Privacy policy

Privacy Policy and Data Protection

Version 1.3

Last updated: 15 May 2026

1. IDENTITY OF THE DATA CONTROLLER

In compliance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and other applicable legislation, users are informed that the personal data processed through the Bookniapp digital platform are controlled by:

Miquel Puente Matute

Tax Identification Number (NIF): 43571582Z

Address: C/ Cinca 104, 7º 3ª, 08030 Barcelona, Spain

Contact email: [email protected]

The Controller ensures full compliance with current data protection regulations.

PROVENANCE OF DATA

Personal data may come from:

• a) information provided directly by the User;
• b) data provided by Businesses in booking/client management;
• c) data generated through use of the platform;
• d) permissions granted by the User on their device.

2. CATEGORIES OF PERSONAL DATA PROCESSED

Bookniapp may process the following categories of personal data:

2.1. Data provided directly by the User

• First and last name
• Email address
• Phone number (optional)
• Password (stored using secure hashing with bcrypt; we never access its content in plain text)
• Profile image (optional)
• Business information (for Business accounts)
• Photos or multimedia content uploaded to the platform
• Professional data optionally provided by the User, collected only when the Business requires invoicing:
  - professional status (isProfessional)
  - identification document (DNI/NIF)
  - business name
  - fiscal address
  These data are requested in line with the data minimisation principle (Art. 5.1.c GDPR).

2.2. Data generated through the use of the Platform

• Booking history
• Calendars and schedules
• Internal business notes
• Push notification tokens
• IP address
• Device identifiers
• Operating system, browser and device model
• Activity logs (access logs, errors, technical events)

2.3. Location data

• Approximate or precise geolocation (with the User’s permission)
• Business addresses on maps
• Coordinates generated through Google Maps APIs

2.4. Third-party data entered by Businesses

Businesses may upload or manage data belonging to their own clients, such as:

• Name
• Phone number
• Email address
• Booking history
• Internal notes

In these cases, the Business acts as the data controller, and Bookniapp acts as the data processor.

2.5. Communication data

• Emails exchanged with Bookniapp
• Support interactions
• WhatsApp communication

2.6. Monitoring and technical diagnostics data (Sentry)

Bookniapp uses Sentry to monitor app errors, performance and stability.

Bookniapp configures Sentry with the sendDefaultPii=false option, so email addresses and usernames are not transmitted. In this context, only technical and usage data are processed: pseudonymised internal identifier (UUID), truncated IP address, technical headers, device type, operating system, app version, error traces, performance metrics and technical navigation events (breadcrumbs).

In sampled sessions or when an error occurs, technical session replay information may be recorded exclusively for debugging and service improvement purposes.

3. PURPOSES OF THE PROCESSING

Personal data will be processed for the following purposes:

3.1. Core functionalities of the service

• Creation and management of the User account
• Management of bookings between Clients and Businesses
• Management of calendars, schedules and availability
• Display of nearby businesses using geolocation
• Sending appointment reminders and push notifications
• Real-time synchronisation of Platform data across devices

3.2. Administrative, contractual and legal purposes

• Providing and maintaining the contracted service
• Ensuring system security, stability and availability
• Preventing fraud and unauthorised access
• Complying with legal, tax and accounting obligations

3.3. Personalisation, continuous improvement and new features

Data may be processed to:

• Personalise the User experience
• Conduct statistical and usage analysis
• Improve navigation, performance and system stability
• Detect technical issues and optimise functionalities
• Develop, test and implement new features, tools or services within Bookniapp
• Enhance the performance of both the website and mobile applications

These operations may involve anonymised or pseudonymised data whenever possible.

3.4. Commercial communication

• Sending newsletters (only to Users who subscribe voluntarily)
• Sending promotional or commercial messages (with explicit consent)

Users may withdraw consent and unsubscribe from these communications at any time, without affecting the lawfulness of prior processing.

3.5. Communication of Data to Businesses for Reservation Management

When a User makes a reservation, Bookniapp communicates the data strictly necessary to the selected Business in order to manage the reservation.

The Business will receive the following Client data: full name, email address, phone number, any notes or comments provided by the Client, and in the case of professional Users, the relevant fiscal information (identification document, business name and fiscal address).

The purpose of this communication is to allow the Business to execute, confirm, modify or cancel the reservation, manage the relationship with the Client, and issue documentation where required.

3.6. Error, performance and service quality monitoring

Data may be processed to detect, diagnose and resolve technical incidents, analyse performance, prevent recurring failures, and improve platform stability and security.

3.7. Export and interoperability

Bookniapp may generate or export booking information in formats compatible with external tools (for example, calendar or PDF) when the User uses these features.

3.8. Third-party data provided by Businesses

When a Business imports or enters third-party data into the platform, it declares that it has a sufficient legal basis and has fulfilled its information obligations toward those third parties.

