Privacy Policy

The data controller is Bookify S.à r.l., Luxembourg. Contact: privacy@bookify.lu.

Studio Owners (business accounts):

• Name, email address, business name, industry
• Billing information (processed and stored by Stripe — we receive only masked card data)
• Studio data: services, staff, bookings, client records, audit logs
• IP address and session data for security and fraud prevention

Additionally, if you use the in-dashboard support chat, the full conversation transcript is saved by Bookify. This data is retained for [retention period to be confirmed before public launch] to improve support quality and assist in dispute resolution. This data is controlled by Bookify and is not shared with your customers or third parties except as listed in the Subprocessors section below.

Consumers (end customers booking services):

• Name, email, phone (as provided during booking)
• Booking history and deposit payment records
• Device type and session token (for optional consumer login)

We process data under the following GDPR bases:

• Contract performance (Art. 6(1)(b)) — to deliver the platform to Studio Owners and process bookings for Consumers
• Legitimate interests (Art. 6(1)(f)) — fraud prevention, security, platform analytics
• Legal obligation (Art. 6(1)(c)) — tax records, financial regulations
• Consent (Art. 6(1)(a)) — marketing communications and non-essential cookies

Your data is stored in the EU via Supabase (PostgreSQL database hosted in Europe). Payment data is processed by Stripe, Inc. under Standard Contractual Clauses for international transfers.

We do not sell your data to third parties.

As a data subject in the EU, you have the right to:

• Access — request a copy of the data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion ("right to be forgotten"), subject to our legal retention obligations
• Restriction — restrict how we process your data
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — at any time for consent-based processing

To exercise any right, email privacy@bookify.lu. We respond within 30 days.

We use cookies and similar tracking technologies. See our Cookie Policy for full details. You can manage your preferences at any time via the cookie banner.

We implement technical and organisational measures including TLS encryption, JWT-based authentication, role-based access control, and audit logging. Stripe holds PCI-DSS Level 1 certification for payment data.

You have the right to lodge a complaint with your local supervisory authority. In Luxembourg, this is the Commission Nationale pour la Protection des Données (CNPD) — cnpd.public.lu.

We will notify users of material changes via email or an in-app notice at least 14 days before they take effect.

We use the following sub-processors to deliver the Bookify service. These sub-processors may process personal data on our behalf, including data belonging to your customers.


We will update this list and notify affected Studio Owners at least 30 days before adding a new sub-processor. To object to a new sub-processor, contact us at privacy@bookify.lu.