1. Data Controller Roles
Bokko is an online appointment request and booking management platform for personal service providers. The system handles two distinct data processing scenarios:
- Service Provider Accounts and Platform Operation: Bokko is an independent data controller regarding provider account data, access credentials, technical and security logs.
- Guest Bookings: The primary business purpose of the booking data provided by guests is to enable the selected service provider to manage the request. Regarding guest booking data, the service provider is the data controller, and Bokko acts as a data processor. Exceptions include cases where Bokko has independent decision-making authority for platform security, abuse prevention, or legal compliance purposes — in these cases, Bokko acts as an independent data controller.
- Platform-level Processing: Bokko may perform certain processing operations as an independent data controller for the purposes of operating, developing the service, and fulfilling the billing relationship. Where Bokko uses data for statistical or development purposes, such processing is performed in an anonymized format that cannot be traced back to the data subject.
The allocation of roles between Bokko and the service providers is recorded in a Data Processing Agreement (DPA) under Article 28 of the GDPR, which forms part of Bokko's Service Agreement. The subject of the agreement is the processing of guest booking data, its duration lasts for the term of the contractual relationship, the data categories and data subjects are listed in Section 2 of this policy, and the right to issue instructions belongs to the service provider. Bokko does not make business decisions regarding the specific terms and content of the service provided; however, it independently performs the technical processing operations necessary for the platform's operation. Therefore, regarding guest booking data, the service provider is the data controller.
Open Beta Operation. Bokko is currently in its Open Beta phase, operated by a private individual; company formation is planned, the date is not yet fixed. Operator's basic data according to Act CVIII of 2001 (Ektv.):
Operator: Dávid Mácsik (private individual)
Address: 7100 Szekszárd, Fürdőház utca 1, Hungary
Electronic contact: [email protected]
Information regarding the hosting provider is available on the Imprint & Contact page.
1a. Data Processing Principles (GDPR Article 5)
When processing personal data, Bokko applies the following principles set out in Article 5 of the GDPR:
- Lawfulness, fairness and transparency — every processing activity is based on a legal basis (typically GDPR Art. 6(1)(a), (b), (c) or (f); see Section 3), and is transparently documented for the data subject.
- Purpose limitation — personal data is collected only for specified, explicit and legitimate purposes, and is not further processed in a manner incompatible with those purposes.
- Data minimisation — the scope of processed data is limited to what is necessary for the processing purpose; that is why the minimum mandatory booking data (name, email address) and the optionality of every additional data field are explicitly indicated in Section 2.
- Accuracy — inaccurate data is rectified or erased without delay upon request (see Section 6, data subject rights).
- Storage limitation — data is stored only for as long as necessary for the processing purpose. Detailed per-data-category retention periods are set out in Section 5 and in the Retention and Deletion Policy.
- Integrity and confidentiality — the security of personal data is protected by appropriate technical and organisational measures (see Section 8).
- Accountability — every processing activity is documented; compliance can be demonstrated (processor records, sub-processor list, retention-jobs audit, consent log).
2. Scope of Processed Data
Based on current application logic, Bokko processes the following data.
| Data Subjects | Data Category | Notes |
|---|---|---|
| Guests | Name, email address, optional phone number, optional note | Provided in the booking form. Mandatory: name and email address (the booking confirmation is sent by email). Optional: phone number (only processed if the guest provides it; required for SMS reminders) and note. |
| Guests | Requested service, preferred or confirmed date and time, booking status | Required for recording, managing, and confirming the booking request. |
| Guests | Notification and event log data | SMS/email sending times, status changes, replies, delivery metadata. |
| Guests | Data related to token-based response and cancellation links | For accepting/declining reschedule proposals and other guest-side operations. |
| Guests | Technical and transactional metadata related to online payments, deposits, card guarantees, and refunds | Processed only if the specific service provider activates online payment features. |
| Guests | Billing data | Name, company name, tax ID, address, and billing email, if the guest requests an invoice. |
| Guests | Browser-side stored data | Consent state, language and appearance preferences, and pre-filling of name/email in the booking form. |
| Service Providers | Email address, Firebase ID, provider details | For logging in and using the dashboard. |
