Legal Document

Privacy Policy

📅 Last updated: March 5, 2026 🌐 GDPR Compliant

1 Data Controller

Booked Service is the data controller for personal data collected through the Platform.

Contact for data protection inquiries: support@bookedservice.online

We are committed to protecting the privacy of our users and their clients. We collect only the data strictly necessary to provide the service.

2 Data We Collect

Salon Owner / Account Data

  • Name and email address (from Google OAuth login)
  • Business name, address, and contact information
  • Billing information (processed by Paddle — we do not store card data)
  • Subscription and payment history

Staff Data

  • Name and Gmail address (entered by the salon owner)
  • Working hours and availability settings
  • Appointment calendar data

Client / End-User Booking Data

  • Name and phone number (provided when booking)
  • Email address (optional, for confirmation)
  • Appointment details (service, date, time, staff)

Technical Data

  • IP address and browser type (for security and analytics)
  • Usage logs (pages visited, actions taken)
  • Google Analytics data (anonymised)

3 How We Use Data

We use the data we collect to:

  • Provide and maintain the Booked Service platform
  • Process payments and issue invoices via Paddle
  • Send appointment confirmation and reminder emails
  • Sync appointments with Google Calendar
  • Provide customer support
  • Improve and develop new features (using anonymised analytics)
  • Comply with legal obligations

Legal basis: Processing is based on contract performance (Art. 6(1)(b) GDPR), legitimate interest (Art. 6(1)(f) GDPR), and your consent where applicable.

4 Data Sharing

We share data only with the following third parties, strictly as necessary:

  • Paddle.com — payment processing and VAT collection (Merchant of Record)
  • Google LLC — authentication (OAuth 2.0) and Calendar integration
  • Mailgun / email provider — transactional email delivery
  • Hetzner / cloud hosting — server infrastructure (EU-based)
  • Google Analytics — anonymised usage statistics

We do not sell, rent, or share your personal data with advertisers or any third party for marketing purposes. Ever.

5 Cookies

We use the following cookies:

  • Strictly necessary: Session cookie (Laravel session), CSRF token — required for the platform to function
  • Analytics: Google Analytics (_ga, _gid) — anonymised, can be disabled
  • Paddle: Checkout-related cookies for payment processing

You can control cookies via your browser settings. Disabling analytics cookies does not affect the functionality of the service.

6 Data Retention

  • Active accounts: Data is retained for the duration of the subscription.
  • Cancelled accounts: Data is retained for 30 days after subscription expiry, then permanently deleted.
  • Payment records: Retained for 7 years as required by tax law.
  • Anonymised analytics: Retained indefinitely in aggregated form.

You can request immediate deletion of your data at any time by contacting us.

7 Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of your personal data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — limit how we process your data
  • Right to portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at support@bookedservice.online. We will respond within 30 days.

8 Security

  • All data is transmitted over HTTPS (TLS 1.2+)
  • Passwords are hashed using bcrypt — we never store plain-text passwords
  • Regular encrypted backups stored in the EU
  • Access to production systems is restricted to authorised personnel only
  • We do not store credit card data — all payment processing is handled by Paddle

9 Children

The Booked Service platform is intended for business use by adults (18+). We do not knowingly collect personal data from children under 16.

If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

10 Changes to This Policy

If we make material changes to this Privacy Policy, we will notify you by email at least 14 days before the changes take effect.

Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

11 Contact

For all privacy-related inquiries, data requests, or complaints:

Email: support@bookedservice.online
We respond within 1–3 business days. For data protection complaints, you also have the right to lodge a complaint with your national data protection authority.