Effective date: April 24, 2026 · Last updated: April 24, 2026
KEN Mobile Massage ("we," "us," or "our") operates the website at kenmassage.co. This policy explains what information we collect when you use our site, how we use it, and your rights as a California resident. We keep this short and plain because that is what you deserve.
1. Information We Collect
Information you give us directly
- Phone number (required to create an account and verify your identity via SMS)
- Name and email address (provided during booking or account setup)
- Service address for your appointment
- Booking preferences (service type, duration, therapist preference, health intake notes)
- Gift card purchase details (recipient name, message)
Information collected automatically
- IP address (used to estimate your delivery zone and apply the correct travel rate; not stored beyond your session)
- Browser type and approximate device type (used only to serve the site correctly)
- Pages visited and time on site (aggregate, anonymous usage data via Cloudflare analytics)
Information we do NOT collect
- Full credit or debit card numbers. Payment is handled entirely by Square, Inc. We receive only a payment token confirming the transaction was approved.
- Social Security numbers or government ID.
- Sensitive health or medical records beyond the voluntary intake notes you provide for your massage session.
2. How We Use Your Information
- To confirm and fulfill your booking -- your name, phone number, address, and service preferences are used to schedule your appointment and communicate with you about it.
- To verify your identity -- your phone number receives a one-time SMS code when you log in or create an account. We use Twilio, Inc. to deliver these messages.
- To process payment -- your card details are tokenized by the Square Web Payments SDK directly in your browser. We pass only the token to Square to complete the charge. We never see, store, or transmit your raw card data.
- To determine your zone-based pricing -- your IP address is used to estimate your general area so we can show the correct travel surcharge for your zone. This lookup happens at the time of your visit and is not retained.
- To manage your account -- we store your name, phone number, booking history, and preferences in our Cloudflare D1 database so you can view past appointments and saved preferences.
- To send transactional messages -- booking confirmations, appointment reminders, and gift card delivery are sent by email via MailChannels. We do not send promotional email without your explicit consent.
- To add your appointment to your calendar -- if you authorize it, we use the Google Calendar API to add your booking as a calendar event. We request only the minimum permission needed and do not read your existing calendar events.
3. IP Geolocation and Zone Pricing
Our website uses your IP address to determine which pricing zone applies to your location. Southern California is divided into zones based on driving distance from our base area in the Antelope Valley. This lookup is performed at page load using a standard IP geolocation service. We do not store your IP address in our database or link it to your account. You can always override the detected zone during booking if it is incorrect.
4. Payment Processing
All card payments are processed by Square, Inc. When you enter your card information on our site, that data is captured directly by Square's Web Payments SDK and never touches our servers. We store only the Square payment token and the transaction result (approved or declined). Square's privacy policy is available at squareup.com.
5. Phone Authentication (SMS)
We use phone number verification to keep your account secure. When you log in or create an account, we send a one-time passcode to your phone via SMS using Twilio, Inc. Your phone number is stored as your account identifier in our database. Twilio's privacy policy is available at twilio.com. Standard carrier message and data rates may apply.
6. Cookies and Session Data
We use a single authentication cookie to keep you logged in across visits. This cookie contains a signed JWT (JSON Web Token) that identifies your session. It is:
- HTTP-only (not readable by JavaScript)
- Secure (only transmitted over HTTPS)
- Set to expire when your session ends or after a defined period of inactivity
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify you personally. Cloudflare collects aggregate, anonymized traffic statistics as part of serving the site, but no personally identifiable data is shared with us from that process.
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We share your data only with the service providers required to operate our business:
| Provider | Purpose |
| --- | --- |
| Square, Inc. | Payment processing |
| Twilio, Inc. | SMS one-time passcode delivery |
| Cloudflare, Inc. | Website hosting, edge network, D1 database |
| MailChannels | Transactional email (booking confirmations, gift cards) |
| Google LLC | Calendar integration (only when you authorize it) |
Each provider is bound by their own privacy commitments and applicable data protection law. We do not authorize any of these providers to use your data for their own marketing purposes.
8. Data Retention
- Account information -- retained for as long as your account is active. You may request deletion at any time (see Section 10).
- Booking records -- retained for 3 years to support service history and any disputes, then deleted.
- SMS verification codes -- expire within 10 minutes of being sent and are not stored after use.
- Session tokens (cookies) -- expire at the end of your authenticated session or after the defined inactivity window.
- IP geolocation lookups -- not stored. Used only to calculate your zone at the time of your visit.
- Payment tokens -- stored only as a reference to your Square transaction. Raw card data is never stored.
9. Data Security
Your data is stored in a Cloudflare D1 database accessible only through our server-side API. All traffic between your browser and our site is encrypted via HTTPS. Authentication cookies are HTTP-only and secure. We follow security best practices including signed tokens, input validation, and rate limiting on all sensitive endpoints. No system is completely immune to risk, but we take reasonable and industry-standard measures to protect your information.
10. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know -- you may request a summary of the personal information we hold about you and how we use it.
- Right to Delete -- you may request that we delete your personal information. We will honor this request except where retention is required by law or to complete a transaction you initiated.
- Right to Opt Out of Sale -- we do not sell personal information. This right is not applicable, but we honor the spirit of it.
- Right to Non-Discrimination -- exercising any privacy right will not affect your ability to book services with us or the price you are quoted.
- Right to Correct -- you may request correction of inaccurate personal information we hold about you.
To exercise any of these rights, contact us at contact@kenmassage.co. We will respond within 45 days as required by California law.
11. Children's Privacy
Our services are not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this privacy policy from time to time. When we do, we will update the "last updated" date at the top of this page. Continued use of the site after any change constitutes your acceptance of the updated policy. For material changes, we will make reasonable efforts to notify you.
13. Contact Us
If you have any questions about this policy or want to exercise your privacy rights, reach us at: