Privacy Policy

Last updated: 18 February 2026

1. Introduction and Scope

Bookoosh ("we", "us", "our") is a multi-tenant booking platform for leisure and hospitality venues, operated by TechTeamUp, a company based in the United Kingdom. This Privacy Policy explains how we collect, use, store, share, and protect personal information at app.bookoosh.com.

This policy applies globally to:

  • Merchants — venue operators who use the platform to manage bookings and accept payments
  • Staff — team members who use the platform on behalf of a Merchant
  • End Users — customers who make bookings, purchase gift vouchers, or interact with Merchant booking pages

We comply with the UK GDPR, EU GDPR, Data Protection Act 2018, CCPA/CPRA, and other applicable data protection laws.

2. Data Controller and Data Processor

Bookoosh operates under a dual-role model:

  • Data Controller: TechTeamUp is the data controller for Merchant account data, platform analytics, and billing data.
  • Data Processor: For booking data, customer data, and payment records collected through Merchant booking pages, the Merchant is the data controller and TechTeamUp acts as data processor. See our Data Processing Agreement.

Data Protection Contact: Tom Watts, Director · TechTeamUp · [email protected]

3. Personal Data We Collect

3.1 Information Provided by Users

Category | Examples | Lawful Basis
Merchant account data | Business name, contact name, email, phone, address | Contract (Art. 6(1)(b))
Staff accounts | Names, email addresses, roles | Contract (Art. 6(1)(b))
Booking customer data | Customer name, email, phone number, booking details (date, time, activity, group size) | Contract (Art. 6(1)(b)) / Consent (Art. 6(1)(a))
Payment data | Processed via Stripe — we do not store card numbers. Stripe Connect account IDs, transaction references, payout records | Contract (Art. 6(1)(b)) / Legal obligation (Art. 6(1)(c))
Gift voucher data | Purchaser name/email, recipient details, voucher codes | Contract (Art. 6(1)(b))

3.2 Information Collected via Technology

Category | Examples | Lawful Basis
Device and browser data | IP address, user agent, device type, OS, screen resolution | Legitimate interest (Art. 6(1)(f))
Authentication data | Session tokens, CSRF tokens, login timestamps | Contract (Art. 6(1)(b))

4. How We Use Your Data

  • To operate the booking platform and process bookings on behalf of Merchants
  • To facilitate payment processing via Stripe Connect
  • To send booking confirmations, reminders, and notifications via email
  • To manage Merchant accounts, staff, locations, and business settings
  • To generate business analytics and revenue reports for Merchants
  • To process gift voucher purchases and redemptions
  • To maintain security and prevent fraud
  • To comply with legal and tax obligations

5. Data Retention Schedule

Data Type | Retention | Justification
Merchant account data | Duration + 30 days post-closure | Contract
Booking data | 24 months post-booking date | Operations, dispute resolution
Payment/invoice records | 6 years (HMRC requirement) | Legal obligation
Customer contact details | While Merchant account active, or until erasure requested | Contract / Legitimate interest
Gift vouchers | Until redeemed/expired + 6 months | Contract
Auth sessions | 30 days (auto-expiry) | Security

6. Data Storage, Security, and International Transfers

Infrastructure: Railway (EU region). Payment processing: Stripe (PCI DSS Level 1 compliant).

  • TLS 1.2+ encryption in transit; database encryption at rest
  • Passwords hashed with bcrypt
  • Multi-tenant data isolation with organisation-scoped queries
  • PCI DSS-compliant payment processing — we never store card numbers
  • Rate limiting and brute-force protection

Stripe may transfer data internationally per their Privacy Policy and SCCs. For other transfers outside UK/EEA, we rely on SCCs, UK IDTA, and/or DPF adequacy decisions.

7. Sub-Processors

Sub-Processor | Purpose | Location | Transfer Mechanism
Railway | Hosting, database | EU | EEA
Stripe | Payment processing (Connect) | US/EU | DPF + SCCs
Emailit | Email delivery | EU | SCCs

14 days' notice is given before sub-processor changes. We do not sell personal data.

8. Your Rights

8.1 UK/EU Data Subject Rights (GDPR)

  • Access (Art. 15): Obtain a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion
  • Restrict processing (Art. 18): Limit processing
  • Data portability (Art. 20): Receive data in machine-readable format
  • Object (Art. 21): Object to legitimate interest processing
  • Withdraw consent: At any time, without affecting prior processing
  • Lodge a complaint: ICO (ico.org.uk, 0303 123 1113) or your EU supervisory authority

8.2 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights. We also comply with the California Online Privacy Protection Act (CalOPPA).

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, completing a transaction).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Categories of Personal Information Collected (Past 12 Months)

CCPA Category | Examples | Collected
Identifiers | Name, email address, phone number, IP address | Yes
Internet/Network Activity | Browser type, device info, login timestamps | Yes
Commercial Information | Booking records, payment transaction references, gift voucher details | Yes
Financial Information | Stripe transaction IDs, payout records (no card numbers stored) | Yes
Professional/Employment Information | Business name, merchant role | Yes
Sensitive Personal Information |  | No

How to Exercise Your CCPA Rights

To make a verifiable consumer request, email [email protected] with the subject line "CCPA Request". We will verify your identity by matching information you provide against our records before fulfilling the request. You may also designate an authorised agent to make a request on your behalf, provided you supply written authorisation.

"Do Not Track" Signals

Our Service does not currently respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for how to respond to such signals. We do not track users across third-party websites and do not use advertising cookies.

8.3 How to Exercise

End Users: Contact the Merchant (venue) first — they are the data controller for your booking data.

Merchants/Staff: Contact [email protected]. Response: 1 month (GDPR) / 45 days (CCPA).

9. Automated Decision-Making

We do not engage in automated decision-making or profiling with legal effects.

10. Children's Data

The Service is not directed at children under 16. Merchants are responsible for ensuring parental/guardian consent where bookings involve minors. We do not knowingly collect children's data directly.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR
  • Notify affected Merchants (data controllers) without undue delay to enable them to fulfil their own notification obligations
  • Where the breach is likely to result in a high risk to individuals, notify the affected data subjects directly without undue delay, as required by Article 34 of the UK GDPR
  • Document all breaches, including those that do not require notification, in our internal breach register

Our breach notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.

12. Cookies

See our Cookie Policy.

13. Changes and Contact

Material changes are notified via email and in-app notification.

Tom Watts, Director · TechTeamUp · [email protected] · techteamup.com