1. Introduction

These Terms of Service ("Terms") govern your use of the Rexabook platform ("Service"), operated by Zazu Technologies Ltd (company number 08544613), whose registered office is at 1 Beech Grove, Darwen, Lancashire, BB3 0AP ("we", "us", "our"). By creating an account, you agree to these Terms.

Rexabook provides appointment booking software, WhatsApp messaging integration, and related business tools for appointment-based service providers.

2. Account Registration

To use Rexabook, you must:

• Be at least 18 years old
• Provide accurate registration information (business name, email address)
• Keep your login credentials secure — you are responsible for all activity under your account
• Notify us promptly if you suspect unauthorised access to your account

We reserve the right to suspend or terminate accounts that violate these Terms.

3. Free Trial and Billing

New accounts receive a 30-day free trial with full access to Starter tier features. No payment details are required to start. At the end of the trial, continued access requires a paid subscription.

Subscriptions are billed monthly in advance via Stripe. Prices on our marketing site may be displayed on a weekly-equivalent basis for comparison (for example, "£2.50/wk"), but you will be charged the corresponding monthly amount (for example, £10/mo) on a recurring monthly cycle. The exact amount charged is shown during checkout and on the Stripe Customer Portal. Current pricing is listed on our pricing page.

We may change prices with at least 30 days' written notice by email. Price changes take effect at the start of your next billing cycle after the notice period expires.

You may cancel at any time through the Stripe Customer Portal accessible from your dashboard. Cancellation takes effect at the end of the current billing period. We do not provide refunds for partial billing periods.

4. Acceptable Use

4.1 General

You agree not to:

• Use the Service for any unlawful purpose
• Attempt to access other users' data or infrastructure
• Reverse-engineer, scrape, or interfere with the Service
• Upload malicious files or content
• Exceed reasonable usage limits or abuse API endpoints
• Resell or sublicense the Service without our written consent

4.2 WhatsApp messaging rules

When you use the WhatsApp integration, you must comply with Meta's policies and the rules below. Breach of these rules may result in your WhatsApp Business Account being rate-limited or banned by Meta, and may result in immediate suspension of the Service.

• Opt-in required. You must obtain explicit opt-in consent from a client before sending them any WhatsApp message through Rexabook. A booking request placed through your Rexabook booking page is acceptable opt-in for transactional messages (e.g. confirmations, reminders, HotSlot broadcasts) related to that client's bookings; it is not opt-in for marketing campaigns.
• Marketing campaigns require separate consent. You must not send CRM or marketing campaign messages to any client who has not explicitly opted in to marketing communications.
• Honour opt-outs. Rexabook processes STOP replies automatically and immediately. You must not circumvent this (for example, by re-importing opted-out contacts or editing their record to clear the opt-out flag).
• 24-hour customer-care window. Free-form WhatsApp messages may only be sent within 24 hours of a client's last inbound message. Outside that window, Rexabook will only send messages that use an approved WhatsApp message template.
• No prohibited content. You must comply with the WhatsApp Business Policy and Commerce Policy, including the prohibitions on regulated goods, deceptive practices and unsolicited messaging.

5. WhatsApp Integration

Rexabook integrates with the Meta Cloud API for WhatsApp Business messaging. By connecting your WhatsApp Business Account to Rexabook:

• You authorise us to send and receive messages on your behalf through your WABA, using the System User access token obtained via Meta's Embedded Signup flow.
• You remain the owner of your WABA and can disconnect at any time from the WhatsApp settings page. Disconnecting deletes the stored access token from our database.
• Message delivery depends on Meta's infrastructure and policies. We do not guarantee delivery, deliverability or the continued availability of any particular WhatsApp feature.
• Meta may impose rate limits, quality ratings or account restrictions on your WABA. These are outside our control.

Your behavioural obligations when using the WhatsApp integration (opt-in, opt-out, marketing consent, policy compliance) are set out in section 4.2.

6. Client Data and Your Responsibilities

You are the data controller for your clients' personal data (names, phone numbers, email addresses, booking history). Rexabook acts as a data processor on your behalf.

You are responsible for:

• Having a lawful basis to collect and process your clients' data
• Informing your clients about how their data is used
• Responding to data subject access requests from your clients
• Ensuring imported data (e.g. CSV imports) was lawfully collected

See our Privacy Policy for details on how we handle data.

7. Data Processing Addendum

This section sets out the terms on which Zazu Technologies Ltd ("Processor") processes personal data on behalf of you ("Controller") in respect of your clients' personal data, for the purposes of Article 28 of the UK GDPR. It forms part of these Terms and applies for as long as you use the Service.

7.1 Subject-matter and duration

The Processor processes personal data to operate the Rexabook appointment booking platform on behalf of the Controller, for the duration of the Controller's subscription plus any grace period described in these Terms.

