Effective May 16, 2026
Privacy Policy
1. Who we are
Pantazi Software is the data controller for the personal data processed via Bookify. Contact: [email protected].
2. What we collect
From you, the account holder
- name, email, optional profile photo, time zone, language;
- organization name + booking slug, working hours, event types;
- OAuth tokens for calendar and video integrations (encrypted at rest with AES-256-GCM);
- payment account identifiers from Stripe Connect / PayPal (we never see card numbers).
From people booking with you
- name, email, optional phone, optional notes provided on the booking form;
- time zone, preferred meeting time;
- payment status (from Stripe / PayPal webhooks; no card data).
Automatic
- session cookies (strictly necessary);
- SHA-256 hashed IP addresses in our audit log;
- a random, opaque device identifier (
bk_didcookie, 12-month lifetime) set on public booking endpoints — used onlyas one input to abuse / rate limiting alongside your IP; it doesn't identify you personally and is never shared with third parties; - analytics + marketing cookies only after you opt in via the consent banner — never by default.
3. Why we process it (legal bases)
- Contract (Art. 6(1)(b) GDPR) — running your account, sending booking emails, processing payments through your merchant account.
- Legal obligation (Art. 6(1)(c)) — tax records, accounting.
- Legitimate interest (Art. 6(1)(f)) — security logging, abuse prevention, product analytics on aggregated data.
- Consent (Art. 6(1)(a)) — non-essential cookies, marketing emails. You can withdraw consent at any time.
4. Who we share it with (sub-processors)
See our full list at /legal/dpa. In short: Resend (email), SMSapi (SMS), Stripe + PayPal (your customer payments), Creem (our subscription billing), Google, Microsoft, Apple, Zoom (your calendar + video integrations), Cloudflare (DDoS + DNS), and Hostinger International Ltd. (EU-region VPS hosting). We never sell or share data with advertisers.
5. International transfers
Bookify infrastructure runs on Hostinger International Ltd.VPS servers in the European Union (Lithuania). Some sub-processors (Stripe, PayPal, Resend, Google, Microsoft, Zoom) are based outside the EU and rely on the EU Commission's Standard Contractual Clauses or adequacy decisions for transfers.
6. Retention
- account + organization data: while the account is active;
- soft-deleted accounts: permanently removed 30 days after deletion request;
- booking records: kept while the host's account is active, then deleted with the account;
- audit log: 12 months;
- accounting / invoice data: 7 years (legal obligation).
7. Your rights
Under GDPR you have the right to:
- access your data (Article 15);
- have inaccurate data corrected (Article 16);
- have your data deleted (Article 17);
- restrict processing (Article 18);
- data portability — get a machine-readable copy of your data (Article 20). Use Dashboard → Settings → Data export;
- object to processing based on legitimate interest (Article 21);
- lodge a complaint with your supervisory authority (in Romania: ANSPDCP, at dataprotection.ro).
California residents have the parallel right under CCPA / CPRA to access, delete, and opt out of "sale or sharing" — we don't sell or share, so there's nothing to opt out of.
8. Security
- OAuth tokens encrypted at rest with AES-256-GCM;
- IPs hashed with SHA-256 in the audit log;
- HTTPS everywhere; HSTS enabled;
- strict Content-Security-Policy and other security headers;
- least-privilege Postgres roles; nightly off-site encrypted backups.
9. Cookies
See our cookie policy for the categories and how to manage consent.
10. Changes
We'll announce material changes by email at least 30 days before they take effect.