Privacy Policy

Last updated: 19 May 2026

1. What data we collect

The personal data we hold about you depends on whether you're a customer making bookings, a business owner accepting them, or simply visiting the site. We collect only what we need to run the service.

If you're a customer — guest checkout

Bookr allows you to make a booking without creating an account. When you book as a guest, we collect:

• Name and email address — provided when you enter your details at checkout. Your email is used to send you a one-time passcode (OTP) to verify you control that address before payment is taken. The OTP itself is a short-lived six-digit code; we do not store the OTP after it has been verified or after it expires (whichever is sooner — typically 10 minutes).
• Booking details — specifically: the business you're booking with, the service name and description, the date and time of the appointment, the price you paid, any optional notes you add for the business (for example, "parking at the front"), and — for mobile services where the business travels to you — the address you provide for the visit. Booking details also include the access token issued for your booking link. Access tokens are opaque random strings (not UUIDs) that allow you to view or manage your booking without an account; they are not derived from your personal data.
• Payment data — handled directly by Stripe. We never see or store your full card number. After payment we hold only the last four digits of the card used and the amount charged, as part of the booking record.
• IP address and browser information — logged at the point of checkout for fraud prevention and security purposes.

If you're a customer — with an account

If you choose to create a Bookr account (which allows you to see all your past and upcoming bookings in one place), we additionally hold:

• Account credentials — your email address and a bcrypt password hash. We never store your password in plain text. At the moment you verify your email via OTP during account creation, we link the verified email to the new account record; the OTP itself is discarded immediately on successful verification.
• Booking history — all bookings made under your account, including completed, cancelled, and upcoming ones.
• Reviews you have written — star rating, optional text (up to 500 characters), and the date submitted.
• Account preferences — notification settings, communication preferences, and any saved addresses.
• Social login data (if used) — if you sign in with Apple or Google, we receive your name and email address from that provider solely for the purpose of creating or authenticating your account. We do not receive any other profile data, social graph, contacts, or activity from these providers.

If you're a customer — mobile app users

• Device identifiers — iOS/Android device ID and app instance ID, used to route push notifications and to stabilise the app. We do not use device identifiers for advertising.
• Push notification tokens — generated by Apple or Google and stored against your account while you have notifications enabled.
• Crash reports — submitted automatically via Apple's or Google's crash reporting SDK. These may contain device model, OS version, app version, and a stack trace; they do not contain your name, email, or booking data.
• Location data — only collected if you explicitly grant location permission, and only for mobile-service bookings where the business needs to travel to you. Location is stored as part of the booking record and is not used for any other purpose. Refusing location permission does not affect any other Bookr functionality.

If you're a business owner

• Account & profile: your name, email address, phone number, business name, trading address, service descriptions and pricing, opening hours, photos, social media links, and the cancellation policy you have chosen.
• Identity verification: if you connect Stripe to receive payouts, Stripe collects your identity documents directly under its own privacy policy. Bookr does not receive or store copies of identity documents.
• Bookings and financial records: all bookings you have received, the fees charged, and the payouts owed to you. These are retained for seven years as required by HMRC.
• Onboarding communications: when you complete your business signup, your name and email address are passed to Loops.so (see section 3) to trigger a welcome and onboarding email sequence. This helps you set up your listing effectively. You can opt out of these sequences at any time via the unsubscribe link in the emails or from your account settings under "Communications".

Everyone — technical and usage data

• IP address — logged on every request to our servers, retained for 30 days, used for security monitoring and fraud detection.
• Browser and device type — user-agent string, used to ensure the platform renders correctly and to detect automated traffic.
• Pages visited and actions taken — anonymised usage patterns used to improve the product. We do not use third-party advertising trackers (no Google Analytics, Meta Pixel, or equivalent).
• Broad geographic region — derived from your IP address, used only to show you relevant local time zones and to detect unusual geographic patterns that may indicate account compromise.

1b. Special category data

Some services available on Bookr involve health-related information. For example, dental clinics, physiotherapists, or personal trainers may ask you to add health notes to a booking (such as existing injuries, medical conditions, or treatment history). This type of information is classified as "special category data" under UK GDPR and receives the highest level of protection.