7.2 Nature and purpose of processing

Hosting client and booking records; scheduling and sending appointment-related messages by WhatsApp, SMS and email; processing deposits and gift voucher payments; generating analytics and reports; and performing routine security and backup functions.

7.3 Types of personal data and categories of data subject

• Data subjects: the Controller's clients and prospective clients, and the Controller's staff members.
• Personal data: name, phone number, email address, postal or billing address where provided, booking history, service preferences, intake form responses, notes and tags created by the Controller, message delivery and read status, opt-in / opt-out flags, and device identifiers (where push notifications are enabled). No special category data is intentionally collected; the Controller must not input special category data into notes, tags or intake forms unless it has a lawful basis to do so.

7.4 Processor obligations

The Processor shall:

• process the personal data only on the Controller's documented instructions, including as set out in these Terms, unless required to do otherwise by applicable law;
• ensure that personnel authorised to process the personal data are subject to appropriate obligations of confidentiality;
• implement and maintain appropriate technical and organisational security measures as described in our Privacy Policy (including database-per-tenant isolation, AES-256-GCM token encryption, PBKDF2-hashed passwords, TLS in transit, rate limiting, and least- privilege access);
• assist the Controller, so far as reasonably possible and taking into account the nature of the processing, in responding to data subject requests and in meeting the Controller's obligations under Articles 32 to 36 UK GDPR;
• notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data;
• on termination of the Service, delete the Controller's tenant database and associated personal data within 30 days, save where retention is required by applicable law; and
• make available to the Controller all information reasonably necessary to demonstrate compliance with this section.

7.5 Sub-processors

The Controller provides a general written authorisation for the Processor to engage the sub-processors listed in our Privacy Policy (including Cloudflare, Stripe, Meta, Postmark, Twilio and Google). The Processor will maintain that list and give the Controller notice of any additions or changes by updating the Privacy Policy and, for material changes, sending an email or in-app notice at least 14 days before the change takes effect. If the Controller reasonably objects to a new sub-processor on legitimate data protection grounds, its sole and exclusive remedy is to terminate the Service without penalty.

7.6 International transfers

Where the Processor transfers personal data outside the United Kingdom, it does so under the lawful transfer mechanisms set out in section 5.1 of the Privacy Policy.

7.7 Audit

The Processor will respond to reasonable written audit requests from the Controller with relevant compliance documentation (such as security summaries, sub-processor lists and third-party attestations where available). On-site audits are limited to once in any twelve-month period, at the Controller's cost, on 30 days' written notice, and subject to reasonable confidentiality and security arrangements.

8. Deposits and Payments

Rexabook facilitates card deposits and gift voucher payments via Stripe. We are not a party to the transaction between you and your client. You are responsible for your own refund and cancellation policies.

Gift voucher sales use Stripe Connect. Rexabook charges a 2% platform fee per voucher sold. Funds are transferred to your connected Stripe account.

9. Service Availability

We aim to keep Rexabook available 24/7 but do not guarantee uninterrupted service. We may perform maintenance with or without notice. We are not liable for losses caused by downtime.

10. Intellectual Property

Rexabook, its design, code, and branding are owned by Zazu Technologies Ltd. Your use of the Service does not grant you any intellectual property rights beyond using the Service as intended.

You retain ownership of all content you upload (business profile, photos, client data).

11. Limitation of Liability

To the maximum extent permitted by law, Rexabook's total liability to you is limited to the fees you paid in the 12 months preceding any claim. We are not liable for indirect, incidental, or consequential damages including lost revenue, missed appointments, or data loss. Nothing in these Terms excludes or limits liability that cannot be excluded or limited under applicable law (including for death or personal injury caused by negligence, or for fraud).

12. Indemnification

You agree to indemnify, defend and hold harmless Zazu Technologies Ltd and its officers, employees and agents from and against any claims, losses, damages, liabilities and costs (including reasonable legal fees) arising out of or related to:

• your breach of these Terms, including the acceptable use rules in section 4;
• your violation of any applicable law or third-party rights, including data protection, consumer protection, direct marketing (PECR) or intellectual property laws;
• the content of messages you send through the Service, including any claim that a message was unsolicited, misleading or unlawful;
• your failure to obtain or maintain valid consent from your clients for the processing of their personal data or for messaging; and
• any dispute between you and your client concerning a booking, deposit, refund or service provided (or not provided) by you.

13. Termination

You may close your account at any time by contacting us at hello@rexabook.com. We will delete your tenant database and all associated data within 30 days.

We may suspend or terminate your account if you breach these Terms, with notice where practical.

14. Changes to These Terms

We may update these Terms from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. Continued use after changes constitutes acceptance.

15. Governing Law

These Terms are governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

16. Contact

For questions about these Terms, contact us at hello@rexabook.com.