Stillway Privacy Policy

Effective Date: April 12, 2026
Last Updated: April 12, 2026

Stillway, Inc. ("Stillway," "we," "us," or "our") operates the Stillway platform, which provides scheduling, booking, and practice management software for service professionals. This Privacy Policy explains how we collect, use, disclose, and protect information when you interact with:

  • stillway.ai — our marketing website
  • app.stillway.ai — the Stillway App (practice management application)
  • book.stillway.ai — client booking pages

Collectively, these are the "Services."

This policy applies to all users of the Services, including service providers ("Customers"), their staff and practitioners ("Authorized Users"), and individuals who book appointments ("Clients").


1. Information We Collect

1.1 Information You Provide

Account and business information (Customers and Authorized Users): Name, email address, phone number, password or authentication credentials, business name, business address, professional licensing information, EIN (for SMS registration), and business profile details.

Booking information (Clients): Name, email address, phone number, appointment preferences, service selections, and intake form responses submitted during booking.

Payment information: Billing address and payment card details. Payments are processed by third-party payment processors (Stripe, Square). Stillway does not store full credit card numbers.

Communications: Messages sent through the Platform, including SMS conversations between Customers and Clients, chat widget interactions, email communications, and support requests.

Clinical and session documentation (Customers): SOAP notes, session notes, intake form data, and other documentation entered by practitioners. This information is provided and controlled by the Customer.

1.2 Information Collected Automatically

Usage data: Pages visited, features used, session duration, clicks, and referring URLs.

Device data: IP address, browser type and version, operating system, and device identifiers.

Cookies and similar technologies: We use cookies and similar tracking technologies as described in Section 8 (Cookies and Tracking Technologies).

1.3 Information from Third Parties

Calendar integrations: When a Customer connects a third-party calendar (such as Google Calendar), we access only the availability data necessary to prevent scheduling conflicts.

AI-assisted booking: When a Client uses Stillway's AI-assisted booking features, we process the booking request data exchanged during that conversation. AI features are powered by OpenAI.

Payment processors: We may receive transaction status and limited account information from Stripe or Square in connection with payment processing.


2. How We Use Your Information

We use information collected through the Services to:

  • Operate, maintain, and improve the Platform.
  • Create and manage accounts for Customers, Authorized Users, and Clients.
  • Facilitate appointment scheduling and booking between Clients and Customers.
  • Send appointment confirmations, reminders, follow-ups, and other transactional communications via SMS and email.
  • Enable two-way messaging between Customers and Clients where the feature is available.
  • Process payments and manage billing and subscriptions.
  • Provide AI-assisted features including conversational booking, appointment recommendations, and note summarization.
  • Provision dedicated phone numbers and manage A2P 10DLC registration for Customers.
  • Provide customer support and onboarding assistance.
  • Analyze usage to improve Platform reliability and performance.
  • Detect, investigate, and prevent fraud, abuse, or violations of our terms.
  • Comply with legal obligations.

3. How We Share Your Information

3.1 Between Customers and Clients

When a Client books an appointment, we share the Client's name, contact information, and appointment details with the relevant Customer. Customers are independently responsible for their own privacy practices regarding information they receive through the Platform.

3.2 With Service Providers (Subprocessors)

We share data with third-party service providers who assist in operating the Platform. These providers are bound by data processing agreements and may only use data as necessary to provide services to Stillway. Current subprocessors include:

Provider | Purpose | Data Processed
Amazon Web Services | Cloud infrastructure | All Platform data
Stripe | Payment processing | Payment and transaction data
Square | Payment processing | Payment and transaction data
Twilio | SMS messaging | Phone numbers, message content
SendGrid | Email delivery | Email addresses, message content
OpenAI | AI-assisted features | Booking conversation data, note content for summarization
PostHog | Product analytics | Usage data, device data (anonymized where possible)

A current list of subprocessors is maintained at stillway.ai/trust.

3.3 AI Processing

When you use AI-assisted features (such as conversational booking or note summarization), relevant data is processed by our AI partners through API integrations. Stillway does not use Customer or Client data to train public AI models, and our AI subprocessors are contractually prohibited from using data submitted through Stillway's API for model training purposes.

We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect and prevent fraud.

3.5 Business Transfers

If Stillway is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.

3.6 No Sale of Personal Information

Stillway does not sell personal information. Stillway does not share personal information for cross-context behavioral advertising.


4. SMS and Messaging

4.1 Transactional Messaging

When a Client provides a phone number during booking, Stillway may send transactional SMS messages on behalf of the Customer, including appointment confirmations, reminders, and cancellation notices. These messages are sent to fulfill the booking transaction and do not require separate marketing consent.

4.2 Two-Way Messaging

Where enabled by the Customer's Subscription Plan, Clients and Customers may exchange SMS messages through the Platform. Message content is stored within the Platform and associated with the Client's record within the Customer's account.

4.3 Marketing Messages

Marketing messages are only sent with the recipient's consent. Clients may opt out of marketing messages at any time by replying STOP or by updating their communication preferences.

4.4 Opt-Out

All SMS messages include opt-out instructions. Clients may text STOP at any time to stop receiving messages from a specific number. Opt-out requests are processed automatically. Clients may also manage communication preferences through the booking interface.

