Privacy & data
The short version: we collect as little as possible, we never sell anything, and we never book on your behalf.
What we collect right now
Nothing personal. There is no account, no login, no sign-up, no advertising, and no behavioural tracking. We don’t set analytics or ad cookies, and we don’t build a profile of you.
- Your location (typed, or from your browser if you tap “use my location”) is used only to run the search you asked for. It is not stored on our servers and not tied to any identity.
- Your searches are not logged to a profile or sold.
- Local storage on your own device remembers only which clinics you’ve hidden — it never leaves your browser.
What leaves your device, and to whom
To do its job the page talks to a few third parties. We tell you exactly which:
- OpenStreetMap — serves the map tiles. Your map view coordinates reach them to draw the map.
- Nominatim (OpenStreetMap) — turns a typed place (“North Vancouver”) into coordinates. The text you type is sent there to resolve it.
- The clinics’ own booking platforms (e.g. Jane) — we read publicly visible appointment availability politely, and link you out to the clinic’s own booking page. See about our bot.
What we deliberately never do
- We never book on your behalf — no payment details, no personal or health information ever touches us. The booking happens on the clinic’s own page.
- We never sell or share your data. This is health-adjacent; that line is bright and permanent.
- No PCI, no clinical data, no ad networks.
Email notifications (coming later)
A future opt-in feature will let you ask us to email you when an appointment opens in your area. When it ships, it will be built to the same posture, by design:
- Email only, opt-in, and transactional. We email you only the alerts you explicitly asked for — never marketing, never “clinics you might like.”
- Minimal data. Your email address and the search you want watched — nothing more. No login required.
- One-click unsubscribe in every message, and your data is deleted when you unsubscribe or the watch expires (within days).
Until that ships, none of it is collected.
Security posture
- Transport: served exclusively over HTTPS with a managed TLS certificate (TLS 1.2+), and HSTS (Strict-Transport-Security) tells browsers to refuse plaintext.
- Hardened response headers: a Content-Security-Policy constrains where scripts, styles and images may load from; X-Content-Type-Options: nosniff, X-Frame-Options: DENY / frame-ancestors 'none' (anti-clickjacking), a strict Referrer-Policy, and a Permissions-Policy that disables every browser capability except the geolocation you opt into.
- Smallest possible attack surface: we hold no payment, identity, or health data, run no third-party trackers or ad networks, and never call any “create booking” endpoint.
Live scans: SSL Labs · Security Headers · Mozilla Observatory
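An added example, not code from this site: a Python check that a response's headers match the posture listed above. The header values are constructed samples, and the set of Referrer-Policy values treated as "strict" is an assumption.

```python
import re

# Assumption: which Referrer-Policy values count as "strict".
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def audit_headers(headers):
    """Return findings for a header dict; an empty list means all checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("HSTS missing or max-age=0")
    # CSP: "name value value; name value" -> {name: [values]}; first one wins.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Only the last listed Referrer-Policy value is checked here.
    last = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if last not in STRICT_REFERRER:
        findings.append("Referrer-Policy is not strict")
    # Permissions-Policy: "feature=(allowlist), feature=()"; "()" disables.
    features = dict(i.strip().split("=", 1)
                    for i in h.get("permissions-policy", "").split(",") if "=" in i)
    if not features:
        findings.append("Permissions-Policy missing")
    for name, allow in sorted(features.items()):
        if name != "geolocation" and allow.strip() != "()":
            findings.append(f"Permissions-Policy leaves {name} enabled")
    return findings

# Constructed sample responses (not captured from the live site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(self), camera=(), microphone=()",
}
WEAK = {**GOOD, "X-Frame-Options": "SAMEORIGIN",
        "Permissions-Policy": "geolocation=(self), camera=*"}
```

Permissions-Policy can only be checked for the features a response actually lists, so the loop flags any listed feature other than geolocation that is not set to `()`.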
Questions, or want your clinic removed?
Email contact@firstavailable.ca.