Legal
Privacy policy
Bookable will utilize information obtained from Google APIs in accordance with the Google API Services User Data Policy, including compliance with Limited Use requirements.
Our utilization of Google Calendar data serves the purpose of preventing conflicts in bookings and appointments. We provide the convenience of integrating multiple calendars for more efficient scheduling. Rest assured, users who book with you will never have visibility into your calendar.
We are committed to never selling your information to a third party.
Our terms and conditions, along with the privacy notices below, comply fully with European privacy and data regulations (EU GDPR/UK GDPR). They are written in language intended to be easily understood by everyone. To assist you further, here are the basics: for us, it's not just about adhering to the letter of the law, but also about embracing the spirit and principles behind it to protect your data and your contract with us:
- We don't sell or share data - We don't run programs to extract information about your activities to sell you more products. We strive to contact you only about things that matter to you.
- We use the largest cloud service provider globally - Our server infrastructure is provided by Amazon Web Services and is currently based in the United States (though servers may sometimes be located in other countries).
- We use security best practices - Our servers and applications use the same security protocols that banks employ to transmit financial data.
- We only hold your data because you have given it to us - If you don't want us to hold it, we won't. If you are concerned, avoid sending sensitive data through our system. You control how long we keep your data and can decide when you want it automatically deleted.
- We will hold you to the same standards in how you treat data that is collected on our systems - Our acceptable use policy ensures that if we believe you are mishandling user data, we will hold you accountable and may delete your account.
- We are law-abiding citizens and comply with all applicable laws - If you want to use our service, you must comply as well. Check our terms and conditions for more details.
1. General
- 1.1. Big Bear Little Goose Ltd ("we" or "us") takes the privacy of your information very seriously. Our Privacy and Data Protection Notice is designed to inform you, the user of our availability and booking service ("Service"), about our practices regarding the collection, use, and disclosure of personal and other information about you or your business that may be provided via this website or collected through our booking form or otherwise.
- 1.2. This privacy notice applies to information provided by our members and account holders ("members") and also applies to information processed by us when a person (referred to for convenience as a "Customer") books an appointment or submits data using our Service.
- 1.3. This privacy notice is prepared in compliance with applicable data protection legislation, including the EU General Data Protection Regulation ("GDPR"), the Data Protection Act 2018, and the retained EU law version of the GDPR ("UK GDPR").
- 1.4. Important Note: If you are using our Service to make a booking with our member or account holder ("account holder"), please note that we are a processor of that data but not the data controller. We will pass the data you provide onto our account holder in accordance with this privacy notice.
2. Our Policy
- 2.1. We aim to limit our interaction with your data wherever possible. Our general policy relates to access to your data, seeking only to access that data which is necessary according to the privileges you have granted to the system. Automated processes may scan your data, but only for explicit purposes related to managing your bookings or delivering other services. When working with data originally collected by us, our processes may need to scan and manipulate the information to deliver our service to you. We have systems in place that allow you to limit and control the access you allow to your calendar data.
- 2.2. When working with data or content not collected by us and originating elsewhere (e.g., private information entered on your calendar), our policy is to access and process only a limited amount of outline data needed to deliver the service to you (e.g., your 'free/busy' times). We do not review or analyze content. Occasionally, to assist with troubleshooting system problems, we will seek your permission to access your data. Our policy is to minimize the instances of this, judge the necessity on a case-by-case basis, not automate this process, and only do so with the data owner's knowledge and permission.
3. Basis on which we process personal data
- 3.1. Personal data we hold about you will be processed either because:
- 3.1.1. the processing is necessary for us to deliver our Service (i.e., to comply with our obligations under the contract between us and our account holder);
- 3.1.2. the processing is necessary in pursuit of a "legitimate interest" (a legitimate interest in this context means a valid interest we or a third party have in processing your personal data which is not overridden by your interests in data privacy and security);
- 3.1.3. the processing is necessary to comply with a legal obligation; or
- 3.1.4. in certain limited circumstances, because you have consented to the processing for specific purposes.
