Volume V. The Promises

Privacy Policy.

Last updated June 2026. Plain English. We collect the minimum we need to run the service.

1. Who we are

Web Relay ("we", "us") is operated from the United States and provides a hosted website, booking, and AI-concierge platform for small businesses. You can reach us anytime at hello@webrelay.app.

2. What we collect from account owners

  • Account info. Name, email, and authentication identifiers (via Clerk).
  • Business profile. Anything you enter about your business — services, hours, blog posts, images.
  • Billing info. Plan and payment status. On the web, card details are handled by Stripe; in our iOS app, subscriptions are purchased through Apple and processed via RevenueCat. In every case we only ever see your plan and payment status — never your card number.
  • Operational data. Activity logs and error reports needed to keep your site healthy.

3. What we collect from your visitors

On your public site we process whatever visitors submit through your forms — contact form fields, booking requests, and chatbot messages. We act as a data processor for this information on your behalf; you are the controller. We also record privacy-first traffic counts (no cookies, no IP storage) for analytics shown in your dashboard.

4. Google user data (Calendar integration)

If you choose to connect your Google account so Web Relay can sync bookings with your calendar, we request the minimum scopes needed for that feature and store the resulting tokens encrypted at rest. Specifically:

  • Scopes requested. calendar.events (to create and delete the specific events Web Relay manages), calendar.readonly (to read your busy times so the public booking page can skip them), plus openid, email, and profile so we can display which Google account is connected.
  • How we use it. We read your calendar's busy times so your public booking page doesn't offer slots when you're already busy, and we create or delete a calendar event when a customer books or cancels through Web Relay. That's the entire use.
  • What we store. The email address of the connected Google account, an OAuth refresh token (encrypted at rest with AES-256-GCM), a short-lived cached access token plus its expiry timestamp (also encrypted), a connected-at timestamp, and the Google event ID of any booking we create (so we can delete it on cancellation). We do not copy your calendar events into our database.
  • Who can see it. Only you (the account owner). Google data is never shown to your site visitors or to other Web Relay tenants.
  • How to revoke. Click "Disconnect" on the Google Calendar card in your booking settings at any time — we delete the stored tokens immediately and stop accessing your calendar. You can also revoke access from myaccount.google.com/connections.
Limited Use disclosure. Web Relay's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Service providers we use

We rely on a small number of vendors to run the service. They process data only on our instructions and only for the purposes below:

  • Replit Deployments — application hosting.
  • Neon / Postgres — database storage.
  • Clerk — authentication.
  • Stripe — payments on the web.
  • Apple — in-app purchases and subscriptions made in our iOS app, governed by Apple's Privacy Policy.
  • RevenueCat — manages and reconciles in-app subscription entitlements between Apple and your account. RevenueCat receives a pseudonymous account identifier and your subscription status, never your name or card details.
  • SendGrid — transactional email.
  • Google — optional Calendar sync when you connect it.

6. How long we keep it

Account and business data live for as long as your account is active. After the cancellation lifecycle described in our Terms reaches day 91, your site goes inactive; data is retained for an additional 90 days in case you want to come back, then deleted. You can request earlier deletion at any time by emailing us.

7. Your rights

You can export your data from the dashboard, correct anything inaccurate by editing your profile, disconnect any integration (including Google) at any time, or ask us to delete your account entirely. Depending on where you live, you may also have rights under GDPR, the UK GDPR, or US state laws (CCPA/CPRA, etc.) — email us and we'll honor them.

8. Security

Data is encrypted in transit (HTTPS) and sensitive credentials (such as Google OAuth refresh tokens) are encrypted at rest with AES-256-GCM. Access to production systems is restricted to authorized engineers.

9. Children

Web Relay is a business tool not directed at children under 13, and we don't knowingly collect data from them.

10. Changes to this policy

We'll notify account owners by email when we make material changes. The "last updated" date at the top always reflects the current version.