1. Introduction
Bookify.hu (hereinafter: "Service", "Bookify", "we") is an online appointment booking SaaS platform that provides booking management, client management, and payment processing tools for service providers (businesses), and enables their clients (end users) to book appointments online.
This Privacy Policy has been prepared in accordance with the EU General Data Protection Regulation No. 2016/679 (GDPR), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.), and Act CVIII of 2001 on Electronic Commerce Services (Ektv.).
2. Controller Details
- Name: HorizonLabs Korlátolt Felelősségű Társaság
- Registered address: 4244 Újfehértó, Debreceni út 44.
- Company registration number: 15-09-094737
- Registering court: Nyíregyházi Törvényszék Cégbírósága
- Tax number: 33071532-2-15
- EUID: HUOCCSZ.15-09-094737
- Email: hello@bookify.hu
- Phone: +36 20 549 2533
- Data protection contact: hello@bookify.hu
3. Definitions
- Service Provider User: A natural or legal person (business) who registers on the Bookify platform to manage their services online.
- End User (Client): A natural person who books an appointment through a Service Provider User, or whose data is recorded by the Service Provider User.
- Team Member: An employee or administrator invited by a Service Provider User.
4. Personal Data We Collect and Process
4.1 Service Provider User (Business) Data
- Full name (first name and last name)
- Email address
- Password (managed by Firebase Authentication — not stored on our servers)
- Profile photo (avatar URL)
- Business name, description, phone number, address, country
- VAT status
- Social media links (Facebook, Instagram, TikTok, Twitter/X, LinkedIn, YouTube)
- Timezone setting
- Payment data — Stripe customer ID, subscription ID, Stripe Connect account ID (bank card data is not stored directly)
- Subscription plan, currency, trial period dates
- Authentication method (password, Google OAuth, Facebook OAuth)
- Referral code (if registered through a referral)
4.2 End User (Client) Data Collected During Booking
The following data is recorded during appointment booking:
- Client name
- Email address
- Phone number (optional or mandatory — set by the Service Provider)
- Notes (text comment on the booking)
- Questionnaire responses (responses to custom forms)
- Booking history (date, service, status)
- Tip amount (optional, for online payments)
Data sharing with the Service Provider: The above data (name, email address, phone number, booking history) is made available to the relevant Service Provider User with whom the client booked. The client consents to this by submitting the booking.
Booking statistics: Clients' booking habits (e.g. number of bookings, times, return rate) are used to create aggregate statistics and business reports. This processing is part of the analytics functionality provided to the Service Provider User.
Residential and geolocation data: The residential address and geolocation data of booking clients are not recorded or stored by our system.
4.3 Team Member Data
- Email address (via invitation)
- Name, password (during registration)
- Role (employee, admin, booker)
- Working hours settings
4.4 Automatically Collected Technical Data
- IP address
- Browser type (User Agent)
- HTTP request log (URL, method, status, response time)
5. Legal Basis and Purpose of Processing
| Processing purpose | Legal basis (GDPR) | Retention period |
|---|---|---|
| Registration and account management | Art. 6(1)(b) — contract performance | Until account deletion |
| Appointment booking management | Art. 6(1)(b) — contract performance | 5 years after completion (accounting obligation) |
| Payment processing (Stripe) | Art. 6(1)(b) — contract performance | 8 years (accounting law) |
| Email notifications (booking confirmation, reminders) | Art. 6(1)(b) — contract performance | Not archived after sending |
| SMS notifications (Twilio) | Art. 6(1)(a) — consent / (b) — contract | Not archived after sending |
| Google Calendar synchronisation | Art. 6(1)(a) — explicit consent | Until disconnected |
| Booking habits — statistics and reports | Art. 6(1)(f) — legitimate interest (business analytics) | 5 years after booking completion |
| AI text generation | Art. 6(1)(a) — consent | Not stored — generated in real time |
| Bug reporting | Art. 6(1)(f) — legitimate interest | Until bug resolved |
| Server logging (HTTP log) | Art. 6(1)(f) — legitimate interest (security) | 30 days |
6. Data Transfers and Processors
We use the following third-party service providers (data processors) to operate the Service:
| Provider | Purpose | Transfer location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, Stripe Connect | USA / EU | EU–US Data Privacy Framework, SCCs |
