Privacy Policy
Last updated: July 16, 2026
1. Introduction
This Privacy Policy explains how Besmi LLC, an Oregon limited liability company ("Besmi," "we," "our," or "us"), collects, uses, shares, and protects personal information in connection with the Besmi platform at besmi.com and our mobile apps (together, the "Service"). It applies to both the beauty and wellness professionals who use Besmi to run their businesses ("Professionals") and the clients who book with or are managed by those Professionals ("Clients").
2. Our Two Roles: Controller and Service Provider
Besmi plays two different roles depending on whose data is involved:
- As a controller (business). For information about Professionals and their staff — account, business profile, subscription, and payout data — Besmi determines how and why the data is used, and this Policy governs that use.
- As a service provider / processor. For information a Professional collects about their own Clients (appointments, client records, intake responses, messages, photos, payments), the Professional is the controller of that data and decides what to collect and why. Besmi processes it on the Professional's behalf to provide the Service, under the Professional's instructions and our agreements. If you are a Client, direct requests about your data first to the Professional you booked with; we will assist them as required by law.
3. Information We Collect
Information Professionals provide:
- Account and identity data — name, email address, password (managed by Firebase Authentication), and phone number.
- Business profile — business name, page URL, bio, avatar, public contact email and phone, Instagram handle, website, physical business address, service area, time zone, country, and currency.
- Payment and payout data — Stripe Connect account identifiers, payout and charge status, subscription billing details, and limited card metadata (brand, last four digits, expiration). We do not store full card numbers.
- Staff data — for team accounts, each member's name, email, phone, avatar, bio, role, and payout details.
Information about Clients (provided by Clients at booking or by the Professional):
- Contact and identity — first and last name, email, phone number, and (optionally) a client photo, Instagram handle, and birthday.
- Booking and commercial history — appointments, services, deposits, tips, payments, refunds, visit counts, total spend, and notes added by the Professional.
- Communications — SMS and email content exchanged through the platform, including full message history in a conversation.
- Reviews — ratings, review text, and any review photos. We display reviews using a first name and last initial only, and we store a hashed IP address and hashed device identifier with each review for abuse prevention.
- Consent records — when a Client agrees to messaging or booking terms, we store a consent snapshot that includes the IP address, device/browser information, the consent wording and version, and a timestamp.
Intake forms (may include sensitive information):
Professionals can build their own intake forms. Because the Professional designs these forms, they may ask for sensitive details relevant to a service — for example allergies, skin or eye conditions, medications, or pregnancy — and may capture a typed or drawn signature and photos (which can include images of a Client's face). Besmi does not require or independently classify this information; it is collected at the direction of the Professional, who is responsible for having a lawful basis and appropriate consent to collect it. Besmi stores it to make it available to that Professional.
Information we collect automatically:
- Usage and device data — IP address, browser and device type, pages viewed, referring pages, and access times.
- Analytics and cookies — we use Google Analytics 4 and Firebase Analytics, and we store limited information in your browser's local storage (for example, sign-in state, referral attribution, and dismissed prompts). See Section 7.
- Push tokens — if you enable push notifications in our mobile app, we store a device push token.
4. How We Use Information
- Provide, operate, secure, and improve the Service.
- Process bookings, deposits, payments, and payouts, and send appointment confirmations and reminders.
- Send transactional messages (SMS and email) and, where permitted, marketing messages you can opt out of at any time.
- Power the AI messaging assistant that helps Professionals respond to Client texts (see Section 6).
- Provide customer support and respond to requests.
- Detect, prevent, and address fraud, abuse, and security incidents.
- Comply with legal obligations and enforce our Terms.
We do not use Client health-related intake responses, signatures, or photos for our own marketing, and we do not sell them.
5. How We Share Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only as described here:
Between Professionals and their Clients. The Service exists to let a Professional manage bookings and communicate with their Clients, so Client data is available to the Professional (and their authorized staff) the Client booked with.
With service providers (sub-processors) that operate the Service under contract:
- Google / Firebase — authentication, database, file storage, hosting, and analytics.
- Stripe — payment processing, Connect payouts, and in-person "Tap to Pay" card acceptance.
- Twilio — SMS delivery and phone number provisioning.
- SendGrid (Twilio) — transactional and marketing email delivery.
- Google Gemini — the AI messaging assistant (see Section 6).
- Apple Push Notification service and Firebase Cloud Messaging — mobile push notifications.
Optional integrations you turn on. If a Professional connects an integration, data flows to that service at their direction — for example Google Calendar (which receives the Client name and service for synced events), an Instagram profile lookup, or an external AI assistant the Professional authorizes through our connector (such as ChatGPT or Claude), which can then access schedule and client information within the scopes the Professional grants.
Legal and safety. We may disclose information to comply with law, respond to lawful requests, or protect the rights, safety, and property of Besmi, our users, or the public.
Business transfers. If Besmi is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.
6. AI Messaging Assistant
Professionals can enable an AI assistant that helps answer inbound Client text messages. When enabled, for each incoming message we send to Google Gemini the message text and recent conversation history, along with context needed to reply — the Client's name and phone number, visit count and total spend, upcoming appointments, and the business's services and settings. The assistant generates suggested replies and booking actions. The assistant identifies itself as automated in the conversation. Professionals are responsible for the messages sent from their account. Health-related intake responses are not included in the AI context.
7. Cookies, Analytics, and Your Choices
We and our analytics providers use cookies and similar technologies (including Google Analytics 4 and Firebase Analytics) to understand how the Service is used and to keep you signed in. Public booking pages may load these analytics as well. You can control cookies through your browser settings, and you can opt out of Google Analytics using Google's browser add-on. We honor the Global Privacy Control (GPC) signal as a valid opt-out of "sharing" where applicable.
8. Text Messages (SMS)
When a Client provides a phone number and agrees to messaging, we send transactional texts (such as booking confirmations and reminders) and, with separate opt-in, marketing texts. Message and data rates may apply. You can reply STOP to opt out of texts at any time, or HELP for help; reply START to opt back in. We record and honor these choices. Email recipients can unsubscribe using the link in any marketing email.
9. Data Retention
We keep personal information for as long as an account is active and as needed to provide the Service, then for a reasonable period afterward to meet legal, tax, accounting, dispute- resolution, and security obligations. Client records are retained for the Professional while their account is active; when a Professional closes their account, associated Client data is deleted or de-identified within a reasonable period, except where we must retain it by law. Payment records held by Stripe are governed by Stripe's retention practices. You may request deletion as described in Section 11.
10. Data Security
We use industry-standard safeguards, including encryption in transit (HTTPS/TLS), secure authentication, tenant isolation, and access controls that route all data changes through authenticated server-side checks. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities as required by law.
11. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights: to know and access the personal information we hold about you; to correct it; to delete it; to receive a portable copy; to opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising); and to not be discriminated against for exercising your rights. Where we rely on consent, you may withdraw it at any time.
California residents (CCPA/CPRA). In the past 12 months we have collected the categories of personal information described in Section 3 (identifiers, contact and commercial information, internet/usage activity, approximate location, audio/visual information such as photos and signatures, and, via Professional-designed intake forms, potentially sensitive information). We use it for the purposes in Section 4 and disclose it to the service providers in Section 5 for business purposes. We do not sell it and do not share it for cross-context behavioral advertising. You may exercise your rights, or use an authorized agent, by contacting us below; we will verify your request before acting on it.
How to exercise your rights. Email support@besmi.com with the subject "Privacy Request." If you are a Client, we may direct your request to the Professional who controls your data and assist them in responding.
12. Sensitive Information
Some intake forms may capture sensitive information (such as health-related details) and images including a Client's face, at the Professional's direction. We handle this information only to provide the Service to that Professional, do not use it for advertising, and do not sell it. Besmi does not currently perform facial recognition or collect biometric identifiers; if we introduce such features, we will update this Policy and obtain any consent the law requires before doing so.
13. Children's Privacy
The Service is intended for users 18 and older, and Professional accounts require you to be at least 18. We do not knowingly collect personal information directly from children under 13. A Professional may maintain records about a minor Client on behalf of a parent or guardian; in that case the Professional is responsible for obtaining any required consent. If you believe a child has provided us information without authorization, contact us and we will delete it.
14. International Users and Data Transfers
Besmi is based in the United States, and we store and process information on U.S.-based cloud infrastructure and with U.S. service providers. If you access the Service from Canada or elsewhere, you understand that your information will be transferred to and processed in the United States, where privacy laws may differ from those in your location. For Canadian users, we handle personal information consistent with applicable Canadian privacy law (including PIPEDA) and anti-spam law (CASL).
15. Third-Party Links and Services
The Service may link to third-party sites and services (for example a Professional's social links, a mapping service for directions, or payment pages hosted by Stripe). We are not responsible for the privacy practices of those third parties; their own policies govern their handling of your data.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated version here and revise the "Last updated" date. Material changes may be communicated by additional notice. Your continued use of the Service after an update means you accept the revised Policy.
17. Contact Us
Besmi LLC (Oregon, USA)
Email: support@besmi.com