Privacy Policy

Last updated: February 2026

1. Introduction and Data Controller

This Privacy Policy explains how BookNimble Oy ("BookNimble", "we", "us", or "our") collects, uses, stores, and protects personal data when you use the BookNimble platform at booknimble.com and associated services. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Finnish data protection legislation.

The data controller for personal data processed through the BookNimble platform is:

  • Company: BookNimble Oy
  • Business ID: 3597833-2
  • Address: Helsinki, Finland
  • Email: privacy@booknimble.com

2. Definitions

In this Privacy Policy:

  • "Platform" refers to the BookNimble website, application, and all associated services at booknimble.com.
  • "Provider" refers to service providers (businesses and professionals) who register on the platform to manage bookings and accept payments from their customers.
  • "Customer" refers to individuals who book services through a Provider's booking portal on the platform.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by the GDPR.

3. Information We Collect

3.1 From Service Providers

When you register and use BookNimble as a Provider, we collect:

  • Account information: Name, email address, phone number, and password
  • Business information: Business name, business type, and contact details
  • Financial information: Stripe Connect account details for receiving payments (managed by Stripe)
  • Portal content: Business logo, brand colours, service descriptions, pricing, and availability schedules
  • Team data: Names, email addresses, roles, and permissions of team members you invite
  • Usage data: How you interact with the platform dashboard, features used, and settings configured

3.2 From Customers

When you book services through a Provider's portal, we collect:

  • Contact information: Name, email address, and phone number
  • Payment information: Payment card details are collected and processed directly by Stripe — BookNimble stores only the card brand, last four digits, and expiry date for display purposes
  • Booking information: Service selected, appointment date and time, session notes, and any responses to custom intake forms set by the Provider
  • Attendee information: When booking for others (e.g., a child or family member), we collect the attendee's name, age, email, phone, and any form responses
  • Referral data: Referral codes used or generated, and referral credit balances
  • Account activity: Booking history, cancellation history, store credit balance, and gift card transactions

3.3 Automatically Collected Information

When you use the platform, we automatically collect certain technical information:

  • Device and browser information: Browser type, operating system, and device type
  • Log data: IP address (anonymised for analytics), pages visited, time spent, and referring URL
  • Cookies: Essential cookies for authentication and session management (see Section 11)

4. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the platform services, process bookings, and handle payments — this applies to both Provider accounts and Customer bookings
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including improving the platform, preventing fraud, ensuring security, and generating aggregated analytics — balanced against your fundamental rights and freedoms
  • Legal obligations (Art. 6(1)(c)): Processing necessary to comply with legal requirements, including financial record-keeping, tax obligations, and responding to lawful requests from authorities
  • Consent (Art. 6(1)(a)): Where applicable, such as for optional marketing communications — you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal

5. How We Use Your Information

We use personal data for the following purposes:

  • Processing and managing bookings between Providers and Customers
  • Processing payments securely through Stripe and transferring funds to Providers
  • Sending transactional communications: booking confirmations, reminders, cancellation notices, and payment receipts
  • Operating customer referral programs and gift card systems as configured by Providers
  • Providing customer relationship management features to Providers (booking history, notes, contact records)
  • Generating business analytics and revenue reports for Providers (using aggregated and anonymised data where possible)
  • Authenticating users and maintaining account security
  • Detecting and preventing fraud, chargebacks, and platform abuse
  • Providing customer support and resolving disputes
  • Improving, maintaining, and developing the platform's features and performance
  • Complying with legal and regulatory obligations

6. Information Sharing and Sub-processors

We share personal data only when necessary and with the following categories of recipients:

