1. Introduction

Bookify.hu (hereinafter: "Service", "Bookify", "we") is an online appointment booking SaaS platform that provides booking management, client management, and payment processing tools for service providers (businesses), and enables their clients (end users) to book appointments online.

This Privacy Policy has been prepared in accordance with the EU General Data Protection Regulation No. 2016/679 (GDPR), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.), and Act CVIII of 2001 on Electronic Commerce Services (Ektv.).

2. Controller Details

  • Name: HorizonLabs Korlátolt Felelősségű Társaság
  • Registered address: 4244 Újfehértó, Debreceni út 44.
  • Company registration number: 15-09-094737
  • Registering court: Nyíregyházi Törvényszék Cégbírósága
  • Tax number: 33071532-2-15
  • EUID: HUOCCSZ.15-09-094737
  • Email: hello@bookify.hu
  • Phone: +36 20 549 2533
  • Data protection contact: hello@bookify.hu

3. Definitions

  • Service Provider User: A natural or legal person (business) who registers on the Bookify platform to manage their services online.
  • End User (Client): A natural person who books an appointment through a Service Provider User, or whose data is recorded by the Service Provider User.
  • Team Member: An employee or administrator invited by a Service Provider User.

4. Personal Data We Collect and Process

4.1 Service Provider User (Business) Data

  • Full name (first name and last name)
  • Email address
  • Password (managed by Firebase Authentication — not stored on our servers)
  • Profile photo (avatar URL)
  • Business name, description, phone number, address, country
  • VAT status
  • Social media links (Facebook, Instagram, TikTok, Twitter/X, LinkedIn, YouTube)
  • Timezone setting
  • Payment data — Stripe customer ID, subscription ID, Stripe Connect account ID (bank card data is not stored directly)
  • Subscription plan, currency, trial period dates
  • Authentication method (password, Google OAuth, Facebook OAuth)
  • Referral code (if registered through a referral)

4.2 End User (Client) Data Collected During Booking

The following data is recorded during appointment booking:

  • Client name
  • Email address
  • Phone number (optional or mandatory — set by the Service Provider)
  • Notes (text comment on the booking)
  • Questionnaire responses (responses to custom forms)
  • Booking history (date, service, status)
  • Tip amount (optional, for online payments)

Data sharing with the Service Provider: The above data (name, email address, phone number, booking history) is made available to the relevant Service Provider User with whom the client booked. The client consents to this by submitting the booking.

Booking statistics: Clients' booking habits (e.g. number of bookings, times, return rate) are used to create aggregate statistics and business reports. This processing is part of the analytics functionality provided to the Service Provider User.

Residential and geolocation data: The residential address and geolocation data of booking clients are not recorded or stored by our system.

4.3 Team Member Data

  • Email address (via invitation)
  • Name, password (during registration)
  • Role (employee, admin, booker)
  • Working hours settings

4.4 Automatically Collected Technical Data

  • IP address
  • Browser type (User Agent)
  • HTTP request log (URL, method, status, response time)

5. Legal Basis and Purpose of Processing

| Processing purpose | Legal basis (GDPR) | Retention period |
|---|---|---|
| Registration and account management | Art. 6(1)(b) — contract performance | Until account deletion |
| Appointment booking management | Art. 6(1)(b) — contract performance | 5 years after completion (accounting obligation) |
| Payment processing (Stripe) | Art. 6(1)(b) — contract performance | 8 years (accounting law) |
| Email notifications (booking confirmation, reminders) | Art. 6(1)(b) — contract performance | Not archived after sending |
| SMS notifications (Twilio) | Art. 6(1)(a) — consent / (b) — contract | Not archived after sending |
| Google Calendar synchronisation | Art. 6(1)(a) — explicit consent | Until disconnected |
| Booking habits — statistics and reports | Art. 6(1)(f) — legitimate interest (business analytics) | 5 years after booking completion |
| AI text generation | Art. 6(1)(a) — consent | Not stored — generated in real time |
| Bug reporting | Art. 6(1)(f) — legitimate interest | Until bug resolved |
| Server logging (HTTP log) | Art. 6(1)(f) — legitimate interest (security) | 30 days |

