Privacy Policy

Last updated: 25 January 2026

1. Introduction

BookEngine (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our booking platform.

We operate as a data processor for business owners (our customers) and as a data controller for our own business operations. This policy covers both roles.

2. Information We Collect

2.1 Business Owner Information

When you create a BookEngine account, we collect:

  • Email address (for authentication and notifications)
  • Business name and type
  • Contact information (phone, address)
  • Business logo and branding preferences
  • Service offerings and pricing
  • Availability and scheduling preferences

2.2 Customer Booking Information

When customers make bookings through our platform, the following data may be collected (as configured by each business):

  • Name and email address (required for all bookings)
  • Phone number
  • Custom fields as configured by the business (e.g., vehicle registration, notes)
  • Uploaded files (documents, images) if requested by the business
  • Booking history and preferences

2.3 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or full payment details on our servers. We only store:

  • Transaction references and payment status
  • Amount paid and refund information
  • Stripe customer and payment intent IDs

2.4 Technical Information

We automatically collect:

  • IP address and approximate location
  • Browser type and version
  • Device information
  • Pages visited and actions taken
  • Cookies and similar tracking technologies (see our Cookie Policy)

3. Third-Party Services

3.1 Google Calendar Integration

If you connect your Google Calendar, we access the following data using Google's OAuth 2.0 authentication:

  • Calendar list: To let you choose which calendar to sync with
  • Calendar events (read): To check for busy times and prevent double-bookings
  • Calendar events (write): To create booking events on your calendar

Data retention: We store OAuth tokens securely to maintain your calendar connection. Calendar event data is queried in real-time and not permanently stored on our servers.

Revoking access: You can disconnect Google Calendar at any time from your settings page, or revoke access directly from your Google Account permissions.

3.2 Stripe Payment Processing

Payments are processed through Stripe Connect. When you connect Stripe:

  • You create an account directly with Stripe
  • Stripe handles all payment card data securely
  • We receive transaction confirmations and payment status updates
  • Customer payment data is subject to Stripe's Privacy Policy

3.3 SendGrid Email Service

We use SendGrid to send transactional emails (booking confirmations, reminders, notifications). Email addresses and message content are processed by SendGrid according to their privacy policy.

3.4 Vercel Blob Storage

Customer-uploaded files (documents, images) are stored securely on Vercel Blob storage. Files are:

  • Accessible only via unique, unguessable URLs
  • Associated with specific bookings
  • Retained according to our data retention policy

4. How We Use Your Information

We use the collected information to:

  • Provide and maintain our booking platform
  • Process bookings and payments
  • Send booking confirmations and reminders
  • Sync with connected calendars
  • Provide customer support
  • Improve our services and develop new features
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

5. Data Sharing

We do not sell your personal information. We share data only:

  • With service providers: As described above (Stripe, SendGrid, Google, Vercel)
  • Between business and customer: Booking information is shared with the relevant business
  • For legal compliance: When required by law or to protect our rights
  • With consent: When you explicitly agree to share information

6. Data Retention

We retain your information for as long as necessary to provide our services:

  • Business accounts: Until you delete your account
  • Booking records: 7 years (for tax and legal compliance)
  • Uploaded files: Until the associated booking is deleted or upon request
  • OAuth tokens: Until you disconnect the integration
  • Analytics data: 26 months

7. Your Rights (GDPR)

Under the UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data (“right to be forgotten”)
  • Restrict processing: Request limitation of data processing
  • Data portability: Receive your data in a portable format
  • Object: Object to certain types of processing
  • Withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@bookengine.io.

8. Data Security

We implement appropriate security measures including:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Secure authentication (magic links, no password storage)
  • Regular security reviews
  • Access controls and audit logging

9. International Transfers

Your data may be processed in countries outside the UK/EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.

10. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our platform. Continued use of our services after changes constitutes acceptance.

12. Contact Us

For privacy-related inquiries, contact us at:

Email: privacy@bookengine.io

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.