Privacy Policy
Last updated: June 2026
PrivaBook ("we", "our", "the Service") is a software product developed and operated by Fama Labs (famalabs.co.uk). This Privacy Policy explains how we collect, use, store, and protect information in connection with our AI-powered booking agent service. This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.
1. Who We Are
PrivaBook is a Software as a Service (SaaS) product developed and operated by Fama Labs. We are the data controller for account and configuration data provided by our Clients (independent professionals who subscribe to PrivaBook). Fama Labs is not an employment agency, escort agency, or booking management service. We provide software tools only.
Data Controller: Fama Labs
Contact: hello@famalabs.co.uk
Website: famalabs.co.uk
2. What Data We Collect and Why
2.1 Data provided by Clients (independent professionals)
- Working name or alias, city, availability schedule, service descriptions, and configuration settings
- Screening questions and filtering rules configured by the Client
- Account credentials (stored as encrypted hashes — we never store passwords in plain text)
- Billing information (processed by our payment provider — we do not store card details)
2.2 Data processed on behalf of Clients (end user data)
- WhatsApp phone numbers of end users who contact the Client's booking agent
- Text messages exchanged during the booking process
- Voice messages (audio files) sent by end users when the Client has enabled the audio feature
- Booking records including date, time, and status
- Blacklist entries added by the Client
We process end user data strictly as a data processor acting on behalf of our Clients. Our Clients are the data controllers for their end users' data.
2.3 Technical data
- IP addresses (anonymised in logs; only the first three octets are retained)
- Server access logs for security monitoring purposes
- Error logs for service maintenance
We do not collect: real names, physical addresses, financial information, identity documents, or any data beyond what is strictly necessary to operate the booking agent.
3. Legal Basis for Processing (UK GDPR Article 6)
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the PrivaBook service to subscribing Clients
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement
- Legal obligation (Art. 6(1)(c)): Compliance with applicable laws
- Consent (Art. 6(1)(a)): Where explicitly obtained — for example, end users interacting with an AI booking agent
4. Audio Messages and Voice Processing
Important — Audio Feature: If a Client enables the optional audio feature, end users may send voice messages to answer screening questions. The following applies:
- Voice messages are received via WhatsApp and processed by PrivaBook's AI systems
- Audio is analysed for tone, language, and content to apply the Client's configured filters
- The AI analysis is automated and may not be 100% accurate — the Client retains full ability to listen to audio messages and override any automated decision
- Audio files are stored securely and are accessible only to the relevant Client via their private panel
- Audio files are permanently deleted within 30 days of the booking date or upon account cancellation, whichever is earlier
- Audio is never used to train AI models or shared with any third party except as described in Section 8
- Before sending a voice message, end users are informed that it may be analysed by AI
5. AI Technology Disclosure
PrivaBook uses artificial intelligence technology to power its booking agent, including language models provided by Anthropic, PBC ("Claude AI"). By using PrivaBook, Clients acknowledge and accept that:
- AI responses are generated automatically and may occasionally contain errors or inaccuracies
- The AI does not make final decisions — all booking confirmations and cancellations can be overridden by the Client
- Conversation data may be processed by Anthropic's systems in accordance with Anthropic's Privacy Policy and Data Processing Agreement
- PrivaBook does not use conversation data to train AI models
6. WhatsApp and Meta Platforms
PrivaBook uses the WhatsApp Business API provided by Meta Platforms, Inc. By using PrivaBook, you acknowledge that:
- Messages sent through the service are transmitted via Meta's infrastructure
- Meta's WhatsApp Business Terms of Service and Privacy Policy apply to message transmission
- PrivaBook verifies the authenticity of all incoming WhatsApp messages using Meta's signature verification system
- Meta may have access to message metadata in accordance with their own privacy policy
7. Data Retention (UK GDPR Article 5(1)(e))
- Client account data: Retained for the duration of the active subscription plus 30 days after cancellation
- Booking records: Retained for 12 months from the booking date
- Audio files: Deleted within 30 days of the booking date
- Blacklist entries: Retained for 24 months or until the Client deletes them
- Security logs: Retained for 90 days with anonymised personal data
- Financial records: Retained for 7 years as required by UK tax law
Upon account deletion, all personal data is permanently and irreversibly deleted within 30 days, except where retention is required by law.
8. Third-Party Services and Data Processors
We use the following third-party services to operate PrivaBook. Each acts as a data processor under a Data Processing Agreement with Fama Labs:
- Meta Platforms, Inc. — WhatsApp Business API for message delivery (USA — Standard Contractual Clauses apply)
- Railway Corporation — Server hosting and database (USA — Standard Contractual Clauses apply)
- Anthropic, PBC — AI language model for automated responses (USA — Standard Contractual Clauses apply)
- GitHub, Inc. — Code repository (USA — Standard Contractual Clauses apply)
We do not sell, rent, or share personal data with any third party for marketing purposes.
9. International Data Transfers
Some of our third-party service providers are located outside the UK and European Economic Area. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).
10. Data Security (UK GDPR Article 32)
- All data transmitted to and from PrivaBook is encrypted using HTTPS/TLS
- Personal data stored in our database is encrypted using AES-256 encryption
- Phone numbers and sensitive identifiers are stored as cryptographic hashes
- Access to Client data is protected by JWT authentication and bcrypt password hashing
- Security logs monitor for suspicious activity 24/7
- Automatic alerts are triggered for unusual activity patterns
- API keys and credentials are never stored in source code; they are stored only as encrypted environment variables
- We conduct regular security reviews of our infrastructure
11. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you
- Right to rectification (Art. 16): Request correction of inaccurate data
- Right to erasure (Art. 17): Request deletion of your data — we will permanently delete all your data within 30 days
- Right to data portability (Art. 20): Request your data in a machine-readable format (JSON)
- Right to restrict processing (Art. 18): Request that we limit how we use your data
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right not to be subject to automated decision-making (Art. 22): All automated decisions made by PrivaBook's AI can be reviewed and overridden by the Client
To exercise any of these rights, contact us at hello@famalabs.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
12. Data Breach Notification (UK GDPR Article 33)
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. Affected Clients will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
13. Children
PrivaBook is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will delete it immediately.
14. Cookies
PrivaBook's panel uses session cookies strictly necessary for authentication purposes. We do not use tracking cookies or advertising cookies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Clients of significant changes via email at least 14 days before they take effect. Continued use of the Service after changes constitutes acceptance of the updated Policy.
16. Contact and Complaints
For any questions about this Privacy Policy or to exercise your rights:
Fama Labs
Email: hello@famalabs.co.uk
Website: famalabs.co.uk
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113