1. Who we are
Bookabee is a booking platform for children's activity providers, operated by Upbeat Software Ltd ("Bookabee", "we", "us", "our"), a company registered in England and Wales with company number 17140434. We are registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number ZC133968.
This policy explains what personal data we collect, how we use it, and the rights you have. If you have any questions, contact us at hello@bookabee.co.
2. Our role: when we are a controller and when we are a processor
Bookabee plays two distinct data protection roles depending on whose data is being processed.
- We are the controller for personal data of activity providers (the people and companies who use the dashboard), website visitors, and prospects. This policy governs that processing.
- We are a processor for personal data of bookers (parents, guardians, children) that activity providers collect through their public booking pages. In that case the activity provider is the controller and decides what data to collect and how long to keep it. We process that data only on the activity provider's instructions, in line with our Data Processing Agreement and this policy. Bookers should also refer to the activity provider's own privacy notice.
3. What data we collect
Activity providers (dashboard users)
- Name and email address (from registration or Google sign-in)
- Profile picture (from Google or uploaded)
- Password (stored only as a bcrypt hash — never in plain text)
- Company information: name, logo, contact email, website URL, business address
- Stripe account identifiers and subscription status (we never store card numbers)
- Communication you send us (e.g. support emails, feedback)
Bookers (parents and guardians)
On behalf of the activity provider, Bookabee collects only the fields the provider has enabled for a given class. This typically includes:
- Booker name, email address, and/or phone number (at least one of email or phone is required)
- Child's name and date of birth (where the activity provider has enabled these fields)
- Year group, photo permission, and any custom questions the provider has set up
- Special category data: medical conditions, allergies, dietary requirements, or special educational needs and disability (SEND) information. These fields are optional and only collected where the provider has enabled them; bookers must give explicit consent before any such data is submitted.
- Booking reference, status, and price information
Payment card details are entered directly into Stripe's secure payment interface and are never seen or stored by Bookabee.
Automatically collected data
- IP address, device and browser information, and approximate location, captured by our hosting and analytics providers for security and product analytics
- A non-identifying viewer cookie used to count unique class page views
- Cookies and similar technologies (see section 9)
4. How we use your data
- To create and operate dashboard accounts and authenticate users
- To process bookings, take payments, and send transactional emails (confirmations, cancellations, payment-related notices, waitlist communications)
- To enable activity providers to manage their classes, sessions, customers, and communications
- To pass safety-relevant information (e.g. allergies, medical conditions) from bookers to the activity provider so they can run sessions safely
- To operate, secure, and improve the platform, including diagnosing problems and preventing fraud or abuse
- To send service messages (e.g. account-related notifications). We do not send marketing emails to bookers; activity providers may use Bookabee to email their own bookers in line with their own privacy notice
5. Legal basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Article 6(1)(b)): processing necessary to provide bookings, payments, and the dashboard service
- Legitimate interests (Article 6(1)(f)): securing the platform, preventing fraud, debugging, and improving our product. We balance these against your rights and interests.
- Consent (Article 6(1)(a)): non-essential cookies, optional analytics, and special category booking fields
- Legal obligation (Article 6(1)(c)): retaining financial records and complying with court orders or regulator requests
For special category data (health, allergies, SEND), we additionally rely on the booker's explicit consent under Article 9(2)(a). Bookers tick a separate consent box before any such data is submitted; we record the date and time of consent. Consent can be withdrawn at any time by contacting the activity provider or us.
6. Who we share data with (sub-processors)
We never sell personal data. We share it with sub-processors who help us run the platform, each bound by a written agreement. Current sub-processors:
- Neon — managed Postgres database hosting, hosted in the UK (AWS London, eu-west-2)
- Vercel — application hosting and Vercel Blob file storage (logos, class images, gallery photos)
- Resend — sending transactional emails and processing inbound replies to @bookabee.co addresses
- Stripe — payment processing (Stripe Connect direct charges) and subscription billing. Bookers' card details go directly to Stripe.
- Mapbox — rendering maps for class locations
- Google — Google Analytics 4 and Google Ads measurement, governed by our cookie consent settings (see section 9)
- Anthropic and Vercel AI Gateway — powering the in-product chat assistant. Conversations sent to the assistant may be processed by Anthropic.
- Sanity — content management for our blog (no booking data is shared)
We share booker data with the relevant activity provider who you booked with — they need it to deliver their service. If you book with multiple providers, your data is partitioned per provider; one provider cannot see another provider's bookings.
We may also share data where required by law, to enforce our terms, or to protect the rights or safety of users.
7. International data transfers
Some of our sub-processors (Stripe, Resend, Vercel, Mapbox, Google, Anthropic) are headquartered or operate in the United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards under UK GDPR — typically the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision where one is in force.
8. Children's data
Bookabee is not aimed at children, and children do not create accounts or interact with Bookabee directly. Information about a child (name, date of birth, allergies, medical conditions, photo permission, SEND information) is provided by a parent or guardian during booking and is shared only with the activity provider running the relevant class. We treat this data with the same care as adult data and apply the lawful basis described in section 5.
9. Cookies and similar technologies
We use a small number of cookies. Bookabee uses Google Consent Mode v2: by default, analytics and advertising storage are denied until you give consent through our cookie banner.
- Necessary: authentication and session cookies, anti-CSRF cookies, and a non-identifying viewer cookie for class page-view counting. These are always on.
- Analytics: Google Analytics 4 (G-F9LM3Y33ST) — only set when you consent to analytics in the banner.
- Marketing: Google Ads measurement (AW-18139029409) — only set when you consent to marketing in the banner.
You can change your preferences at any time by clearing your cookies and reloading the site, which re-shows the banner.
10. Data retention
- Booking records and customer data: retained for as long as the activity provider has an active Bookabee account so they can meet their record-keeping needs. The provider can delete a booker's personal fields from any individual booking at any time, or fully delete a booking.
- Pending bookings that are not paid: automatically expire after 30 minutes; the booking is preserved for the provider's records but the place is released.
- Provider account data: retained while your account is active. If you close your account, we delete or anonymise your data within 90 days, except where we're required to retain records (e.g. for tax purposes — typically 6 years).
- Financial records: retained for 6 years to comply with UK tax law.
- Email logs and security logs: retained for up to 12 months for security and abuse prevention.
You can request earlier deletion at any time (see section 12).
11. Data security
We protect your data using industry-standard measures: TLS encryption in transit, encryption at rest provided by our database and storage providers, bcrypt-hashed passwords, scoped multi-tenant access controls so providers can only see their own data, and least-privilege access for our team. We monitor for unusual activity and patch dependencies promptly.
In the unlikely event of a personal data breach affecting your data, we will notify you and any affected activity providers without undue delay so they can meet their own ICO 72-hour reporting obligation where applicable.
12. Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you
- Have inaccurate data corrected
- Have your data deleted (the "right to erasure")
- Restrict or object to our processing
- Receive your data in a portable format
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, email hello@bookabee.co. We aim to respond within one calendar month, as required by UK GDPR.
If you are a booker (parent or guardian), the activity provider you booked with is the data controller for your data. You should contact them first; we'll help them respond where needed.
13. Automated decision-making
We do not make decisions about you using solely automated means that produce legal or similarly significant effects. The in-product AI chat assistant generates suggestions but does not take any action without a person confirming.
14. Changes to this policy
We may update this policy from time to time. The date at the top reflects the latest revision; for material changes we will notify account holders by email.
15. Contact
Upbeat Software Ltd, registered in England and Wales (company number 17140434).
Privacy questions, data subject requests, and Data Processing Agreement requests: hello@bookabee.co.