Privacy Policy
Last updated: February 2026
1. Controller
What's Booked ("we", "us", "our") is the data controller for personal data processed through this platform. For questions about data protection, contact us at privacy@whatsbooked.com.
2. Data We Collect
2.1 Business Owners (Tenants)
- Account information: name, email address, business name, business type
- Authentication data: managed by Supabase Auth (OAuth tokens, session tokens)
- Business configuration: services, hours, staff, settings
- Usage data: audit logs, feature usage patterns
2.2 Customers (End Users of Businesses)
- Booking information: name, email, phone number, appointment details, notes
- Communication records: reminders, confirmations, feedback responses
- Waitlist entries: preferred dates, notification preferences
2.3 Website Visitors
- With consent: analytics data (PostHog), error tracking (Sentry)
- Without consent: essential cookies for authentication and session management only
3. Legal Basis for Processing (Art. 6 GDPR)
- Contract performance (Art. 6(1)(b)): Processing account data, appointments, and communications necessary to provide our service.
- Legitimate interest (Art. 6(1)(f)): Server-side error tracking (Sentry), security logging, fraud prevention.
- Consent (Art. 6(1)(a)): Analytics cookies (PostHog), session replay, marketing communications.
- Legal obligation (Art. 6(1)(c)): Tax and accounting records, regulatory compliance.
4. AI Processing Disclosure
What's Booked uses artificial intelligence to assist with:
- Email classification and draft generation
- Appointment reminders and confirmation messages
- Customer chat responses (booking assistant)
- Review response suggestions
- Feedback request generation
AI processing is performed by third-party language model providers (see Sub-processors below). Personal data included in AI processing is limited to what is necessary for the specific task (e.g., customer name and appointment time for reminders). AI-generated content is reviewed and can be edited before sending.
5. Sub-processors
| Provider | Purpose | Data Region |
|---|---|---|
| Supabase | Database hosting, authentication | EU (Frankfurt) |
| Moonshot AI (Kimi) | AI language model for content generation | Varies |
| PostHog | Product analytics (with consent only) | US |
| Sentry | Error tracking and performance monitoring | US |
| Resend | Transactional email delivery | US |
| OpenClaw (WhatsApp) | WhatsApp message delivery for notifications | EU |
| Stripe | Payment processing | US/EU |
| Hetzner | Server infrastructure | EU (Germany) |
6. Data Retention
- Active accounts: Data retained for the duration of the service relationship.
- After account deletion: All tenant data deleted immediately via cascade. Backups purged within 30 days.
- Audit logs: Retained for 12 months, then automatically purged.
- Analytics data: PostHog data retained per PostHog's retention policy (typically 12 months).
- Email unsubscribes: doNotContact flag retained indefinitely to respect the preference.
7. Your Rights (Art. 15–21 GDPR)
As a data subject, you have the right to:
- Access (Art. 15): Request a copy of your personal data. Use the "Export Data" feature in account settings or contact us.
- Rectification (Art. 16): Correct inaccurate personal data via your dashboard or by contacting us.
- Erasure (Art. 17): Delete your account and all associated data via Settings > Delete Account, or by contacting us.
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Portability (Art. 20): Export your data in a structured, machine-readable format (JSON).
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent: For analytics cookies, change preferences via the cookie banner at any time.
8. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. In Germany, this is the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn, www.bfdi.bund.de.
9. Cookies
We use the following cookies:
- Essential (always active): Supabase auth session cookies, CSRF protection.
- Analytics (consent required): PostHog tracking cookies, Sentry session replay.
- Consent: fp_consent — stores your cookie preferences (365 days, SameSite=Lax).
10. Security
We implement appropriate technical and organizational measures to protect personal data, including: encryption in transit (TLS), encryption at rest for sensitive tokens, per-tenant data isolation, role-based access control, and regular security audits.
11. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be communicated via email to account holders. The "Last updated" date at the top of this page indicates the most recent revision.
12. Contact
For privacy inquiries or to exercise your data rights, contact us at privacy@whatsbooked.com.