Legal · octobooking.com

Privacy Policy

Version 2.0 · Last updated 30 June 2026

This Privacy Policy explains how Octobooking, a beta service operated by Tomas Bardhi (“we”, “us”, “our”), operating at octobooking.com, collects, uses, and protects personal data in accordance with Regulation (EU) 2016/679 (“GDPR”).

1. Who We Are

The data controller for this platform is Octobooking, a beta service operated by Tomas Bardhi, reachable at privacy@octobooking.com.

Octobooking is currently a free beta operated by an individual. A natural person can be a data controller under the GDPR. Once the operating company is incorporated, its full registered details (company name, registered office, VAT number) will be published here.

2. What Octobooking Is

Octobooking is a cloud-based appointment and booking-management platform for businesses such as barbers, salons, and similar service providers (“Shops”). It is currently offered as a free beta. It is a scheduling tool — it does not process payments on behalf of Shops, does not issue invoices or fiscal documents, and has no connection to any tax authority.

This policy applies to two distinct groups:

  • Shop owners and their staff who register and use the Octobooking platform directly; and
  • End customers of those Shops who interact with the public booking pages.

For end customers’ data, the Shop owner is the independent Data Controller; Octobooking acts only as a Data Processor on their behalf (GDPR Art. 28). See Section 11.

3. Data We Collect

3.1 Shop owners and staff

  • Name, email address, phone number
  • Shop name, location, timezone, opening hours
  • Subscription billing — processed by Stripe; we store only the Stripe customer ID (not active during the free beta)
  • Profile and shop images via UploadThing
  • Session tokens and IP addresses (authentication security and rate limiting only)

3.2 End customers of Shops

Collected by Shops using Octobooking and processed by Octobooking as a Data Processor on the Shop’s behalf:

  • Name, phone number, email address (optional)
  • Booking history: dates, times, services, staff member
  • Free-text notes added by the Shop
  • Payment status (paid / unpaid — reference only; no payment is processed by Octobooking)

3.3 Automatic technical data

  • Session cookies (authentication)
  • Consent cookie — stores your cookie preferences
  • Aggregate, anonymous usage statistics via Vercel Analytics (only if you consent — no personal data collected)

4. Special Categories of Data

Octobooking does not ask for special categories of personal data (GDPR Art. 9 — such as health, religion, or biometric data). However, the free-text notes a Shop may attach to a customer or a booking could, in principle, contain such data (for example, an allergy noted by a salon).

Shop owners, as the controllers of that data, must not record special-category data unless they have a valid legal basis under Art. 9 GDPR. Octobooking does not use these notes for any purpose other than displaying them to the Shop that entered them.

5. Legal Basis and Purposes

The table below covers processing where Octobooking acts as a Data Controller — i.e. for the data of Shop owners and their staff. For end customers’ data, Octobooking acts solely as a Data Processor on the Shop owner’s instruction; the Shop owner is responsible for their own legal basis (see Section 11).

PurposeLegal basis (GDPR Art. 6)
Providing the booking-management service to Shop ownersArt. 6(1)(b) — performance of a contract
Authentication and account security (rate limiting, OTP via Twilio Verify, IP checks, bot detection via Cloudflare Turnstile, phone-risk assessment via Twilio Lookup V2)Art. 6(1)(f) — legitimate interest (platform integrity and fraud prevention)
Subscription billing via Stripe (inactive during the free beta)Art. 6(1)(b) — performance of a contract
Anonymous usage analytics via Vercel AnalyticsArt. 6(1)(a) — consent (via the cookie banner)
Retaining anonymised booking records after account deletionArt. 6(1)(f) — legitimate interest (operational business history; no personal data retained)

6. Sub-Processors

We share personal data only with the providers below, each bound by a written data processing agreement:

ProviderPurposeLocation / Basis
Vercel Inc.Application hosting, CDN, anonymous analyticsUSA — SCC
Neon Inc.PostgreSQL database (where your data is stored)EU (Frankfurt, Germany)
Resend Inc.Transactional email deliveryUSA — SCC
Twilio Inc.Transactional SMS; phone OTP delivery and verification (Twilio Verify); phone-number risk assessment (Twilio Lookup V2)USA — SCC
Cloudflare Inc.Bot and fraud prevention (Turnstile — processes IP address and browser signals at sign-up)USA — SCC
Upstash Inc.Distributed rate limiting (temporarily stores IP addresses / phone numbers, max 10 minutes, to prevent SMS abuse)USA — SCC
Stripe Inc.Subscription payment processing (Shop owners only; inactive during the free beta)USA — SCC
UploadThing (Ping Labs Inc.)Image and file storage (profile and Shop images)Singapore — SCC
OpenFreeMapMap tiles on the public booking page (receives the visitor's IP address to serve the map; loaded only with functional consent)EU (Germany)

SCC = Standard Contractual Clauses, European Commission Decision 2021/914/EU (GDPR Art. 46(2)(c)).

