Privacy Policy
1. Introduction
mycarrd ("we", "us", or "our") operates the mycarrd platform available at mycarrd.online — a SaaS service that provides dental practices in South Africa with WhatsApp-powered booking websites.
This Privacy Policy explains how we collect, use, store, and protect personal information when you use our platform, and describes the rights you have over your data.
We are committed to compliance with:
- POPIA — the Protection of Personal Information Act 4 of 2013 (South Africa)
- GDPR — the General Data Protection Regulation (EU/EEA users)
- Meta Platform Terms — applicable to our use of the WhatsApp Cloud API
- WhatsApp Business Policy
If you have questions about this policy, contact us at privacy@mycarrd.online.
2. Information We Collect
2a. Practice (Account Holder) Data
When a dentist or practice manager creates a mycarrd account, we collect:
- Full name and email address
- Password (stored as a bcrypt hash — we never store your plaintext password)
- Practice name, physical address, phone number, and website URL
- WhatsApp Business phone number and access credentials (encrypted at rest)
- Subscription status (processed via Whop — mycarrd does not store payment card details)
2b. Patient Data
When a patient submits a booking request through your practice's mycarrd booking page, we collect:
- Patient full name
- Patient WhatsApp-capable phone number
- Requested appointment date, time, and service type
- Any notes added by the dentist or practice staff
Patient data is collected on behalf of the dental practice (the account holder). The practice is the responsible party under POPIA (and the controller under the GDPR) for patient data collected through its booking page; mycarrd processes that data as an operator under POPIA (a processor under the GDPR) on the practice's instructions.
2c. Technical Data (Automatically Collected)
- IP address and browser user-agent (retained in Vercel serverless function logs for up to 30 days)
- Supabase session tokens (stored in browser localStorage — cleared on logout)
- We do not use advertising cookies or tracking pixels
3. How We Use Your Information
We use the information we collect to:
- Provide the mycarrd platform service to dental practice account holders
- Send appointment confirmation and reminder messages to patients via the WhatsApp Cloud API
- Enable dental practices to view and manage their booking calendar and patient appointments
- Send automated 48-hour appointment reminders and post-appointment Google Review requests
- Respond to data access, correction, and deletion requests
- Fulfil our legal and regulatory obligations
mycarrd does not sell, rent, trade, or otherwise share personal data (including patient data) with third parties for advertising, marketing, or commercial purposes. Patient data is used solely to fulfil dental appointment bookings.
4. WhatsApp & Meta Platform Data
How mycarrd uses the WhatsApp Cloud API
- We send appointment confirmation messages when a dentist confirms a booking
- We send 48-hour advance appointment reminders to patients
- We receive patient responses (e.g. YES/NO/CANCEL) via the WhatsApp webhook
- We send Google Review request links after completed appointments
Meta's own data practices
Meta processes the messages sent through its platform under its own privacy policy. For details on how Meta/WhatsApp handles message data, please refer to the WhatsApp Privacy Policy and Meta Privacy Policy.
What mycarrd does NOT do with Meta data
- mycarrd does not use Facebook Login — we do not access Facebook user profile data
- We do not store Meta user IDs or Facebook account data
- We do not use WhatsApp message content for advertising or profiling
Callback endpoints
As required by Meta's Platform Terms, mycarrd maintains the following callback endpoints:
- Deauthorisation callback: https://mycarrd.online/api/fb-callbacks?type=deauth — called by Meta when a user removes mycarrd from their Facebook account. mycarrd acknowledges this signal; no Facebook user data is stored to delete.
- Data deletion callback: https://mycarrd.online/api/fb-callbacks?type=delete — called by Meta when a user requests deletion of their Meta-platform data. Because mycarrd does not store Facebook user data, this request is acknowledged immediately. To request deletion of your mycarrd account data, contact privacy@mycarrd.online.
5. Data Retention
- Practice account data: Retained for the duration of the active subscription, plus 90 days after account cancellation to allow for account reactivation. After 90 days, account data is permanently deleted.
- Patient booking records: Retained for up to 2 years from the date of the appointment, consistent with standard South African dental record-keeping guidelines. The dental practice (account holder) is responsible for their own legal record-keeping obligations.
- Server logs: Vercel serverless function logs are automatically purged after 30 days.
To request deletion of your personal data before these periods expire, email privacy@mycarrd.online. The data deletion callback at https://mycarrd.online/api/fb-callbacks?type=delete is invoked by Meta and only acknowledges Meta-platform deletion requests; it does not delete mycarrd account or booking data.
6. Your Rights
6a. South African Users — POPIA (Protection of Personal Information Act 4 of 2013)
If you are a South African resident, you have the following rights under POPIA:
- Right to access — Request a copy of the personal information we hold about you
- Right to correction — Request that inaccurate or incomplete information be corrected
- Right to deletion — Request that your personal information be deleted (subject to our legal retention obligations)
- Right to object — Object to the processing of your personal information
- Right to complain — Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za)
6b. EU/EEA Users — GDPR (General Data Protection Regulation)
If you are located in the EU or EEA, you have the following rights under the GDPR:
- Right of access (Art. 15) — Request a copy of your personal data
- Right to rectification (Art. 16) — Request correction of inaccurate data
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
- Right to restriction of processing (Art. 18) — Request that we limit how we process your data
- Right to data portability (Art. 20) — Request a machine-readable copy of your data
- Right to object (Art. 21) — Object to processing based on legitimate interests
- Right to complain — Lodge a complaint with your local Data Protection Authority
To exercise any of these rights, contact privacy@mycarrd.online. We will respond within 30 days.
7. Data Security
We take reasonable technical and organisational measures to protect your personal information, including:
- Supabase (PostgreSQL) with row-level security (RLS) policies — each practice can only access its own data
- Password hashing — all passwords are hashed with bcrypt via Supabase Auth; plaintext passwords are never stored
- TLS encryption — all data in transit is encrypted using TLS 1.2 or higher
- Isolated serverless functions — API endpoints run in Vercel's isolated serverless environment
- Webhook verification — WhatsApp webhook payloads are verified using HMAC-SHA256 signatures before processing
No system is 100% secure. In the event of a data breach that affects your rights, we will notify affected parties as required by law.
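The webhook verification step above is the one measure in this list that is easy to get subtly wrong, so here is an added example of how such a check is typically implemented. This is illustrative code written for this page, not mycarrd's own implementation. It assumes Meta's documented convention for the WhatsApp Cloud API: the request carries an X-Hub-Signature-256 header of the form sha256=<hex>, where <hex> is HMAC-SHA256 over the raw request body keyed with the app secret. The secret, the sample payload and the handle_webhook helper are constructed for the example.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed example secret: a real App Secret comes from the Meta app dashboard
# and must be loaded from a secret store, never committed to source.
APP_SECRET = b"example-app-secret-do-not-use"

# Constructed sample body in the shape of a WhatsApp Cloud API inbound message
# (a patient replying "YES" to a reminder). Only the raw bytes matter for the HMAC.
SAMPLE_BODY = json.dumps({
    "object": "whatsapp_business_account",
    "entry": [{"changes": [{"value": {"messages": [
        {"from": "27820000000", "type": "text", "text": {"body": "YES"}}
    ]}}]}],
}, separators=(",", ":")).encode()


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Build the header value Meta would send for raw_body: 'sha256=' + hex HMAC.

    Used here only to construct test inputs; a real receiver never signs.
    """
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only if signature_header is a valid HMAC-SHA256 over raw_body.

    Two details matter:
    - the HMAC is computed over the exact bytes received, before any JSON parsing
      or re-serialisation; whitespace or key-order changes would otherwise break it
    - the comparison is constant-time (hmac.compare_digest), so response timing
      leaks nothing about the expected digest
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    received = signature_header[len("sha256="):]
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Hypothetical handler: reject unsigned or tampered payloads, else parse JSON.

    Returns the parsed payload on success and None on rejection; a web framework
    would map None to an HTTP 401/403 and never touch the body.
    """
    if not verify_webhook(secret, raw_body, headers.get("X-Hub-Signature-256")):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_payload(APP_SECRET, SAMPLE_BODY)}
    print("valid payload accepted:", handle_webhook(APP_SECRET, SAMPLE_BODY, good) is not None)
    tampered = SAMPLE_BODY.replace(b"YES", b"NO")
    print("tampered payload rejected:", handle_webhook(APP_SECRET, tampered, good) is None)
```

The important operational point is that the handler must have access to the raw request bytes; frameworks that parse JSON before user code runs (and then hand back a re-serialised object) will produce a different byte string and the HMAC will not match. Verifying with a plain string equality instead of compare_digest is the other common mistake.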
8. Third-Party Services
mycarrd relies on the following third-party services that may process personal data on our behalf:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database & authentication (user accounts, practice data, appointments) | supabase.com/privacy |
| Vercel | Hosting & serverless API functions | vercel.com/legal/privacy-policy |
| Meta / WhatsApp Cloud API | WhatsApp appointment message delivery | whatsapp.com/legal/privacy-policy |
| Whop | Subscription billing & payment processing | whop.com/privacy |
| Google Fonts | Typeface delivery (Urbanist font) | policies.google.com/privacy |
9. Children's Privacy
mycarrd is a professional B2B SaaS platform directed at dental practices and their adult patients. We do not knowingly collect personal information from persons under the age of 13. If you believe a minor has provided us with personal information, please contact privacy@mycarrd.online and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. The latest version is always available at https://mycarrd.online/privacy-policy.
For material changes that affect how we handle your personal information, we will notify account holders by email at least 7 days before the change takes effect. Continued use of mycarrd after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related questions, data access requests, or complaints, please contact:
mycarrd Privacy Team
Email: privacy@mycarrd.online
Website: https://mycarrd.online
Jurisdiction: Republic of South Africa
We will acknowledge your request within 3 business days and respond fully within 30 days.