4. Personal data we collect
- 4.1. We may gather and handle the following personal details or information (data that can be uniquely associated with you) about you:
- 4.1.1. Log-In Information: details and data you provide as an account holder when you sign up for the Service or as a customer of our account holder and you have shared your availability;
- 4.1.2. Contact Information: contact details we collect from you as an account holder about you or your employees (such as names, addresses, contact addresses, telephone numbers, and email addresses provided to us by you or your employer);
- 4.1.3. Calendar Information: specific information contained in a third-party service or calendar account (e.g., Google Calendar) linked with your Bookable.page account; please refer to our list of processors in section 9 of this policy for details about those third-party services from whom we may collect data. Any data collected from a third-party service will be used strictly according to this policy;
- 4.1.4. Booking Information: a record of the bookings made through the Service and details related to each individual booking (time, location, etc.);
- 4.1.5. Correspondence Information: a record of any correspondence between you and us and other interactions with the Service or the Site;
- 4.1.6. Booking Form Information: information which may be provided to our account holder using an online booking form;
- 4.1.7. Payment Information: data related to payment transactions collected where we collect payment on behalf of our account holder (we do not collect credit card information, which is sent directly from the user to our payment processor);
- 4.1.8. Technical Information: details of your visits to the Site, the resources and pages that you access, and any searches you perform.
- 4.2. We collect such information only when you choose to provide it to us. You are not required to provide any personal information to us, and you may withdraw your consent for us to process your data or request that we limit our processing (see section 11 in this policy), but our Service may not function properly without providing such data to us.
- 4.3. Information may also be collected through the Service without you actively providing it, using various technologies and methods such as Internet Protocol (IP) addresses and cookies.
- 4.4. An IP address is a number assigned to your computer by your Internet Service Provider (ISP) to enable Internet access.
- 4.5. We use your IP address to diagnose server problems, report aggregate information, determine the fastest route for your computer to connect to our site, and to manage and improve the site.
- 4.6. If you are a customer of our account holder and they have connected with us via Stripe Connect (allowing us to collect payment on the Site), we may have access to your payment history with our account holder, even if you are not a user of the Site. We will not seek to access or process any data other than data specifically related to our users and payments made via the Site. We will restrict access to such information and take steps to remove our access to any irrelevant data.
5. How we use your personal data
- Refer to the table below for details on how we handle various types of personal data. Note that some data (including Calendar Information, Booking Information, and Booking Form Information) is processed by us as a "processor", with our account holder acting as the "data controller" (please refer to section 3, Data Processing, for more details on these terms).
| Purpose / Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| When you (or your employer) register with us to provide the Service to our account holder. | Log-in Information<br>Contact Information | Performance of a contract.<br>Necessary for our legitimate interests (to establish necessary information in order to provide our Service). |
| When you use the Service as an account holder to take, manage or administer bookings. | Log-in Information<br>Contact Information<br>Calendar Information<br>Booking Information<br>Booking Form Information<br>Payment Information<br>Correspondence Information | Performance of a contract.<br>Necessary for our legitimate interests (to provide our availability and booking service). |
| When you use the Service as a customer, patient, or client of our account holder ("Customer") to make a booking. | Contact Information<br>Calendar Information<br>Booking Information<br>Booking Form Information<br>Payment Information | Performance of a contract.<br>Necessary for our legitimate interests (to provide our availability and booking service). |
| When you use the Service as a Customer to provide information related to a booking. | Booking Information<br>Calendar Information<br>Booking Form Information<br>Correspondence Information | Performance of a contract.<br>Necessary for our legitimate interests (to provide our availability and booking service). |
| When you use the Service as a customer, patient, or client of our account holder to make payment to our account holder related to a booking. | Payment Information | Performance of a contract.<br>Necessary for our legitimate interests (to provide our availability and booking service). |
| To manage our relationship with our account holder, which includes:<br>(a) Notifying our account holder about changes to our terms or privacy notice;<br>(b) Asking them to leave a review or take a survey;<br>(c) Handling complaints. | Log-in Information<br>Contact Information<br>Calendar Information<br>Booking Information<br>Technical Information<br>Communication Information<br>Correspondence Information | Performance of a contract with you.<br>Necessary to comply with a legal obligation.<br>Necessary for our legitimate interests (to keep our records updated and to understand how customers use our Service). |
