Home/Legal/Privacy Policy

Privacy Policy

How we collect, use, and protect personal data.

Last updated: 2026-04-15

1. Data controller

Bookify (the “Service”) is operated from Luxembourg. For personal data we collect about business owners, employees, and visitors of bookify.lu, we act as the data controller within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

For personal data that a business uploads about its own clients or staff (names, phone numbers, booking history, sales), we act as a data processor on behalf of that business, which remains the controller of its client list.

2. What we collect

From business users

  • Account: name, email, password hash, phone, role.
  • Studio profile: business name, address, photos, services, opening hours, social links.
  • Billing: subscription plan, billing address, last four digits of card and Stripe customer ID (card numbers are stored by Stripe, not by us).
  • Operational: bookings, sales, clients, messages, payouts.
  • Technical: IP address, browser, device, log timestamps.

From clients

  • Identity: name, email, phone number.
  • Booking details: services chosen, appointment time, notes you send to the business.
  • Payment: handled by Stripe; we receive a transaction reference and the last four digits of the card.
  • Reviews you submit after a visit.

From visitors

  • Pages viewed, referrer, approximate location derived from IP, and the cookies described in our Cookie Policy.

3. Why we use it

  • Provide the Service (Art. 6(1)(b) GDPR, performance of contract): create your account, run bookings, process payments, send confirmations, deliver receipts.
  • Communicate with you (Art. 6(1)(b) and (f)): transactional emails, support replies, important product notices.
  • Improve the Service (Art. 6(1)(f), legitimate interest): aggregated usage statistics, debugging, fraud prevention.
  • Comply with the law (Art. 6(1)(c)): tax, accounting, anti-money-laundering, court orders.
  • Marketing (Art. 6(1)(a), consent): only when you have opted in. You can withdraw consent at any time.

4. Who we share it with

We share data only with vetted processors that help us run the Service:

  • Supabase (database and authentication, hosted in the EU).
  • Hetzner (image storage and infrastructure, hosted in Germany).
  • Stripe (payments and subscription billing).
  • Resend (transactional email delivery), and messaging providers for SMS or WhatsApp reminders where enabled.
  • Google (sign-in with Google, Maps, Analytics where enabled with your consent).

We do not sell personal data. We never share data with advertisers.

5. International transfers

Whenever a processor is located outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision to safeguard the transfer.

6. How long we keep it

  • Account data: while your account is active, and up to 30 days after deletion (then it is permanently removed from production systems).
  • Bookings, invoices and sales: 10 years to meet Luxembourg accounting and tax obligations.
  • Support emails: up to 3 years.
  • Server logs: up to 90 days.

7. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you;
  • Have it corrected if it is inaccurate;
  • Have it deleted, subject to our legal retention obligations;
  • Restrict or object to certain processing;
  • Receive a portable copy in a common, machine-readable format;
  • Withdraw consent at any time when consent is the basis;
  • Lodge a complaint with the Luxembourg supervisory authority, the CNPD (cnpd.public.lu).

To exercise any of these rights, write to privacy@bookify.lu. We respond within 30 days.

If a business that uses Bookify holds your data as a client and you want to exercise your rights against that business, please contact the business directly. We will help them honour the request.

8. Security

We encrypt data in transit (HTTPS) and at rest, hash passwords, scope every database query to the owning tenant (row-level security), and review access logs. No system is perfectly secure: in case of a personal data breach we will notify the CNPD within 72 hours and inform affected users without undue delay where the law requires.

9. Children

Bookify is not directed at children under 16. We do not knowingly collect their data. If you believe a child has created an account, write to us and we will delete it.

10. Changes

We may update this policy. Material changes will be announced by email or in-product notice. The “Last updated” date at the top tells you when the current version took effect.

11. Contact

Data protection questions: privacy@bookify.lu.