| Service Providers | Two-factor authentication (TOTP/MFA) metadata | If activated: TOTP secret and encrypted recovery code hashes, timestamps of last successful/failed login attempts. The secret itself is never decrypted for purposes other than authentication. |
| Service Providers | Provider name, slug, phone number, address, business hours, notification email | For operating the public booking page and notifications. |
| Guests / Providers | Google Calendar event data (guest name, service name, time) | When optional Google Calendar synchronization is enabled, Bokko uses the Google Calendar API exclusively to: (a) create, update, and delete booking events it has written to the connected calendar; (b) retrieve the user's calendar list for synchronization settings; (c) query busy intervals for conflict detection. Bokko never reads the content of other calendar entries (titles, descriptions, attendees, etc.). Per-staff calendar push: If a staff member enables this feature, Bokko also writes bookings to the staff member's personal Google Calendar using the booking's own data. Bokko only touches events it has created and does not access any other entries in the staff member's calendar. Two-way sync (deletion detection): If a staff member deletes a Bokko booking event from their Google Calendar, Bokko by default only notifies the business owner (the booking remains unchanged). If the staff member has explicitly opted in to "cancel booking" mode, Bokko will also cancel the booking, and this consent is recorded during the staff member's calendar connection setup. |
| Guests / Providers | Health monitoring and diagnostic data | Runtime errors, exceptions, and events related to technical diagnostics, for system stability. |
3. Purposes and Legal Bases for Processing
| Purpose | Involved Data | Primary Legal Basis |
|---|---|---|
| Recording and managing booking requests | Guest name, phone, service, time, note | GDPR Art. 6(1)(b) - steps prior to entering into a contract or performance of a contract |
| Sending SMS or email notifications about booking status | Phone, email, status data | GDPR Art. 6(1)(b) and, where applicable, Art. 6(1)(f) |
| Dashboard access and permission management | Provider email, identifier | GDPR Art. 6(1)(b) |
| Online payment, deposit management, card guarantee, and billing administration | Payment metadata, billing data, payment states linked to booking | GDPR Art. 6(1)(b) or, where required by law, Art. 6(1)(c) |
| Abuse prevention, rate limiting, system security | Normalized phone number, technical events, logs | GDPR Art. 6(1)(f) – legitimate interest, particularly for system security, abuse prevention, and service stability. Bokko performs a legitimate interest assessment (LIA). |
| Error monitoring and operational diagnostics | Technical error reports, exception and performance data | GDPR Art. 6(1)(f) – legitimate interest for system stability, error handling, and security |
| Consent-based analytics | Analytical events and required browser identifiers | GDPR Art. 6(1)(a) – data subject's consent |
| Compliance with legal obligations, legal enforcement | Relevant data related to the specific case | GDPR Art. 6(1)(c) and Art. 6(1)(f) |
| Platform operation, service development, and billing administration | Minimum necessary provider and usage data, or anonymized statistical data where applicable | GDPR Art. 6(1)(b) for contract performance; Art. 6(1)(f) for legitimate interest in service development |
| Newsletter – marketing communication to guests | Guest email address, name, consent status, and legal basis log | GDPR Art. 6(1)(a) – data subject's voluntary, informed, and withdrawable consent. Details: Section 3a. |
| Post-booking review request email after the completed service — optional feature, enabled at the Provider's discretion | Guest name, email address, service name, completion timestamp, Provider contact details (display only) | GDPR Art. 6(1)(f) – legitimate interest of the Provider in maintaining the customer relationship and obtaining service-quality feedback. Details: Section 3b. |
| Provider onboarding information and subscription lifecycle notifications (drip emails, Day+2 onboarding, trial / pilot / founder grace expiry reminders) | Provider (Subscriber) email address, name, registration or trial / pilot start and expiry timestamps, subscription plan identifier | GDPR Art. 6(1)(b) – transactional email communication necessary for the performance of the contract between Bokko and the Subscriber (subscription and onboarding flow). Not marketing; unsubscribing is only effective by terminating the Subscriber account. |
| Push notification delivery (booking status changes and operational notifications to dashboard and booking app users) | FCM registration token (pseudonymous device identifier), booking ID, event type, localised notification text — no guest PII | GDPR Art. 6(1)(a) – the user's push notification permission state (browser permission); and GDPR Art. 6(1)(b) for service-related communication. |
3a. Marketing Communication – Newsletter
Bokko enables service providers (Subscribers) to send newsletters to their guests who have previously provided voluntary consent.
Legal Basis
The legal basis for processing is exclusively the data subject's voluntary, specific, and withdrawable consent (GDPR Art. 6(1)(a), Art. 7). Providing consent is not a condition for completing a booking and can be withdrawn at any time.