| To verify compliance with our Terms of Use. | Log-in Information<br>Contact Information<br>Booking Information<br>Technical Information<br>Communication Information | Necessary for our legitimate interests (for network security, compliance, and fraud prevention).<br>Necessary to comply with a legal obligation. |
| To administer and protect our business, including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data. | Log-in Information<br>Technical Information<br>Communication Information | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, fraud prevention, and business reorganisation).<br>Necessary to comply with a legal obligation. |
| To use data analytics to improve the Service, Site, marketing, customer relationships, and experiences. | Technical Information<br>Communication Information | Necessary for our legitimate interests (to define customer types for our products and services, to keep our services updated and relevant, to develop our business, and to inform our marketing strategy). |
| When you use the Service as a customer, patient, or client of our account holder ("Customer") to overlay your availability. | Log-in Information | Necessary for our legitimate interests (to provide our availability and booking service). |
6. Sharing your information
- 6.1. We do not disclose any information you provide to any third parties other than as follows:
- 6.1.1. If you are an account holder, we will share information about your free and busy times from any linked third-party calendar account (e.g., Google Calendar) with anyone seeking to make a booking using the Service (please note that any data held on third-party calendar services will be subject to their privacy terms);
- 6.1.2. If you use the Service to interact with other third-party accounts or services, the Service may send information to those third-party services. Any information sent to a third-party service will be subject to the privacy policies of those services. These third-party services are independent processors (or controllers) of data you choose to provide to them using the Service. Please refer to our list of processors for information about third-party services we may interact with. We refer to these services as "processors in common";
- 6.1.3. If you are an account holder, we will share information contained in any booking form or other content created by you with anyone seeking to make a booking using the Service;
- 6.1.4. If you are a Customer making a booking, we will supply any information you provide to us to our account holder;
- 6.1.5. Payment information may be provided to our payment processors;
- 6.1.6. If we are under a duty to disclose or share your personal data in order to comply with any legal obligation (e.g., if required to do so by a court order or for the purposes of fraud prevention or other crime);
- 6.1.7. In order to enforce any terms and conditions or agreements for our Services that may apply;
- 6.1.8. We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganization, but we will take steps to ensure that your privacy rights continue to be protected;
- 6.1.9. To protect the rights, property, or safety of Big Bear Little Goose Ltd, our account holders, or any other third parties.
- 6.2. Other than as set out above, we shall not disclose any of your personal information unless you give us permission to do so.
7. Security
- 7.1. To protect the information we collect from you, we will take all reasonable steps to ensure that:
- 7.1.1. Our servers are secured with advanced security mechanisms and can only be accessed via strictly controlled public/private cryptographic keys;
- 7.1.2. Our data processing storage facilities are located in secure environments to prevent unauthorized access, and our infrastructure is hosted by Amazon Web Services (AWS);
- 7.1.3. All communication with our servers is encrypted through Secure Sockets Layer (SSL), an industry-standard encryption method that ensures data transmitted between your computer and our servers is protected from being easily deciphered even on insecure networks;
- 7.1.4. Regular security assessments of our infrastructure are conducted. This includes web vulnerability scans, dependency vulnerability scans, static code analysis, rule-based OS inspection, and manual assessments.
8. Subscriber Personal Data
- 8.1. We act as a "data processor" rather than a data controller for certain information we collect, including Calendar Information, Booking Information, and Booking Form Information. Our account holder serves as the data controller for this information, and our terms require them to process this data in compliance with applicable data protection laws.
- 8.2. In our Terms of Use, this data is referred to as "Subscriber Personal Data". The handling of Subscriber Personal Data by us is governed by the terms outlined in our Data Processing Agreement ("DPA").
9. Sub-processors and processors in common
- 9.1. We utilize several third-party services to which we may transfer personal data in order to provide our Service. The processor list includes:
- 9.1.1. Sub-processors that we use in our role as a data processor
- 9.1.2. Details of "processors in common", meaning if you use the Service to interact with other third-party accounts or services, the Service may send information to those third-party services or we may communicate with them via API. These are referred to as "processors in common".
