Privacy Policy

Effective Date: Feb 18, 2026
Last Updated: Feb 18, 2026

Lawbooker is a registered business name of TD Labs Ltd., an Ontario corporation ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and protect personal information through our platform at lawbooker.io and app.lawbooker.io (the "Platform"), including our website, application, APIs, and related services.

We provide a scheduling and client intake platform for law firms ("Firm Subscribers"). When individuals book appointments through our Platform ("End Users"), their personal information is collected on behalf of the Firm Subscriber. This Privacy Policy applies to all users of the Platform, including Firm Subscribers, their authorized team members, and End Users.

By using the Platform, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Platform.

1. Definitions and Roles

Understanding who is responsible for personal data is important:

  • Firm Subscribers are law firms and legal professionals who subscribe to the Platform to manage their scheduling, client intake, and payments. When Firm Subscribers collect and manage their clients' data through the Platform, they act as the data controller (GDPR) or the business (CCPA) for that client data.
  • Lawbooker (TD Labs Ltd.) acts as a data processor (GDPR) or service provider (CCPA) when handling End User data on behalf of Firm Subscribers. We act as a data controller for data we collect directly from Firm Subscribers for account management, billing, and Platform operation.
  • End Users are individuals who book appointments with Firm Subscribers through the Platform. End Users do not create accounts on the Platform.

If you are an End User with questions about how a specific law firm handles your data, please contact that firm directly. For questions about how Lawbooker processes data, contact us using the details in Section 15.

2. Information We Collect

2.1 Information from Firm Subscribers and Team Members

When you create an account and use the Platform, we collect:

  • Account information — name, email address, password (hashed), profile photo, title, bio, and timezone
  • Firm information — firm name, address, phone number, website, logo, business hours, practice areas, and timezone
  • Billing information — subscription plan, payment method details (processed by Stripe; we do not store full card numbers), invoice history, and seat count
  • Calendar credentials — OAuth tokens for connected Google, Microsoft, and Zoom accounts (encrypted at rest)
  • Calendar data — busy/free status from connected calendars used solely to calculate appointment availability (we do not read event details beyond what is necessary for scheduling)
  • Usage data — features used, booking links created, appointments managed, and Platform interactions

2.2 Information from End Users

When you book an appointment through the Platform, we collect on behalf of the Firm Subscriber:

  • Contact information — name, email address, and phone number
  • Custom intake fields — information provided in firm-configured fields, which may include address, additional email, phone, date of birth, website, or free-text responses
  • Intake question responses — answers to booking-specific questions configured by the Firm Subscriber
  • Payment information — payment card details (processed directly by Stripe; we do not store full card numbers), transaction amounts, and payment status
  • Booking details — selected date, time, timezone, appointment type, and location preference

2.3 Information Collected Automatically

When you visit or use the Platform, we automatically collect:

  • Device and browser information — browser type, operating system, device type, and screen resolution
  • Network information — IP address and approximate geographic location
  • Usage information — pages visited, features used, referring URLs, and timestamps
  • Cookies and similar technologies — as described in Section 11

3. How We Collect Information

We collect information through the following means:

  • Directly from you — when you create an account, complete onboarding, configure your firm, create booking links, or book an appointment
  • From third-party services — when you connect your Google, Microsoft, or Zoom accounts via OAuth, or when you complete a payment through Stripe
  • Automatically — through cookies, server logs, and analytics tools when you interact with the Platform
  • From Firm Subscribers — when a firm admin creates your team member account or adds your information as a client record

4. How We Use Your Information

We use the information we collect to:

4.1 Provide and Operate the Platform

  • Create and manage Firm Subscriber accounts and team member access
  • Process appointment bookings and send confirmation details
  • Calculate and display real-time calendar availability
  • Generate video meeting links (Google Meet, Microsoft Teams, Zoom)
  • Process payments, pre-authorization holds, captures, refunds, and disputes
  • Create and maintain client records on behalf of Firm Subscribers
  • Send transactional emails (verification, password reset, invitations, booking confirmations)

4.2 Maintain Security and Prevent Fraud

  • Verify user identity through email verification and CAPTCHA challenges
  • Enforce rate limits to prevent abuse
  • Detect and prevent unauthorized access and fraudulent activity
  • Log security events for audit and incident response

4.3 Improve the Platform

  • Analyze usage patterns to improve features and user experience
  • Monitor Platform performance and troubleshoot issues
  • Develop new features based on aggregated usage data

4.4 Communicate with Firm Subscribers

  • Send service announcements, billing notifications, and account updates
  • Respond to support inquiries and feedback
  • Provide onboarding guidance and product education

