TaanBook · Legal

Privacy Policy

Effective date: June 20, 2026

Questions or requests? privacy@taanbook.com

1. Who we are

TaanBook (“TaanBook”, “we”, “us”, or “our”) operates the scheduling and appointment management platform available at taanbook.com and its sub-paths. Our registered address is on file at the relevant trade registry and available upon written request.

Two roles, one platform. When you create a TaanBook account (a “business”), we are the data controller of the personal data you provide to us. When your clients book appointments through your TaanBook booking page, you (the business) are the data controller and TaanBook acts as your data processor under a Data Processing Agreement incorporated by reference into our Terms of Service.

This policy covers both roles. Section 7 addresses international data transfers applicable to both.

2. Data we collect

2.1 Business account holders

  • Identity & contact: name, email address, and optional profile information provided during registration.
  • Business information: business name, sector, slug, timezone, locale, brand color, and logo.
  • Subscription & billing: plan level; payment card details are processed and stored exclusively by Stripe — we never see or store raw card data.
  • Google Calendar tokens (Pro plan only, when connected): OAuth 2.0 access and refresh tokens for two-way calendar synchronisation.
  • Usage data: log data, IP addresses, browser type, pages visited, and actions taken inside the dashboard (to detect abuse and improve the product).

2.2 Appointment clients (data subjects booking through your page)

  • Name, email address, and optional phone number provided at booking time.
  • Appointment history and service selections.
  • Sector-specific fields optionally added by the business (e.g. medical history for a clinic, pet name for a grooming service). Health data and other special-category data is encrypted at rest. See Section 9.
  • Internal notes and tags added by business staff.
  • Payment deposit status (where a deposit was collected). Card details are processed by Stripe; we store only the payment intent status.

2.3 Visitors to taanbook.com

Standard server and CDN logs (IP address, browser, referrer, page path) retained for up to 90 days for security and performance monitoring. We do not run behavioural advertising trackers.

3. How we use your data

Purpose | Legal basis (GDPR Art. 6)
Providing and operating the platform | Performance of contract (6.1.b)
Processing subscription payments via Stripe | Performance of contract (6.1.b)
Sending transactional emails (booking confirmations, reminders) | Performance of contract (6.1.b)
Syncing with Google Calendar (Pro plan) | Performance of contract / Consent (6.1.b / 6.1.a)
Security monitoring and fraud prevention | Legitimate interests (6.1.f)
Product analytics and improvement | Legitimate interests (6.1.f)
Responding to support and legal requests | Legal obligation (6.1.c)
Sending product updates (can be opted out) | Legitimate interests (6.1.f)

We never sell your personal data. We do not use your data for automated individual decision-making with legal or similarly significant effects (GDPR Art. 22).

4. Data retention

  • Business accounts: retained for as long as your account is active. Upon account deletion we erase personal data within 60 days, except where retention is required by law (e.g. financial records, typically 7 years in most jurisdictions).
  • Appointment data — Free plan: appointment history older than 6 months is automatically deleted (a system limitation tied to the Free plan).
  • Appointment data — Pro plan: retained indefinitely until you delete the record or account.
  • Server logs: 90 days.
  • Billing records: as required by applicable tax law (minimum 5–7 years in most jurisdictions).

5. Who we share your data with

We use the following sub-processors. All are bound by data processing agreements and appropriate safeguards:

Processor | Purpose | Location
Stripe | Payment processing & subscription billing | USA (SCCs)
Resend | Transactional email delivery | USA (SCCs)
Cloudinary | File & image storage (logos, attachments) | USA (SCCs)
Vercel | Application hosting & CDN | USA + EU edge (SCCs)
Neon / Supabase | PostgreSQL managed database | EU-West or configurable
Google LLC | Calendar sync (Pro plan, when connected) | USA (SCCs)

We may also disclose data to law enforcement or regulatory authorities when required by law, court order, or to protect the rights, property, or safety of TaanBook, our users, or the public.

6. International data transfers

TaanBook operates globally. When we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries without an adequacy decision (such as the United States), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal transfer mechanism (GDPR Art. 46.2.c). Our key sub-processors are covered by EU–US Data Privacy Framework participation or SCCs.

Brazilian residents: transfers outside Brazil are carried out with appropriate safeguards per LGPD Art. 33–36, including standard contractual clauses.

You can request a copy of the applicable transfer safeguards by emailing privacy@taanbook.com.

7. Your rights

Depending on your location, you have the following rights regarding your personal data. Submit any request via our Data Subject Request form or email privacy@taanbook.com. We respond within 30 days.

EU / EEA / UK — GDPR & UK GDPR

  • Access (Art. 15): Obtain a copy of your personal data.
  • Rectification (Art. 16): Correct inaccurate data.
  • Erasure (Art. 17): Request deletion (“right to be forgotten”).
  • Restriction (Art. 18): Limit how we process your data.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Object (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw at any time.
  • Lodge a complaint: You have the right to lodge a complaint with your national supervisory authority (e.g. the AEPD in Spain, the ICO in the UK, the CNIL in France, the BfDI in Germany).

California — CCPA / CPRA

  • Know: Request disclosure of categories and specific pieces of personal information collected.
  • Delete: Request deletion of personal information.
  • Opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioural advertising.
  • Non-discrimination: We will not discriminate against you for exercising these rights.
  • Correction: Request correction of inaccurate personal information.

Brazil — LGPD

  • Access to, correction of, and deletion of your personal data (Art. 18).
  • Portability of your data to another service provider.
  • Information about the possibility of not providing consent and the consequences.
  • Revocation of consent at any time (Art. 8.5).
  • Complaint to the ANPD (Autoridade Nacional de Proteção de Dados).

Canada — PIPEDA & provincial laws

You may request access to, and correction of, your personal information held by us. Complaints may be directed to the Office of the Privacy Commissioner of Canada.

Other jurisdictions (PDPA, APPI, POPIA, etc.)

Where local data protection laws grant additional rights (Thailand PDPA, Japan APPI, Singapore PDPA, South Africa POPIA, and others), we honour those rights to the extent technically feasible. Contact us at privacy@taanbook.com.

8. Cookies

We use cookies and similar technologies. See our Cookie Policy for a full list and how to manage your preferences.

9. Health and special-category data

Some business sectors (clinics, wellness, physiotherapy, psychology, nutrition) collect health-related information about their clients. This data constitutes special-category personal data under GDPR Art. 9 and equivalent provisions in other jurisdictions.

Where such data is processed through TaanBook, it is encrypted at rest using AES-256. Businesses that collect health data are responsible for obtaining an appropriate legal basis (explicit consent under GDPR Art. 9.2.a or, where applicable, Art. 9.2.h for healthcare) and must inform their clients accordingly.

10. Children's privacy

TaanBook is not directed to children under 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child's data has been submitted in error, contact us at privacy@taanbook.com and we will delete it promptly.

11. Security

We implement appropriate technical and organisational measures including TLS encryption in transit, AES-256 encryption at rest for sensitive fields, access controls and audit logs, and routine security reviews. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify registered business accounts by email at least 14 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact & DPA

For privacy-related enquiries, data subject requests, or to request a copy of our Data Processing Agreement:

EU/UK users have the right to lodge a complaint with their national data protection authority if they are not satisfied with our response.