| Twilio, Inc. | Sending SMS notifications | USA / EU | EU–US Data Privacy Framework, SCCs |
| Google LLC | Google OAuth authentication, Google Calendar sync (in case of two-way sync, external calendar events — title, description, time — are also stored) | USA / EU | EU–US Data Privacy Framework, SCCs |
| Google Cloud Platform (GCP) | File and image storage (Cloud Storage) | EU (europe-west) | EU data centre, EU–US Data Privacy Framework |
| Verpex | Transactional email sending (SMTP), domain hosting | EU | EU-based provider |
| Billingo (Octosoft Kft.) | Electronic invoice generation — only if the Service Provider User has activated the Billingo integration | Hungary (EU) | Hungarian data processor, GDPR-compliant |
| Számlázz.hu (KBOSS.hu Kft.) | Electronic invoice generation — only if the Service Provider User has activated the Számlázz.hu integration | Hungary (EU) | Hungarian data processor, GDPR-compliant |
| National Tax and Customs Administration (NAV) | Online invoice data reporting — direct transfer of issued invoice data to the NAV Online Invoice system, based on statutory obligation | Hungary | Statutory obligation (Act CL of 2017 — Art.), not a third-party data processor |
| OpenRouter / Google Gemini | AI text generation (optional feature) | USA / EU | Only public business description is transferred |
| GitHub, Inc. | Bug reporting (Issues) | USA | EU–US Data Privacy Framework |
Important: Bank card data is not stored directly. The entire payment process is handled by Stripe in accordance with the PCI DSS standard.
7. Data Security Measures
- Password authentication is managed by Firebase Authentication (Google) — passwords are not stored on our servers. Google handles password hashing using its own secure algorithm.
- Authentication is based on JSON Web Tokens (JWT), which expire after 7 days and are signed with a server-side secret key.
- HTTPS-encrypted data transfer on all communication channels.
- In the case of Google OAuth authentication and Google Calendar synchronisation, access tokens and refresh tokens are stored encrypted in the database.
- File uploads are protected with type and size validation (max. 5 MB, image formats only).
- Regular backups and logging.
8. Your Rights (GDPR Articles 15–22)
Under EU data protection law, you have the following rights:
- Right of access (Art. 15) — You may request information about what personal data we process about you.
- Right to rectification (Art. 16) — You may request correction of inaccurate data.
- Right to erasure ("right to be forgotten", Art. 17) — You may request deletion of your personal data where processing is no longer necessary for the original purpose.
- Right to restriction (Art. 18) — You may request restriction of processing under certain conditions.
- Right to data portability (Art. 20) — You may request your data in a machine-readable format.
- Right to object (Art. 21) — You may object to processing of your personal data based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise your rights, please contact us at hello@bookify.hu. Requests will be fulfilled within 30 days.
9. Right to Lodge a Complaint
If you believe that the processing of your personal data has caused you harm, you may contact the following authority:
- National Authority for Data Protection and Freedom of Information (NAIH)
- Address: 1055 Budapest, Falk Miksa utca 9-11.
- Website: www.naih.hu
- Email: ugyfelszolgalat@naih.hu
- Phone: +36 (1) 391-1400
You may also seek judicial remedy under the Infotv. and Act V of 2013 on the Civil Code.
10. Cookies
The Bookify platform uses functional cookies to manage user sessions and authentication (JWT storage). These are strictly necessary for the operation of the service.
We do not use analytical or marketing cookies.
11. Service Provider User as Independent Data Controller
Service Provider Users (businesses) registered on the Bookify platform are considered independent data controllers in relation to the personal data of their own clients. Bookify acts as a data processor in this regard pursuant to Article 28 GDPR. The Service Provider User is obliged to properly inform their own clients about data processing.
12. Children's Personal Data
The Bookify service is not intended for persons under the age of 16. We do not knowingly collect personal data of children under 16. If we become aware that we are processing data of a person under 16, we will delete it without delay.
13. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. Registered users will be notified of material changes by email, and visitors to the website will be informed by a notice posted on the site. The modified policy takes effect on the date of publication.
14. Contact
For data protection questions or requests, please contact us:
- Email: hello@bookify.hu
- Phone: +36 20 549 2533