4.5 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Enforce our Terms of Service
  • Protect the rights, property, and safety of Lawbooker, our users, and the public

5. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:

  • Performance of a contract — account creation, subscription billing, appointment booking, payment processing
  • Legitimate interests — Platform security, fraud prevention, analytics, service improvement, enforcing our terms
  • Consent — connecting third-party calendar accounts via OAuth, optional marketing communications
  • Legal obligation — tax record retention, responding to lawful data requests, regulatory compliance

When we process End User data on behalf of a Firm Subscriber, the Firm Subscriber is responsible for establishing the appropriate legal basis. Lawbooker processes this data as a data processor under the instructions of the Firm Subscriber.

6. How We Share Your Information

We do not sell personal information. We share information only in the following circumstances:

6.1 With Firm Subscribers

End User data (contact details, intake responses, payment status) is shared with the Firm Subscriber on whose booking page the appointment was made. The Firm Subscriber controls this data and is responsible for their own use of it.

6.2 With Service Providers

We share data with third-party service providers who process it on our behalf, subject to contractual obligations to protect your data. See Section 7 for details.

6.3 For Legal Reasons

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of their personal information.

6.5 With Your Consent

We may share information with third parties when you have explicitly consented to such sharing.

7. Third-Party Service Providers

We use the following third-party service providers (location, purpose, and the data shared with each):

  • Stripe (San Francisco, USA) — payment processing, subscription billing, and connected accounts for firms. Data shared: billing details, payment card information (entered via Stripe Elements), transaction data
  • Google (Mountain View, USA) — OAuth authentication, Google Calendar integration, Google Meet links, Google Places for firm lookup. Data shared: OAuth tokens, calendar busy/free status, firm search queries
  • Microsoft (Redmond, USA) — OAuth authentication, Outlook Calendar integration, Microsoft Teams links. Data shared: OAuth tokens, calendar busy/free status
  • Zoom (San Jose, USA) — meeting link generation. Data shared: OAuth tokens, meeting creation details
  • Vercel (San Francisco, USA) — application hosting, file storage (Vercel Blob), analytics. Data shared: application data, uploaded files (logos, photos)
  • Neon (San Francisco, USA) — PostgreSQL database hosting. Data shared: all Platform data (encrypted where applicable)
  • Resend (San Francisco, USA) — transactional email delivery. Data shared: recipient email addresses, email content
  • Cloudflare (San Francisco, USA) — CAPTCHA (Turnstile) bot protection. Data shared: IP addresses, browser signals
  • Upstash (San Francisco, USA) — rate limiting (Redis). Data shared: IP addresses, request metadata

Each provider is bound by their own privacy policies and, where applicable, data processing agreements. We select providers that maintain appropriate security standards.

8. Data Security

We implement multiple layers of security to protect personal information:

  • Field-level encryption — sensitive client data (emails, phone numbers, addresses, and intake responses) is encrypted using AES-256-GCM with versioned ciphertext. Individual data fields are encrypted, not just the database volume as a whole, and the version tag on each ciphertext allows encryption keys to be rotated over time without re-encrypting every record at once.
  • HMAC-SHA256 hashing — a keyed hash of client identifiers lets us detect duplicate client records by comparing hashes, without decrypting the stored data
  • Credential encryption — all third-party OAuth tokens are encrypted at rest using AES-256-GCM
  • Password hashing — passwords are hashed using industry-standard algorithms; we never store plaintext passwords
  • Transport encryption — all data in transit is protected by TLS/HTTPS
  • CAPTCHA protection — Cloudflare Turnstile guards authentication endpoints against automated attacks
  • Rate limiting — sliding-window rate limits protect against brute-force and abuse across booking, payment, and API endpoints
  • Timing-safe verification — OTP and token comparisons use constant-time algorithms to prevent timing attacks
  • Input validation — all API inputs are validated against a schema before processing, so malformed or unexpected input is rejected rather than passed to the database or other backends (a defense against injection attacks)
  • Role-based access control — server-side authorization checks on every protected endpoint ensure users can only access data within their firm and role
  • Webhook verification — cryptographic signature verification on all incoming Stripe webhooks
  • Security logging — structured security event logs with hashed personally identifiable information for audit purposes

While we use industry-standard measures to protect your information, no system is completely secure. If you become aware of a potential security incident, please contact us immediately.

