Privacy Policy

Last updated: 2026-04-19

1. Who we are

EverBooking is a booking platform operated by Uxtra Creatives ("we", "us"). We provide appointment booking software as a managed service to our business clients ("Clients"). End customers booking through a Client's widget are the Client's data subjects; we process their data as a processor on the Client's behalf.

Contact: [email protected]

2. What we collect

From Clients (platform users): business name, contact email, hashed API keys, Google OAuth tokens (encrypted at rest), working hours, service definitions, subscription and billing metadata, and audit logs of actions taken in the admin dashboard.

From end customers (booking widget users): name, email, phone (if provided), timezone, booking times, any custom fields the Client configures. We store these only to deliver the booking, reminders, and cancellation notifications.

Inquiries (marketing site): name, email, company, phone (optional), and message text submitted via the contact form. Used only to respond to your inquiry.

Technical: IP address, user agent, and request timestamps for security, rate limiting, and fraud detection. Retained for 90 days unless tied to an open security investigation.

3. Cookies & similar technologies

The marketing site uses a cookie consent banner. Essential cookies (session, CSRF) are set only after a Client signs in. Analytics and marketing cookies are disabled by default and only activate with explicit consent. The embedded booking widget does not set cookies — it uses short-lived sessionStorage only for the booking flow.

4. Legal basis

  • Contract (GDPR Art. 6(1)(b)): delivering the booking service.
  • Legitimate interests (Art. 6(1)(f)): security, rate limiting, improving the product.
  • Consent (Art. 6(1)(a)): non-essential cookies, marketing emails.
  • Legal obligation (Art. 6(1)(c)): tax and accounting record-keeping.

5. Sub-processors

We use the following sub-processors:

  • Google Cloud / Workspace — OAuth & Calendar sync (data resides in the Google region you authorize)
  • Postmark — transactional email delivery (US)
  • Twilio — SMS delivery (US; used only if SMS is enabled on your plan)
  • Stripe — payment processing (optional; used only for Clients on a self-service billing path)
  • Cloudflare — DNS, DDoS protection, edge caching for static assets
  • Self-hosted infrastructure — PostgreSQL database and application server, hosted in the EU

A current sub-processor list with DPAs is available in our Data Processing Addendum.

6. Retention

  Data                          Retention
  Active booking records        Life of account + 30 days
  Audit logs                    12 months, then aggregated
  Inquiry submissions           24 months or until converted to an account
  Invoices / billing records    7 years (legal obligation)
  Request logs (IP, UA)         90 days

7. Your rights

If you are in the EU/UK, you have the right to access, correct, delete, restrict, or port your personal data. End customers should contact the Client directly; the Client can issue a request to us on your behalf. You can also object to processing based on legitimate interests and lodge a complaint with your local supervisory authority.

For Clients (admin dashboard users): You can exercise your rights directly through your account:

  • Data export: POST /api/gdpr/export — returns a complete JSON export of all data associated with your account (rate limited: 1 per 24 hours).
  • Data erasure: POST /api/gdpr/erase — anonymizes all personal data while preserving booking records for legal compliance (rate limited: 1 per 24 hours).

For end customers: Contact the business you booked with directly. They can submit a request to us on your behalf.

To submit a request by email: [email protected]. We respond within 30 days.

8. International transfers

Some sub-processors are located in the US. Where data leaves the EU/UK we rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

9. Security

OAuth tokens are encrypted with AES-256-GCM at rest. API keys are stored hashed (SHA-256 keyed with a server-side pepper, so a copy of the database alone is not enough to verify a guessed key). All traffic in transit uses TLS 1.2 or higher. We maintain audit logs of every significant action. Full technical details are in our DPA.
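The API-key storage scheme described above, as an added illustration rather than EverBooking's own code: the key is never stored, only an HMAC-SHA256 of it keyed with a pepper that lives outside the database, and verification uses a constant-time comparison. The key prefix, pepper value and function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for the example. In production it is loaded from a KMS or
# environment secret and is never stored in the same database as the hashes.
PEPPER = bytes.fromhex("6f2a9c1d4b7e8f0a1c3d5e7f9b2d4f6a8c0e2a4c6e8f0b1d3f5a7c9e1b3d5f7a")


def generate_api_key() -> str:
    """Return a new random API key; this is the only time the plaintext exists."""
    return "evb_" + secrets.token_urlsafe(32)  # "evb_" prefix is an assumption


def hash_api_key(key: str, pepper: bytes = PEPPER) -> str:
    """Peppered SHA-256: HMAC(pepper, key), hex-encoded for storage."""
    return hmac.new(pepper, key.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_api_key(presented: str, stored_hash: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the peppered hash and compare in constant time."""
    return hmac.compare_digest(hash_api_key(presented, pepper), stored_hash)


def demo() -> dict:
    """Issue a key, store only its hash, then check the verification properties."""
    key = generate_api_key()
    stored = hash_api_key(key)  # this string is what lands in the database
    return {
        "hash_len": len(stored),
        "correct_key_verifies": verify_api_key(key, stored),
        "wrong_key_rejected": not verify_api_key(key + "x", stored),
        # An attacker holding the database dump but not the pepper cannot
        # recompute matching hashes, so offline guessing fails.
        "wrong_pepper_rejected": not verify_api_key(key, stored, pepper=b"leaked-db-no-pepper"),
    }


if __name__ == "__main__":
    print(demo())
```

The pepper only helps if it is stored separately from the hashes; rotating it requires re-issuing keys, since the plaintext is not retained.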

10. Changes

Material changes are notified by email to Clients at least 30 days before they take effect. This page always shows the current version and last-updated date.