Privacy Policy

1. Who are we?

GlowBook is an online booking platform for beauty and wellness professionals, established in Belgium. We act as a processor of personal data on behalf of the practitioner (the controller) who uses our software. For questions about your data, please contact us at [email protected].

2. What data do we collect?

We process the following personal data:

• Practitioner account details: name, email address, business name, telephone number
• Client details: first name, surname, email address, telephone number, WhatsApp number, date of birth
• Appointment details: date, time, type of treatment, price, status, notes
• Intake forms: answers to health and preference questions
• Payment details: payment status and transaction IDs (full payment card details are processed solely by Stripe)
• Technical data: IP address, browser type (for functional purposes only)

3. Why do we process this data?

• To manage and schedule appointments
• To send confirmations and reminders (email and WhatsApp)
• To process payments and deposits
• To maintain a client history for the practitioner
• To improve our services

4. Legal basis

We process personal data on the following grounds:

• Performance of a contract (Art. 6(1)(b) GDPR): necessary for booking and managing appointments
• Legitimate interest (Art. 6(1)(f) GDPR): sending reminders and improving our service
• Consent (Art. 6(1)(a) GDPR): for marketing communications (you may withdraw this consent at any time)

5. Retention period

We retain personal data for as long as your account is active, plus a period of 2 years after the account is closed. After this period, your data is permanently deleted, unless a longer retention obligation applies under the law.

Data obtained via Google OAuth (see section 12) is an exception to the above retention period: it is immediately and permanently deleted as soon as you disconnect the link with Google, with no 2-year retention period.

6. Sharing with third parties

We share personal data only with the following parties:

• Stripe (Stripe, Inc.) — for processing payments and deposits
• Meta / WhatsApp Business (Meta Platforms, Inc.) — for sending WhatsApp reminders and confirmations
• Email delivery — emails are sent from our own mail server within the EU (Hetzner, Germany); there are no external email sub-processors
• Google (Google LLC) — solely for the optional "Sign in with Google" feature and Google Calendar synchronisation. See section 12 for details

We have concluded data-processing agreements with all these parties. We never sell your data to third parties.

7. Your rights

Under the GDPR, you have the following rights:

• Right of access (Art. 15): you may request which data we process about you
• Right to rectification (Art. 16): you may have inaccurate data corrected
• Right to erasure (Art. 17): you may request that your data be deleted
• Right to data portability (Art. 20): you may receive your data in a structured format
• Right to object (Art. 21): you may object to the processing of your data
• Right to restriction (Art. 18): you may request that processing be restricted

To exercise your rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. Cookies

GlowBook uses functional cookies only, which are necessary for the operation of the website (e.g. session cookies and cookie-consent preferences). We do not use tracking or analytics cookies.

9. Location of data

All our servers, databases and mail server are located within the European Union (EU). Some sub-processors (Stripe, Meta) may process data outside the EU, but do so on the basis of adequacy decisions or Standard Contractual Clauses (SCCs).

10. Security

We take appropriate technical and organisational measures to protect your data, including encryption of data in transit (TLS) and at rest, access controls and regular security audits.

11. Lodging a complaint

If you have a complaint about the processing of your personal data, you may contact the Belgian Data Protection Authority (GBA):

12. Google OAuth and Google Calendar

GlowBook offers two optional features that use Google OAuth. Both require your explicit consent via the official Google consent screen. You can disconnect the link at any time via Settings → Google Calendar.

Sign in with Google — When you choose to sign in with Google, we receive only your name, email address and Google account ID (scopes: openid, email, profile). This data is used solely to create your GlowBook account and to authenticate you. We do not share this data with third parties and do not use it for profiling, advertising or the training of machine-learning models.

Google Calendar synchronisation — If you connect Google Calendar (scope: https://www.googleapis.com/auth/calendar.events), GlowBook reads and writes appointments solely in your primary calendar ("primary") in order to detect conflicts and synchronise your GlowBook appointments. We do not read other users' calendars, do not modify events we did not create ourselves, and never use calendar data for advertising, analytics or the training of AI models. This use fully complies with the Google API Services User Data Policy, including the Limited Use requirements.

Storage and security — Access and refresh tokens are stored encrypted (AES-256) in our database within the EU. Only the server-side processes linked to your account can decrypt them.

Disconnecting — When you disconnect the Google link, (1) the watch channel with Google is stopped, (2) the refresh token is explicitly revoked with Google via oauth2.googleapis.com/revoke, and (3) all locally stored tokens and sync state are immediately deleted. You may also revoke access yourself at any time via myaccount.google.com/permissions.

13. Changes

We may update this privacy policy from time to time. Changes will be published on this page. We recommend that you consult this policy regularly.