4. LEGAL BASIS FOR THE PROCESSING

The legal bases for processing are:

a) Performance of a contract

For:

• account and profile management,
• booking management,
• notification services,
• access to the Platform,
• including the communication of Client data to the Business for reservation management.

b) User consent

For:

• newsletters and marketing communications,
• analytics cookies,
• geolocation,
• push notifications,
• mobile app permissions.

c) Legitimate interest

For:

• security and fraud prevention,
• service improvements,
• technical monitoring of errors and performance,
• proactive maintenance of security and service continuity,
• technical traceability for incident resolution,
• anonymised analytical insights,
• platform performance optimisation.

d) Legal obligation

For:

• retention of records,
• accounting and tax compliance,
• obligations imposed by authorities.

5. DATA RETENTION

Personal data will be retained:

• for the duration of the contractual relationship,
• while the User maintains an active account,
• as long as required by legal or tax obligations,
• and, where applicable, for up to 5 years for audit or fraud-prevention purposes.

Once the account is deleted, the User's personal data are erased in accordance with Art. 17 GDPR. Associated bookings are anonymised (without name, email address or phone number) and retained only in aggregated form for statistical purposes and to comply with the accounting obligations of the affected Businesses, for a maximum of 5 years.

The above retention periods may be extended where a longer legal retention obligation exists, or while legal liabilities may arise.

Once the retention periods end, data will be deleted, blocked or anonymised as appropriate.

Cookie consent log: Bookniapp keeps a technical record of every consent decision (version, chosen option, country code and anonymous technical markers) in its own infrastructure for a maximum of 24 months, as proof of consent under Art. 7.1 GDPR. Records are deleted automatically once that period expires.

6. RECIPIENTS AND TECHNICAL SERVICE PROVIDERS

To provide Bookniapp’s services, data may be shared with service providers acting as data processors, including:

6.1. Infrastructure and backend

• Supabase — database, authentication, storage and real-time synchronisation. Servers located in Paris, France (European Union), ensuring processing within the EEA without the need for Standard Contractual Clauses (SCC).
• Google Cloud Run (auxiliary services/functions, where applicable).

The main authentication system in the app is Supabase Auth.

6.2. Geolocation and Maps

• Google Maps Platform (Maps, Geocoding, Places APIs)

6.3. Analytics and web positioning

• Google Analytics 4 (web) — only with user consent.
• Google Search Console and Bing Webmaster Tools (web). Indexing services that do not install cookies or scripts in the User's browser; they only analyse aggregated crawl data their bots already collect when indexing the site.
• Microsoft Clarity (Microsoft Corporation, USA) — web heatmaps and session recordings, only with user consent.

Additionally, Bookniapp collects anonymised or pseudonymised usage events directly within its Supabase (EU) infrastructure for internal statistical analysis. These data are not transferred to Google Analytics or to any third party; they remain in the environment controlled by Bookniapp with encryption in transit and at rest.

6.4. Communications and payments (current or future)

• Apple Push Notification Service (Apple Inc.) for delivering push notifications on iOS devices.
• Firebase Cloud Messaging (Google LLC) for delivering push notifications on Android devices.

6.5. Website hosting

• Hostinger
• Cloudflare (Turnstile captcha)

6.6. Communication of Data to Businesses with Which the User Makes a Reservation

When a User makes a reservation, the corresponding Business becomes the data controller for the Client information it receives.

Bookniapp acts solely as a technological intermediary and does not control or supervise the subsequent processing carried out by the Business.

6.7. Monitoring and observability

Sentry (Functional Software, Inc.) for error monitoring, performance monitoring and technical diagnostics.

6.8. Social sign-in

Google Sign-In and Sign in with Apple, when the User chooses to authenticate with the corresponding account.

Some providers may operate only in certain channels (web or app) and/or in specific functionalities.

All service providers implement GDPR-compliant safeguards, including Standard Contractual Clauses (SCC) where necessary.

7. INTERNATIONAL DATA TRANSFERS

Bookniapp may transfer personal data outside the European Economic Area due to the use of certain third-party providers, particularly in:

• The United States
• Other jurisdictions recognised under GDPR-compliant agreements

These transfers rely on:

• Standard Contractual Clauses approved by the European Commission
• Additional security measures
• Data encryption in transit and at rest
• Risk assessment in accordance with GDPR requirements

The legal basis for each international transfer is assessed provider by provider (adequacy decision, standard contractual clauses or another valid mechanism), applying supplementary measures when necessary.

8. USER RIGHTS

Users may exercise the following rights at any time:

• Right of access
• Right to rectification
• Right to erasure
• Right to object
• Right to data portability
• Right to restriction of processing
• Right to withdraw consent
• Right to lodge a complaint with the relevant Data Protection Authority

To exercise these rights, Users may contact: [email protected]

Before filing a complaint with the AEPD, we recommend that the User first contact Bookniapp at [email protected] to resolve the matter. If the response is not satisfactory, the User may turn to the Spanish Data Protection Agency (AEPD), the supervisory authority in Spain, via its electronic site (https://www.aepd.es).