7. International Data Transfers

Your data is stored in the EU (Neon, Frankfurt). Several sub-processors are based in the United States, and our image storage (UploadThing) is in Singapore — neither benefits from an EU adequacy decision. All such transfers are made under Standard Contractual Clauses (Commission Decision 2021/914/EU), supplemented by encryption in transit (TLS 1.2+) and at rest (AES-256). No data is transferred to any country without an adequacy decision or appropriate safeguards.

8. Data Retention

  • Shop owner account data:For the duration of the account, plus 30 days after deletion, then permanently deleted.
  • End-customer personal data (name, email, phone, notes):Erased immediately on account deletion or a valid erasure request — replaced with anonymous placeholders.
  • Anonymised booking records (no personal data):Up to 2 years from the last booking date, then permanently deleted.
  • Session and authentication logs:Maximum 90 days.
  • Analytics data:Aggregate only, no personal data, per Vercel’s retention policy.

9. Account Deletion and Erasure

When a Shop owner or end customer deletes their account or submits a valid erasure request, we apply a pseudonymisation procedure:

  • All personal identifiers — name, email, phone number, notes — are immediately overwritten with anonymous placeholders.
  • The authentication account record is permanently deleted.
  • Booking records are retained in anonymised form (dates, service names, no identifiers) for up to 2 years, then deleted.

Shop owners can initiate deletion from their account settings. End customers can request deletion at privacy@octobooking.com.

10. Cookies

Non-essential cookies are only set after you give consent via the cookie banner. You can change or withdraw your choices at any time using the “Cookie preferences” link in the site footer.

CookieCategoryPurposeDuration
better-auth.session_tokenEssentialAuthenticated session management7 days
better-auth.session_dataEssentialEncrypted session data7 days
NEXT_LOCALEEssentialRemembers your language preference1 year
octopus_consentEssentialStores your cookie consent choices1 year
sidebar_stateEssentialRemembers the dashboard sidebar state (Shop owners only)7 days
Vercel Analytics (_va_*)Analytics — consent requiredAnonymous, aggregate page-view statistics; no personal dataSession / 1 year

The “Functional” consent option does not set a cookie; it controls whether the location map loads on a Shop’s public booking page. Loading the map shares your IP address with our map-tile provider, OpenFreeMap (hosted in the EU). With functional consent declined, a placeholder is shown instead of the map.

11. Shop Owners as Independent Controllers

When a Shop owner uses Octobooking to collect and manage their customers’ data, the Shop owner is the independent Data Controller for that data (GDPR Art. 4(7)). Octobooking acts only as Data Processor (GDPR Art. 28), processing strictly on the Shop owner’s instructions.

Shop owners are responsible for:

  • Establishing a lawful basis for collecting their customers’ data;
  • Providing their customers with an appropriate privacy notice;
  • Handling data subject requests from their own customers.

The full terms of this relationship are in the Data Processing Agreement, which each Shop owner accepts when creating a Shop.

12. Your Rights (GDPR Art. 15–22)

  • Access (Art. 15):Request a copy of the personal data we hold about you.
  • Rectification (Art. 16):Ask us to correct inaccurate or incomplete data.
  • Erasure (Art. 17):Ask us to delete your personal data. See Section 9.
  • Restriction (Art. 18):Ask us to restrict processing in certain circumstances.
  • Portability (Art. 20):Receive your data in a structured, machine-readable format, where processing is based on consent or contract and carried out by automated means.
  • Objection (Art. 21):Object to processing based on legitimate interest.
  • Withdraw consent:Where processing is consent-based (e.g. analytics cookies), withdraw at any time without affecting past processing.

Contact privacy@octobooking.com to exercise any right. We respond within one month, extendable by up to two further months for complex requests, in which case we will inform you.

13. Supervisory Authorities

You have the right to lodge a complaint with the data protection authority in your country of residence:

14. Security

  • All data in transit encrypted with TLS 1.2+
  • Data at rest encrypted by the database provider (AES-256)
  • Passwords stored as bcrypt hashes — never plain text
  • Production access protected by MFA, restricted to authorised personnel
  • Auth APIs protected by multi-layer controls: Cloudflare Turnstile (bot detection), distributed IP rate limiting (Upstash Redis), phone-number risk assessment (Twilio Lookup V2), and OTP delivery via Twilio Verify with Fraud Guard
  • Multi-tenant isolation: each Shop accesses only its own data

15. Changes to This Policy

We may update this policy to reflect changes to our service or applicable law. For material changes we will notify registered users by email at least 30 days before the change takes effect. The version and date at the top of this page always reflect the current version.

Contact

For any privacy question or to exercise your rights: privacy@octobooking.com

Governed by Regulation (EU) 2016/679 (GDPR) and applicable EU Member State law.