Stillway Privacy Policy
Effective Date: May 27, 2026 Last Updated: June 9, 2026
Stillway, Inc. (“Stillway,” “we,” “us,” or “our”) operates the Stillway platform (the “Platform”), which provides scheduling, booking, and practice management software for service professionals. This Privacy Policy explains how we collect, use, disclose, and protect information when you interact with:
-
stillway.ai — our marketing website
-
app.stillway.ai — the Stillway App (practice management application)
-
book.stillway.ai — client booking pages
Collectively, these are the “Services.”
This policy applies to all users of the Services, including service providers (“Customers”), their staff and practitioners (“Authorized Users”), and individuals who book appointments (“Clients”).
Google API Services User Data Policy
Stillway's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Google API Scopes We Request
When you connect a Google account to Stillway, we request only the permissions necessary for the specific feature you are enabling. The scopes we use, and the purpose of each, are as follows:
-
openid,email,profile— Used to authenticate practitioners and staff signing in to the Stillway console and admin console. These scopes verify your identity and allow you to sign in to or create your Stillway account. These are standard OpenID Connect scopes and are non-sensitive. -
https://www.googleapis.com/auth/calendar.events(sensitive) — Used solely to read blocked/busy availability from your connected calendar and to write confirmed appointments back to that calendar so bookings do not conflict with existing events. Stillway reads only blocked/busy time to block that time in the app; it does not store or use event titles, descriptions, attendees, or any other event contents. -
https://www.googleapis.com/auth/calendar.calendarlist.readonly(sensitive) — Read-only access used to list your Google calendars so you can choose which calendar to sync with Stillway. -
https://www.googleapis.com/auth/business.manage(sensitive) — Used to read and display your organization's Google Business Profile reviews within Stillway's Google Business Reviews feature. Responding to a review is done by you directly on Google — Stillway links out to your Google Business Profile and does not post replies on your behalf.
Limited Use Requirements
Stillway's use of data obtained through Google APIs complies with the Google API Services User Data Policy's Limited Use requirements:
- Use of Google user data is limited to providing or improving user-facing features that are prominent in the requesting application's user interface.
- Transfer of Google user data is only permitted (a) as necessary to provide or improve user-facing features prominent in the application's UI, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with prior user consent.
- No use of Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- No humans read Google user data unless (a) we have the user's affirmative agreement for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) the data has been aggregated and anonymized.
AI/ML Use of Google User Data
Stillway does not use Google user data to develop, improve, or train generalized AI/ML models. Stillway uses only blocked/busy calendar time to block that time in its own scheduling app; it does not feed Google user data (including calendar event titles, event contents, or Google Business Profile data) into any large language model or AI/ML model.
1. Information We Collect
1.1 Information You Provide
Account and business information (Customers and Authorized Users): Name, email address, phone number, password or authentication credentials, business name, business address, professional licensing information, EIN (for SMS registration), and business profile details.
Account and booking information (Clients): Name, email address, phone number, appointment preferences, service selections, and intake form responses submitted during account creation and service booking.
Payment information: Billing address and payment card details. Payments are processed by third-party payment processors (currently Stripe or Square). Stillway does not receive or store full credit card numbers.
Communications: Messages sent through the Platform, including SMS conversations between Customers and Clients, chat widget interactions, email communications, and support requests.
Clinical and session documentation (Customers): SOAP notes, session notes, intake form data, and other documentation entered by practitioners. This information is provided by and controlled by the Customer.
1.2 Information Collected Automatically
Usage data: Pages visited, features used, session duration, clicks, and referring URLs.
Device data: IP address, browser type and version, operating system, app version, and device identifiers.
Cookies and similar technologies: We use cookies and similar tracking technologies as described in Section 8 (Cookies and Tracking Technologies).
1.3 Information from Third Parties
Calendar integrations: When a Customer connects a third-party calendar (such as Google Calendar), we access only the availability data necessary to prevent scheduling conflicts.
AI assistants: When a Client books through ChatGPT or another AI assistant integrated with Stillway, we receive the booking request data exchanged during that conversation (see Section 9 — AI Usage Policy below).
Payment processors: We may receive transaction status and limited account information from Stripe or Square in connection with payment processing.
2. How We Use Your Information
We use information collected through the Services to:
-
Fulfill the purpose for which you provided it.
-
Any other purpose disclosed by us at the time you provide the information.
-
Operate, maintain, and improve the Platform and the Services.
-
Maintain the security and stability of the Platform and the Stillway App.
-
Create and manage accounts for Customers, Authorized Users, and Clients.
-
Facilitate appointment scheduling and booking between Clients and Customers.
