Privacy Policy

Last updated: 18 March 2026

Who we are

Basil Bookings is a scheduling and payments platform for solo service providers, operated from Stamford, United Kingdom. When this policy refers to "we", "us", or "our", it means Basil Bookings.

What data we collect

We only collect data that is necessary to provide the service. We do not use analytics, tracking pixels, or advertising cookies.

Account information

  • Email address
  • First name and last name
  • Business name and business address
  • Booking page slug (your unique URL identifier)
  • Business logo (if uploaded)

Services and availability

  • Service names, descriptions, durations, prices, and currencies
  • Availability windows (day of week, start time, end time)

Booking information from your clients

  • Client name and email address
  • Selected service, date, and time slot
  • Optional notes
  • Payment status and payment identifiers

Payment credentials

  • Your Stripe API key and webhook secret, which are encrypted at rest using AES-256-GCM and only decrypted in memory when processing a payment

How we use your data

  • To display your public booking page so clients can book your services
  • To process payments through your connected Stripe account
  • To send you authentication emails (magic links) so you can sign in
  • To send booking confirmation emails to you and your clients
  • To manage your subscription to Basil Bookings
  • To notify you when a subscription payment fails

Authentication

We use passwordless magic link authentication. When you sign in, we send a one-time link to your email that expires after 15 minutes. We do not store passwords. Magic link tokens are hashed with SHA-256 before storage. A session token is stored in your browser's local storage and sent with each request. You can revoke it at any time by logging out.

Third-party services

We share data with the following services only as needed to operate the platform:

Stripe

We use Stripe to process subscription payments for your Basil Bookings account, and to process booking payments on your behalf through your own Stripe account. Data shared with Stripe includes your name, email address, booking amounts, currency, and your client's email address. Stripe's privacy policy is available at stripe.com/privacy.

Mailgun

We use Mailgun's EU infrastructure to send transactional emails, including magic link sign-in emails, booking confirmation emails, booking notification emails, and payment failure notifications. Data shared with Mailgun includes recipient email addresses, names, and email content. Mailgun's privacy policy is available at mailgun.com/legal/privacy-policy.

Cookies and tracking

We do not use cookies, tracking pixels, or third-party analytics on our marketing site or application. The only client-side data we store is your authentication token in local storage, which is removed when you log out.

Data security

  • Stripe API keys and webhook secrets are encrypted at rest using AES-256-GCM
  • Authentication tokens are cryptographically random and magic link tokens are hashed with SHA-256 before storage
  • All connections to third-party services use HTTPS
  • Email is sent via Mailgun's EU infrastructure

Data retention

Your account data and booking records are retained for as long as your account is active. Magic link tokens expire after 15 minutes and are marked as used once redeemed. If you wish to have your data deleted, please contact us and we will remove your account and associated data.

Your rights

Under UK data protection law, you have the right to access, correct, or delete your personal data. You may also request a copy of the data we hold about you. To exercise any of these rights, contact us at the address below.

Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page.

Contact

If you have questions about this privacy policy or how we handle your data, please email us at support@basilbookings.com.