Privacy Policy
01 Plain-English summary
Didactic Initiatives LLC, a California limited liability company (“Needlebird”), runs a booking platform for beauty and wellness businesses. We collect data to run that service. We don’t sell your data or your clients’ data, and we don’t use it to train AI models. Where the law gives California residents specific rights, we honor them.
02 Who this applies to
This Policy describes how we handle personal information in two distinct roles:
- Controller — for tenant staff and admin accounts that sign up to use Needlebird directly. We decide how this data is used.
- Processor — for end-client booking data that tenants enter into Needlebird. The tenant is the controller; we process this data on the tenant’s behalf under our Terms of Service.
If you booked an appointment with a Needlebird-powered business and want to exercise rights over your data, contact that business directly. We will assist them.
03 Data we collect
Tenant staff & admins (we are the controller)
- Email address and a hashed password.
- First name, last name, and (optional) phone number used for SMS account, security, and service notifications.
- Role assignments inside your tenant.
- Last sign-in IP address and timestamp, recorded by our authentication system.
End clients (we are the processor)
- First and last name; optional email address; optional phone number used by the tenant to send SMS appointment confirmations, reminders, and related transactional messages.
- Free-text notes the tenant adds to a client’s record.
- Appointment history: which staff, location, service, date, time, and notes.
- No-show count.
Billing & subscription
- Customer and subscription identifiers held by our payment processor (when paid plans are active). Card data is collected and stored by that processor; we never see full card numbers.
Logs
- Standard server logs (IP, user agent, timestamp, requested URL, status code) retained for security and debugging.
04 How we use it
- To provide and operate the Service: authentication, booking, scheduling, communications.
- To bill tenants and process payments through our third-party payment processor.
- To send transactional messages (confirmations, reminders, password resets).
- To maintain security, detect abuse, and comply with legal obligations.
- To improve the Service in aggregate. We do not use Customer Data to train AI models.
06 Retention & deletion
We keep tenant account data for as long as the account is active. After termination, we provide a reasonable export on request and delete remaining data within 30 days, except where law requires us to keep records longer (e.g., tax, fraud investigation).
Customer Data deletion is initiated by the tenant. End clients should contact the booking business directly.
07 Security
We use industry-standard safeguards: TLS in transit, encryption at rest, hashed passwords, least-privilege access controls, and audit logging on sensitive actions. No system is perfectly secure; we will notify affected users and regulators of material breaches as required by law.
08 Your rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how it is used.
- Request deletion of your personal information.
- Correct inaccurate personal information.
- Receive a portable copy of your personal information.
- Not be discriminated against for exercising these rights.
We do not sell or share personal information for cross-context behavioral advertising, so we do not offer an opt-out. To exercise any right, email hello@needlebird.com. We respond within 45 days.
09 Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe we have, contact us and we will delete it.
10 Changes to this Policy
We may update this Policy. Material changes will be announced via email or in the Service. The “Effective” date above always reflects the latest version.
11 Contact
Questions, requests, or complaints? Email hello@needlebird.com.