- 9.2. Please note that a processor in common is not a processor or sub-processor engaged by us; rather, they are an independent controller or processor of data you have authorized to share data with us. The terms under which they process a user's personal data will be subject to the user's separate agreement with them and their own privacy documentation. When we receive data from a processor in common, we will handle it in accordance with the terms of this privacy notice. A complete list of our sub-processors and processors in common can be found at Data Processors.
10. Data Retention
- 10.1. Our current data retention policy is to delete or destroy (to the extent we are able to) the personal data we hold about you in accordance with the following:
| Category of personal data | Length of retention |
| --- | --- |
| Records relevant for tax purposes | 8 years from the end of the tax year to which the records relate |
| Personal data processed in relation to a contract between you and us | 7 years from either the end of the contract or the date you last used our Service, being the length of time following a breach of contract in which a contract party is entitled to make a legal claim |
| Personal data held on marketing or business development records | 3 years from the last date on which a data subject has interacted with us |
| Information relating to an individual booking | 12 months following the date of the relevant booking |
- 10.2. For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data.
- 10.3. The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
- 10.4. We regularly review the personal data (and the categories of personal data) we hold to ensure it is still relevant to our business and accurate. If we find that certain data is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as needed.
- 10.5. If you wish to request that data we hold about you be amended or deleted, please refer to clause 11 below, which explains your privacy rights.
11. Your privacy rights
- 11.1. Under the EU GDPR/UK GDPR, you have the following rights concerning the personal data we hold about you:
The right to be informed
You have the right to be informed about our data protection and processing activities, as detailed in this notice.
The right of access
You can make a Subject Access Request ("SAR") to get information about the personal data we hold about you (free of charge, except for reasonable expenses for repeat requests). To make a SAR, please contact us as outlined below.
The right to correction
If the information we hold about you is incomplete or incorrect, please notify us, and we will update our records as soon as possible, and within one month at the latest.
We will take reasonable steps to notify any third parties to whom we have disclosed the same information of the correction.
The right to erasure (the "right to be forgotten")
If you want us to delete your personal data (although our Service cannot be provided without it), please inform us. Unless we have reasonable grounds to refuse, we will securely delete the personal data within one month. The data may still exist in certain backups but will not be accessible.
We will notify any third parties to whom we have disclosed the same information about the erasure.
The right to restrict processing
You can request that we limit the processing of your personal data in specific ways without requiring us to delete it.
The right to data portability
You have the right to receive copies of the personal data we hold about you in a commonly used and easily storable format (please specify your preferred format). You may also request that we transfer your personal data directly to a third party (where technically feasible).
The right to object
You can object to us processing your personal data if you believe it impacts your fundamental rights and freedoms, unless we have overriding legitimate grounds for such processing. You may also object to the use of your personal data for direct marketing purposes (including profiling) or for research or statistical purposes. Please notify us of your objection, and we will stop such processing unless we have overriding legitimate grounds.
Rights regarding automated decision-making and profiling
You have the right not to be subject to automated decision-making (including profiling) that has legal or similarly significant effects on you. This right does not apply when automated processing is necessary for us to fulfill our contractual obligations to you, is permitted by law, or if you have given explicit consent.
Right to withdraw consent
If we are processing your personal data based on your consent, you have the right to withdraw your consent at any time. If you have not expressly given your consent to our processing, you also have the right to object (see above).
- 11.2. All SARs and other requests or notifications regarding your above rights may be submitted to us via our contact page.
- 11.3. We will endeavor to comply with such requests as soon as possible and within one month of receipt (unless a longer response time is warranted due to the complexity or number of your requests).
12. Data Breaches
- 12.1. If the personal data we hold about you is breached, disclosed, or accessed without authorization, we will report it to the Information Commissioner's Office (ICO).
- 12.2. If the breach is likely to pose a risk to your data rights and freedoms, we will inform you as soon as possible.
13. Other websites
- 13.1. Our Site may contain links and references to other websites. Please note that this Privacy Policy does not apply to those websites.
- 13.2. We are not responsible for the privacy policies and practices of sites not operated by us, even if you access them via our Site and/or any service operated by us. We recommend you review the policy of each site you visit and contact its owner or operator if you have any concerns or questions.