Double Opt-in Process
Consent is collected through a two-step (double opt-in) process:
- The guest indicates their intent by checking an optional checkbox during the booking process.
- The system sends a confirmation email to the guest with a one-time, time-limited link.
- Consent is only set to granted status after the link is activated.
Guests will not receive newsletters until they activate the confirmation link.
Methods of Unsubscribing
- One-click unsubscribe link: Included in every newsletter email, with an RFC 8058 compliant List-Unsubscribe header and a text-based link.
- Direct email request: Guests can request to be unsubscribed via email to the provider or Bokko.
- Dashboard request: While viewing booking details or their profile, guests can indicate their intent to the provider, who can then enforce it in the dashboard.
Suppression List
The system automatically excludes guests whose consent has been withdrawn, expired, or whose email address resulted in a hard bounce event. This applies immediately upon withdrawal.
Retention Periods
- Consent log (audit): 5 years from the date consent was granted or withdrawn, for legal and accountability purposes.
- Newsletter event log (openings, delivery status): 24 months.
Right to Withdraw
Guests may withdraw their consent at any time without justification. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. After withdrawal, the system immediately adds the email address to the suppression list.
3b. Post-Booking Review Request Email
Bokko enables Providers to send a single transactional review request email to the guest after an appointment has been marked completed. This feature is optional, off by default, and active only with the Provider's explicit opt-in. It is not marketing communication: the email contains no promotional content, no coupon, no rebooking call-to-action, no star rating, and no newsletter signup. The guest receives only a single service-experience question and the Provider's contact details.
Legal Basis
The legal basis is the Provider's legitimate interest in maintaining the customer relationship and obtaining service-quality feedback (GDPR Art. 6(1)(f)). Balancing test outcome: guests reasonably expect a single follow-up check after a service; the processing has low privacy intrusion (no profiling, no marketing content, the email contains no open- or click-tracking, and every email carries a one-click unsubscribe link).
Frequency Cap
The same guest receives at most one review request email within 90 days from the same Provider (frequent-guest protection). This cap is enforced system-wide and cannot be overridden by the Provider.
Unsubscribing from Review Request Emails
Every review request email contains a clickable unsubscribe link. After the guest confirms the unsubscribe (two-step flow: open link → confirm button), no further review request emails will be sent from this Provider to this guest (per-Provider, per-guest unsubscribe). The unsubscribe decision is irreversible from the system's perspective; to revoke it, the guest must contact the Provider directly.
Right to Object
Under GDPR Art. 21(1), the guest may object to processing for this purpose at any time. Upon objection, the Provider is required to cease further review request emails without undue delay.
Retention Periods
- Review request email audit (task) log: 3 months from creation. Operational audit and debugging purpose.
- Guest-level last-sent timestamp (used for the frequency cap): retained per the guest record retention period (see Retention and Deletion Policy).
4. Recipients, Data Processors, and Infrastructure Providers
Based on the current architecture, data may reach the following providers or infrastructure partners. Some providers participate only if optional features are activated.
- Google Firebase - Auth, Firestore, Cloud Functions, Hosting, and Firebase Analytics infrastructure.
- BulkGate (Spoje.net, s.r.o.) - SMS reminder delivery. EU-based; the SMS delivery chain may involve third countries.
- Mailjet - Transactional email delivery (booking status notifications, reminders, optional post-booking review requests).
- Sentry — Error monitoring and technical diagnostics. Bokko's Sentry configuration uses a beforeSend hook for data minimization: email addresses, phone numbers, auth tokens, and booking tokens are redacted before transmission.
- Google Calendar API - Optional calendar synchronization. Bokko requests minimal-privilege (calendar.events) access; it only writes and reads events it created. Per-staff calendar push and deletion detection are only active after explicit opt-in connection by the staff member.
- Microsoft Ireland Operations Ltd. (Microsoft Graph / Outlook Calendar) — Optional staff-level calendar synchronization with a Microsoft 365 / Outlook account, as an alternative to Google Calendar; active only with the staff member's explicit OAuth consent. Detailed description in section 4a.
- Firebase Cloud Messaging (FCM) — Push notification delivery to dashboard and booking app users. Bokko stores an FCM registration token (pseudonymous device identifier) server-side for targeted delivery; the push payload contains booking ID, event type, and localised text, with no guest PII.
- Google Maps Platform (Places API) — Address autocomplete for profiles and billing addresses; search characters are sent to Google servers without being linked to a booking profile.
