Privacy Policy
Last updated: March 2026
BuukMark OÜ ("BuukMark", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and Estonian data protection law.
1. Who We Are
BuukMark OÜ is an Estonian private limited company providing online booking and scheduling software as a service (SaaS).
Data Controller: BuukMark OÜ, registered in Estonia.
Contact: privacy@buukmark.com
2. Data We Collect
2.1 Account holders (businesses using BuukMark)
- Name, email address, and password (hashed)
- Business name, phone number, and address
- Billing information (handled by Stripe — we never store card numbers)
- Usage data: pages visited, features used, session timestamps
2.2 End customers (people making bookings)
- Full name, email address, and phone number (if provided)
- Booking details: date, time, service, assigned staff member
- Notes or special requests submitted at booking
- Booking history and visit count
2.3 Automatically collected data
- IP addresses (used for rate limiting and fraud prevention)
- Error logs and crash reports (via Sentry)
3. How We Use Your Data
- To provide the service: processing bookings, managing schedules, sending confirmation and reminder notifications
- To communicate with you: transactional emails (booking confirmations, rejections, reminders) via Resend; SMS reminders via Twilio
- To process payments: subscription billing via Stripe
- To improve reliability: error monitoring and performance tracking via Sentry
- To comply with legal obligations: retaining billing records as required by Estonian accounting law
4. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): processing necessary to deliver the booking service you signed up for
- Legitimate interests (Art. 6(1)(f)): fraud prevention, security monitoring, service improvement
- Legal obligation (Art. 6(1)(c)): retaining financial records for tax and accounting purposes
- Consent (Art. 6(1)(a)): where you have explicitly opted in to marketing communications
5. Third-Party Services
We share data only with trusted processors required to deliver the service. All processors are GDPR-compliant.
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing & subscriptions | Name, email, billing info |
| Resend | Transactional email delivery | Name, email, booking details |
| Twilio | SMS appointment reminders | Phone number, booking details |
| Vercel | Application hosting | All app data (encrypted at rest) |
| Supabase / PostgreSQL | Database storage | All app data (encrypted at rest) |
| Sentry | Error monitoring | Anonymised error reports, IP address |
| Inngest | Background job processing | Booking event data |
We do not sell your personal data to any third party.
6. Data Retention
- Account data: retained for the duration of your subscription plus 2 years after closure, unless you request earlier deletion
- Booking data: retained for 3 years for business analytics and legal compliance
- Billing records: retained for 7 years as required by Estonian accounting law
- Error logs: retained for 90 days in Sentry
7. Your Rights Under GDPR
As a data subject, you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your data ("right to be forgotten") where no legal obligation requires us to keep it
- Portability: receive your data in a structured, machine-readable format
- Restriction: request we limit processing of your data in certain circumstances
- Objection: object to processing based on legitimate interests
- Withdraw consent: where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at privacy@buukmark.com. We will respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (AKI).
8. Cookies
BuukMark uses a minimal set of cookies:
- Session cookie: required to keep you logged in (HttpOnly, Secure, expires on session end)
- No third-party advertising cookies — we do not use Google Analytics, Facebook Pixel, or similar tracking tools
9. Security
We take appropriate technical and organisational measures to protect your data, including:
- All data transmitted over HTTPS/TLS
- Passwords stored using bcrypt hashing (never in plain text)
- Database encrypted at rest
- Access restricted to authorised personnel only
- Regular security monitoring via Sentry
10. International Data Transfers
Some of our processors operate servers outside the EEA (e.g. Twilio in the US). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission, or by relying on the EU–US Data Privacy Framework where applicable.
11. Changes to This Policy
We may update this policy from time to time. We will notify account holders of material changes by email at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance of the updated policy.
12. Contact
For any questions about this policy or your data, contact us at: