Privacy Policy
Last updated: 11 July 2026
This policy explains what personal data the Bookly online booking service collects, why, and what rights you have. The data controller is [Your business / legal entity], contactable at [contact email].
1. What we collect
Booking details you enter: your name, email address, phone number, and the service, staff member, date and time you choose.
Technical data needed to run the service safely: your IP address (used only for short-term rate limiting to prevent spam bookings) and small cookies that remember your language, theme, and — for shop owners — a signed dashboard session.
2. Why we use it (legal bases)
To create and manage your appointment, and let the shop contact you about it — this is necessary to perform the booking you request (contract).
To keep the service secure and prevent abuse — this is our legitimate interest. We do not use your data for advertising and we do not sell it.
3. Cookies
We use only functional cookies: your chosen language, your light/dark theme preference, and an authenticated session cookie for the owner dashboard. There are no third-party advertising or tracking cookies.
4. Who we share it with
The shop you book with, so it can prepare for and honour your appointment.
Our hosting and database provider (Supabase) processes the data on our behalf as a data processor. We do not sell or otherwise share your personal data. [List any other processors, e.g. email or SMS providers, once you add them.]
5. How long we keep it
We keep booking records for as long as needed to run the service and meet legal or accounting obligations. [State your retention period here, e.g. delete or anonymise bookings after N months.]
6. Where your data is stored
Data is stored on Supabase infrastructure in the [region, e.g. EU (Frankfurt)] region. If any processor is located outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. [Confirm and adjust to your actual setup.]
7. Your rights
You can ask to access, correct, delete, restrict, or export your personal data, and object to certain processing. To exercise these, contact us at [contact email].
If you are in the EU and believe your data is mishandled, you may complain to your supervisory authority — in Slovenia, the Information Commissioner (Informacijski pooblaščenec).
8. Security
Access to the database is restricted to our server using secret keys that are never exposed to your browser, row-level security is enabled on every table, and traffic is encrypted in transit. No system is perfectly secure, but we take reasonable measures to protect your data.
9. Changes and contact
We may update this policy; the date at the top shows the latest revision. Questions or requests? Contact [Your business / legal entity] at [contact email].