Privacy Policy

Effective Date: August 26, 2025

Contact: Booko App Inc., 325 Sharon Park Drive, Menlo Park, CA, Box 105 Unit D-5; support@bookoapp.com

Overview

Booko App Inc. ("Booko," "we," "us") provides dynamic-pricing and booking tools for service providers ("Providers"). This Policy explains what we collect, how we use it, who we share it with, and your choices. It applies to Providers and their end-customers ("Customers"). Where we process personal data on behalf of a Provider (e.g., booking data in Provider tools), we act as the Provider's processor. For our platform operations (security, billing, fraud, analytics), we act as an independent controller.

This Policy is US-centric and incorporates EU/UK concepts where relevant.

What We Collect

  • Provider account data: name, email, business profile (industry, services, phone, website, timezone, banner image), settings and policies.
  • Customer booking data: name, email, booked services, time, location if provided, pricing and payment status; limited IP for security and fraud prevention.
  • Authentication: Google OAuth and email magic links. We store the tokens necessary to operate accounts. We do not store passwords today. If we add password login later, we will store salted, hashed passwords only (never plaintext).
  • Payments: We do not store card numbers. Stripe processes payments for Providers via Stripe Connect. We store payment metadata (amounts, fees, status, Stripe IDs).
  • Calendar: If connected, we sync booking event details with the Provider's Google Calendar.
  • Files: Business banners and branding assets. These URLs may be public. Do not upload personal images without consent.
  • Diagnostics: Error/usage telemetry and sampled replay via Sentry to improve reliability. We minimize data and sample carefully. In EU/UK, replay/marketing pixels require consent.
  • Optional CRM: If enabled by a Provider, basic customer contact data and notes. Providers are responsible for lawful collection and content (no medical records or sensitive categories).

Representative sources in code: NextAuth auth and email magic links; Prisma models for User/Business/Booking/Payment/StripeAccount; Stripe Connect and webhooks; Google OAuth/Calendar; Google Cloud Storage; Sentry instrumentation; optional Supabase CRM.

How We Use Data

  • Provide and improve the service (bookings, dynamic pricing, payments, calendar sync, notifications).
  • Security, abuse, and fraud prevention (e.g., IP checks, rate limiting).
  • Customer support and operational communications.
  • Marketing with consent (email/SMS). Providers using Booko's bulk email/SMS must have valid consent and honor unsubscribe/STOP requests.
  • Aggregated/anonymized analytics and, where permitted, retention of de-identified operational data to evaluate corporate transactions (e.g., merger, acquisition, sale) without disclosing personal data in a manner that constitutes a "sale" under applicable laws without required notices/choices.

Lawful Bases (EU/UK)

  • Contract: performing bookings, payments, platform features.
  • Legitimate interests: security, fraud prevention, debugging, service analytics, improving reliability and quality.
  • Consent: marketing communications; non-essential cookies/replay/marketing pixels.

Sharing and Sub-Processors

We share data with service providers acting on our behalf, including Stripe (payments), Google (OAuth/Calendar), Google Cloud Storage (assets), Sentry (monitoring), email providers (Resend/SMTP), optional Supabase (CRM), and hosting providers. We use appropriate transfer safeguards (e.g., Standard Contractual Clauses and the UK Addendum) when required.

Cookies and Similar Technologies

Essential

Authentication and CSRF cookies; local/session storage for booking and OAuth state.

Non-essential

Sentry Replay and any future marketing pixels (e.g., Meta Pixel) are used only with consent in applicable regions and can be controlled via our consent tools where provided.

Retention

  • Active accounts: retained while your account remains active.
  • After closure: account/profile for ~24 months; bookings/payments for ~7 years (tax/audit); operational logs/replay for ~30–90 days; marketing lists until you opt out or after ~24 months of inactivity.
  • We may de-identify data for analytics. These periods may change with notice and as required by law.

Security

  • TLS in transit and cloud encryption at rest for databases and storage.
  • No payment card numbers stored by Booko (Stripe tokenization).
  • Access controls and least-privilege for staff.
  • If we add password login, passwords will be salted and hashed.

International Transfers

Primary processing is in the United States. When data moves outside your region, we use appropriate safeguards (e.g., SCCs and UK Addendum) as applicable.

Children's Privacy

Booko is not directed to children under 13. Accounts must be created by adults. In the edge case where an appointment is scheduled for a minor (e.g., child haircut), the Provider is responsible for obtaining appropriate parental/guardian consent and complying with applicable laws. Contact us if you believe a child provided data without appropriate consent.

Your Rights and Choices

  • Access, correction, deletion, and portability (subject to verification and legal limits).
  • Unsubscribe from marketing emails; SMS opt-out via STOP.
  • Manage non-essential cookies/tracking in supported regions via our consent tools.
  • Submit requests to support@bookoapp.com. We may verify identity and aim to respond within ~30–45 days.

State Addenda

We provide additional rights and disclosures for residents of CA/VA/CO/CT/UT and others as laws require (e.g., access, delete, correct, limit use of sensitive data, opt-out of sale/share/targeted advertising where applicable).

Changes and Contact

We may update this Policy; we'll post a "last updated" date and, for material changes, provide notice. Contact: support@bookoapp.com

This policy is general information and not legal advice.