Privacy Policy

The data controller for this platform is Octobooking, accessible at octobooking.com.

⚠️ Legal entity details (company name, registered address, VAT number) to be completed before go-live. Contact: privacy@octobooking.com

Octobooking is a cloud-based appointment and booking management platform for businesses such as barbers, salons, and similar service providers ("Shops"). It is a scheduling tool — it does not process payments on behalf of Shops, does not issue invoices or fiscal documents, and has no connection to any tax authority.

This policy applies to two distinct groups:

• Shop owners and their staff who register and use the Octobooking platform directly;
• End customers of those Shops who interact with the public booking pages.

For end customers' data, the Shop owner is the independent Data Controller; Octobooking acts only as a Data Processor on their behalf (GDPR Art. 28). See Section 10.

The table below covers processing where Octobooking acts as a Data Controller — i.e. for the data of Shop owners and their staff. For end customers' data, Octobooking acts solely as a Data Processor on the Shop owner's instruction; the Shop owner is responsible for their own legal basis (see Section 10).

We share personal data only with the providers below, each bound by a written data processing agreement:

SCC = Standard Contractual Clauses, European Commission Decision 2021/914/EU (GDPR Art. 46(2)(c)).

Several sub-processors are based in the United States. All transfers are made under Standard Contractual Clauses (Commission Decision 2021/914/EU), supplemented by encryption in transit (TLS 1.2+) and at rest (AES-256). No data is transferred to countries without an adequacy decision or appropriate safeguards.

• Shop owner account data:For the duration of the account, plus 30 days after deletion. Then permanently deleted.
• End customer PII (name, email, phone, notes):Erased immediately upon account deletion or erasure request — replaced with anonymous placeholders.
• Anonymised booking records (no PII):Up to 2 years from the last booking date, then permanently deleted.
• Session and authentication logs:Maximum 90 days.
• Analytics data:Aggregate only, no personal data, per Vercel's retention policy.

When a Shop owner or end customer deletes their account or submits a valid erasure request, we apply a pseudonymisation procedure:

• All personal identifiers — name, email, phone number, notes — are immediately overwritten with anonymous placeholders.
• The authentication account record is permanently deleted.
• Booking records are retained in anonymised form (dates, service names, no identifiers) for up to 2 years, then deleted.

Shop owners can initiate deletion from their account settings. End customers can request deletion at privacy@octobooking.com.

Non-essential cookies are only set after you give consent via the cookie banner.

You can change your preferences at any time by clearing your cookies (the banner will reappear).

When a Shop owner uses Octobooking to collect and manage their customers' data, the Shop owner is the independent Data Controller for that data (GDPR Art. 4(7)). Octobooking acts only as Data Processor (GDPR Art. 28), processing strictly on the Shop owner's instructions.

Shop owners are responsible for:

• Establishing a lawful basis for collecting their customers' data;
• Providing their customers with an appropriate privacy notice;
• Handling data subject requests from their own customers.

The full terms of this relationship are in the Data Processing Agreement, which each Shop owner accepts when creating a shop.

• Access (Art. 15):Request a copy of the personal data we hold about you.
• Rectification (Art. 16):Ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17):Ask us to delete your personal data. See Section 8.
• Restriction (Art. 18):Ask us to restrict processing in certain circumstances.
• Portability (Art. 20):Receive your data in a structured, machine-readable format, where processing is based on consent or contract and carried out by automated means.
• Objection (Art. 21):Object to processing based on legitimate interest.
• Withdraw consent:Where processing is consent-based (e.g. analytics cookies), withdraw at any time without affecting past processing.

Contact privacy@octobooking.com to exercise any right. We will respond within 30 days.

You have the right to lodge a complaint with the data protection authority in your country of residence:

• Italy — Garante per la protezione dei dati personali (garanteprivacy.it)
• Austria — Datenschutzbehörde (dsb.gv.at)
• All other EU/EEA countries — the supervisory authority of your Member State. Full list on the European Data Protection Board website.

• All data in transit encrypted with TLS 1.2+
• Data at rest encrypted by database provider (AES-256)
• Passwords stored as bcrypt hashes — never plain text
• Production access protected by MFA, restricted to authorised personnel
• Auth APIs protected by multi-layer controls: Cloudflare Turnstile (bot detection), distributed IP rate limiting (Upstash Redis), phone number risk assessment (Twilio Lookup V2), and OTP delivery via Twilio Verify with Fraud Guard
• Multi-tenant isolation: each Shop accesses only its own data

We may update this policy to reflect changes to our service or applicable law. For material changes we will notify registered users by email at least 30 days before the change takes effect. The date at the top of this page always reflects the current version.