MassageHubMassageHub

Privacy Policy

Last updated: 2 April 2026

1. Who we are

MassageHub is a practice management platform for independent massage therapists. It is operated by Paul Bailey (“we”, “us”, “our”). If you have any questions about this policy, contact us at hello@massagehub.app.

2. Who this policy applies to

This policy covers two types of users:

  • Therapists — independent massage therapists who create an account to manage their practice
  • Clients — people who book appointments through a therapist's MassageHub booking page

3. Data we collect

Therapists

  • Name, email address, and profile information
  • Business details: services, pricing, locations, availability
  • Payment account information (via Stripe — we do not store card numbers)
  • Google Calendar OAuth tokens (if you choose to connect Google Calendar)
  • iCal feed URLs for calendar blocking (stored encrypted)

Clients

  • Name, email address, and phone number
  • Appointment history and SOAP notes (recorded by the therapist)
  • Intake form responses
  • Address (for mobile appointments)
  • Payment information (via Stripe — we do not store card numbers)

4. Google Calendar integration

Therapists may optionally connect their Google Calendar account. When connected, MassageHub uses Google's OAuth 2.0 to request permission to create and delete calendar events on the therapist's behalf.

Specifically:

  • When a client books an appointment, MassageHub creates an event in the therapist's Google Calendar containing the appointment details (service, client name, phone number, and location)
  • When a booking is cancelled, MassageHub deletes the corresponding event from Google Calendar
  • MassageHub does not read, store, or share any existing Google Calendar events
  • OAuth tokens (access token and refresh token) are stored encrypted in our database and used solely to create and delete MassageHub appointment events
  • Therapists can disconnect Google Calendar at any time from Settings → Integrations, which revokes MassageHub's access and removes all stored tokens

MassageHub's use of Google Calendar data is limited to the purposes described above. We do not use Google Calendar data for advertising, profiling, or any purpose other than managing the therapist's appointment schedule.

MassageHub's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. How we use your data

  • To provide and operate the MassageHub service
  • To send appointment confirmations, reminders, and cancellation notifications
  • To process payments via Stripe
  • To create and manage Google Calendar events on behalf of connected therapists
  • To improve the platform and fix issues

We do not sell your data to third parties or use it for advertising.

6. Data storage and security

Data is stored in Supabase (PostgreSQL), hosted in the EU. Sensitive fields — including calendar URLs, OAuth tokens, and payment-related data — are encrypted at rest using AES-256-GCM. All data is transmitted over HTTPS.

7. Third-party services

  • Supabase — database and authentication
  • Stripe — payment processing
  • Resend — transactional email
  • Twilio — SMS notifications
  • Google Calendar API — calendar integration (therapists only, opt-in)
  • Vercel — hosting

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Withdraw consent (e.g. disconnect Google Calendar) at any time
  • Lodge a complaint with the ICO

To exercise any of these rights, contact us at hello@massagehub.app.

9. Cookies

We use two categories of cookies:

  • Strictly necessary — session and authentication cookies required for the service to function. These are set automatically and do not require consent.
  • Analytics & marketing — we use Google Analytics 4 to understand how our site is used, and Meta Pixel for marketing measurement. These cookies are only set if you consent via the banner shown on your first visit. You can decline or withdraw consent at any time by clearing your browser cookies.

Therapists may also configure their own Google Analytics, Google Ads, or Meta Pixel tracking on their booking pages. In that case, the therapist is the data controller for that tracking, and the same consent banner governs whether those scripts load.

10. Changes to this policy

We may update this policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of MassageHub after changes are posted constitutes acceptance of the updated policy.

11. Contact

For any privacy questions or requests, email hello@massagehub.app.