Privacy Policy
Last updated April 17, 2026.
GiantBooking provides an AI receptionist that answers calls, texts, and web-chat conversations on behalf of appointment-driven businesses. This Privacy Policy describes what we collect from your business and from the people who contact your business, how we store and protect that data, and the rights available to you.
Who this policy covers
This policy applies to two groups:
- Customers: the businesses that sign up to use GiantBooking.
- Callers: the people who phone, text, or chat with a business that uses GiantBooking. When a caller is a patient, the Customer is the Covered Entity and GiantBooking acts as a Business Associate.
What we collect
We collect only what the service needs to operate:
- Account data: business name, email, phone number, billing details.
- Call data: caller phone number, transcripts, call duration, channel (voice, SMS, web), and the tools the AI ran during the conversation.
- Appointment data: the date, time, provider, service, and patient name or identifier required to book the appointment.
- Agent configuration: your services, providers, hours, cancellation policy, tone, and any custom system prompt you set.
- Audit receipts: every authorized tool call produces a signed receipt containing a timestamp, tool name, parameter hash, and signing key identifier.
How we use it
We use the data to deliver the service: answer calls, book appointments, send confirmations, and show you a call log and audit trail. We do not sell your data. We do not use your customer transcripts to train third-party AI models.
How we protect it
- Encryption in transit: TLS 1.2 or newer on all public network traffic, including Twilio webhooks and the WebSocket chat channel.
- Encryption at rest: sensitive columns (caller phone numbers, tenant phone numbers, transcripts, system prompts, cancellation and escalation policies) are encrypted with AES-256-GCM using a 12-byte random nonce per write. The authentication tag detects tampering on read.
- Authorization: every AI tool call goes through a policy gate that checks role, rate limits, scope, and PII redaction rules before the tool runs.
- Audit trail: every authorization decision produces an Ed25519-signed receipt with the signing key ID recorded. Receipts are exportable as PDF or JSON for review.
HIPAA
When the service processes Protected Health Information (PHI) on behalf of a Covered Entity, GiantBooking acts as a Business Associate under HIPAA. We will sign a Business Associate Agreement with Customers who require one, and we require BAAs from the sub-processors listed below that touch PHI.
HIPAA compliance is a shared responsibility. Customers remain responsible for their own administrative, physical, and workforce safeguards, including how they configure access to the dashboard, who they authorize to view transcripts, and how they disclose AI interactions to patients.
Third-party processors
We use the following sub-processors to deliver the service. Each one is covered by its own privacy and security controls:
- Twilio: telephony (SIP voice in, SMS in and out), US and international.
- LiveKit: real-time voice session infrastructure.
- Deepgram: speech-to-text transcription on live voice streams.
- Cartesia: text-to-speech synthesis for the AI voice.
- Anthropic: Claude large-language models for conversation and intent routing.
- Stripe: subscription billing.
- Clerk: dashboard authentication.
Data retention
Call logs and transcripts are retained for as long as your account is active, so they remain available for review in the dashboard. You can delete your account at any time from the dashboard or by emailing us, which removes your tenant and all associated call logs, transcripts, and receipts. Audit receipts may be retained in derived form (counts and hashes) for security and abuse prevention for up to 30 days after deletion.
Your rights
You can:
- Export all of your tenant data and call logs as a JSON file from the dashboard.
- Delete your tenant and every associated record at any time. The deletion cascade removes call logs, transcripts, and receipts.
- Ask us to correct inaccurate data we hold about you.
- Withdraw consent for any optional processing.
To exercise any of these rights, use the dashboard controls or email hello@giantbooking.com.
Children
The service is not directed at children under 13. We do not knowingly collect personal information from children. If a Customer's practice serves minors, the Customer remains responsible for obtaining any parental consent required by law.
Changes
We may update this Privacy Policy. Material changes will be announced by email or in the dashboard. The "last updated" date at the top of this page reflects the most recent revision.
Contact
Questions about this policy, a BAA, or a data request? Email hello@giantbooking.com.