1 Data Controller
The data controller within the meaning of the GDPR and the Serbian Personal Data Protection Act is:
Booked, a company registered in the Republic of Serbia
Email: info@bookedservice.online
For all privacy-related inquiries, please write to the address above.
This Privacy Policy applies to all users of the Booked platform: business owners, staff members, and end clients who use the booking system.
2 Data We Collect
| Category | Data | Provided by |
|---|---|---|
| Account data | Name, email address, password (hashed), user type | Business owner during registration |
| Business data | Business name, address, city, country, registration/tax number, phone, business email | Business owner (onboarding) |
| Staff data | First name, last name, Gmail address, phone, working hours | Business owner, entered for each employee |
| Booking data | Client email, appointment date/time, service, status | Client during booking |
| Payment data | Subscription plan, status, date; card details held by Paddle | Paddle (we never store card numbers) |
| Technical data | IP address, browser type, access time, error logs | Automatically upon use |
3 Purpose of Processing
We process your data solely for the following purposes:
- Service delivery: account management, appointment scheduling, schedule display
- Communication: email notifications about bookings, system messages
- Billing: subscription processing via the Paddle platform
- Security: protection against misuse, access logging
- Legal obligations: data retention in accordance with Serbian accounting regulations
We do not use your data for targeted advertising and we do not sell it to third parties under any circumstances.
4 Google OAuth 2.0
Staff members log in via Google OAuth 2.0. When a staff member clicks "Sign in with Google", Google returns the following data to us:
- Gmail address (used to identify the user within the system)
- First and last name from the Google account (for display in the interface)
- Profile photo (optional, for avatar display)
Important: We do not request access to Google Calendar, Gmail inbox, contacts, Google Drive, or any other Google service beyond the identification data listed above. We use only the openid, profile, and email scopes.
Google Calendar Integration (optional)
If the user explicitly grants permission for Google Calendar integration, we use the calendar.events scope exclusively to add confirmed bookings as events to the calendar. We never read, delete, or modify existing events in the user's calendar.
Google Calendar permission can be revoked at any time via Google Account settings.
Our application complies with the Google API Services User Data Policy, including the Limited Use requirements.
5 Paddle Payments
Paddle.com is our payment processor and acts as the Merchant of Record. Paddle collects and processes:
- Credit/debit card details (we never see or store these)
- Billing address and VAT information
- Transaction data for tax calculation purposes
We receive from Paddle only: transaction ID, subscription status, and next payment date, without any financial details.
Paddle's privacy policy is available at: paddle.com/legal/privacy
6 Third-Party Sharing
We share your data exclusively with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Paddle.com | Payment and tax processing | UK / EU |
| Google LLC | OAuth login, optional Calendar integration | USA (Standard Contractual Clauses) |
| DigitalOcean | Server and database hosting | EU (Frankfurt) |
| Mailgun / SMTP | Email notification delivery | EU |
| Pusher | Real-time notifications (WebSocket) | EU |
We do not share data with marketing agencies, data brokers, or any third parties beyond those listed above.
In the event of a lawful order from Serbian or EU authorities, we act in accordance with applicable law and will notify you if permitted to do so.
7 Retention & Deletion
- Active account: Data is retained for as long as the account remains active.
- Upon cancellation: Data is held for 30 days in an inactive state, then permanently deleted.
- Booking data: Retained for 2 years for potential dispute purposes.
- Financial data (invoices): Retained for 5 years in accordance with Serbian legal requirements.
- Security logs: Retained for 12 months.
To request data deletion, please write to info@bookedservice.online. We respond within 30 days.
Account deletion is irreversible. We recommend exporting any necessary data from the dashboard before requesting deletion.
8 Cookies
We use a minimal set of cookies strictly necessary for the platform to function:
| Name | Purpose | Duration |
|---|---|---|
| booked_session | Authentication session, security | Until browser is closed |
| XSRF-TOKEN | CSRF attack protection | Until browser is closed |
| remember_me | "Remember me" option on login | 30 days |
We do not use marketing cookies, behavioral tracking cookies, or third-party advertising cookies.
9 Your Rights
In accordance with the GDPR and the Serbian Personal Data Protection Act, you have the following rights:
Right of Access
You may request a copy of all data we hold about you.
Right to Rectification
You may request correction of inaccurate or incomplete data.
Right to Erasure
You may request deletion of your data ("right to be forgotten").
Right to Object
You may object to the processing of your data in certain circumstances.
Data Portability
You may request your data in a machine-readable format (JSON/CSV).
Right to Restriction
You may request a temporary restriction on the processing of your data.
Submit requests to info@bookedservice.online. We respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection.
10 Data Security
We apply the following technical and organisational security measures:
- SSL/TLS encryption for all traffic (HTTPS)
- Passwords stored exclusively in hashed form (bcrypt)
- Database access restricted to the application server (no public access)
- Server-level firewall and cloud firewall (DigitalOcean)
- Fail2Ban protection against brute-force attacks
- Regular encrypted backups
- Two-factor authentication for administrative infrastructure access
In the event of a security incident affecting your data, we will notify you within 72 hours, in accordance with GDPR Article 34.
11 Policy Updates
We will notify you of changes to this Privacy Policy via:
- An email to your registered address
- A notification in the dashboard upon your next login
The "Last updated" date at the top of this page always reflects the current version. For changes that materially affect your rights, we will request your explicit consent.
12 Contact
- Privacy inquiries: info@bookedservice.online
- General support: info@bookedservice.online
- Security incidents: info@bookedservice.online
Serbian Commissioner for Information of Public Importance and Personal Data Protection: www.poverenik.rs