6. Data Transfers and Processors

We use the following third-party service providers (data processors) to operate the Service:

| Provider | Purpose | Transfer location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, Stripe Connect | USA / EU | EU–US Data Privacy Framework, SCCs |
| Twilio, Inc. | Sending SMS notifications | USA / EU | EU–US Data Privacy Framework, SCCs |
| Google LLC | Google OAuth authentication, Google Calendar sync (in case of two-way sync, external calendar events — title, description, time — are also stored) | USA / EU | EU–US Data Privacy Framework, SCCs |
| Google Cloud Platform (GCP) | File and image storage (Cloud Storage) | EU (europe-west) | EU data centre, EU–US Data Privacy Framework |
| Verpex | Transactional email sending (SMTP), domain hosting | EU | EU-based provider |
| Billingo (Octosoft Kft.) | Electronic invoice generation — only if the Service Provider User has activated the Billingo integration | Hungary (EU) | Hungarian data processor, GDPR-compliant |
| Számlázz.hu (KBOSS.hu Kft.) | Electronic invoice generation — only if the Service Provider User has activated the Számlázz.hu integration | Hungary (EU) | Hungarian data processor, GDPR-compliant |
| National Tax and Customs Administration (NAV) | Online invoice data reporting — direct transfer of issued invoice data to the NAV Online Invoice system, based on statutory obligation | Hungary | Statutory obligation (Act CL of 2017 — Art.), not a third-party data processor |
| OpenRouter / Google Gemini | AI text generation (optional feature) | USA / EU | Only public business description is transferred |
| GitHub, Inc. | Bug reporting (Issues) | USA | EU–US Data Privacy Framework |

Important: Bank card data is not stored directly. The entire payment process is handled by Stripe in accordance with the PCI DSS standard.

7. Data Security Measures

  • Password authentication is managed by Firebase Authentication (Google) — passwords are not stored on our servers. Google handles password hashing using its own secure algorithm.
  • Authentication is JSON Web Token (JWT) based, with a 7-day expiry, signed with a server-side secret key.
  • HTTPS encrypted data transfer on all communication channels.
  • In the case of Google OAuth authentication and Google Calendar synchronisation, access tokens and refresh tokens are stored encrypted in the database.
  • File uploads are protected with type and size validation (max. 5 MB, image formats only).
  • Regular backups and logging.

8. Your Rights (GDPR Articles 15–22)

Under EU data protection law, you have the following rights:

  • Right of access (Art. 15) — You may request information about what personal data we process about you.
  • Right to rectification (Art. 16) — You may request correction of inaccurate data.
  • Right to erasure ("right to be forgotten", Art. 17) — You may request deletion of your personal data where processing is no longer necessary for the original purpose.
  • Right to restriction (Art. 18) — You may request restriction of processing under certain conditions.
  • Right to data portability (Art. 20) — You may request your data in a machine-readable format.
  • Right to object (Art. 21) — You may object to processing of your personal data based on legitimate interest.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise your rights, please contact us at hello@bookify.hu. Requests will be fulfilled within 30 days.

9. Right to Lodge a Complaint

If you believe that the processing of your personal data has caused you harm, you may contact the following authority:

  • National Authority for Data Protection and Freedom of Information (NAIH)
  • Address: 1055 Budapest, Falk Miksa utca 9-11.
  • Website: www.naih.hu
  • Email: ugyfelszolgalat@naih.hu
  • Phone: +36 (1) 391-1400

You may also seek judicial remedy under the Infotv. and Act V of 2013 on the Civil Code.

10. Cookies

The Bookify platform uses functional cookies to manage user sessions and authentication (JWT token storage). These are strictly necessary for the operation of the service.

We do not use analytical or marketing cookies.

11. Service Provider User as Independent Data Controller

Service Provider Users (businesses) registered on the Bookify platform are considered independent data controllers in relation to the personal data of their own clients. Bookify acts as a data processor in this regard pursuant to Article 28 GDPR. The Service Provider User is obliged to properly inform their own clients about data processing.

12. Children's Personal Data

The Bookify service is not intended for persons under the age of 16. We do not knowingly collect personal data of children under 16. If we become aware that we are processing data of a person under 16, we will delete it without delay.

13. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Registered users will be notified of material changes by email, and visitors to the website will be informed by a notice posted on the site. The modified policy takes effect on the date of publication.

14. Contact

For data protection questions or requests, please contact us:

  • Email: hello@bookify.hu
  • Phone: +36 20 549 2533