Legal
Privacy and Data Policy
Effective date: April 15, 2026
1. Overview
CoreBookin is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, who we share it with, and how long we retain it. It applies to all users of the Platform: business owners, staff, and customers.
2. Data We Collect
Account and Identity Data
When you create an account we collect your email address and a hashed password. Business owners additionally provide a business name, URL slug, phone number, address, and timezone. Staff members provide their name and email. This data is processed through Supabase Auth, our authentication provider.
Booking and Operational Data
We store booking records including service details, scheduled times, staff assignments, attendance status, and any notes associated with a booking. This data belongs to the business account that created it and is accessible to the business owner and their staff.
Communication and Notification Data
When the business sends notifications to customers we log delivery attempts, delivery status, and provider-level lifecycle events (sent, delivered, failed). These notification delivery logs are retained for 365 days from the date of the event.
SMS Consent Data
If a business has the SMS add-on enabled, we collect and store explicit SMS consent records for each recipient. A consent record includes the customer's identity, the business context, the phone number, the timestamp, the source flow, and the consent text version presented. Consent is never pre-checked or assumed. Consent history is retained for a minimum of 365 days.
Billing and Webhook Data
Payment events are processed by Stripe, our payment processor. We receive webhook notifications from Stripe to update your entitlement state (e.g., activating or expiring the SMS add-on). We store webhook ingestion records for 180 days. CoreBookin does not store full card numbers or primary account numbers.
Usage and Technical Data
We may collect standard server-side request logs (IP address, user-agent, route accessed, response time) for operational monitoring and security purposes. These are not used for behavioral advertising.
3. How We Use Your Data
- To authenticate you and maintain your session.
- To deliver the scheduling, booking, and communication features of the Platform.
- To send transactional notifications (booking confirmations, reminders, updates) on behalf of the business.
- To process and verify entitlement state changes triggered by payment events.
- To detect fraud, investigate security incidents, and enforce our Terms.
- To fulfill legal or regulatory obligations.
We do not sell your personal data. We do not use your data for third-party advertising.
4. Third-Party Processors
We share data only with the processors required to operate the Platform:
- Supabase — database, authentication, and storage infrastructure. Data is stored in Supabase-managed PostgreSQL. Supabase is subject to its own DPA and SOC 2 compliance program.
- Stripe — payment processing and billing event webhooks. Stripe processes payment card data under PCI-DSS standards.
- SMS Provider (Twilio) — delivery of SMS notifications to customers who have provided explicit consent. SMS traffic is subject to US carrier registration requirements (10DLC / campaign registration).
All processors are bound by contractual data processing obligations consistent with applicable privacy law.
5. SMS Communications and Opt-Out
SMS messages are only sent to customers who have provided explicit, unambiguous, and auditable consent. Each SMS message identifies the business sending it and includes an opt-out instruction.
Replying STOP to any SMS immediately suppresses all future messages from that business to that phone number. Replying HELPreturns support guidance. Both actions are logged for audit purposes. Quiet-hours rules based on the recipient's local timezone are enforced automatically.
6. Data Retention
| Record Type | Retention Window | Owner |
|---|---|---|
| Notification delivery logs | 365 days | Operations + Security |
| SMS consent and suppression records | 365 days minimum | Operations + Security |
| Stripe webhook ingestion records | 180 days | Operations |
| Booking and business operational data | Duration of account + 90 days after closure | Operations |
| Account and identity data | Duration of account + 30 days after closure | Engineering + Security |
7. Your Rights
Depending on your jurisdiction you may have the right to access, correct, port, or request deletion of your personal data. To exercise any of these rights, contact us at [email protected].
For customers of a business using CoreBookin, your primary relationship for data access requests is with that business. CoreBookin will cooperate with verified requests and direct you appropriately.
8. Security
CoreBookin enforces tenant isolation at the database layer using Row Level Security (RLS). API routes enforce authorization boundaries. Webhook authenticity is verified before processing. Credentials are never logged or stored in plain text.
Despite these measures, no system is completely secure. In the event of a data breach affecting your information, we will notify you as required by applicable law.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice before they take effect. Continued use of the Platform after the effective date constitutes acceptance.
10. Contact
Privacy-related inquiries: [email protected]