Privacy Policy

Last updated: 2026-04-30

1. Who we are

OkVisto is operated by NEXA SRL (the “data controller”), registered office at Via Per Strigno 18, Castel Ivano (TN), Italy. VAT / Codice Fiscale: IT02784320224.

For any privacy-related request, email pietro.fabbro@quabo.it.

2. Personal data we process

For the business owner who registers an OkVisto account:

  • Email address and name (provided by Google during sign-in)
  • Profile picture URL (provided by Google)
  • Optional WhatsApp phone number for owner notifications
  • Working hours, timezone, language preferences
  • OAuth tokens for Google Calendar (encrypted at rest)
  • WhatsApp Business API credentials (encrypted at rest)
  • Subscription tier, billing period, Stripe customer ID

For your clients (end users) whose phone numbers appear in your calendar events:

  • Name (extracted from the calendar event)
  • Phone number in E.164 format
  • Appointment time, duration, and description
  • WhatsApp message history (sent and received) related to their appointment
  • Confirmation, cancellation, and reschedule actions

3. Why we process this data

  • Service provision: sync calendar events, send WhatsApp reminders, process replies, write back to your calendar.
  • Billing: manage your subscription via Stripe.
  • Security & fraud: detect abuse, prevent duplicate accounts, secure logins.
  • Service improvement: aggregated, non-identifying analytics.

The legal basis is contract performance (with the business owner) and legitimate interest (for the business owner’s communication with their clients, where the business has a pre-existing relationship). For non-essential cookies and analytics we rely on consent.

4. Service providers we share data with

We share the minimum necessary data with:

  • Google LLC — for Google Calendar synchronisation (events read/written on your behalf).
  • Meta Platforms (WhatsApp Business Cloud API) — for sending and receiving messages with your clients.
  • Stripe Payments Europe — for payment processing. Card details are stored by Stripe, not by us.
  • Vercel Inc. — for hosting our application.
  • Neon (database) — EU region, our primary database.
  • Upstash — for our message queue and rate limiting.
  • Anthropic PBC — only when you enable the AI Answers add-on.
  • Sentry (if enabled) — for error monitoring.

All providers are bound by appropriate data-processing agreements. Some providers (Google, Stripe, Anthropic) may transfer data outside the EEA, in which case standard contractual clauses or equivalent safeguards apply.

5. Retention

  • Account data: while your account is active, plus 90 days after closure.
  • Appointment history: 24 months, after which records are anonymised.
  • WhatsApp message logs: 90 days for delivery/error troubleshooting.
  • Billing records: 10 years (legal retention obligation in Italy).

6. Your rights (GDPR)

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion.
  • Object to or restrict processing.
  • Receive your data in a portable format.
  • Withdraw consent (where consent is the legal basis).
  • Lodge a complaint with the Italian Garante per la protezione dei dati personali.

To exercise any of these rights, email pietro.fabbro@quabo.it. We respond within 30 days.

7. Clients on the receiving end

If you are an end client receiving an OkVisto-powered WhatsApp message, you may reply STOP at any time to opt out of all future reminders, or reach out to the business that booked you for any other request. We can also action your request directly: email pietro.fabbro@quabo.it with the phone number you received messages on.

8. Cookies

We use a small number of essential cookies for authentication and session management. We do not use third-party advertising cookies. If you have JavaScript-based analytics enabled in the future, we will request consent first.

9. Security

Data is encrypted in transit (HTTPS/TLS) and at rest. OAuth tokens and access tokens are stored encrypted. Access to production systems is restricted to authorised personnel.

10. Children

The Service is intended for businesses. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy. Material changes will be communicated by email or in-product notice before they take effect.