Privacy Policy

The data controller is the operator of the booqd Service. For privacy-related inquiries, please contact us at [email protected].

We collect and process the following personal data when you use the Service:

• Registration data: name, email address, password (stored in encrypted form), account type (user or instructor)
• Profile data: phone number, language preference, timezone, profile picture, Instagram handle, business name (for instructors), tax ID (for invoicing)
• Authentication data: when using Google OAuth or Apple Sign-In, the provider ID and email address, as well as encrypted access tokens
• Booking data: booking dates/times, status, attendance history, cancellation details
• Payment data: transaction amounts, payment status, Stripe payment identifiers. Your credit card details are handled directly by Stripe and are never stored on booqd servers.
• Communication data: messages within workspaces, notification preferences
• Device data: device identifiers for push notifications, platform type (iOS/Android), app version
• Files: uploaded profile pictures (stored in WebP format, max 800×800px)

We process your personal data based on the following legal grounds under GDPR Article 6:

• Performance of a contract (Art. 6(1)(b)): processing necessary for registration, booking management, payment processing, and operating the Service
• Consent (Art. 6(1)(a)): sending marketing notifications, optional Google Calendar integration
• Legitimate interest (Art. 6(1)(f)): maintaining Service security, fraud prevention, improving the Service
• Legal obligation (Art. 6(1)(c)): fulfilling invoicing and tax obligations

We use the collected data for the following purposes:

• Operating the Service: account management, booking management, membership tracking
• Processing payments and managing instructor payouts through the Stripe system
• Sending notifications: booking confirmations, reminders, cancellation notices, membership expiry warnings
• Enabling communication between instructors and members within workspaces
• Google Calendar synchronization (when enabled by you)
• Maintaining Service quality and security

We use the following third-party services (data processors) to operate the Service:

• Stripe, Inc. — payment processing, credit card data handling, instructor payouts (Stripe Connect). Stripe Privacy Policy
• Google LLC — OAuth sign-in and Google Calendar integration. Google Privacy Policy
• Apple Inc. — Apple Sign-In authentication. Apple Privacy Policy
• Cloudflare, Inc. — file storage (profile pictures) via Cloudflare R2
• Resend — transactional email delivery (booking confirmations, reminders, password reset, etc.)
• Expo (React Native) — mobile push notification delivery

Data processing agreements with these processors ensure GDPR-compliant handling of your data.

We implement the following technical and organizational measures to protect your data:

• HTTPS (SSL/TLS) encryption for all data transfers
• Passwords stored in encrypted (hashed) form
• OAuth tokens stored with encryption
• Row Level Security (RLS) in the database — workspace data is isolated between tenants
• HttpOnly cookies for session management (not accessible to JavaScript)
• Regular security backups
• Time-limited authentication tokens (password reset, account deletion)

The Service uses the following cookies:

• Session cookie (essential): an HttpOnly cookie to maintain your login session. This cookie is essential for the Service to function and does not require separate consent.
• Language preference: to remember your selected language

The Service does not use analytics, marketing, or tracking cookies. We do not employ third-party tracking technologies (e.g., Google Analytics, Facebook Pixel).

We retain your personal data for the following periods:

• Active accounts: for the duration of your account
• Deleted accounts: upon account deletion, we deactivate your data ("soft delete"). Payment and invoicing records are retained for the legally required period (typically 8 years).
• Booking history: retained in connection with the workspace for instructor record-keeping obligations
• Push notification tokens: automatically deleted after 90 days of device inactivity

Under the GDPR, you have the following rights:

• Right of access: you may request information about what data we process about you
• Right to rectification: you may request correction of inaccurate data
• Right to erasure ("right to be forgotten"): you may request deletion of your data. You can initiate account deletion in your profile settings or by contacting [email protected].
• Right to restriction of processing: you may request restriction of your data processing
• Right to data portability: you may request your data in a machine-readable format
• Right to object: you may object to processing based on legitimate interest
• Withdrawal of consent: you may withdraw your consent at any time for consent-based processing

To exercise your rights, please write to [email protected]. We will fulfill your request within 30 days.

If you believe your data protection rights have been violated, you may file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, www.naih.hu).

The Service is not directed at children under 16 years of age. We do not knowingly collect data from persons under 16. If we become aware that we have collected data from a person under 16, we will promptly delete it.

We reserve the right to modify this Privacy Policy. We will notify registered users of significant changes via email. The modified policy takes effect on the date of publication.

For privacy-related questions or requests, please contact us at:

• Email: [email protected]
• General support: [email protected]