  • Service Providers you book with: When you make a booking, your contact details, booking information, and form responses are shared with the relevant Provider so they can deliver the service
  • Stripe (Payment Processing): Stripe, Inc. processes all payment transactions, stores payment method details, and manages Provider payouts. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy
  • Google Cloud / Firebase (Infrastructure): Our database and authentication services are hosted on Google Cloud infrastructure (Firebase). Data is stored in the EU (europe-west1 region). See Firebase Privacy
  • Amazon Web Services — SES (Email Delivery): We use AWS Simple Email Service to send transactional emails (confirmations, reminders, receipts). Data is processed in the EU (eu-north-1 region). See AWS Privacy
  • Twilio (SMS Delivery): Where Providers enable SMS notifications, we use Twilio to deliver booking reminders and notifications. See Twilio's Privacy Policy
  • Vercel (Hosting): The platform is hosted on Vercel's infrastructure. See Vercel's Privacy Policy
  • Legal and regulatory authorities: When required by law, court order, or to protect our legal rights
  • Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the acquiring entity

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

7. International Data Transfers

BookNimble primarily stores data within the European Economic Area (EEA). Some of our sub-processors (Stripe, Twilio, Vercel) may transfer data to the United States or other countries outside the EEA. Where such transfers occur, they are protected by appropriate safeguards as required by the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions.

You can request information about the specific safeguards applied to international transfers by contacting us at privacy@booknimble.com.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data is encrypted in transit using TLS/HTTPS
  • Payment data is handled exclusively by Stripe (PCI DSS Level 1 compliant) — we never store full card numbers
  • Authentication tokens are cryptographically signed and expire automatically
  • Portal customer sessions use secure, HTTP-only cookies
  • Access to production systems is restricted to authorised personnel only
  • Firebase Security Rules enforce per-organisation data isolation
  • Passwords are hashed using industry-standard algorithms (Firebase Authentication)

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

  • Provider accounts: Data is retained for the duration of the account and for 12 months after account closure, unless longer retention is required for legal or financial reasons
  • Customer accounts: Profile data is retained for the duration of the account. When a Customer deletes their account, personal data is erased and associated booking records are anonymised (names and contact details removed)
  • Booking records: Anonymised booking and payment records are retained for up to 7 years to comply with Finnish accounting and tax regulations (Kirjanpitolaki 1336/1997)
  • Payment records: Financial transaction records are retained as required by applicable tax and accounting laws
  • Log data: Technical logs are retained for up to 90 days for security and debugging purposes

When personal data is no longer needed, it is securely deleted or irreversibly anonymised.

10. Your Rights Under the GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data
  • Right to erasure (Art. 17): You may request deletion of your personal data. Customers can delete their account directly through the portal. Note that some data may be retained where required by law
  • Right to restriction (Art. 18): You may request that we restrict the processing of your data in certain circumstances
  • Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at privacy@booknimble.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (see Section 14).

11. Cookies and Similar Technologies

We use only essential cookies that are strictly necessary for the platform to function. We do not use advertising, tracking, or analytics cookies.

  • auth-token: Authenticates Provider/admin sessions. Expires after 7 days. Essential for platform access.
  • portal_session_{id}: Authenticates Customer portal sessions. HTTP-only, secure. Expires after 30 days. Essential for account access.
  • test-site-access: Used only on our test environment (test.booknimble.com) to gate access. Not set on the production site.
  • locale: Stores your preferred language. Essential for displaying content in your chosen language.

Because we use only strictly necessary cookies, we do not require cookie consent under the ePrivacy Directive. No personal data is shared with third parties through cookies.

12. Children's Privacy

The BookNimble platform is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. Where a Provider's services involve minors (e.g., children's classes), the booking must be made by a parent or legal guardian, and the attendee data collected is limited to the name and age necessary for service delivery. If you believe we have inadvertently collected data from a child under 16, please contact us at privacy@booknimble.com and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify registered Providers of material changes by email. The updated policy will be posted on this page with a revised "Last updated" date. We encourage you to review this page periodically.

14. Contact Us and Supervisory Authority

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

  • Company: BookNimble Oy
  • Email: privacy@booknimble.com
  • Address: Helsinki, Finland

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The relevant authority in Finland is:

  • Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
  • Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
  • Website: tietosuoja.fi/en
  • Email: tietosuoja@om.fi