-
Send appointment confirmations, reminders, follow-ups, and other transactional communications via SMS and email.
-
Enable two-way messaging between Customers and Clients where the feature is enabled and/or available.
-
Process payments and manage billing and subscriptions.
-
Provide AI-assisted features including conversational booking, appointment recommendations, and note summarization.
-
Provision dedicated phone numbers and manage A2P 10DLC registration for Customers.
-
Provide customer support and onboarding assistance.
-
Analyze usage to improve Platform reliability and performance.
-
Detect, investigate, and prevent fraud, abuse, or violations of our terms and other “bad actor” activity.
-
Comply with court order, applicable law or regulation, or other legal obligations.
-
If we believe it is necessary to protect the rights, property, or safety of Stillway (or our personnel, contractors, vendors, representatives, or agents), Customers, Authorized Users, Clients, or others.
3. How We Share Your Information
3.1 Between Customers and Clients
When a Client books an appointment, we share the Client’s name, contact information, and appointment details with the relevant Customer. Customers are independently responsible for their own privacy practices regarding information they receive through the Platform.
3.2 With Service Providers (Subprocessors)
We share data with third-party service providers who assist in operating the Platform. These providers are bound by data processing agreements and may only use data as necessary to provide services to Stillway. Current subprocessors include:
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | All Platform data |
| Stripe | Payment processing | Payment and transaction data |
| Square | Payment processing | Payment and transaction data |
| Twilio | SMS messaging | Phone numbers, message content |
| SendGrid | Email delivery | Email addresses, message content |
| OpenAI | AI-assisted features | Booking conversation data, note content for summarization |
A current list of subprocessors is maintained at stillway.ai/trust.
3.3 AI Processing
When you use one or more optional AI-assisted features (such as conversational booking), which may use interactive prompts, relevant data is processed by our AI partners through API integrations that may use one or more of the following to perform tasks, analyze data, or make or assist in making decisions: programmed analytical methods, generative AI, algorithmic AI, machine learning, or other advanced algorithms. You should only use AI-assisted features for purposes of enhancing productivity, efficiency, and decision-making; and you must recognize the limitations of AI tools, avoid over-reliance, and carefully review any output for errors, omissions, or otherwise problematic output. Stillway does not use Customer or Client data to train public AI models, and our AI subprocessors are contractually prohibited from using data submitted through Stillway’s API for model training purposes. See Section 9 for our complete AI Policy.
3.4 Legal Requirements
We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect and/or prevent fraud.
3.5 Business Transfers
If Stillway is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will use our commercially reasonable efforts to notify you before your information becomes subject to a materially different privacy policy.
3.6 No Sale of Personal Information
Stillway does not sell personal information. Stillway does not share personal information for cross-context behavioral advertising.
4. SMS and Messaging
4.1 Transactional Messaging
When a Client provides a phone number during booking and “opts in” to text notifications, Stillway may send transactional SMS messages on behalf of the Customer, including appointment confirmations, reminders, and cancellation notices. These messages are sent to fulfill the booking transaction and do not require separate marketing consent.
4.2 Two-Way Messaging
Where enabled by the Customer’s Subscription Plan, Clients and Customers that have “opted in” to text communications may exchange SMS messages through the Platform. Message content is stored within the Platform and associated with the Client’s record within the Customer’s account.
4.3 Marketing Messages
Marketing messages are only sent with the recipient’s consent. Clients may opt out of marketing messages at any time by replying STOP or by updating their communication preferences.
4.4 Opt-Out
All SMS messages include opt-out instructions. Clients may text STOP at any time to stop receiving messages from a specific number. Opt-out requests are processed automatically. Clients may also manage communication preferences through the booking interface.
4.5 Message Data
SMS message content, sender and recipient phone numbers, and timestamps are stored within the Platform. This data is accessible to the Customer whose account is associated with the conversation. Stillway retains message data in accordance with the data retention practices described in Section 6.
5. Health Information
5.1 Platform Role
Stillway is designed primarily for appointment scheduling, practice management, and operational workflows. The Platform is not an electronic health record (EHR) system and should not be used to store any Client’s protected health information (PHI), personal information, or other confidential or other information or data that is unrelated to the Services.
5.2 Information Entered by Customers
Customers may use Platform features (such as SOAP notes and intake forms) to document information related to client care. This information is entered and controlled by the Customer. Stillway processes this information on the Customer’s behalf as a service provider.
