Privacy policy
This policy explains what we collect, why, the legal bases we rely on, and the choices and rights you have — including under the EU/UK GDPR and California’s CCPA/CPRA. We keep it plain on purpose.
Who we are
BookByOnline provides booking, payments and scheduling software. For your own account data we act as a data controller; for the booking and customer data you process through the platform we act as a processor on your behalf. Contact us at privacy@bookbyonline.com.
What we collect
Account details you give us (name, email, business), booking and payment data processed on your behalf, support messages, and — only with your consent — analytics and marketing usage data. We never use pre-ticked boxes.
Why we use it & legal bases
To provide the service and take payments (performance of a contract); to send confirmations and reminders (contract); to keep the platform secure and improve core features (our legitimate interests); and, only where you consent, for analytics and marketing (consent — which you can withdraw at any time).
Cookies & tracking
Non-essential cookies load only after you allow them. You can change or withdraw your choice any time via “Your Privacy Choices” in the footer, and we honor the Global Privacy Control (GPC) browser signal as an opt-out of sale/sharing. See our Cookie Policy for details.
Sharing & processors
We share data only with the sub-processors that run the service — payments (Stripe), email/messaging (Resend), hosting (Vercel) and our database (Supabase) — under contract. We do not sell your personal information for money.
International transfers
Where data is processed outside your region, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent UK transfer mechanisms.
Data retention
We keep account and booking records while your account is active and as needed to meet legal, tax and accounting obligations, then delete or anonymize them. Deleted customer records are anonymized rather than erased where retention is legally required.
Your GDPR rights
You can access, correct, export, delete, restrict or object to processing, and withdraw consent at any time. Email privacy@bookbyonline.com — we respond within 30 days. You may also complain to your local supervisory authority (in the UK, the ICO).
Your California rights (CCPA/CPRA)
California residents can know, delete and correct their personal information, opt out of its “sale” or “sharing”, and limit use of sensitive information — with no discrimination for exercising these rights. We don’t sell data for money, but some ad-related sharing may qualify as a “sale/share”: opt out via “Your Privacy Choices” or by sending a GPC signal, which we honor automatically.
Security
Data is encrypted in transit and at rest, access is scoped per merchant, and we keep audit logs. We support SSO and 2FA on higher plans.