4.5 Message Data

SMS message content, sender and recipient phone numbers, and timestamps are stored within the Platform. This data is accessible to the Customer whose account is associated with the conversation. Stillway retains message data in accordance with the data retention practices described in Section 6.


5. Health Information

5.1 Platform Role

Stillway is designed primarily for appointment scheduling, practice management, and operational workflows. The Platform is not an electronic health record (EHR) system.

5.2 Information Entered by Customers

Customers may use Platform features (such as SOAP notes and intake forms) to document information related to client care. This information is entered and controlled by the Customer. Stillway processes this information on the Customer's behalf as a service provider.

5.3 HIPAA

Stillway is not a healthcare provider and does not independently determine the purposes or means of processing health information. For Customers who are Covered Entities or Business Associates under HIPAA, Stillway offers a Business Associate Agreement (BAA) that may be accepted through the Stillway App. For questions, contact legal@stillway.ai.

Without an executed BAA, Stillway makes no representations regarding HIPAA compliance, and the Customer is responsible for determining whether the Platform is appropriate for their regulatory requirements.

5.4 Safeguards

Regardless of HIPAA status, Stillway applies technical safeguards to clinical and session documentation, including encryption at rest, role-based access controls, audit logging, and automated detection of sensitive health information in system logs and AI processing pipelines.


6. Data Retention

We retain personal information for as long as reasonably necessary to operate the Services, fulfill the purposes described in this policy, and comply with legal obligations.

Account data: Retained while the account is active and for a reasonable period afterward to support re-activation and comply with legal requirements.

Booking and appointment data: Retained while the Customer's account is active. Following account termination, Stillway may retain or delete this data in accordance with the Customer Agreement.

Clinical documentation (SOAP notes, intake forms): Retained while the Customer's account is active. Customers are responsible for maintaining their own records in compliance with applicable retention requirements.

SMS message data: Retained while the Customer's account is active.

Usage and analytics data: Retained in anonymized or aggregated form and may be kept indefinitely for product improvement purposes.

Audit logs: Retained for a minimum of 7 years to support compliance and security investigations.

You may request deletion of your personal information as described in Section 9.


7. Data Security

We implement commercially reasonable administrative, technical, and organizational measures to protect personal information, including:

  • Encryption in transit (TLS) and at rest.
  • Role-based access controls limited to personnel with a business need.
  • Audit logging and infrastructure monitoring.
  • Automated detection and redaction of sensitive information in system logs.
  • Secure cloud infrastructure hosted on Amazon Web Services.

No system is perfectly secure. If you believe your account has been compromised, contact security@stillway.ai immediately.


8. Cookies and Tracking Technologies

8.1 What We Use

We use cookies and similar technologies across our Services for the following purposes:

Strictly necessary cookies maintain your session, authenticate your login, and enable core Platform functionality. These cannot be disabled without breaking the Services.

Analytics cookies help us understand how visitors interact with our websites and the Platform. We use PostHog for product analytics on the Stillway App (app.stillway.ai) and may use additional analytics tools on our marketing website (stillway.ai). Analytics data is used to improve Platform performance and user experience.

Preference cookies remember your settings and choices (such as language or display preferences) to provide a more personalized experience.

We do not use advertising or cross-site tracking cookies. We do not serve third-party ads on any of our Services.

8.2 Analytics on the Marketing Website

Our marketing website (stillway.ai) uses analytics tools to collect usage data such as pages visited, time on site, referral sources, and general location derived from IP address. This data is collected automatically and is used solely for understanding site traffic and improving our marketing content.

8.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling strictly necessary cookies may prevent you from using the Platform.

California residents: Stillway does not sell personal information or use cookies for cross-context behavioral advertising. Because we do not engage in these practices, no opt-out mechanism is required under the CCPA/CPRA. For more information about your California privacy rights, see Section 9.2.

8.4 Do Not Track

Some browsers send a "Do Not Track" (DNT) signal. There is no industry standard for how to respond to DNT signals. We do not currently alter our data collection practices in response to DNT signals.


9. Your Rights and Choices

9.1 All Users

You may:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your personal information, subject to legal retention requirements.
  • Opt out of marketing communications by clicking "Unsubscribe" in any marketing email or replying STOP to any marketing SMS.

To exercise these rights, contact privacy@stillway.ai.

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions permitted by law.

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale/Sharing: Stillway does not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary.

Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information (such as health-related information entered by Customers), we use it only as necessary to provide the Services.

Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Categories of personal information collected: Identifiers (name, email, phone, IP address); commercial information (transaction history, subscription details); internet activity (usage data, device data); professional information (licensing, business details); and sensitive personal information (health-related information entered by Customers, precise geolocation derived from IP addresses).

Verifiable requests: To submit a CCPA/CPRA request, contact privacy@stillway.ai. We will verify your identity before fulfilling the request. You may designate an authorized agent to make a request on your behalf.

9.3 Customers (Data Export)

Customers may export their data at any time using the Platform's export functionality. See the Customer Agreement for details regarding data access following account termination.


10. Children's Privacy

The Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@stillway.ai and we will delete it promptly.


11. International Transfers

Stillway is based in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using the Services, you consent to this transfer. Where required by applicable law, we use appropriate safeguards for international data transfers.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our Platform at least 30 days before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.


13. Contact

Stillway, Inc.
Attn: Privacy Team
privacy@stillway.ai

For security matters: security@stillway.ai
For legal matters: legal@stillway.ai