Last Updated: August 26, 2025
Booko is the processor for Provider-controlled data and an independent controller for platform operations (fraud/security, billing, analytics).
Provide booking, pricing, payments, messaging, analytics tools.
As described in the Privacy Policy/Data Inventory.
For the term of Services and per retention section.
TLS in transit; cloud encryption at rest; access controls and least-privilege for staff; vulnerability management and logging appropriate to the platform.
Stripe (payments), Google (OAuth/Calendar), Google Cloud Storage (assets), Sentry (monitoring), Email provider (Resend/SMTP), optional Supabase (CRM), hosting provider(s). Booko may update sub-processors with notice via website or email.
Standard Contractual Clauses (SCCs) and the UK addendum are used as applicable.
Booko will assist with reasonable data subject requests, DPIAs, and confirmed security incident notifications. Provider may conduct reasonable audits as required by law, subject to confidentiality and scheduling.
Upon termination or written request, Booko will delete or return personal data within ~30 days unless law requires retention. Backups roll off per standard cycles.
Booko will notify without undue delay upon becoming aware of a confirmed personal data breach affecting Provider data and will cooperate on remediation.
If there is a conflict between this DPA and the Terms/Privacy Policy, this DPA controls for processing of Provider personal data.