Privacy Policy
(for the Bookcessful.com booking system)
Effective date: 2026-02-20
This Privacy Policy describes how the operator (Controller)
of the Bookcessful.com booking system (Service) processes
personal data.
1. Controller
Controller:
The company operating the Service
Klick Team Kft.
1045 Budapest, Széchenyi tér 10.
01 09 423745
27059021241
hello@bookcessful.com
2. Purpose of processing
Data is processed to operate the Service securely and reliably, in
particular for:
- Creating and managing user accounts
- Operating the booking system
  – for administrators
  – for customers making a booking
- Providing sign-in and access control
- Maintaining contact (notifications, system messages)
- Providing security functions (password, session handling, audit
  mechanisms)
- Google Calendar integration and synchronization
Google OAuth is used only to connect a user's Google Calendar to
their account in our appointment booking admin interface. After
explicit consent, the application receives OAuth tokens and uses
the https://www.googleapis.com/auth/calendar.events scope to
create, update, and delete booking-related calendar events, and to
keep availability synchronized between our system and Google
Calendar. OAuth is not used for “Sign in with Google”; it is used
exclusively for calendar integration and scheduling sync.
3. Personal data processed
Processing is limited to the fields stored in the Service’s
users table:
| Field | Content | Purpose of processing |
| --- | --- | --- |
| id | Technical identifier | User identification |
| name | Full name (optional) | User and admin identification; supporting billing and communication processes |
| email | Email address | Login, booking notifications |
| email_verified_at | Verification timestamp | Security and authentication |
| password | Encrypted password | Account login |
| phone | Phone number (optional) | Contact, booking notifications |
| is_admin_global | Admin privilege flag | Managing admin permissions |
| remember_token | Token enabling automatic sign-in | Convenience feature, login session |
| created_at / updated_at | Creation and modification timestamps | Technical logging, security audit |
The Service does not process special categories of personal
data.
4. Legal basis
Under Article 6(1) GDPR:
- Contract performance – data essential to use the Service;
- Legitimate interest – system security and abuse prevention;
- Legal obligation – e.g. invoicing, accounting;
- Consent – optional data (e.g. phone number).
5. Processors
Processors are third parties engaged for the technical operation of
the Service (e.g. hosting, email).
Processors act only under documented agreements and in compliance
with GDPR.
- Google (Google Calendar API) – calendar integration provider;
  shared personal data: Google Calendar event data required for
  user-requested calendar operations (create, update, delete,
  sync);
  purpose: performing calendar actions explicitly requested by the
  user. Google user data is not sold, shared, transferred to third
  parties/processors, or used for advertising, and is disclosed
  only if required by applicable law, regulation, legal process,
  or enforceable governmental request.
- Barion – online card payment gateway;
  shared personal data: name, email address, billing details,
  transaction amount and payment identifier;
  purpose: processing and confirmation of online card payments,
  fraud prevention, and transaction security.
- szamlazz.hu – online invoicing provider;
  shared personal data: name, billing name/address, tax ID (if
  applicable), email address, purchased service details and
  invoice data;
  purpose: issuing invoices and fulfilling accounting/legal
  obligations.
- Postal – open-source email platform;
  shared personal data: name and email address, and message
  metadata required for delivery (e.g. sending date, status);
  purpose: sending transactional emails (such as booking
  confirmations and system notifications) and ensuring
  deliverability.
6. Storage period
- While the user account is active: all data is retained.
- After account deletion: personal data is permanently deleted
  within 30 days, except for data retained for accounting
  obligations.
- Security logs: maximum 12 months.
7. Access to data
Access to personal data is restricted to:
- authorised staff of the Controller (administrators),
- processors (technical providers),
- the data subject personally.
Access is role- and account-based within the Service.
8. Security measures
The Service protects personal data through multiple layers:
- passwords stored with bcrypt hashing;
- HTTPS encryption;
- access control (admin privileges, tokens);
- logging and audit functions;
- regular updates and vulnerability management.
9. Data subject rights
The data subject has the right to:
- receive information about processing;
- request access to their data;
- request rectification or erasure;
- request restriction of processing;
- data portability;
- object to processing based on legitimate interest.
Requests can be submitted to the Controller’s email address.
10. Remedies
In case of complaints, the data subject may contact:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11.
Web: www.naih.hu
11. Other provisions
The Controller reserves the right to modify this Privacy Policy.
Changes take effect upon publication within the Service.