Privacy
Last updated · July 12, 2026
This notice explains what personal data ReBooking collects when you sign up as a business, what your customers' data we process on your behalf, and what rights you and your customers have under the EU General Data Protection Regulation.
1. Roles
For data about your own business and staff: we are the Data Controller. For data about your customers: you are the Controller and we are the Processor. The Data Processing Agreement built into these terms governs that processing.
2. What we collect
- Account data: your name, work email, business name, subscription plan, login activity.
- Workspace data: service catalog, calendar, staff, prices, settings.
- Customer records: name, phone, email, address, notes you record. Phone, email, address and notes are stored encrypted at rest with pgcrypto; lookups go through deterministic hashes so we never need to decrypt for search.
- Operational data: server logs (IP, request line, status), error traces, billing events from Stripe, SMS delivery receipts from Twilio.
3. Why we process it
- To run the Service you signed up for (Article 6(1)(b)).
- To meet legal/accounting obligations (Article 6(1)(c)).
- To prevent fraud, abuse, and unauthorised access — our legitimate interest (Article 6(1)(f)).
- To send your customers transactional messages (booking confirmation, reminder, receipt) — your contractual basis with them.
- Marketing messages to your customers are only sent to people you have a consent record for.
4. Where it lives
All data is stored in the EU. Our database, Redis cache, and durable functions run on servers within the EEA. Stripe (US) processes payment card data under the EU-US Data Privacy Framework. Twilio and Resend process SMS and email respectively under their Standard Contractual Clauses.
5. Retention
Customer records are kept for as long as your workspace is active. On account closure we give you 30 days to export, then delete. Audit logs are retained for 24 months for security purposes. Backups roll out within 35 days.
6. Your rights
Access, correction, deletion, restriction, portability, and objection. Email privacy@rebooking.no and we respond within 30 days. You can also lodge a complaint with the Norwegian Datatilsynet.
7. Contact
Data protection: privacy@rebooking.no.