If you choose to add health notes to a booking:

• We process that data on the legal basis of your explicit consent, given at the time you enter the information.
• The notes are shared only with the specific business for that specific booking. They are not visible to other businesses or used for any other purpose.
• You can delete health notes from your booking history or profile at any time. Deletion is effective immediately from our live systems; backup copies are purged within 35 days.
• Health notes in completed bookings are deleted from our systems 90 days after the appointment date, unless you request earlier deletion.
• You are never required to add health notes to make a booking — it is always optional.

2. Why we collect it — and our legal basis

2b. Marketing & communications

We do not currently send marketing emails to customers. If we introduce marketing communications in the future, we will only do so to people who have explicitly opted in via a double opt-in process (you will receive a confirmation email and must click to confirm your subscription). You will always be able to unsubscribe from every marketing email with a single click.

For business owners, we send a welcome and onboarding email sequence via Loops.so when you first sign up. These emails help you configure your booking page, understand your plan features, and get your first bookings. They are sent on the basis of our legitimate interest in helping you succeed on the platform — but you can opt out at any time using the unsubscribe link or via your account settings.

SMS messages are sent only with your explicit consent, and you can opt out at any time by replying STOP or by updating your preferences in account settings.

Push notifications require opt-in at app install. You can withdraw permission at any time through your device OS notification settings or from within the app settings. Withdrawing push notification permission does not affect your ability to use the app.

Transactional messages (booking confirmations, reminders, refund notifications, security alerts) are not marketing and cannot be opted out of while you have an active account, as they are necessary for the operation of the service.

3. Who we share your data with

We share the minimum needed to run the service. Specifically:

• The business you book with sees your name, contact details (email and phone number you provided), and the booking specifics (service, date/time, any notes you added) so they can prepare for your appointment. They cannot see your card details or any data from your other bookings with other businesses.
• Stripe (Stripe Inc., USA) processes all payments on the platform. Stripe handles card data under PCI-DSS and their own privacy policy. Their privacy policy: stripe.com/privacy. For business owners, Stripe also handles identity verification (KYC) for Stripe Connect payouts.
• Resend (Resend Inc., USA) sends all transactional emails (booking confirmations, appointment reminders, cancellation notices, refund notifications, review requests) using Amazon SES infrastructure hosted in eu-west-1 (Ireland). Your name and email address are passed to Resend to deliver each email. Resend privacy policy: resend.com/legal/privacy-policy.
• Supabase (Supabase Inc., Ireland) hosts our database and authentication infrastructure in the EU (eu-west-1, Ireland). Your data is stored on Supabase's servers. Supabase privacy policy: supabase.com/privacy.
• Vercel (Vercel Inc., USA) hosts the Bookr website and serves our web application. Request logs (including IP addresses) pass through Vercel's infrastructure. Vercel privacy policy: vercel.com/legal/privacy-policy.
• Loops.so (Loops Technologies Inc., USA) sends onboarding and product update email sequences to business owners who have signed up to Bookr. We share your name and business email address with Loops for this purpose. A Data Processing Agreement is in place between Bookr and Loops. You can opt out of these sequences at any time via the unsubscribe link in any Loops-delivered email or from your account settings under "Communications". Loops privacy policy: loops.so/privacy.
• Apple / Google receive crash reports and push notification tokens as described in section 1. Their data handling is governed by their own privacy policies. We do not share booking or payment data with Apple or Google.
• Law enforcement and regulators — only when legally compelled by a court order, formal regulatory request, or equivalent legal process under UK law. We will notify you of any such disclosure where we are legally permitted to do so.

We never sell your personal data. Ever. We do not share your data with data brokers, advertising networks, or any commercial third party for marketing purposes.

4. International data transfers

Some of our processors (Stripe, Resend, Vercel, Loops.so) are based in the United States, which means your data may be transferred outside the UK and the EU. When data moves outside the UK, we rely on the UK International Data Transfer Addendum to Standard Contractual Clauses (UK IDTA) or the European Commission's Standard Contractual Clauses (SCCs), both signed with each processor as part of their data processing terms. Supabase stores data within the EU (Ireland), which does not require a transfer mechanism under UK GDPR.

If you would like to receive a copy of the transfer safeguards we have in place with any specific processor, please email support@mybookr.app.

5. How long we keep your data

6. Your rights

Under UK GDPR you have the following rights over your personal data. You can exercise any of them by contacting us at support@mybookr.app.

