Skip to content

Privacy Policy

Last updated: 1 April 2026

1. Introduction

This Privacy Policy explains how NextBookin ("we", "us", "our") collects, uses, and protects your personal data when you use our platform at nextbookin.com and related subdomains. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

NextBookin is the data controller responsible for your personal data. Our registered address is TBD. If you have any questions about how we handle your data, you can contact us at privacy@nextbookin.com.

3. Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, and password hash when you register
  • Business information: business name, address, phone number, services offered, and staff details
  • Booking data: appointment details, service selections, dates, times, and any notes provided
  • Payment information: payment transactions are processed by Stripe; we do not store your full card details
  • Guest booking data: name, email, and phone number provided when booking without an account
  • Usage data: anonymised IP address (truncated to /24 subnet) stored in audit logs for security purposes only. We do not use analytics or tracking cookies.
  • Chatbot conversations: messages exchanged with the booking assistant, retained for up to 1 year
  • Consultation forms: responses submitted to business consultation forms
  • Communications: messages, reviews, and support correspondence

4. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the booking platform
  • Process bookings and send appointment confirmations and reminders
  • Process payments through our payment provider (Stripe)
  • Send account-related notifications and service updates
  • Respond to support requests
  • Analyse usage patterns to improve the Service
  • Prevent fraud and ensure security

5. Legal Basis for Processing

We process your data on the following legal bases:

  • Contract performance: to provide the Service you signed up for
  • Legitimate interests: to improve our platform, prevent fraud, and communicate service updates
  • Consent: for optional marketing communications, which you can withdraw at any time
  • Legal obligation: to comply with applicable laws and regulations

6. Third-Party Services (Sub-Processors)

We use the following third-party services to operate the platform:

  • Stripe (US) — Payment processing. Stripe processes your payment data under their own privacy policy at stripe.com/privacy. Transfers covered by Standard Contractual Clauses.
  • Resend (US) — Transactional email delivery (booking confirmations, password resets, notifications). Privacy policy at resend.com/legal/privacy-policy.
  • Google (US) — OAuth authentication (optional, only if you choose to sign in with Google). Privacy policy at policies.google.com/privacy.
  • Neon (US) — Database hosting (PostgreSQL). Data stored in the EU (aws-eu-west-2, London). Privacy policy at neon.tech/privacy.
  • Hetzner (Germany) — Application hosting infrastructure, located in the EU.
  • Anthropic (US) — AI-powered chatbot assistant for booking support. Privacy policy at anthropic.com/privacy.

We do not sell your personal data to any third party. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Cookies

We use the following types of cookies:

  • Essential cookies: required for authentication and session management. These cannot be disabled.
  • Functional cookies: remember your preferences such as language and timezone settings.
  • Preference cookies: remember your theme and display preferences (stored locally in your browser only).

You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data: retained while your account is active. Deleted or anonymised within 30 days of account deletion.
  • Booking records: retained for up to 3 years after the appointment date for business record-keeping. Personal data is anonymised on account deletion.
  • Audit logs: anonymised IP addresses retained for 90 days, then automatically purged.
  • Appointment watch requests: retained for up to 1 year, then automatically purged.
  • Chatbot conversations: retained for up to 1 year, then automatically purged.
  • Form submissions: retained for the duration of the business relationship.

When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

9. Your Rights (GDPR)

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: request deletion of your personal data
  • Right to restrict processing: request that we limit how we use your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

You can exercise data export and account deletion directly from your account settings at Dashboard > Account > Privacy. Alternatively, to exercise any of these rights, contact us at privacy@nextbookin.com. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, access controls, and regular security reviews. Each tenant's data is isolated in separate databases.

11. International Transfers

Where data is transferred outside the UK or EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

13. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top indicates the most recent revision.

15. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay.

16. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

17. Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@nextbookin.com.