Legal
Privacy Policy
This privacy policy explains what personal data Bookvella processes while it is operated as a non-commercial student portfolio project with public access.
1. Controller
Bookvella is currently operated as a non-commercial student portfolio project from Berlin, Germany. Privacy requests can be sent to support.bookvella@gmail.com. Additional project information is available in the Project Notice / Impressum.
This policy is written for the current product state. If Bookvella is later run commercially, offers paid plans, or actively onboards real users, this policy should be reviewed by a lawyer and updated before launch.
2. Project scope
Bookvella demonstrates booking software for independent service providers. It includes host accounts, public booking pages, service listings, availability tools, booking confirmations, guest verification, reviews, uploads, and optional calendar connections.
Bookvella does not currently process payments, sell paid plans, run advertising, use analytics cookies, or broker contracts between hosts and guests.
3. Data collected
Host account data
- Name, email address, password hash, timezone, public slug, and login/session records.
- Profile details such as display name, image, cover image, headline, category, location, about text, website, Instagram, and visibility settings.
- Service details such as title, description, images, duration, price display, location, preparation notes, public link, visibility, and availability settings.
- Calendar connection metadata and encrypted provider tokens if a host connects Google or Outlook Calendar.
Guest booking data
- Guest name, email address, optional phone number, optional note, timezone, selected service, selected time slot, cancellation token use, and rescheduling actions.
- Email verification data used to confirm bookings with one-time codes.
- Review content submitted after a booking, including rating, display name, comment, service reviewed, and submission time.
Technical and security data
- IP address, request timestamps, browser/device metadata, server logs, rate-limit events, and error information.
- Strictly necessary cookies and localStorage entries used for authentication, session detection, security, and preferences. See the Cookie Policy.
4. Purposes and legal basis
| Purpose | Examples | Legal basis |
|---|---|---|
| Operate requested features | Accounts, public booking pages, bookings, availability, cancellations, rescheduling, reviews, dashboards | GDPR Art. 6(1)(b), contract or steps requested by the user |
| Security and abuse prevention | Session security, rate limiting, CSRF protection, fraud/spam prevention, server logs | GDPR Art. 6(1)(f), legitimate interests |
| Transactional emails | Verification codes, password reset, booking confirmation, cancellation, reschedule, review links | GDPR Art. 6(1)(b), service operation requested by the user |
| Calendar sync | Reading busy times and writing booking events when a host connects a calendar | GDPR Art. 6(1)(a), consent, and Art. 6(1)(b), requested feature operation |
| Legal and moderation handling | Responding to lawful requests, investigating abuse, enforcing terms | GDPR Art. 6(1)(c) or Art. 6(1)(f), depending on the situation |
5. Retention
- Account/profile data: kept while the account exists, then deleted or anonymized after account deletion unless retention is legally required.
- Booking records: kept while needed for booking history, cancellation/rescheduling records, dispute handling, and project operation.
- Verification codes: short-lived and invalid after expiry, use, or too many failed attempts.
- Review data: kept while the related account/service exists, unless removed or hidden by the host or deleted as part of an account request.
- Uploaded images: kept while attached to an account or service and removed when no longer needed or when deletion workflows complete.
- Server/security logs: normally kept only as long as needed for security, debugging, and abuse prevention, unless a longer period is required for an incident.
6. Service providers
Bookvella may use infrastructure, email, authentication, and calendar providers to run the project. The exact providers depend on production configuration.
Bookvella's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
| Provider/category | Role | Data involved |
|---|---|---|
| Hosting/VPS provider | Hosts the web app, API, database, uploaded files, and deployment stack | Account, booking, log, and upload data |
| SMTP/email provider | Sends verification, password reset, booking, cancellation, rescheduling, and review emails | Email address, message content, booking context |
| Google Sign-In and optional Google Calendar connection when configured and chosen by the user | Google identity data and calendar metadata/tokens | |
| Microsoft | Optional Outlook Calendar connection when configured and chosen by the user | Microsoft account/calendar metadata and tokens |
7. International transfers
If a provider processes personal data outside the EU/EEA, Bookvella relies on a lawful transfer mechanism such as an adequacy decision, the EU-US Data Privacy Framework where applicable, Standard Contractual Clauses, or another mechanism allowed by GDPR.
8. Your rights
You may request:
- access to your personal data,
- correction of inaccurate data,
- deletion of data where legally possible,
- restriction of processing,
- data portability,
- objection to processing based on legitimate interests,
- withdrawal of consent where processing is based on consent.
You may also complain to a data protection supervisory authority in the EU/EEA country where you live, work, or believe an infringement happened.
9. Contact
Privacy requests: support.bookvella@gmail.com. Abuse, security, and content reports: Contact / Report.
Version 1.2. Last updated May 27, 2026. Effective May 27, 2026.