• Right of access (Subject Access Request) — you can ask us to confirm whether we hold personal data about you and receive a copy of it.
• Right to rectification — if any data we hold about you is inaccurate or incomplete, you can ask us to correct it. For data in your account (name, email, phone), you can update it directly in your profile settings.
• Right to erasure ("right to be forgotten") — you can ask us to delete your personal data. We will delete everything we are not legally required to retain and will tell you precisely what we are keeping and why.
• Right to data portability — you can request a copy of the data you have provided to us in a structured, machine-readable format (JSON or CSV, your choice). This applies to data we process on the basis of your consent or to fulfil a contract with you.
• Right to object — you can object to processing carried out on the basis of our legitimate interests. If you object, we will stop unless we can demonstrate compelling grounds that override your interests, rights, and freedoms.
• Right to restrict processing — you can ask us to restrict how we use your data in specific circumstances: for example, if you contest the accuracy of the data (while we verify it), if the processing is unlawful but you prefer restriction over deletion, or if we no longer need it but you need it for a legal claim. While processing is restricted, we may still store the data but will not use it for any other purpose without your consent.
• Right to withdraw consent — where we rely on your consent (for example, health notes, push notifications, or SMS), you can withdraw at any time. Withdrawal does not affect the lawfulness of processing before you withdrew.

Subject Access Requests — what we include

When you submit a Subject Access Request (SAR), we will compile a response that covers all personal data we hold about you, including:

• Your account details (name, email, phone, account creation date, last login date).
• Your full booking history — for each booking: business name, service, date/time, price paid, fees charged, status (completed/cancelled/refunded), and any notes associated with the booking.
• Payment records — amounts charged and refunded, Stripe charge references (not full card numbers).
• Reviews you have written, including star ratings and text.
• Communication logs — any support emails or messages between you and Bookr.
• Any special category data (health notes) currently held.
• A list of third parties we have shared your data with and the basis for each transfer.
• Your current notification and communication preferences.

We will not include data belonging to third parties that may appear in your records (for example, a business owner's name in a booking confirmation).

How to submit a Subject Access Request

Email support@mybookr.app with the subject line "Data Access Request". Include enough information to verify your identity — typically the email address associated with your account, or for guest bookings, the booking reference from your confirmation email. We will respond within one calendar month of receiving your request. For complex or numerous requests, we may extend this by a further two months — if so, we will notify you within the first month and explain why. There is no fee for a SAR unless the request is manifestly unfounded or excessive.

Requesting deletion

Email support@mybookr.app with the subject line "Deletion Request". We will confirm receipt and begin processing within 5 working days. Booking records that form part of our financial records must be retained for 7 years under HMRC rules — we will delete all data we are not legally required to keep and will provide you with a written summary of what has been retained and the legal basis for each category.

7. Profiling & automated decisions

We use aggregate booking data to improve the platform — for example, to surface relevant services, improve search results, and detect unusual patterns that may indicate fraud (such as repeated chargebacks, account takeovers, or coordinated fake reviews).

We do not use individual profiling to affect your pricing or eligibility to use Bookr. Every customer and every business is charged the same rates for equivalent services.

Fraud-risk flags — such as an account being associated with repeated chargeback abuse — are generated algorithmically but are always reviewed by a human member of the Bookr team before any account suspension or restriction is applied. You will be notified if your account is restricted and will be given an opportunity to respond before any permanent action is taken.

8. Cookies

We use a small number of cookies strictly necessary to keep the service running. We do not use advertising cookies, retargeting pixels, or third-party analytics trackers. The full list of cookies we set is below.

We do not currently use any analytics or performance cookies (no Google Analytics, Hotjar, Mixpanel, or equivalent). If this changes in the future, we will update this policy and, where required by law, ask for your consent before setting non-essential cookies.

You can configure your browser to refuse or delete cookies at any time. Refusing strictly-necessary cookies will prevent you from logging in or completing a booking. Refusing Stripe's cookies may interfere with payment processing.

Full details are also available in our separate Cookie Policy.

9. Children

Bookr is not for under-16s. We don't knowingly collect data from anyone under that age. If you believe we have, email us and we'll delete it.

10. Security

We take the security of your personal data seriously and have implemented a range of technical and organisational measures proportionate to the risks involved.

