaction or a missed contraindication — they are not a substitute for clinical judgment. You decide what to record and you remain responsible for whatever services you provide.
  • We do not sell, share, or use this data for any purpose other than making it available to you on the appointment screens and exports.

Section 03

How we use it

  • To run the product: showing your bookings, sending reminders, rendering your booking page, and answering support questions.
  • To improve the product: aggregate, de-identified usage patterns tell us which features need work and which screens cause confusion.
  • To keep your account secure: detecting suspicious sign-in attempts, fraud, and abuse.
  • To communicate with you: occasional product updates and account notices. You can turn off non-critical messages at any time.
  • To comply with the law: respond to lawful requests, defend against claims, and meet tax and audit obligations.

Section 04

What we never do

  • We do not sell your client list or sell access to your clients.
  • We do not send marketing to your clients. Any SMS that goes from Alera to a client was something you set up. Reminders, confirmations, or broadcasts you composed.
  • We do not share your data with marketplaces, lead-generation networks, or directories that list booking pros.
  • We do not advertise to your clients on your behalf or on ours.

Section 05

How we share data

  • Subprocessors: we use the following vendors to run the product. Each only sees what's needed for its function and cannot use your data for its own purposes. Current list: Amazon Web Services (compute, database, storage, identity, receipt OCR via AWS Textract); Stripe (payment processing for deposits, balances, tips, no-show fees, gift cards, packages — Stripe is the data controller for card-related personal data); Twilio (SMS delivery for sign-in codes, reminders, broadcasts, and direct client replies); Resend (transactional email delivery); OpenAI (language translation only — when a client visits a booking page in a non-English locale, the merchant text and intake-form labels are sent for translation; client phone numbers and PII never leave Alera); Cloudflare-class CDN networks for static assets.
  • Your authorized integrations: when you connect a third-party tool (e.g., Google or Apple Calendar via the iCal feed token), we share the data needed for that integration to work. You can disconnect at any time.
  • Your embedded site: when you mint a per-tenant API key and embed Alera into your own marketing site, that site's server can call Alera's booking endpoints on your behalf. The data flowing back to your site is limited to what's needed to render the booking surface for a visitor: class schedule, capacity, the booking confirmation for the person they just booked. Your embedded site never receives other clients' information. You are responsible for the security of the API key on your infrastructure.
  • Legal: when required by law, valid legal process, or to protect Alera, our users, or the public from harm. We push back on overbroad requests.
  • Successor entities: if Alera is ever acquired or merged, your data moves with the product, subject to this policy. We will tell you in advance.

Section 06

Where your data lives

  • Data is stored on enterprise cloud infrastructure in the United States, with encryption in transit and at rest.
  • Backups are encrypted and rotate on a rolling schedule.
  • If you are outside the United States and use the product, your data will be transferred to and processed in the US. By using Alera you consent to that transfer.

Section 07

Phone-based sign-in and SMS

  • We sign you in with a one-time code sent to your phone via Twilio. Your number is used to authenticate you and to communicate with you about your account. Codes expire after 5 minutes and we do not store them.
  • Reminders, booking confirmations, cancellations, reschedules, waitlist offers, and direct two-way replies between you and your clients are sent over SMS via Twilio's toll-free number. Message and data rates may apply to recipients on plans that charge for inbound texts.
  • SMS opt-in: clients opt into SMS by checking a separate, dedicated consent checkbox on the booking form when they enter their phone number. The checkbox is initially unchecked and must be ticked deliberately — leaving it unchecked is supported and the client can still complete their booking; we simply will not send SMS to that number. SMS consent is not a condition of using the service, is captured separately from Terms of Service and Privacy Policy acceptance, and is recorded with a timestamp + source URL for audit purposes.
  • SMS opt-out: clients can reply STOP to any message at any time to opt out instantly. Twilio honors STOP automatically across every message from this number. Reply UNSTOP or START to opt back in. Reply HELP for support contact information.
  • We do not send marketing or promotional content over SMS. The toll-free number is registered with US carriers as a transactional-only sender, used solely for appointment-related communication between you and the service provider you booked.
  • We do not sell, rent, share, or otherwise transfer phone numbers or SMS opt-in consent data to any third party for marketing or promotional purposes. Phone numbers are stored solely to fulfill the SMS purposes described in this section.