5.3 HIPAA
Stillway is not a healthcare provider and does not independently determine the purposes or means of processing health information. For Customers who are Covered Entities or Business Associates under the Health Insurance Portability and Accountability Act (“HIPAA”), Stillway offers a Business Associate Agreement (“BAA”) that may be accepted through the Stillway App. For questions, contact legal@stillway.ai.
Without an executed BAA, Stillway makes no representations regarding HIPAA compliance, Customer should not share any PHI with Stillway through the Platform or Stillway App, and Customer assumes all responsibility for determining whether the Platform is appropriate for or meets Customer’s regulatory requirements and compliance.
5.4 Safeguards
Regardless of HIPAA status, Stillway applies technical and business process safeguards to clinical and session documentation.
6. Data Retention
We retain personal information for as long as reasonably necessary to operate the Services, fulfill the purposes described in this policy, and comply with legal obligations.
Account data: Retained while the account is active and for a reasonable period afterward to support re-activation, continuing obligations to Customers, financial and tax audits, and comply with applicable legal and regulatory requirements.
Booking and appointment data: Retained while the Customer’s account is active. Following account termination, Stillway may retain or delete this data in accordance with the Customer Agreement.
Clinical documentation (SOAP notes, intake forms): Retained while the Customer’s account is active. Customers are responsible for maintaining their own records in compliance with applicable retention requirements under applicable laws or regulations.
SMS message data: Retained while the Customer’s account is active.
Usage and analytics data: Retained in anonymized or aggregated form and may be kept indefinitely for product improvement, development, and other legally permissible purposes.
Audit logs: Retained for a minimum of 7 years to support compliance and security investigations.
You may request deletion of your personal information as described in Section 10.
7. Data Security
We implement commercially reasonable administrative, technical, and organizational measures to protect personal information from accidental loss and from unauthorized access, use, alteration, and disclosure, including:
-
Encryption in transit (TLS) and at rest.
-
Role-based access controls limited to personnel with a business need.
-
Audit logging and infrastructure monitoring.
-
Automated detection and redaction of sensitive information in system logs.
-
Secure cloud infrastructure hosted on Amazon Web Services.
No system is perfectly secure, and the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted through the Services. If you believe your account or data has been compromised, contact security@stillway.ai immediately.
8. Cookies and Tracking Technologies
8.1 What We Use
We use cookies and similar technologies across our Services for the following purposes:
Strictly necessary cookies maintain your session, authenticate your login, and enable core Platform functionality. These cannot be disabled without breaking the Services.
Analytics cookies help us understand how visitors interact with our websites and the Platform. We use third-party product analytics tools on the Stillway App (app.stillway.ai) and our marketing website (stillway.ai). The current list of analytics subprocessors is maintained at stillway.ai/trust. Analytics data is used to improve Platform performance and user experience.
Preference cookies remember your settings and choices (such as language or display preferences) to provide a more personalized experience.
We do not use advertising or cross-site tracking cookies. We do not serve third-party ads on any of our Services.
8.2 Analytics on the Marketing Website
Our marketing website (stillway.ai) uses analytics tools to collect usage data such as pages visited, time on site, referral sources, and general location derived from IP address. This data is collected automatically and is used solely for understanding site traffic and improving our marketing content.
8.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling strictly necessary cookies may prevent you from using the Platform or all or a portion of its functionality.
California residents: Stillway does not sell personal information or use cookies for cross-context behavioral advertising. Because we do not engage in these practices, no opt-out mechanism is required under the CCPA/CPRA. For more information about your California privacy rights, see Section 10.2.
8.4 Do Not Track
Some browsers send a “Do Not Track” (DNT) signal. There is no industry standard for how to respond to DNT signals. We do not currently alter our data collection practices in response to DNT signals.
9. AI Usage Policy
Stillway uses artificial intelligence to help patients book appointments and to assist providers with their practice. This section explains how we use AI, what it can and cannot do, and how we protect you.
9.1 How We Use AI
9.1.1 AI-Assisted Booking
Stillway’s optional core AI feature enables patients to book appointments using natural language through ChatGPT and other AI assistants. When you interact with our AI booking tools:
-
Your natural language request is interpreted by the AI to extract appointment details (service type, preferred date/time, provider preferences).
-
The AI searches available slots matching your request.
-
A structured booking request is created and sent to your chosen provider.
-
You receive confirmation via SMS or email.
The AI assists with scheduling logistics — it does not provide medical advice, diagnoses, or treatment recommendations.
9.1.2 AI in Customer Tools
We may use AI to assist Customers with:
-
Suggested responses to common client questions.
-
Schedule optimization recommendations.
-
Automated appointment reminders and follow-ups.
Providers are informed when AI-generated suggestions are presented and always retain control over their responses.