- Stripe, Barion, SimplePay — Providers prepared for online payments, deposits, refunds, and related metadata, if the Subscriber activates such features. During Open Beta, online payment data flows managed by Bokko are inactive; these integrations are in a prepared state.
- Billingo, Számlázz.hu - Optional invoicing integrations and processing of billing data required for invoice issuance.
- Cloudflare - DNS management and Cloudflare Web Analytics: aggregated, cookie-less traffic measurement for getbokko.com; Bokko does not use this for individual user profiling. The script loads only upon analytics consent.
For some providers, data may be transferred outside the European Economic Area (EEA). Legality of data transfer is typically based on:
- Standard Contractual Clauses (SCC): Clauses adopted by the European Commission, which relevant providers rely upon.
- EU–US Data Privacy Framework (DPF): Where the processor is certified under the DPF, the transfer is lawful based on this adequacy decision.
Bokko relies on relevant provider and contractual guarantees, particularly SCCs and — where applicable — the EU–US Data Privacy Framework.
4a. External services (not sub-processors)
The booking page may display content from the external services listed below. These services act as independent controllers — not Bokko sub-processors. Their own privacy terms apply.
Google Maps
On booking pages, a Google Maps map may be displayed to show the provider's address, provided that the provider selected their address via the Google Places search and the map section is enabled.
The map does NOT load automatically; you must click a "Show map" button to allow your browser to connect to Google services. After you click, your choice is stored in your browser's local storage (localStorage bokko.mapConsent) at the domain level — the map will then load automatically on every other bokko.app booking page in the same browser.
When the map loads, your browser may connect to Google services. Google may process technical data such as your IP address, browser and device information, time of access, referrer information, and data based on your existing Google cookies or sign-in state.
The use of Google Maps may also be subject to Google's Privacy Policy and Google's Terms of Service.
You can revoke your map setting at any time via the privacy notice link on your booking page (accessible from the booking page footer or the "Privacy" button). After revocation, all Bokko booking pages will show the placeholder again, and you will need to enable the map once more. (Technically, the revocation only works on the booking.bokko.app origin pages — this notice on the current getbokko.com page documents the process but cannot modify your browser storage from a different origin.)
Google reCAPTCHA Enterprise
On public booking, registration and other surfaces sensitive to automated abuse, Bokko uses Google reCAPTCHA Enterprise bot- and abuse-filtering. The purpose of the protection is to prevent mass automated booking or registration attempts and to protect SMS- and email-delivery resources. The filter runs in the background; the user does not need to solve a puzzle and no click interaction is required — Google computes a risk score based on data coming from the browser and only the highest-risk traffic is rejected.
When using reCAPTCHA Enterprise, Google processes technical data automatically passed by your browser — such as IP address, browser and device signals, interaction and risk-analysis data — and sets a necessary cookie (see Section 7). The legal basis for processing is Bokko's legitimate interest in securely operating the service (GDPR Art. 6(1)(f)). Third party: Google Ireland Limited (EU). Further information: Google's Privacy Policy, reCAPTCHA Enterprise documentation.
Microsoft Outlook / Microsoft 365 calendar synchronization
Staff members may optionally connect their own Microsoft 365 / Outlook account to Bokko for staff-level calendar synchronization (as an alternative to Google Calendar). The connection is established exclusively through the staff member's explicit OAuth consent.
The synchronization can run in two directions: (1) Bokko reads the staff member's Outlook calendar free/busy state to prevent scheduling conflicts; and (2) Bokko may optionally write confirmed booking times and descriptions to the staff member's Outlook calendar, if the staff member individually enables this. The staff member may disconnect the integration at any time from the dashboard; Bokko then deletes the stored access token and transmits no further data to Microsoft.
The legal basis for processing is Bokko's legitimate interest in operating the service and the staff member's explicit consent to enable the integration (GDPR Art. 6(1)(a) and (f)). Third party: Microsoft Ireland Operations Ltd. (EU); parent: Microsoft Corporation (USA). Transfer safeguards: Microsoft EU Data Boundary + SCC (2021/914/EU) + EU–US Data Privacy Framework. Further information: Microsoft Privacy Statement.
