Privacy Policy

Akroo ("we," "us," or "our") provides practice analytics software for health and wellness businesses ("customers"). This Privacy Policy describes how we collect, use, store, and delete data in connection with the Akroo service, including data obtained through practice management software integrations such as Square and Mindbody.

By using Akroo, you agree to the practices described in this policy. If you are a customer using the Mindbody integration, the additional disclosures in Section 5 apply to the data we access through that integration.

Account data: Name, email address, and billing information you provide when creating an Akroo account.

Integration-derived data: When you connect a practice management integration (such as Square or Mindbody), we receive structured records from that system including:

• Client records: name, email, phone, visit history, membership status
• Appointment records: date, time, service type, provider, status (completed, no-show, cancelled)
• Sales records: service purchases, package redemptions, retail transactions
• Staff records: provider names, session counts

Derived analytics: We compute aggregated KPI metrics (retention rate, no-show rate, revenue per client, etc.) from integration data. These aggregated metrics contain no personally identifiable information (PII).

Usage data: Standard web analytics including page views, session duration, and feature usage.

We use data solely to provide the Akroo service to you:

• Computing KPI dashboards and trend analysis for your practice
• Identifying at-risk clients and generating outreach recommendations
• Tracking performance over time relative to industry benchmarks
• Sending you product and account communications

We do not sell, license, share, or use your data to train AI models. We do not use client PII for any purpose other than generating insights for the practice that owns that relationship.

While active: Integration-derived data (client records, appointments, visits, sales) is retained in encrypted storage for the duration of your active subscription. Aggregated KPI data (no PII) is retained for the same period.

On disconnecting an integration: Raw client and transaction records are deleted within 30 days. Client contact data (name, email, phone) in our operational database is deleted immediately. Aggregated KPI metrics (no PII) may be retained for benchmarking unless you request full deletion.

On account cancellation: All data across all systems is deleted within 30 days.

On explicit deletion request: We will fulfill deletion requests within 7 days across all systems, including third-party infrastructure. To request deletion, contact us at privacy@akroo.com.

When you connect Akroo to Mindbody, we access your practice's Mindbody data using the Mindbody Public API under your authorization. We access only the data necessary to compute the KPIs shown in your dashboard.

API-derived data is retained only for the duration of an active integration. Raw client and transaction records are stored in an encrypted data warehouse and deleted within 30 days of you disconnecting your Mindbody integration or cancelling your subscription. Derived analytical metrics (aggregated KPIs with no personally identifiable information) may be retained for benchmarking purposes unless you request full deletion.

We do not sell, license, or share Mindbody API-derived data with any third party. We do not use it for advertising, lead generation, or any purpose outside of providing the Akroo service to you.

Customers can request immediate deletion of all Mindbody-derived data at any time and we will fulfill the request within 7 days across all systems.

We use the following third-party services to operate Akroo. Each processes data only as necessary to deliver the service:

• Snowflake (Snowflake Inc.) — encrypted data warehouse for raw integration data and KPI computation
• Supabase — operational database for KPI metrics and user accounts
• Nango — integration credential management and API proxy (stores OAuth tokens and API keys in encrypted secrets)
• Vercel — application hosting and edge delivery
• Stripe — payment processing (Akroo does not store card data)

No AI or ML model provider processes personally identifiable client data. Aggregated, anonymized KPI data may be used with AI analysis tools; no client names, contact information, or transaction-level records are sent to any AI provider.

All data is encrypted at rest and in transit. Access to raw integration data is restricted to authenticated service accounts. We use row-level security to ensure customers can only access their own data. API credentials are stored in Nango's encrypted secrets store and are never logged or exposed in application code.

Akroo is a business analytics tool and is not a covered entity or business associate under HIPAA. We do not store protected health information (PHI) as defined by HIPAA. If your practice is subject to HIPAA requirements, you are responsible for ensuring that your use of Akroo is consistent with your compliance obligations.

You may request access to, correction of, or deletion of your data at any time. To exercise these rights, contact us at privacy@akroo.com. We will respond within 30 days and fulfill deletion requests within 7 days.

Questions about this policy or your data can be sent to privacy@akroo.com.