Privacy Policy

Last updated: April 20, 2025

1. Who we are

Deskmira (“we,” “us,” or “our”) provides AI-powered front desk software for medical spas. Our service automates Instagram DM replies, qualifies leads, and books paid consultations on behalf of med spa owners. Our website is https://deskmira.com.

2. Information we collect

We collect the following categories of information:

  • Account data: your name, email address, and spa name when you sign up.
  • Spa configuration: operating hours, treatment menu, pricing, FAQs, and brand voice samples you provide.
  • Instagram messages: inbound DMs and outbound replies processed through Meta’s Messaging API on your behalf.
  • Google Calendar data: we create and manage calendar events on your primary Google Calendar when a lead books a consultation. We access only the minimum scope required (calendar.events). We do not read, store, or share your existing calendar events.
  • Payment data: Stripe restricted API keys you provide to collect client deposits. We store these keys encrypted and never access your Stripe account beyond creating checkout sessions for your clients.
  • Usage data: pages visited, features used, and AI pipeline performance metrics (token counts, latency, model versions).

3. How we use your information

  • To operate and improve the Deskmira service.
  • To generate AI draft replies using your spa’s menu, FAQs, and voice samples.
  • To create Google Calendar events when bookings are confirmed.
  • To send you transactional emails (receipts, alerts, password resets).
  • To monitor service health, debug errors, and prevent abuse.
  • We do not sell your data or your clients’ data to third parties.
  • We do not use your data to train AI models.

4. Google API data — limited use disclosure

Deskmira’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We request only the https://www.googleapis.com/auth/calendar.events scope.
  • We use this scope solely to create booking events on your primary calendar when a client completes checkout.
  • We do not read, index, or share your existing calendar events.
  • We do not transfer Google user data to third parties except as necessary to operate the service (e.g. our hosting provider).
  • We do not use Google user data for advertising or to train machine learning models.
  • You can revoke calendar access at any time from your Google Account settings or from the Deskmira integrations page.

5. Data sharing

We share data only with the following categories of third parties:

  • Supabase — database and authentication hosting.
  • Vercel — application hosting.
  • Groq — LLM inference for AI reply generation. Only the lead’s first name and non-PHI context are sent.
  • Meta (Instagram) — to send and receive DMs via the Messenger API.
  • Google — to create calendar events via the Calendar API.
  • Stripe — payment processing via the spa’s own Stripe account.
  • Sentry — error monitoring. Raw message bodies and tokens are never logged.

6. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Message logs and AI run records are retained for 12 months for debugging and billing purposes, then purged. You may request earlier deletion by contacting us at hello@deskmira.com.

7. Security

We use AES-256-GCM encryption for all stored OAuth tokens and API keys. All data is transmitted over TLS. Access to production systems is restricted to authorized personnel. We do not store protected health information (PHI).

8. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Revoke any OAuth integration (Instagram, Google Calendar) at any time.

To exercise these rights, email hello@deskmira.com.

9. Cookies

We use session cookies for authentication only. We do not use advertising or tracking cookies.

10. Changes to this policy

We will notify you by email at least 14 days before making material changes to this policy. Continued use of the service after changes take effect constitutes acceptance.

11. Contact

Questions about this policy? Email us at hello@deskmira.com.