5. Retention Periods
Bokko applies a specific retention and deletion policy. Detailed rules are available on the Retention & Deletion Policy page.
| Data Category | Rule |
|---|---|
| Service Provider account data | During the term of the contract, then 90 days, unless longer retention is required by law or for legal disputes. |
| Active and closed bookings | 60 months (5 years) from the appointment date or final status update, unless a legal dispute or claim makes longer retention necessary. |
| Technical and security logs | 12 months, unless a specific incident or dispute requires longer retention. |
| Billing and accounting records | At least 8 years — mandatory retention under Hungarian accounting laws. This is an independent controller purpose for Bokko. |
| Admin and security audit logs | Up to 7 years — based on legal enforcement and security obligations. Independent controller purpose for Bokko. |
| Support communication and internal admin notes | 7 years — based on accountability and enforcement possibilities. |
| System event logs (lifecycle audit) | 6 months — operational and incident investigation purposes; automatic purge. |
| Staff invitations | 30 days from expiry or acceptance — for email PII cleanup purposes. |
The complete, per-data-category retention table is available on the Retention and Deletion Policy page.
6. Data Subject Rights
Data subjects are entitled to the following rights under applicable law:
- Right of access,
- Right to rectification,
- Right to erasure (right to be forgotten),
- Right to restriction of processing,
- Right to data portability,
- Right to object to processing based on legitimate interests,
- Right against automated decision-making and profiling (GDPR Art. 22) — Bokko currently does not perform such processing; details: AI and Automated Processing.
If a request is related to a booking at a specific provider, the provider can handle the request effectively, as they are the data controller for guest booking data. Bokko, as a processor, supports the fulfillment of these requests without undue delay.
Requests regarding Bokko's independent data processing (e.g., provider account data) can be submitted directly to [email protected].
8. Data Security
According to current implementation, Bokko applies several technical protection measures, such as:
- Permission-based Firestore access rules,
- Restriction of direct client-side booking writes,
- Phone normalization and abuse-prevention rate limits (during the Open Beta phase — balancing daily iteration with guest accessibility — the rate limit may be temporarily disabled; an automatic re-enable backstop is in place before GA cutover, and other protections including Google reCAPTCHA Enterprise bot filtering remain active),
- Token-based guest response pages for rescheduling — tokens are time-limited and single-use,
- Multi-layered automatic backups (Point-in-Time Recovery for 7 days, daily backup with 14-day retention, weekly backup with 84-day retention) — details in DPA Section 14.
Platform administrator access. Bokko platform administrators may access Subscriber and guest data only for strictly limited and documented reasons: every data-modifying administrative callable requires a short-lived server-side session established through two-factor authentication (TOTP step-up). Read-only (listing) administrative callables require TOTP enrollment (a registered second factor) but do not require an active session re-verification. Every access is recorded in the _audit/ audit log (timestamp, admin identifier, operation type, affected salon, and affected record identifier). Bokko retains the audit log for 7 years and processes it exclusively for security, legal compliance, and incident-handling purposes — details in the Retention Policy.
However, absolute security on the internet cannot be assured. Bokko applies access-logging, continuous review and incident-response procedures to protect data. In the event of a personal data breach, Bokko acts in accordance with applicable laws. Where Bokko acts as a controller for the processing concerned, it will notify the competent supervisory authority without undue delay and, where possible, within the 72-hour deadline under GDPR Article 33, and will notify the data subjects as well in cases of high risk. Where Bokko acts as a processor, the incident is reported to the affected service provider without undue delay.
Bokko processes only the necessary and proportionate data. The principle of data minimisation is enforced at the level of feature design and codebase.
9. Complaints and Contact
Data Protection Officer (DPO): Under GDPR Article 37, Bokko is not required to designate a DPO, because (a) it is not a public authority or body performing a public task, (b) its core activities do not require processing operations which by their nature, scope and/or purposes require regular and systematic monitoring of data subjects on a large scale, and (c) it does not process on a large scale special categories of data or criminal-conviction data. Data-protection questions can be directed to [email protected].
For privacy-related questions or requests, write to: [email protected]. Bokko responds without undue delay, and at the latest within the applicable legal deadlines.
In Hungary, complaints can also be filed with the National Authority for Data Protection and Freedom of Information (NAIH):
NAIH
H-1055 Budapest, Falk Miksa utca 9-11, Hungary
Phone: +36 (1) 391-1400
Email: [email protected]
https://www.naih.hu/
10. Versioning
Bokko reserves the right to update this policy. In case of significant changes, the effective date of the new version will be indicated on this page, and separate notifications may be sent to service providers.
Review: Bokko reviews this policy annually, and whenever EU or Hungarian legislation changes, and reflects the identified changes in a new version. Previous effective versions are accessible from the bottom of the Legal Documents page.
