Privacy Policy — BKlayer

Data Controller: Gabriel Baldemar Flores Díaz

Trade name: BKlayer

Activity: Booking platform and infrastructure for artificial intelligence agents applied to local businesses.

Economic activity / IAE: IAE code 763/2 — Computer programmers and analysts

NIF: 09140930V

Tax address: Calle Tordesillas, 2 2B, 28925 Alcorcón, Madrid, Spain

Privacy email: privacy@bklayer.com

Contact email: admin@bklayer.com

Website: https://www.bklayer.com

Scope: European Union and international markets.

BKlayer may act in different roles depending on the type of processing:

• For business data, accounts, registered users, security, billing, support, communications and operational improvement of the service, BKlayer acts as a data controller.
• For end-customer data processed on behalf of a business using BKlayer, BKlayer normally acts as a data processor and the business acts as the data controller.
• For certain technical processing, security, abuse prevention, operational logs, legal compliance or defense of rights, BKlayer may act as an independent controller.

3.1 Business and BKlayer user data

We may process the following data:

• Business name and responsible person: account identification and setup.
• Email address: communications, access, support and account recovery.
• Phone number: support, verification and operational contact.
• Business address: geolocation, public search and display on the booking page.
• Opening hours, services, professionals, shifts, capacity and availability: booking calculation and management.
• WhatsApp Business number or messaging channel: integration of the communication channel.
• Google Calendar credentials or permissions: calendar synchronization when the business connects it.
• Service usage data: security, diagnostics, improvement and abuse prevention.

3.2 End-customer data

When a person makes or manages a booking through BKlayer, we may process:

• Name: identification of the booking.
• Phone number: confirmation, communications, reminders and OTP verification.
• Email, if provided: confirmations, communications and delivery of .ics files where applicable.
• Date, time, service, professional, shift, number of people or equivalent data: booking management.
• Optional notes: booking personalization or information relevant to the business.
• WhatsApp conversation history or other integrated channels: booking flow management, support and operational traceability.

Notes are optional. The user should avoid including sensitive data unless it is necessary for the provision of the service. If information related to health, allergies, injuries, accessibility or other personal circumstances is included, such information will be processed only to properly manage the booking and under the applicable legal basis, including explicit consent where appropriate.

We process personal data in accordance with the General Data Protection Regulation, in particular:

• Art. 6.1.b GDPR: performance of a contract or steps prior to entering into a contract.
• Art. 6.1.f GDPR: legitimate interest in providing, protecting, improving and operating the service.
• Art. 6.1.a GDPR: consent, where necessary.
• Art. 6.1.c GDPR: compliance with legal obligations.

Where special categories of data are processed, such as health data voluntarily included by the user in notes, BKlayer and/or the business will apply the corresponding legal basis, including explicit consent where appropriate.

Data will be retained for as long as necessary to fulfill the purposes described and to address possible legal responsibilities.

Planned internal criteria:

• Account data: during the contractual relationship and, afterwards, for the period necessary to address legal obligations or claims.
• Confirmed bookings: up to 3 years.
• Cancelled bookings: up to 1 year.
• WhatsApp history and operational conversations: up to 90 days, unless longer retention is necessary for support, security or compliance.
• OTP codes: up to 30 days.
• Security and operational logs: up to 12 months.

These periods are planned internal criteria and may be applied through automatic or manual technical processes, unless there is a longer legal retention obligation.

BKlayer does not sell personal data.

To provide the service, we may use technology providers acting as subprocessors or service providers, including:

• Vercel: application hosting and deployment.
• Supabase: database, authentication and storage.
• Twilio / WhatsApp Business Platform: WhatsApp channel and transactional messaging.
• Resend: transactional emails.
• Google Calendar API: calendar synchronization when the business connects it.
• OpenAI: natural language processing through models such as GPT-4o mini, when enabled, applying data minimization and avoiding sending unnecessary data.
• Anthropic, OpenAI or other external agent providers: only when the user or business uses compatible integrations to operate bookings through AI agents.

Where any of these providers are located outside the European Economic Area, the relevant safeguards will be applied in accordance with applicable law, such as standard contractual clauses or other valid mechanisms where appropriate.

Users may exercise their data protection rights by writing to: privacy@bklayer.com

Available rights:

• Access.
• Rectification.
• Erasure.
• Portability.
• Objection.
• Restriction of processing.
• Withdrawal of consent where processing is based on consent.

We will respond within the applicable legal period, generally 30 days from receipt of the request.

You may also lodge a complaint with the Spanish Data Protection Agency (https://www.aepd.es) or with your local supervisory authority.

BKlayer applies reasonable technical and organizational measures to protect personal data, including:

• TLS/HTTPS encryption in transit.
• Access controls.
• Principle of least privilege.
• OTP verification for sensitive operations.
• Security and operational logs.
• Environment separation where applicable.
• Progressive security reviews and improvements.

Although we apply reasonable security measures, no system is completely infallible.

When a user contacts a business through WhatsApp integrated with BKlayer:

• Messages may be processed to manage bookings, changes, cancellations, inquiries and support.
• The history may be retained for the period stated in this policy.
• BKlayer normally acts as the business’s processor with respect to end customers.
• Use of WhatsApp is also subject to Meta/WhatsApp terms and privacy policies.
• BKlayer does not use WhatsApp messages for third-party personalized advertising.

Meta/WhatsApp acts as a data processor with respect to messages processed through the WhatsApp Business API, pursuant to Article 28 of the GDPR. Data transfers to Meta's servers in the United States are covered by the EU-U.S. Data Privacy Framework adequacy decision adopted by the European Commission under Article 45 of the GDPR, as well as by Standard Contractual Clauses where applicable.

Businesses using BKlayer through the WhatsApp channel are responsible for informing their end customers about the use of WhatsApp Business API in the processing of their data, in accordance with Article 13 of the GDPR, prior to initiating communication.

BKlayer may offer a public API, MCP server or integrations with artificial intelligence agents to facilitate bookings.

Compatible or planned agents may include:

• Claude / Anthropic.
• ChatGPT / OpenAI.
• OpenClaw.
• Other agents authorized by the user or business.

When these agents are used:

• Only the data necessary to perform the requested action will be transmitted.
• Bookings made or managed through agents have the same rights and safeguards as bookings made directly.
• Critical actions, such as creating, cancelling or rescheduling bookings, require explicit confirmation.
• Use of each external agent may also be subject to the privacy policy of its provider.

BKlayer may use:

• Technical or essential cookies: necessary for session, authentication and platform operation.
• Preference cookies: language, interface and configuration.
• Analytics cookies: measurement and improvement of the site, when enabled and with consent where applicable.

Technical cookies do not require consent. Non-essential cookies will be managed in accordance with applicable law.

BKlayer is not directed to children under 16. If we detect that data from minors has been collected without an adequate legal basis, we will take reasonable steps to delete it.

We may update this policy to reflect legal, technical or operational changes.

Relevant changes will be communicated with reasonable notice where necessary.

The current version will always be available at: https://www.bklayer.com/privacy

Data Controller: Gabriel Baldemar Flores Díaz

Privacy email: privacy@bklayer.com

Contact email: admin@bklayer.com

Website: https://www.bklayer.com/privacy

Indicative response time:

• General inquiries: 72 hours where possible.
• GDPR rights: applicable legal period, generally 30 days.

When a business connects Google Calendar to BKlayer, BKlayer may access limited Google Calendar data needed to synchronize bookings and keep the business calendar operational.

The data processed may include:

• Email address of the connected Google account, so the business can see which account is linked.
• Identifier of the connected calendar, normally the business’s primary calendar.
• OAuth access and refresh tokens, needed to maintain synchronization without asking for authorization on every operation.
• Calendar events related to bookings, including title, date, time, location, service, customer, professional, booking reference and operational notes where necessary.
• Changes to or deletions of events related to bookings, when bidirectional synchronization or Google Calendar webhooks are enabled.

BKlayer uses Google Calendar data exclusively to create, update, delete and synchronize events related to business bookings, and to maintain operational availability where applicable. BKlayer does not sell Google Calendar data, does not use it for personalized advertising and does not use it for purposes unrelated to providing the service.

OAuth tokens are stored in BKlayer infrastructure with access controls and are used only to operate the integration authorized by the business. The business can disconnect Google Calendar from the dashboard settings; when disconnected, BKlayer disables the integration and removes or invalidates the tokens stored in BKlayer. The user may also revoke access from their Google account.

BKlayer does not share data obtained from Google Calendar with third parties except with providers necessary to operate the service infrastructure, such as hosting, database, security, operational logs and Google APIs, always under the applicable safeguards and obligations.

BKlayer's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.