Privacy Policy
Last updated: [DATE]
Bookatu ("we", "us", "our") operates the booking platform at bookatu.com. This Privacy Policy explains what personal information we collect, how we use it, and what rights you have in relation to it. Please read it carefully.
1. Who We Are
Bookatu provides booking and business management software to service businesses ("Businesses"). When a Business uses our platform, their clients ("Clients") book appointments through a branded page hosted by us.
For the purposes of data protection law, Bookatu acts as a data controller for the personal information of Business account holders (the people who sign up and administer a Bookatu account). For personal information that a Business uploads or collects about its own Clients, Bookatu acts as a data processor on behalf of that Business, which is itself the data controller.
You can contact us at any time: hello@bookatu.com
2. Information We Collect
2a. Business Account Information
When a Business registers for Bookatu, we collect name, email address, business name, phone number, business address, payment details (handled by Stripe) and any other information provided during signup or later through the admin settings.
2b. Client and Booking Data
When Clients book through a Business page, or when a Business imports its existing client list, we collect and store on behalf of the Business: client name, email address, phone number, booking history, service preferences, loyalty points and any notes the Business records. This data belongs to the Business and is processed under their instructions.
2c. Payment Information
Payments, including booking deposits, are processed by Stripe. We do not store card numbers or payment credentials on our servers. We receive limited payment confirmation data (such as whether a payment succeeded and the last four digits of a card) from Stripe.
2d. Usage Data and Cookies
We collect information about how our platform is used, including IP addresses, browser type, pages visited, referral sources, and session duration. We use cookies and similar technologies to keep you logged in, remember your preferences, and analyse platform performance. You may control cookies through your browser settings, though disabling them may affect platform functionality.
3. How We Use Your Information
We use personal information to:
- Create and manage Business accounts and provide the Bookatu platform.
- Enable Clients to make, amend and cancel bookings and send confirmation, reminder and post-visit emails on behalf of the Business.
- Send marketing emails to Clients who have given their consent, including win-back offers and birthday promotions, on behalf of the Business.
- Process and reconcile payments and deposits via Stripe.
- Detect and prevent fraud, security incidents and technical issues.
- Improve platform features and monitor performance through anonymised analytics.
- Communicate with Business account holders about their subscription, billing and product updates.
- Comply with legal and regulatory obligations.
4. Legal Bases for Processing (GDPR)
Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:
- Contract: processing necessary to provide the services you or the Business has signed up for.
- Consent: sending marketing emails to Clients who have opted in. Consent can be withdrawn at any time via the unsubscribe link in any marketing email.
- Legitimate interests: security monitoring, fraud prevention, product improvement and certain communications with Business account holders, where these interests are not overridden by your rights.
- Legal obligation: record-keeping required by applicable law.
5. Sharing Your Information
We do not sell personal information. We share it only as described below:
- Stripe: to process payments and deposits. Stripe operates under its own privacy policy at stripe.com/privacy.
- Resend: to deliver transactional and marketing emails on behalf of Businesses. Resend processes recipient email addresses and message content.
- Google: if a Business connects their Google account for calendar sync or OAuth sign-in, relevant appointment and profile data is shared with Google under the Business’s own Google account agreement.
- Cloud hosting and infrastructure: our platform runs on cloud infrastructure. Your data is stored on servers operated by our hosting provider.
- Legal requirements: we may disclose personal information if required by law, court order or to protect the safety and rights of our users.
6. International Transfers
Our servers and some of our service providers are located outside your country. If you are in the European Economic Area (EEA), the United Kingdom or another jurisdiction with data transfer restrictions, we ensure that appropriate safeguards are in place (such as Standard Contractual Clauses) before transferring your personal information internationally.
7. Data Retention
We retain Business account data for as long as the account is active and for a reasonable period thereafter to comply with legal obligations and resolve disputes. Client booking data is retained for as long as the Business account is active. When a Business closes its account, we will delete or anonymise the associated Client data in accordance with our data processing agreement with that Business.
We retain emails and notification records for [X] months for audit and deliverability purposes.
8. Security
We implement technical and organisational measures designed to protect your personal information, including encrypted connections (TLS), hashed passwords, access controls and regular security reviews. No system is completely secure; if you have concerns about the security of your account, please contact us immediately.
9. Your Rights
Depending on your location, you may have the following rights in relation to your personal information:
- Access: request a copy of the personal information we hold about you.
- Rectification: ask us to correct inaccurate information.
- Erasure: ask us to delete your personal information, subject to our legal obligations.
- Portability: receive a structured, machine-readable copy of the personal information you provided to us.
- Object: object to processing carried out on the basis of legitimate interests.
- Withdraw consent: if we rely on your consent (for example, for marketing emails), you can withdraw it at any time by clicking the unsubscribe link in any email or by contacting us. Withdrawal does not affect the lawfulness of any processing that took place before withdrawal.
To exercise any of these rights, please email hello@bookatu.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Note for Clients of Businesses: if you are a Client of a salon, spa or other business that uses Bookatu, you should contact that business directly to exercise your rights regarding the data they hold about you. We will assist the Business in responding to your request.
10. Marketing Emails
Marketing emails (such as promotional offers and birthday messages) are only sent to Clients who have given explicit consent. Every marketing email includes an unsubscribe link. Clicking it will immediately remove you from future marketing emails from that Business. Booking confirmations and appointment reminders are transactional and will continue regardless of your marketing preference.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Business account holders of material changes by email or through the platform. The updated policy will be effective from the "Last updated" date at the top of this page.
12. Contact Us
For any privacy-related questions, requests or concerns, please contact:
Bookatu
Email: hello@bookatu.com
Website: bookatu.com
© 2026 Bookatu. All rights reserved.