When data have been entered or directly processed by a Business within Bookniapp to manage bookings or clients, Users may also exercise their rights against that Business as data controller.

8.1. Data portability and access

The User may exercise their right to data portability and access by downloading a full JSON dump of their data directly from Profile → Account settings → Export my data.

8.2. Account deletion and right to erasure

The User may delete their account at any time from Profile → Account settings → Delete account, without the need to contact Bookniapp. Deletion is immediate and irreversible.

When the account is deleted, Bookniapp proceeds as follows:

Data deleted immediately:

• User profile (first name, last name, email, phone, picture).
• Professional data (DNI/NIF, business name, fiscal address).
• Active sessions, authentication tokens and MFA keys.
• Push notification tokens.
• Images uploaded to the platform (profile, business, services, calendars, events, classes).
• Client and booking data managed by the Business (when a Business deletes its account).
• Pending requests, suggestions and communications.

Data retained in anonymised form:

• Historical past bookings: detached from the User's identity but retained without personal data for statistical purposes and the accounting obligations of the affected Businesses (up to 5 years).

Data retained due to legal obligations:

• Tax information associated with issued invoices (up to 6 years, Art. 30 Spanish Commercial Code).
• Access and security logs (up to 12 months, Art. 32 GDPR).

The User may also exercise their right to erasure by writing to [email protected]. In such cases, Bookniapp will respond within one month of receipt at the latest, in accordance with Art. 12.3 GDPR.

Before deleting the account, we recommend that the User exercise their right to data portability by downloading a copy of their data from Profile → Account settings → Export my data.

9. SECURITY AND CONFIDENTIALITY

Bookniapp applies technical and organisational measures appropriate to the risk to protect the confidentiality, integrity and availability of personal data.

These measures include:

• encryption of data in transit and at rest,
• secure authentication mechanisms (Supabase Auth),
• role-based access controls,
• activity logging and audit trails in Supabase,
• secure hosting on Google Cloud,
• firewalls and intrusion prevention systems,
• regular backups and redundancy.

9.1. Data breach notification

In the event of a security breach involving a risk to the rights and freedoms of the User, Bookniapp will notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours after becoming aware of it and, where applicable, will inform affected Users without undue delay, in accordance with Articles 33 and 34 of the GDPR.

9.2. Multi-factor authentication (MFA)

Bookniapp offers multi-factor authentication (TOTP), available to all users from Profile → Account settings → Two-step authentication. This additional layer strengthens protection against unauthorised access, even if the password is leaked.

10. PRIVACY IN THE MOBILE APPLICATION

The Bookniapp mobile application may request access to:

• Geolocation
• Push notifications
• Camera
• Gallery/Photos
• Contacts (for client import by Businesses)

Permissions may be revoked by the User at any time through the device settings.

11. MINORS

Bookniapp is a service aimed at professionals and businesses. Use of the Platform requires the User to be a legal adult (18 years or older), in line with Spanish legislation applicable to service contracting and to the holding of business activities.

Bookniapp does not knowingly collect or process data from minors. During the registration process, the User confirms that they meet the legal age requirement.

If a minor is identified as having registered without the corresponding legal authorisation, the account will be deleted and any associated data will be erased without delay.

12. AUTOMATED DECISION-MAKING AND PROFILING

Bookniapp does not engage in automated decision-making that produces legal or similarly significant effects.

The Platform may use basic logic for:

• displaying nearby businesses
• sorting results by relevance
• sending automated reminders

These do not produce significant effects on the User.

13. AFFILIATE PROGRAMME

Bookniapp operates an Affiliate Programme open to web agencies, independent sales representatives, business consultants and other profiles who wish to collaborate in promoting the platform.

13.1. Data collected in the application form

The following personal data are collected via the affiliate application form:

• First and last name
• Company or organisation name
• Contact email address
• Phone number (optional)
• Description of professional activity
• Any additional information provided voluntarily

13.2. Purpose of processing

• Assessing and managing applications to join the programme.
• Contacting the applicant to communicate the outcome of their application.
• Where approved, managing the commercial relationship arising from the affiliate agreement.

13.3. Legal basis

Processing is based on:

• Pre-contractual measures (Art. 6.1.b GDPR): assessing the application and, where applicable, formalising the affiliate agreement.
• Legitimate interest (Art. 6.1.f GDPR): internal management and monitoring of the programme.

13.4. Retention period

Data from unsuccessful applications will be retained for a maximum of 12 months from receipt. Data relating to active affiliates will be retained for the duration of the agreement and subsequently for the applicable statutory periods.

13.5. Recipients

Data will not be disclosed to third parties except where required by law. Processing is carried out internally by the Bookniapp team, with access to Supabase systems acting as data processor.

14. CHANGES TO THIS POLICY

Bookniapp may update this Privacy Policy at any time.

Any significant changes will be communicated clearly to Users.

When changes are substantial, Bookniapp may request explicit acceptance of the new version in order to continue using the service.

15. CONTACT

For privacy-related questions or rights requests send us an email to [email protected]