Privacy Policy
Last updated: 24 June 2026
Bookable Ltd ("we", "us", "our") operates the Bookable CRM platform at bookablecrm.com and app.bookablecrm.com. This policy explains how we collect, use, store and protect personal data when you visit our website, use our platform, or interact with us.
We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB591921.
1. Data controller
Bookable Ltd is the data controller for personal data collected through our website and platform. For enquiries about your data, contact us at admin@bookable.online.
2. What data we collect
| Category | Data | Source |
|---|---|---|
| Account data | Name, email address, password (hashed) | You, on sign-up |
| Contact/CRM data | Names, emails, phone numbers, addresses, notes, pipeline stages, case records, documents | You or your connected integrations |
| Billing data | Payment method details, invoices, subscription status | Stripe (our payment processor) |
| Enquiry data | Name, email, message content | You, via our contact form |
| Usage data | Pages visited, features used, IP address, browser type, device info | Automatically collected |
| Integration data | OAuth tokens, calendar events, email metadata, Squarespace contacts and orders | Third-party services you connect (Google, Outlook, Squarespace, etc.) |
3. How we use your data
- To provide and operate the Bookable CRM platform
- To process your subscription and payments
- To respond to enquiries and support requests
- To sync data between your connected third-party services (e.g. Google Calendar, Squarespace)
- To send transactional emails (booking confirmations, login links, notifications)
- To improve our platform and develop new features
- To comply with legal obligations
4. Lawful basis for processing
| Purpose | Lawful basis |
|---|---|
| Providing the platform | Performance of a contract |
| Processing payments | Performance of a contract |
| Responding to enquiries | Legitimate interest |
| Third-party integrations | Consent (you authorise each connection) |
| Platform improvement | Legitimate interest |
| Legal compliance | Legal obligation |
5. Third-party processors
We share personal data only with processors that are necessary to operate the platform:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, edge functions | EU (AWS eu-west) |
| Vercel | Application hosting | Global (edge network) |
| Stripe | Payment processing | US/EU |
| SendGrid | Transactional email delivery | US |
| Daily.co | Video call infrastructure | US |
| Google / Microsoft | Calendar and email sync (when connected by user) | US |
| Squarespace | Website hosting and contact/order sync (when connected by user) | US |
We do not sell personal data to any third party.
6. International transfers
Some of our processors operate outside the UK/EEA. Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) or the processor's participation in recognised adequacy frameworks to ensure appropriate safeguards are in place.
7. Data retention
- Account and CRM data: retained for the duration of your subscription, plus 30 days after cancellation to allow reactivation
- Enquiry data: retained for 12 months after your last interaction
- Billing records: retained for 7 years to comply with UK tax and accounting requirements
- Usage logs: retained for 90 days
8. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention requirements)
- Restriction — ask us to limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email admin@bookable.online. We will respond within 30 days.
9. Cookies
Our platform uses essential cookies required for authentication and session management. We do not use third-party advertising or tracking cookies. Squarespace may set its own cookies on the marketing site — see Squarespace's cookie policy for details.
10. Security
We protect personal data using:
- Encryption in transit (TLS) and at rest
- Row-level security on all database tables
- OAuth 2.0 for third-party integrations (no passwords stored)
- Role-based access controls within the platform
- Regular security reviews of infrastructure and dependencies
11. Data processing for CRM clients
When you use Bookable CRM to manage your own clients' data, you act as the data controller for that data and we act as your data processor. You are responsible for ensuring you have a lawful basis to collect and process your clients' personal data. We process it only on your instructions and in accordance with this policy.
12. Children
Bookable CRM is not directed at individuals under 16. We do not knowingly collect personal data from children.
13. Changes to this policy
We may update this policy from time to time. We will notify registered users of material changes by email. The "Last updated" date at the top of this page reflects the most recent revision.
14. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
15. Contact
Bookable Ltd
Email: admin@bookable.online
ICO registration: ZB591921