- 13.3. Additionally, if you accessed this Site via a third-party website, we are not responsible for the privacy policies and practices of the owners or operators of that third-party site. We recommend you review the policy of that third-party site and contact its owner or operator if you have any concerns or questions.
14. Transferring your information outside of Europe
- 14.1. As part of the services we offer, the information you provide to us may be transferred to, processed, and stored in countries or international organizations outside the UK or European Economic Area ("EEA"). For example, this may occur if any of our servers or service providers are located in a country outside the UK/EEA. In each case, we will take steps to ensure that the relevant transfer is subject to appropriate safeguards as required by the EU GDPR/UK GDPR, and that your privacy rights continue to be protected as outlined in this privacy notice.
- 14.2. Currently, our server infrastructure is located in the United States. For more information on the safeguards in place for this and our other data processors, please see Data Processors.
- 14.3. We may also communicate with individuals or organizations outside the UK or EEA in delivering our services, for instance with national supervisory bodies. If you use our Site or service while you are outside the UK or EEA, your information may be transferred outside the UK or EEA to provide you with those services. Occasionally, your information may be stored on devices used by our staff outside the UK or EEA (but staff will be subject to our internal cybersecurity policies).
15. Notification of changes to our Privacy Notice
- 15.1. We will post details of any changes to our Privacy Notice on the Site to ensure you are always aware of the information we collect, how we use it, and under what circumstances, if any, we share it with other parties.
16. Contact us
- 16.1. If you would like to contact us with your views about our privacy practices, or with any inquiry related to your personal information, you can do so via our contact page.
17. Cookie policy
- 17.1. Like most websites and applications, Bookable.page uses cookies to help provide you with the best experience whilst using our service. The cookies we use are split into the following categories:
- 17.1.1. Essential cookies - these are an essential part of our service and affect how you can use our site (e.g., security & authentication).
- 17.1.2. Performance cookies - these are used for analytics (e.g., understanding usage on our website).
- 17.1.3. Functionality cookies - these collect information about your device to help you customize our service (e.g., remembering your timezone settings or accessing inline help).
- 17.2. On your first visit to our site from your browser, we will display a notice to notify you that we are using cookies. We will only load the Essential cookies and Functionality cookies until you have clicked the "Accept" button on our cookies notice. If you click the "Accept" button, our Performance cookies will be loaded.
- 17.3. Below is a list of the cookies currently set by our domain (first-party cookies):
| Cookie | Type | Purpose |
| --- | --- | --- |
| Bookable.page | Essential | Login/Logout app authentication |
| Stripe | Essential | Handle payments within our service |
| Hubspot | Essential | Records cookie preference |
| HelpScout | Functionality | In-app chat and help docs |
| Google Analytics | Performance | Collects information about how our website and service are used |
| G2 | Performance | Collects information about how our website and service are used |
| Mixpanel | Performance | Collects information about how our website and service are used |
| Hotjar | Performance | Collects information about how our website and service are used |
| Mouseflow | Performance | Collects information about how our website and service are used |
| Hubspot | Performance | Collects information about how our website and service are used |
- 17.4. In addition to cookies set by domains we control (first-party cookies), you may also see cookies set by third parties (third-party cookies). These are set when you interact with certain parts of our service, such as viewing one of our help videos (YouTube) or signing in via Facebook, and are used by these third-party services to understand your preferences and sometimes tailor the content they show you.
- 17.5. Do I have to accept cookies?
You are free to reject or disable cookies if you wish. How you disable cookies depends on the browser or device you are using. The help feature on most browsers will tell you how you can manage and/or disable cookies. If you disable cookies on your browser, certain features or parts of our service may not function correctly or may provide a degraded experience.
- 17.6. Cookies used for tracking and analytics
We use analytics tools, such as Google Analytics, to understand how our site is used and where we can make improvements to provide you with the best experience. You can opt out of this analytics tracking by following the links below:
- 17.6.1. Opt out of Hotjar Analytics using their one-click opt-out option.
- 17.6.2. Opt out of Mouseflow using their one-click opt-out option.
- 17.6.3. Opt out of Google Analytics using their opt-out browser tool.
- 17.6.4. Not clicking the "Accept" button in our cookies notice.
Effective 20th June 2024