9. Data Retention

9.1 Firm Subscriber Data

  • Active accounts — account and firm data is retained for the duration of the subscription
  • Cancelled accounts — data is retained for 30 days after account cancellation to allow for reactivation, after which it is permanently deleted
  • Billing records — transaction and invoice data may be retained for up to 7 years to comply with tax and financial reporting obligations

9.2 End User Data

  • Client records — retained by the Platform on behalf of the Firm Subscriber for the duration of their subscription. Firm Subscribers may delete individual client records at any time.
  • Appointment data — retained for the duration of the Firm Subscriber's subscription
  • Payment data — transaction records are retained in accordance with Stripe's data retention policies and applicable financial regulations
  • After firm account deletion — End User data associated with a cancelled firm account is deleted within 30 days, except where retention is required by law

9.3 Automatically Collected Data

  • Server logs — retained for up to 90 days
  • Analytics data — retained in aggregated, non-identifying form

9.4 Deletion Requests

You may request deletion of your personal information as described in Section 12. We will process your request in accordance with applicable law, subject to any legal obligations that require us to retain certain information.

10. International Data Transfers

Lawbooker is operated by TD Labs Ltd. from Ontario, Canada. Our service providers are primarily located in the United States. By using the Platform, your information may be transferred to, stored, and processed in Canada, the United States, or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland:

  • Canada is recognized by the European Commission as providing an adequate level of data protection
  • For transfers to the United States and other countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to ensure your data receives an adequate level of protection

For Canadian residents, personal information is handled in accordance with PIPEDA's requirements for cross-border transfers, and we ensure that contractual protections are in place with our service providers.

11. Cookies and Tracking Technologies

11.1 What We Use

  • Strictly necessary cookies — authentication session management, CSRF protection, security tokens. Duration: session, or persistent for up to 30 days
  • Functional cookies — user preferences (timezone, theme, language). Duration: persistent, up to 1 year
  • Analytics cookies — understanding Platform usage, page views, and feature adoption. Duration: persistent, up to 1 year
  • CAPTCHA cookies — Cloudflare Turnstile bot detection on authentication pages. Duration: session

11.2 Third-Party Cookies

Stripe may set cookies when processing payments through Stripe Elements on booking pages. These cookies are governed by Stripe's Cookie Policy.

11.3 Your Choices

Most web browsers allow you to manage cookie preferences through browser settings. Disabling strictly necessary cookies may prevent the Platform from functioning correctly. You can typically:

  • Block all cookies or specific types of cookies through browser settings
  • Delete cookies that have already been set
  • Configure your browser to notify you when cookies are being set

12. Your Privacy Rights

12.1 Rights for All Users

Regardless of your location, you may:

  • Access your personal information that we hold
  • Correct inaccurate or incomplete personal information
  • Delete your personal information, subject to legal retention requirements
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at the details provided in Section 15.

12.2 Additional Rights Under Canadian Law (PIPEDA)

If you are a Canadian resident, you have the right to:

  • Request access to your personal information held by us
  • Challenge the accuracy and completeness of your information and have it amended
  • Withdraw consent for the collection, use, or disclosure of your information, subject to legal or contractual restrictions
  • File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

12.3 Additional Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell (we do not sell personal information)
  • Delete your personal information, subject to exceptions
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
  • Non-discrimination for exercising your privacy rights
  • Limit use of sensitive personal information to purposes necessary to provide the services

Categories of personal information collected (as defined by the CCPA):

  • Identifiers (name, email, phone number, IP address)
  • Financial information (payment card details processed by Stripe)
  • Internet or electronic network activity (usage data, browser information)
  • Professional or employment-related information (firm name, title)
  • Geolocation data (approximate location from IP address)

We do not sell personal information and have not done so in the preceding 12 months.

To submit a CCPA request, contact us at the details in Section 15. We will verify your identity before processing your request.

12.4 Additional Rights Under EU/UK Law (GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access your personal data and obtain a copy
  • Rectification of inaccurate personal data
  • Erasure ("right to be forgotten") of your personal data
  • Restrict processing of your personal data
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection authority

For End Users: Where Lawbooker processes your data on behalf of a Firm Subscriber (as a data processor), we may direct your request to the relevant Firm Subscriber, who is the data controller. We will assist the Firm Subscriber in fulfilling your request.

Response timeline: We will respond to rights requests within 30 days (or 45 days for CCPA requests, with extension if needed). We may ask you to verify your identity before processing your request.

13. Children's Privacy

The Platform is not directed at children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately, and we will take steps to delete such information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this policy
  • We will notify Firm Subscribers via email or through the Platform
  • We will post the revised policy on our website

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

TD Labs Ltd. (operating as Lawbooker)

For privacy complaints that are not resolved to your satisfaction, you may contact:

This Privacy Policy is governed by the laws of the Province of Ontario, Canada.