
Privacy Policy

How we handle your personal data and your customers' personal data when you use BookHero. No fine print.

Last updated: May 30, 2026

1. Who is the data controller

This Privacy Policy explains how Globaluminate, Lda ("BookHero", "we", "us") collects, uses, shares and protects personal data when you use BookHero (the "Service"). We are the controller for the personal data described below, except for personal data you upload about your customers, where you are the controller and we act as your processor.

Privacy contact: help@bookhero.app

Postal address: Globaluminate, Lda, Av. Peregrinação 6, 4 Esq, 1990-357 Lisboa, Portugal · NIPC 518729877

2. Personal data we collect

  • Account data: name, email, password (hashed), language preference, account creation date.
  • Business profile data: business name, address, phone number, services, opening hours, team members.
  • Billing data: subscription plan, billing identifiers and payment metadata returned by our payment processor. We do not store full card numbers on our servers.
  • Customer data you upload: information about your end customers (name, contact details, appointment history, notes). You are the controller of this data.
  • Communications: messages you send to our support team and operational emails we exchange with you.
  • Technical data: IP address, device and browser information, log data, cookies and similar identifiers needed to operate the Service securely.

3. How we use personal data and legal bases (GDPR)

We use personal data for the following purposes, each with a corresponding legal basis under Article 6 of the GDPR and, for users in the United Kingdom, the equivalent provisions of the UK GDPR and the Data Protection Act 2018:

  • Provide the Service (contract): create and maintain your account, run bookings, send transactional messages on your behalf, process payments, provide support.
  • Service security and integrity (legitimate interests): prevent fraud and abuse, monitor and improve performance, keep logs, investigate incidents.
  • Communicate with you (contract / legitimate interests): send operational notices, billing notices and important changes.
  • Comply with legal obligations (legal obligation): tax, accounting and other regulatory duties.
  • Marketing (consent): if we ever send marketing communications, we will rely on your consent and you can withdraw it at any time.

4. Data we process on your behalf (processor role)

When you upload data about your customers, you decide what is collected, why and for how long. We process this data only to provide the Service to you and according to your instructions and these Terms. You are responsible for informing your customers, having a valid legal basis, and handling their requests under the GDPR. We will support you with reasonable measures, as required by Article 28 GDPR.

5. Subprocessors and third parties

We rely on a small number of trusted providers to deliver the Service. The current list is:

  • Cloud database and authentication: Supabase (EU region) stores account, business and customer data and handles authentication.
  • Transactional email: Resend delivers operational and transactional emails on our behalf.
  • Messaging: WhatsApp delivers booking notifications to your end customers.
  • Payments: Stripe handles subscription billing; full card data does not reach our servers.
  • Hosting and infrastructure: Vercel hosts and serves the application.
  • Analytics and marketing: Google (Google Analytics 4 and Google Ads), only with your consent, to measure site usage and campaigns. These services load only after you accept the matching categories in the cookie banner. Transfers to the United States rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.

We may change subprocessors over time to improve the Service. Material changes will be reflected in this Policy.

6. International transfers

Our primary infrastructure (database, authentication and hosting) operates inside the European Union. Some providers transfer data to the United States, notably Meta (WhatsApp) and Google (Analytics and Ads). For those transfers we rely on appropriate safeguards under the GDPR: the EU-US Data Privacy Framework where the provider is certified, together with Standard Contractual Clauses approved by the European Commission. For users in the United Kingdom, transfers out of the UK additionally rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as the EU clauses alone do not cover UK transfers.

7. How long we keep data

  • Account and business data: while your account is active and for up to 12 months after deletion, to handle disputes, comply with law and finalise billing.
  • Billing and tax records: at least 10 years, as required by Portuguese tax law.
  • Logs and security data: typically up to 12 months.
  • Customer data you upload: for as long as you keep it in the Service. When you delete it or close your account, we delete it within a reasonable period, except where we are required to keep a copy by law.

8. Your rights under the GDPR

You have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your personal data ("right to be forgotten");
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent at any time, where processing is based on consent;
  • lodge a complaint with your local supervisory authority: in the United Kingdom this is the Information Commissioner's Office (ICO, ico.org.uk); our lead EU authority is the Portuguese CNPD (www.cnpd.pt).

To exercise these rights, contact help@bookhero.app. We will respond within the deadlines required by the GDPR (normally one month).

If you are an end customer of one of our users (for example, you booked an appointment with a business that uses BookHero), please contact that business first, as they are the controller of your data. We act only as their processor and will support them in handling your request.

9. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the Service: authentication and session management, language preference, and basic security. These do not require consent. We also use analytics and marketing cookies (Google Analytics 4 and Google Ads) only if you accept them in the cookie banner; these load only after your consent, and you can change or withdraw your choice at any time in that banner.

10. Security

We take technical and organisational measures to protect personal data, including encryption in transit, access controls, isolated environments per tenant and routine backups. No system is perfectly secure; if you believe your account has been compromised, contact help@bookhero.app immediately.

11. Children

The Service is not directed to people under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, please contact help@bookhero.app and we will delete it.

12. Changes to this Policy

We may update this Policy as the Service evolves. Material changes will be communicated by email or in the application. The "Last updated" date at the top reflects the most recent version.

13. Contact

For any privacy question or to exercise your rights under the GDPR, write to help@bookhero.app or to Globaluminate, Lda, Av. Peregrinação 6, 4 Esq, 1990-357 Lisboa, Portugal.

© 2025 BookHero · Made in Portugal