• Encryption in transit: all traffic to and from Bookr is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. There is no unencrypted access path to any part of the platform.
• Encryption at rest: database backups are encrypted at rest. We rely on Supabase's infrastructure-level encryption for data stored in the database. Stripe encrypts all payment data under PCI-DSS requirements.
• Row-level security (RLS): our database uses row-level security policies enforced by Supabase. This means that even within our own backend, database queries are scoped to the authenticated user — a customer can only read their own bookings, and a business owner can only read bookings made with them. RLS prevents application-layer bugs from inadvertently exposing data belonging to another user.
• Access controls: access to production systems (database, hosting infrastructure, email provider) is restricted to authorised team members only. All production access is protected by two-factor authentication (2FA) and is logged. Access logs are reviewed periodically for anomalous activity.
• No full card numbers: Bookr never stores, transmits, or has access to full card numbers, CVV codes, or PINs. All card processing is delegated to Stripe under PCI-DSS Level 1 compliance.
• Access token design: booking access tokens are cryptographically random opaque strings. They are not derived from your personal data and cannot be used to infer any information about your identity or booking history.
• Penetration testing: we intend to conduct formal penetration testing of the platform prior to public launch and on an annual basis thereafter. Results of testing are acted on promptly and are not published publicly, but we will disclose the date of our most recent test to customers on request.
• Breach response: no system is unbreakable. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and will notify affected individuals without undue delay, in line with our obligations under UK GDPR Article 33 and 34.

If you discover a security vulnerability in Bookr, please report it responsibly to hello@mybookr.app. We will acknowledge receipt within 2 working days and will not take legal action against researchers acting in good faith.

11. Changes to this policy

We'll update this page when our practices change. The "Last updated" date at the top will move. For material changes (anything that meaningfully affects your rights or how we use your data) we'll email account holders at least 30 days before the change takes effect. Non-material changes (typos, clarifications that don't change substance) may take effect immediately on publication.

12. Contact & complaints

For any privacy matter, email support@mybookr.app. We aim to acknowledge privacy queries within 2 working days and to resolve them within 14 days. For complex matters we may need longer; we will keep you informed of progress.

If you're not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO). The ICO is the UK's independent supervisory authority for data protection. You can contact them at ico.org.uk or by telephone on 0303 123 1113. We would always prefer to hear from you first so we can try to put things right, but your right to go to the ICO is unconditional.

14b. Businesses as data controllers

When a customer makes a booking with you through Bookr, we share limited customer data with you — specifically, the customer's name, email address, phone number, and the booking details — so that you can prepare for and deliver the appointment. At this point, you become an independent data controller for that personal data under UK GDPR, separate from Bookr.

As a data controller in your own right, you have legal obligations that are entirely your responsibility. In particular:

• Lawful basis: you must have a lawful basis for any use of customer data beyond delivering the specific booking. Delivering the booking is covered by performance of a contract. Any other use (for example, sending marketing messages) requires a separate lawful basis — usually explicit consent obtained directly from the customer.
• Purpose limitation: you may use the data only for the purposes for which it was shared — namely, to prepare for and deliver the booked appointment and to follow up on it where the customer has consented. You may not use it for unrelated marketing, profiling, or any commercial purpose outside the booking relationship.
• Data minimisation and security: you should not retain customer data beyond what you need for the booking and any legitimate follow-up. You must keep it secure (for example, not storing customer names and contact details in unprotected spreadsheets, messaging apps, or public cloud storage).
• Prohibited data sharing: you may not transfer, sell, or share customer data with any third party, including uploading Bookr-acquired email addresses to Meta Custom Audiences, Mailchimp, ActiveCampaign, or any similar marketing or advertising platform. Doing so is a serious breach of UK GDPR and of Bookr's Terms of Service, and may result in immediate account termination and referral to the ICO.
• Handling data requests: if a customer contacts you directly to exercise their data rights (access, erasure, etc.) in respect of data you hold about them as a result of Bookr bookings, you must respond to that request. Bookr can assist you in understanding your obligations but cannot respond to rights requests on your behalf in relation to data that is solely under your control.
• Retention and deletion: when you no longer need customer data for a booking, you should delete it. You may have your own legal obligations to retain certain records (for example, HMRC requires businesses to keep financial records for 6 years from the end of the relevant tax year). Outside of those specific legal obligations, retention of customer personal data beyond its purpose is a compliance risk.
• Privacy notice: if you run a business of a scale that requires it, you should have your own privacy notice covering how you handle customer data acquired through Bookr bookings. Bookr's privacy policy covers Bookr's own processing only; it does not cover yours.

If you have questions about your data protection obligations as a business using Bookr, the ICO's website at ico.org.uk has extensive free guidance. For complex situations, independent legal advice is recommended.