Privacy Notice
1. Who we are
Booki7 ("Booki7", "we", "us") provides AI receptionist software to small businesses. Our registered business and primary place of processing is in Ireland.
Data controller of this website and our marketing data: Booki7. Contact: admin@booki7.com.
2. Two types of data we handle
Please read carefully — different rules apply depending on which side you're on.
(a) You signed up for Booki7 ("Customer")
You are our customer. We are the controller of the data you give us when you sign up: your business name, your owner email, your billing details, and your account login. We process this to provide the service to you and to bill you. The legal basis is performance of our contract with you and our legitimate interest in operating the platform.
(b) You're a visitor chatting with a Booki7-powered widget on someone else's website ("Visitor")
The business whose website you're on is the controller of your conversation, your booking, and any contact details you share. Booki7 is their data processor — we host and run the AI on their behalf, but they decide what happens with your data. For requests about your data (access, correction, deletion), contact that business directly. They can ask us to action your request, and we will. If you can't reach them, email admin@booki7.com and we'll forward.
3. What data we process
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Customer account | Business name, owner email, password / admin token, billing details | Run your account, bill you, support | Contract |
| Customer configuration | Business hours, services, FAQ, knowledge base, branding | Power your AI receptionist | Contract |
| End-visitor conversation content | Chat messages between visitor and your AI | Provide the service to you (controller) | Contract / legitimate interest of controller |
| End-visitor identity | Name, email, phone (when given to book) | Process the booking | Performance of pre-contract / consent (controller-determined) |
| Technical telemetry | IP address (truncated where possible), user agent, page URL, session ID | Security, abuse prevention, debugging | Legitimate interest |
| Push notifications | Push subscription endpoint | Notify owners of activity | Consent |
| Audit log of platform-admin access | Who accessed what tenant data and when | Accountability (Art. 5(2) GDPR) | Legal obligation |
4. Where data is stored
Primary processing: Hetzner Online GmbH, a German company, in their Falkenstein, Germany data centre — inside the EU/EEA.
The application database (SQLite) is stored on the same server with TLS in transit and disk encryption provided by the host. Backups (where applicable) are kept in the same region.
Some processing is done by sub-processors located outside the EU/EEA. See Sub-processors for the list and the safeguards we apply.
5. How long we keep data
- Customer accounts: while the account is active, plus 90 days after closure for billing and dispute resolution. Anonymised aggregate metrics may be kept beyond.
- Conversations: kept while the customer (controller) wants them. Customers can delete a conversation in their admin panel at any time. We hard-delete inactive sessions older than 365 days unless the customer extends.
- Bookings: kept until the customer deletes them or the account is closed.
- Push subscriptions: kept until unsubscribed or invalid endpoint.
- Audit logs: kept for 24 months for accountability.
- Backups: rolling 30-day window.
6. Your rights (data subjects in the EEA)
You have the right to:
- access the personal data we hold about you (Art. 15)
- have inaccurate data corrected (Art. 16)
- have your data erased, where applicable (Art. 17)
- restrict or object to processing (Art. 18, Art. 21)
- receive a copy of your data in a machine-readable format (data portability — Art. 20)
- withdraw consent at any time (where processing is based on consent)
- complain to a supervisory authority — for Ireland, this is the Data Protection Commission (DPC)
Customers can exercise these rights themselves from Settings → My Data in the admin dashboard (export and erasure). End-visitors should contact the business they were chatting with.
We respond to requests within 30 days of receipt.
7. Cookies and similar technologies
The Booki7 widget stores a session identifier in your browser's localStorage so that you can return to a conversation. This is strictly necessary for the chat to work and is treated as functional under the ePrivacy Directive. It is not used for tracking across sites.
Our marketing website does not use third-party analytics or advertising cookies.
8. Automated decision-making and AI
Conversations are processed by large language models (Claude by Anthropic; the optional Voice call tier, where a business enables it, also uses OpenAI). The AI suggests booking times and answers questions; final booking decisions are reviewable by the business owner via the approval flow for out-of-hours requests. No solely-automated decision with legal or similarly significant effect is taken without the business owner's involvement.
Where a business owner records a voice note on a client's record, the short audio clip is converted to text by speech-to-text software running on Booki7's own server in the EU (Falkenstein, Germany). The audio is never sent to any third party and never leaves the EU: it is processed in memory, is not stored by Booki7, and is not used to train AI models. Only the resulting text is kept, within that client's record, and treated like any other note the business holds about its client. No third-country transfer and no external sub-processor are involved in transcribing voice notes.
9. Security
TLS 1.2+ in transit, host-managed encryption at rest, strict role-based access control inside the application, audit logging of platform-admin access, signed Stripe webhooks, scoped per-tenant tokens, push subscription origin verification.
10. Breach notification
If we discover a personal data breach, we will notify affected customers without undue delay and within 72 hours wherever feasible, in line with Art. 33 GDPR. Customers are responsible for onward notification to their end-visitors where required.
11. Changes
We will notify customers by email of any material change at least 30 days before it takes effect. The current version and effective date are at the top of this page.
12. Contact
Email admin@booki7.com. We are not currently required to appoint a Data Protection Officer.