Privacy Policy
Last updated: 12/10/2025
1. Introduction
This Privacy Policy describes how Bookable ("we", "our", or "us") collects, uses, and protects your personal data when you use our real estate scheduling platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Bookable Oy
c/o Rodi Elias Cetin
Länsiviitta 5
02330 ESPOO
Finland
Y-tunnus: 3581444-2
Email: support@bookable.fi
Phone: +358 445405927
3. Personal Data We Collect
3.1 Realtor Accounts
When you create a realtor account, we collect:
Identity Data: Full name, email address, phone number
Authentication Data: Password (encrypted), OAuth tokens (Google, Microsoft) (encrypted)
Professional Data: Agency affiliation, account status, approval information
Calendar Data: Google Calendar integration (email, OAuth tokens, event IDs)
Preferences: Language preference (Finnish, English, Swedish), notification settings
Profile Data: Avatar image, email signature, Linear CRM ID (if applicable)
3.2 Property Viewers (Buyers)
When you request a property viewing, we collect:
Identity Data: First name, last name, email address, phone number
Booking Data: Proposed viewing times, selected time, booking status
Communication: Optional messages about property interest
Access Tokens: Unique tokens for authentication-free booking management
3.3 Property Owners
When your property is listed for viewings, we collect:
Identity Data: Name, email address, phone number
Booking Data: Counter-proposed times, availability preferences
Access Tokens: Unique tokens for booking review
3.4 Automatically Collected Data
Usage Data: Pages visited, features used, interaction patterns
Technical Data: IP address, browser type, device type, user agent
Cookie Data: Session cookies, preference cookies (with your consent)
Audit Logs: Admin actions on accounts, system changes
4. How We Use Your Personal Data
4.1 Legal Basis for Processing
We process your personal data under the following legal bases:
Contract Performance (GDPR Art. 6(1)(b)): To provide our scheduling services to realtors and facilitate property viewings
Consent (GDPR Art. 6(1)(a)): For optional features like marketing communications and analytics cookies
Legitimate Interest (GDPR Art. 6(1)(f)): To improve our services, prevent fraud, and ensure security
Legal Obligation (GDPR Art. 6(1)(c)): To comply with accounting, tax, and other legal requirements
4.2 Specific Purposes
Creating and managing your account
Facilitating property viewing bookings between buyers, owners, and realtors
Syncing with your Google Calendar (with your explicit consent)
Sending booking confirmations and reminders via email
Providing customer support and responding to your inquiries
Improving our platform based on usage patterns and feedback
Ensuring security and preventing unauthorized access
Complying with legal and regulatory requirements
5. Data Sharing and Third-Party Processors
We share your personal data with the following third-party service providers (processors) who help us operate our platform:
Processor | Purpose | Data Shared | Location
Supabase | Database & Authentication | All user data | EU/US
Google | Calendar Sync & OAuth | Calendar events, email | US (GDPR compliant)
n8n | Email Notifications | Contact info, booking details, automating events | EU
Linear | Integration (optional) | Property data, realtor info | Finland
All processors are bound by Data Processing Agreements (DPAs) and comply with GDPR requirements. We do not sell your personal data to third parties.
6. Google Calendar Integration
Realtors can optionally connect their Google Calendar to sync availability and booking events. This integration is powered by Google OAuth 2.0 and the Google Calendar API.
6.1 What Data We Access
When you connect your Google Calendar, we request the following permissions:
Calendar Access: Read busy/free times to show available booking slots
Event Creation: Create calendar events when property showings are booked
Event Deletion: Remove calendar events when bookings are cancelled
Email Address: Identify which Google Calendar to sync (your Gmail address)
Important: We do NOT read the contents or details of your existing calendar events. We only check whether a time slot is busy or free.
6.2 How We Use This Data
Show clients only time slots when you're actually available
Automatically add property showing events to your calendar
Automatically remove events when bookings are cancelled
Prevent double-bookings across your professional and personal schedule
6.3 Data Storage & Security
OAuth Tokens: Encrypted with AES-256-GCM before storage
Token Storage: Stored in our secure database with Row Level Security (RLS)
Calendar Data: We do not cache or store calendar event data; it's fetched in real-time
Event IDs: Only stored for active bookings to enable event management
6.4 How to Disconnect
You can disconnect your Google Calendar at any time:
Go to Settings → Calendar in your dashboard
Click "Disconnect Google Calendar"
Your OAuth tokens will be immediately and permanently deleted
We will no longer have access to your calendar
You can also revoke access from Google directly:
Find "Bookable" in the list
Click "Remove Access"
6.5 Data Sharing
Your Google Calendar data is never shared with third parties, sold for advertising purposes, or used for anything other than the property scheduling features described above.
7. International Data Transfers
Some of our service providers (e.g., Google, Supabase) may transfer your data to countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, such as:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions (e.g., for countries deemed to have adequate data protection)
Certification under the EU-US Data Privacy Framework (where applicable)
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
Realtor Accounts: Active account duration + 1 year after deletion
Booking Requests: 2 years after booking completion
Audit Logs: 7 years (legal requirement)
Feedback & Ratings: 3 years
OAuth Tokens: Until revoked or account deleted
Inactive Accounts: Accounts with no activity for 3 years may be automatically deleted after email notification
9. Your Data Protection Rights
Under GDPR, you have the following rights regarding your personal data:
✓ Right of Access (Art. 15)
You can request a copy of all personal data we hold about you. Use the "Download My Data" button in your account settings.
✓ Right to Rectification (Art. 16)
You can update most of your personal data directly in your account settings (name, phone, preferences, etc.).
✓ Right to Erasure (Art. 17)
You can request deletion of your account and associated data using the "Delete My Account" option in account settings. Note: Some data may be retained for legal compliance.
✓ Right to Data Portability (Art. 20)
You can export your data in machine-readable format (JSON) via the "Download My Data" feature.
✓ Right to Restrict Processing (Art. 18)
You can request that we limit how we use your data. Contact us at support@bookable.fi.
✓ Right to Object (Art. 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
✓ Right to Withdraw Consent (Art. 7(3))
You can withdraw consent at any time (e.g., for marketing emails or analytics cookies) without affecting prior processing.
✓ Right to Lodge a Complaint (Art. 77)
You can file a complaint with your national data protection authority if you believe we've violated your rights.
To exercise any of these rights, please contact us at support@bookable.fi. We will respond to your request within 30 days.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
Encryption: HTTPS/TLS for all data in transit; encryption at rest via Supabase
Authentication: Strong password requirements, OAuth 2.0, multi-factor authentication options
Access Controls: Row Level Security (RLS) policies, role-based access
Session Management: JWT tokens with 72-hour expiry and auto-refresh
Audit Logging: Tracking of admin actions and sensitive operations
Regular Reviews: Periodic security audits and vulnerability assessments
11. Cookies and Tracking
We use cookies to provide and improve our services. You can manage your cookie preferences via the cookie consent banner that appears on your first visit. Cookie categories:
Necessary Cookies: Essential for authentication and core functionality (cannot be disabled)
Functional Cookies: Remember your preferences like language and layout
Analytics Cookies: Help us understand usage patterns (requires consent)
Marketing Cookies: Show relevant promotions (requires consent)
For more details, see our Cookie Policy.
12. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or a prominent notice on our platform. Your continued use of our services after such notification constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Data Protection Officer / Privacy Team
Email: support@bookable.fi
Phone: +358 445405927
This Privacy Policy is compliant with GDPR (Regulation (EU) 2016/679) and other applicable data protection laws. Last reviewed: 12/10/2025.