Section 08

Your choices

  • Access and update: review and edit your account, business, and client data anytime from Profile and Clients.
  • Export: export your client list as CSV or vCard from Profile → Clients → Export. Export your appointment + revenue history as CSV from Insights. No paywall, no waiting period.
  • Delete: delete your account from Profile → Delete account. Active data is purged within 30 days. Backups roll off within 90 days. Records we are legally required to keep — payment-processor reconciliation data, tax records, fraud investigations — may persist longer in restricted form.
  • Sign out everywhere: Profile → Sign out everywhere revokes every device that has an active session.
  • SMS opt-out for clients: clients can reply STOP to any text from your toll-free number to opt out instantly. We honor it across every Alera-pro using that number.
  • Privacy rights (CCPA / GDPR / state privacy laws): depending on where you live, you have rights to access, correct, delete, restrict, or port your personal data, and to opt out of certain uses. Email team@alerabooking.com — we respond within 30 days, usually within 72 hours, and verify identity before acting on a request.

Section 09

Payments and financial data

  • Payments are processed by Stripe under their own privacy policy and PCI-compliant infrastructure. Card numbers, identity-verification documents, and bank details are submitted directly to Stripe and are not visible to Alera at any point.
  • From Stripe's webhooks we store the captured / refunded / tipped / no-show-fee dollar amounts on each appointment, plus the Stripe-side IDs (PaymentIntent, Charge, Refund). These let your /insights and /settings/payments screens reconcile against your Stripe dashboard.
  • Gift-card balances and prepaid-package credits are stored on Alera. When a client buys a gift card or package, Stripe records the purchase; we record the remaining balance and tie it to the appointment when redeemed.
  • If your Stripe account hits the federal threshold for 1099-K reporting, Stripe (not Alera) issues the form. Alera never withholds taxes.

Section 10

Children

  • Alera is not designed for use by children under 13 (or 16 in the EU/UK). We do not knowingly collect data from children below the applicable age. If you believe a child has provided information, email team@alerabooking.com and we will delete it.

Section 11

Cookies and local storage

  • We use a small set of cookies and local / session storage to keep you signed in (a Cognito session cookie), remember your locale, cache booking data while you navigate, and measure how the product is performing. We do not use third-party advertising cookies or cross-site tracking.
  • Refresh tokens issued by Cognito are valid for one year on a sliding window — every successful API call extends them — so day-to-day pros only see a sign-in code once a year. "Sign out everywhere" on Profile revokes them across every device.

Section 12

Pros, clients, and roles

  • When a client books with you through alerabooking.com/{handle}, you are the data controller for that client's contact details and intake responses; Alera is the processor that stores and surfaces the data on your behalf. The terms you set on your booking page (deposit policy, cancellation window, intake fields) govern what gets collected.
  • Clients can ask you for their data, ask you to delete it, or ask you to stop messaging them. Alera supports you with export tools (CSV / vCard from Profile → Clients → Export) and the SMS opt-out keywords described above. If a client emails team@alerabooking.com directly, we route them to the pro they have a relationship with — we don't disclose your client list.

Section 13

Updates to this policy

  • We may update this policy when the product changes. The revision date above always reflects the current version. Material changes get advance notice in the app and by email when relevant.

Section 14

Contact

  • Questions, corrections, or deletion requests: email team@alerabooking.com. We respond within 30 days, usually within 72 hours.

This policy covers Alera and alerabooking.com. We update it when the product changes and mark the revision date above. Material changes get an in-app notice.

Questions about your data?

Email team@alerabooking.com — a real person reads it.

Join the waitlist

Already have early access? Sign in