Skip to main content
Bookify
FeaturesIntegrationsPricingDocsContact
Log inSign up free
Docs

Privacy, GDPR & data

Where your data lives, how to export it, and how to delete your account. All of this is also covered in the formal Privacy Policy and Data Processing Agreement.

Where your data lives

Bookify runs on a Hostinger VPS in the Lithuania (EU) data center. That single machine carries:

  • Primary database (Postgres) — stores accounts, event types, bookings, emails sent, SMS sent, audit log.
  • Redis— caches per-request data (slot lookups, rate limits, job queue state). Nothing PII goes in long-term — it's a working cache.
  • File storage — uploaded org logos live on the same VPS, served as static assets.

Sub-processors

These third parties touch your data because we use them to deliver the service:

  • Resend — sends transactional emails
  • SMSapi — sends SMS reminders
  • Stripe — processes your customers' payments to you
  • PayPal — alternative payment processor
  • Creem — processes your Bookify subscription payments
  • Google / Microsoft / Apple / Zoom — only the ones you explicitly connect for calendar or video sync
  • Cloudflare — DNS + edge proxy
  • Hostinger — EU-region VPS hosting (Lithuania). Runs the Bookify app servers, Postgres database, and Redis.

The full DPA list with addresses and links is at /legal/dpa.

What we don't do

  • We don't sell your data. We don't share it with advertisers.
  • We don't track you across the web. There's no Google Analytics, Facebook Pixel, or similar on the dashboard. Marketing pages may have analytics if you consented to it via the cookie banner.
  • We don't embed tracking pixels in transactional emails. Open rates aren't measured.

Exporting your data

Dashboard → Settings → Privacy & data → Export my data. We pack your account, bookings, event types, and audit-log entries into a JSON ZIP and email you a download link. The link expires after 24 hours.

This satisfies GDPR Article 15 (access) and Article 20 (portability).

Deleting your account

Dashboard → Settings → Privacy & data → Delete my account. We soft-delete immediately:

  • You can't log in anymore.
  • Your public booking page returns 404.
  • Scheduled reminders stop firing.

A daily cron hard-deletes everything 30 days after request — this gives you a window to recover if you change your mind. Reach out to [email protected] during that window to restore. After 30 days the data is gone for good.

This satisfies GDPR Article 17 (right to be forgotten).

Booker data

When someone books with you, their name, email, optional phone, and booking notes are stored against the booking row. They are your data subjects — Bookify processes their info on your behalf as your data processor. Our DPA covers this.

If a booker asks you to delete their data, cancel + delete their booking from the bookings list. We retain the booking shell for accounting (anonymized contact info) for legal-minimum periods only.

Cookies on bookify.one

We use the minimum cookies needed to keep you signed in (session + CSRF), plus a random opaque device identifier used only to layer abuse / rate limiting on top of IP checks (the bk_did cookie — 12-month lifetime, no personal data, not shared with anyone). Analytics and marketing cookies are opt-in via the consent banner — you can review and change your choice anytime:

For the full cookie inventory and the consent lifecycle, see the Cookie Policy.

Encryption

  • OAuth tokens (Google, Microsoft, Zoom) are encrypted at rest with AES-256-GCM.
  • Audit-log IP addresses are stored as SHA-256 hashes, not plaintext.
  • Data in transit uses TLS 1.2+ everywhere.

Requesting something else

For DPA addendums, sub-processor questions, breach notifications, or anything else legal-flavored, email [email protected] and a human responds.