Privacy Policy
Last updated 13 July 2026
This policy explains what personal data ISZ Booking ("we", "the platform") collects, why we collect it, who we share it with, and what rights you have over it. It covers both businesses who run their booking operations on the platform and clients who book appointments through it.
Our Two Roles
ISZ Booking is a platform that independent businesses use to take bookings. That means we handle personal data in two different capacities, and it matters which one applies to you:
- As a controller — for the accounts of businesses that sign up with us, and for the operation and security of the platform itself. Here we decide what data is collected and why.
- As a processor — for the client and appointment records a business stores in its own workspace. That data belongs to the business; we only hold and process it on their instructions. If you booked an appointment with a business, that business is the controller of your booking, and requests about it are best directed to them.
Information We Collect
Business account data. When you register a business, we collect your name, email address, password (stored only as a salted hash — never in readable form), business name, your chosen language and locale, and your subscription and billing status.
Client and booking data. When an appointment is booked, we store the client's name, email address, phone number, the service and provider selected, the appointment time, and any notes or answers submitted through the booking form. This data is stored in the workspace of the business you booked with.
Payment data. Card payments are handled entirely by our payment provider. Full card numbers never reach our servers and we never store them. We keep only the customer and subscription identifiers the provider returns to us, so we can tell what plan an account is on.
Technical and usage data. To keep accounts secure and the service working, we record login activity, session information, IP addresses, and basic page-visit data.
How We Use Your Information
- To create and confirm bookings, and to send confirmations, reminders, and change or cancellation notices by email and — where a business has enabled it — by SMS.
- To operate business accounts: authentication, subscription billing, plan limits, and support.
- To keep the platform secure — detecting abuse, preventing fraudulent sign-ups, and investigating suspicious logins.
- To improve the service by understanding which features are actually used.
- To meet our legal, tax, and accounting obligations.
We do not sell your personal data, and we do not use it to build advertising profiles.
Who We Share It With
We share data only with the service providers we need in order to run the platform, and only to the extent required:
- Stripe — to process subscription payments and, where a business has enabled it, booking payments.
- Twilio — to deliver SMS appointment reminders, when a business has turned SMS on.
- Google — to sync confirmed appointments to a provider's calendar when they have connected it (see Google User Data below), and to run reCAPTCHA on public forms to block automated abuse.
- Our email delivery provider — to send transactional email such as booking confirmations and password resets.
- Our hosting provider — which stores the platform's data on our behalf.
Each of these providers processes data under its own privacy terms. We may also disclose data where we are legally required to, or where it is necessary to protect our rights or the safety of our users.
Google User Data
Google Calendar sync is an optional feature. It is off by default, and it affects only service providers who choose to connect their own Google account. Clients booking appointments are never asked to connect a Google account. If a provider never connects one, we never access any Google user data belonging to them.
What we ask for. When a provider connects their calendar, we request the Google Calendar events scope (https://www.googleapis.com/auth/calendar.events) — the narrowest scope that lets us do the job. It allows us to read their existing commitments and to write their bookings back as calendar events. It does not let us create, delete, or share entire calendars, and we never do so.
What we access and why.
- Reading events — we read the events in the provider's calendar for a limited window ahead (currently the next 14 days) so that times when they are already busy are blocked out and cannot be double-booked by a client.
- Writing events — when a booking is made, changed, or cancelled on the platform, we create, update, or delete the matching event in that calendar.
- Creating a Google Meet link — for services the business has marked as online, we ask Google to attach a Meet conference to the event it creates, and we pass that link on to the client in their confirmation email.
What we store. We store the OAuth access and refresh tokens Google issues us, encrypted at rest. For each existing event we read, we store its event ID, its start and end times, and its title, which is used to label the blocked period in the provider's own schedule so they can see what the conflict is. For each event we create from a booking, we store the Google event ID so we can keep the two in sync. We do not copy across attendees, descriptions, attachments, or any other event content.
What we never do. We do not use Google user data for advertising, we do not sell it, we do not transfer it to third parties except as needed to provide the calendar sync feature itself, and we do not use it to train generalised artificial intelligence or machine learning models. No human at ISZ Booking reads your Google Calendar data, except where you have given explicit consent, where it is necessary for security purposes such as investigating abuse, or where the law requires it.
How to revoke access. A provider can disconnect their calendar at any time from their calendar settings on the platform, which deletes the stored tokens immediately and stops all further access. Access can also be revoked directly from your Google Account at myaccount.google.com/permissions.
Limited Use. ISZ Booking's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Cookies
We use cookies that are strictly necessary to run the platform: keeping you signed in, protecting forms against cross-site request forgery, and remembering your language choice. If reCAPTCHA is enabled on a form, Google may set its own cookies under its policy. We do not use advertising or cross-site tracking cookies. Blocking essential cookies in your browser will prevent core features such as signing in from working.
Data Retention
We keep account and booking data for as long as the account is active, so that businesses retain their appointment history. When a business closes its account, its workspace data is deleted or anonymised, except where we must retain records — invoices and payment records, for example — to satisfy legal and tax obligations. Security logs are kept for a limited period and then discarded.
Your Rights
Depending on where you live, you may have the right to access the personal data we hold about you, correct it if it is wrong, have it deleted, restrict or object to how we use it, and receive a copy in a portable format. You can exercise these rights through our contact form, and we will respond within the period required by applicable law.
If your data relates to an appointment you booked with a business on this platform, that business controls it. We will pass your request on to them, but they are best placed to act on it directly.
Security
Traffic to the platform is encrypted in transit. Passwords are stored only as salted hashes. Access to production data is restricted to the personnel who need it to operate the service. No system can be guaranteed perfectly secure, but if a breach ever affects your personal data we will notify you and the relevant authorities as the law requires.
Children
The platform is not intended for children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
International Transfers
The providers listed above may process data in countries other than your own. Where data is transferred out of your region, we rely on the safeguards those providers have in place, such as standard contractual clauses.
Changes to This Policy
We may update this policy as the service evolves. The "last updated" date at the top of this page always reflects the current version, and we will give notice of material changes through the platform or by email.
Contact
Questions about this policy, or about the data we hold on you? Reach us through our contact page.