9.2 What Our AI Does Not Do
Stillway’s AI:
-
Does not provide medical advice. AI responses are limited to scheduling and logistics.
-
Does not make clinical decisions. No AI output should be construed as a clinical recommendation. Only a primary care physician or a qualified healthcare or medical professional is qualified to make medical decisions.
-
Does not retain personal conversation history across separate sessions with third-party AI assistants (e.g., ChatGPT).
-
Does not autonomously take actions without confirmation. Bookings initiated through AI require explicit patient confirmation.
9.3 AI Partners
Stillway integrates with the following AI providers:
| Provider | Use Case | Privacy Policy |
|---|---|---|
| OpenAI | ChatGPT booking integration | openai.com/privacy |
When you interact with our ChatGPT integration, your conversation is subject to OpenAI’s privacy policy in addition to ours. We share only the data necessary to process your booking request.
9.4 Data Used by AI
When you use AI-assisted features, the following data may be processed by our AI partners:
-
Booking requests in natural language (e.g., “Book a 60-minute massage next Tuesday afternoon”).
-
Available provider slots returned to complete the booking.
-
Note content submitted by providers for AI-assisted summarization.
We do not send sensitive health information (e.g., medical history, diagnoses) to AI partners as part of the booking process. You should not include sensitive health information in booking requests made through AI assistants.
9.4.1 Training Data
Stillway does not use Customer or Client data to train public AI models. Our AI subprocessors (including OpenAI) are contractually prohibited from using data submitted through Stillway’s API integrations for model training or improvement purposes. AI processing is performed through API calls with zero-retention configurations where available.
9.5 Human Oversight
We maintain regular human oversight of our AI systems:
-
AI booking flows are reviewed by our engineering and product teams for accuracy and safety.
-
We monitor AI interactions for errors, biases, or harmful outputs.
-
Clients and Customers should contact our support@stillway.ai team if they discover that AI-assisted interactions produce incorrect or unexpected results.
9.6 AI Accuracy and Limitations
AI systems are not perfect. Our AI may occasionally:
-
Misinterpret ambiguous booking requests.
-
Suggest unavailable time slots due to real-time availability changes (or offline booking practices).
-
Generate incomplete or inaccurate information.
Always review your booking confirmation carefully for errors, omissions, or otherwise problematic output. If a booking doesn’t match your intent, contact support@stillway.ai to correct it.
9.7 Opting Out of AI Features
If you prefer not to use the optional AI-assisted booking feature, you can book directly through the Stillway web interface at stillway.ai without using AI features.
10. Your Rights and Choices
10.1 All Users
You may:
-
Access the personal information we hold about you.
-
Correct inaccurate or incomplete information.
-
Delete your personal information, subject to legal retention requirements.
-
Opt out of marketing communications by clicking “Unsubscribe” in any marketing email or replying STOP to any marketing SMS.
-
Delete your account, which will permanently remove your account and associated data from our production systems, subject to our backup policies and any legal or security obligations that require us to retain certain information.
To exercise these rights, contact privacy@stillway.ai.
10.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions permitted by law.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt Out of Sale/Sharing: Stillway does not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information (such as health-related information entered by Customers), we use it only as necessary to provide the Services.
Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Categories of personal information collected: Identifiers (name, email, phone, IP address); commercial information (transaction history, subscription details); internet activity (usage data, device data); professional information (licensing, business details); and sensitive personal information (health-related information entered by Customers, precise geolocation derived from IP addresses).
Verifiable requests: To submit a CCPA/CPRA request, contact privacy@stillway.ai. We will verify your identity before fulfilling the request. You may designate an authorized agent to make a request on your behalf.
10.3 Customers (Data Export)
Customers may export their data at any time using the Platform’s export functionality. See the Customer Agreement for details regarding data access following account termination.
11. Children’s Privacy
The Services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, contact privacy@stillway.ai and we will delete it promptly. In the limited circumstances where we might need to collect the personal data of minors included as part of a reservation made by a parent, when processing personal data of minors, we strictly adhere to the principles of legality, necessity, clear purpose, openness, transparency, and security, and we take strict measures to protect such data.
12. International Transfers
Stillway is based and intended for use in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using the Services, you consent to this transfer. If you access or use the Services from outside the United States, you do so at your own risk and are solely responsible for compliance with the laws and regulations applicable in your jurisdiction.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the revised policy with an updated effective date at its published URL. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
14. Contact
Stillway, Inc. Attn: Privacy Team privacy@stillway.ai
For security matters: security@stillway.ai
For legal matters: legal@stillway.ai