1. Data Controller
The data controller for this Service is:
Booking Bible ApS
Torvegade 66
1400 København K, Denmark
CVR: 46504666
Email: privacy@bookingbible.com
When studio operators ("Operators") use BOOKING BIBLE to manage their members, the Operator is the data controller for their member data, and BOOKING BIBLE acts as a data processor. This relationship is governed by our Data Processing Agreement.
2. Data We Collect
Account Data
Name, email address, phone number, date of birth, profile photo, and emergency contact information provided during registration.
Booking and Activity Data
Class bookings, attendance history, check-in records, pass purchases, cancellation history, and class feedback/ratings.
Payment Data
Payment method details are processed and stored by Stripe. We store transaction records, invoice history, and Stripe customer identifiers. We do not store full card numbers or CVV codes.
Health Data
Responses to health questionnaires required for certain class types (e.g., hot yoga). This data is processed with your explicit consent.
Technical Data
IP address, browser type, device information, pages visited, and interaction events collected for analytics, security, and service improvement.
Communication Data
Email delivery status, SMS delivery status, and engagement metrics (opens, clicks) for service communications.
Mobile Application Analytics
When you use the Booking Bible mobile app (iOS or Android), and only if you have given explicit consent within the app, we collect anonymised usage data to improve the application. This includes:
- Which screens you visit within the app
- Whether you started or completed a class booking through the app
- Whether you enabled push notifications
- Technical information: app version, device platform (iOS/Android)
Purpose: Improving the mobile application experience for all users.
Processor: Booking Bible ApS, acting as data processor on behalf of the venue you have connected to. Data is stored by Supabase, Inc. in the EU (eu-central-1, Frankfurt, Germany).
Retention: Usage data is retained for 13 months from collection, then automatically deleted.
Legal basis: Your explicit consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time via Settings → Privacy in the app. Withdrawal does not affect the lawfulness of processing before withdrawal.
No sale or sharing: This data is not sold, shared with third parties, or used for advertising profiling.
3. Purpose and Legal Basis
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the booking service | Art. 6(1)(b) — Contract performance |
| Processing payments | Art. 6(1)(b) — Contract performance |
| Service communications (confirmations, reminders) | Art. 6(1)(b) — Contract performance |
| Health questionnaires | Art. 9(2)(a) — Explicit consent |
| Marketing communications | Art. 6(1)(a) — Consent |
| Analytics and service improvement | Art. 6(1)(f) — Legitimate interest |
| Legal compliance (tax, accounting) | Art. 6(1)(c) — Legal obligation |
4. Data Retention
- Account data: Retained while your account is active, then deleted within 30 days of an account deletion request.
- Booking history: Retained for 3 years for service quality and dispute resolution.
- Payment records: Retained for 5 years per Danish bookkeeping law (Bogføringsloven).
- Health questionnaires: Retained for 1 year after last activity, then deleted.
- Analytics data: Aggregated and anonymized after 24 months.
- Audit logs: Retained for 2 years.
Feature-related data retention
When a customer disables a paid feature or downgrades to a tier that no longer includes a feature, data created with that feature (automations, scheduled communications, knowledge entries, etc.) is preserved during a grace period and then deleted. See our Terms of Service §5a for current grace-period durations.
5. Your Rights
Under GDPR, you have the following rights:
- Right of Access (Art. 15) — Request a copy of your personal data.
- Right to Rectification (Art. 16) — Correct inaccurate personal data.
- Right to Erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
- Right to Data Portability (Art. 20) — Receive your data in a machine-readable format.
- Right to Object (Art. 21) — Object to processing based on legitimate interest.
- Right to Restrict Processing (Art. 18) — Request limitation of processing.
- Right to Withdraw Consent (Art. 7) — Withdraw consent at any time for consent-based processing.
To exercise your rights, email privacy@bookingbible.com or use the data export/delete features in your account settings. We will respond within 30 days.
7. Third-Party Processors
We use the following third-party services to provide the Service:
| Service | Purpose | Location |
|---|---|---|
| e-conomic | Danish accounting integration for venue payouts | DK |
| Anthropic | Claude AI for Studio Manager + customer agents | US |
| PostHog Cloud EU | Product analytics — funnels, retention, cohorts, experiments, session replay | EU |
| BunnyCDN | Legacy media CDN (sunsetting) | EU |
| Supabase | Postgres database, Auth, Storage, Realtime | EU (project region) |
| Upstash Redis | Distributed rate-limiting + hot-path cache | EU available |
| Resend | Transactional + marketing email delivery | US |
| Vercel | Application hosting, edge functions, CDN | US edge |
| ClassPass | Class-discovery network for fitness venues | US |
| Cloudflare Turnstile | Bot protection on signup and other public forms | Global edge |
| GitHub | Source control + CI / CD | US |
| Zapier | Workflow automation (varies per Zap) | US |
| BetterStack Uptime | External synthetic uptime monitoring + public status page | EU |
| Sentry | Error monitoring + performance tracing | EU available — currently US |
| Adyen | Enterprise multi-region payment processing | EU (Netherlands) |
| Mollie | European payment processing (alternative to Stripe Connect) | EU (Netherlands) |
| Reepay | Danish-native subscription billing (alternative to Stripe) | DK |
| Stripe | Card + MobilePay processing, Connect marketplace | US + EU |
| Gateway API | Transactional SMS delivery (DK + global) | DK |
| Mux | Live streaming + recording for online classes | US |
The complete sub-processor registry — including data categories, SOC 2 / ISO 27001 posture, sub-sub-processors, and signed DPA links — is published at /legal/sub-processors.
Where data is transferred outside the EU/EEA, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs) or adequacy decisions.
8. Data Protection Officer
For data protection inquiries, contact our Data Protection Officer:
Email: dpo@bookingbible.com
Booking Bible ApS
CVR 46504666
Torvegade 66, 1400 København K, Denmark
9. Supervisory Authority
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email and a notice on the Service. The "Last reviewed" date in the hero above reflects the most recent revision.