GDPR & Data Protection

Parents who book through Bookabee trust you with their personal data — names, contact details, sometimes children's allergies and medical information. This article explains the data protection setup behind Bookabee and the small amount of work you need to do on your side to stay compliant under UK GDPR.

Who is the data controller?

Under UK GDPR you, the activity provider, are the data controller for your bookers' personal data. Bookabee is the data processor — we hold the data on your behalf and process it only on your instructions. We are the controller for your own dashboard account data (your name, email, login).

Where your data is stored

• Booking data, customer records, classes, and sessions: Postgres database hosted by Neon in AWS London (eu-west-2) — that's where bookings are persisted at rest.
• Logos, class images, and gallery photos: Vercel Blob storage.
• Transactional emails (and inbound replies): Resend.
• Payments: handled directly by Stripe — Bookabee never sees full card details.
• Application hosting and request handling: Vercel.

While the database is in the UK, some sub-processors that handle data in flight (Vercel for hosting, Stripe for payments, Resend for email, Google for analytics) are headquartered in or operate from the United States. Where personal data is transferred outside the UK we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. The full sub-processor list is in our privacy policy.

Data separation between providers

Bookabee is multi-tenant: only members of your company can see your bookers' data. Other Bookabee customers cannot. Every database query is scoped to your company id, enforced both in the application layer and through our access controls.

Emailing participants — no leaked addresses

When you email all confirmed participants of a class from the Email tab, we send a separate individual email to each recipient. No participant ever sees another participant's email address — there are no shared To, Cc, or Bcc fields between bookers. This protects against the most common accidental data leak in group emails and is how we make sure mass communication doesn't breach data-minimisation principles.

Special category data (health, allergies, SEND)

Medical conditions, allergies, dietary requirements, and SEND information are special category data under GDPR. They need an extra lawful basis on top of the normal one — typically explicit consent.

• These fields are off by default. You decide which to enable per class.
• When any of them are enabled, the booking form shows an explicit consent tick box.
• We record the date and time the booker gave consent (the consentedAt timestamp on the booking).
• Bookers can withdraw consent by asking you to delete the data; admins can do this from the booking detail page using "Delete personal data".

Encryption and security

• All traffic is TLS-encrypted (HTTPS).
• Data at rest is encrypted by our database and storage providers.
• Passwords are stored only as bcrypt hashes — never in plain text.
• In the unlikely event of a breach affecting your data, we will notify you without undue delay so you can meet your own ICO 72-hour reporting obligation where applicable.

Retention

Booker data is kept for as long as you have an active Bookabee account so your bookings, customer history, and reporting stay intact.

• You can delete a booker's personal fields at any time from the booking detail page using "Delete personal data" — the anonymous booking record stays so your numbers don't change.
• You can fully delete a booking from the dashboard if you need to.
• Pending bookings that aren't paid auto-expire after 30 minutes.
• If you close your Bookabee account we delete or anonymise your data within 90 days, except where we're required to retain financial records (typically 6 years for UK tax law).

Bookers' rights

Bookers have the right to access, correct, delete, restrict, port, and object to processing of their data, and to withdraw consent. Under UK GDPR you have one calendar month to respond to a data subject access request.

• For access or correction requests: bookers can look up their booking by reference at /bookings and update some fields themselves; you can export their data from the dashboard.
• For deletion requests: use "Delete personal data" or "Delete booking" from the booking detail page.
• If you need help responding to a request, email hello@bookabee.co.

What you need to do on your side

• Register with the ICO as a data controller. Most small providers pay £40–£60 per year. https://ico.org.uk/for-organisations/
• Have a privacy policy that names Bookabee as a processor and link it from your booking pages — there's a "Privacy URL" field in your company settings for this.
• Have a contact email set in company settings so bookers know how to reach you with data requests.
• Make sure any team members you add to the dashboard genuinely need access — review the Users page from time to time.