Privacy Policy
Version 2026-02-18
Data Controller
RumaanAI Limited, DIFC Registered Number 12380, incorporated as a private company under the Companies Law, DIFC Law No. 5 of 2018.
Level 3, Innovation One, Dubai International Financial Centre, Dubai, UAE
1. Scope and User Types
This Privacy Policy explains how Reserv.Now collects, uses, stores, and discloses personal data when the following user types interact with the platform:
- Account owners/admins — registered users who manage businesses, billing, staff, and configuration;
- Staff members — users invited by owners/admins to access the staff portal for scheduling and assignment management;
- Booking customers — end users who submit booking requests through public booking pages without creating an account.
The data collected and processing activities differ by user type, as described below.
2. Data We Collect
From account owners/admins:
- account and profile data (name, email, authentication events, role);
- business data (name, address, subdomain, timezone, schedule, services, place ID);
- billing data (plan, licence count, invoices, VAT ID, Stripe customer/subscription references);
- booking configuration (confirmation templates, operating hours, service definitions).
From staff members:
- identity data (name, email);
- availability and schedule data (working hours, exceptions, assignments);
- consent records (policy acceptance, timestamp, IP address).
From booking customers:
- contact data (name, email address, phone number if provided);
- booking data (selected service, date, time, party size);
- verification data (one-time passcodes sent to email for booking confirmation);
- consent records (policy acceptance, timestamp, IP address).
From all users (automatically):
- technical data (IP address, browser type, device type, operating system);
- usage data (pages visited, features used, actions taken, timestamps);
- security data (authentication logs, rate-limit events, error logs).
3. Data Sources
We obtain personal data directly from you, from users you authorize, and from APIs.
We also receive data from integrated providers (listed in Section 7) in connection with service delivery, including payment confirmations from Stripe, email delivery status from Resend, and geolocation/timezone data from Google Maps.
4. How We Use Data
We use personal data to:
- provide booking, scheduling, staff assignment, and billing functionality;
- authenticate users via one-time passcodes (OTP) and session management;
- send transactional communications (booking confirmations, OTP codes, staff notifications, billing receipts);
- process subscription payments and manage billing lifecycle;
- resolve business location and timezone from address or coordinates;
- monitor reliability, prevent abuse/fraud, and troubleshoot incidents;
- analyze product usage to improve the Service (see Section 8);
- comply with legal, regulatory, tax, and accounting obligations.
5. Legal Bases (DIFC Context)
Depending on context, processing is based on contractual necessity, legal obligation, legitimate interests, or consent where required.
Where you submit customer data, you are responsible for your own lawful basis and notices to your end customers.
6. One-Time Passcodes (OTP)
The Service uses email-based one-time passcodes for authentication (owner/admin login) and booking verification (customer bookings). OTP codes are:
- generated server-side and sent to the email address provided;
- valid for a limited time window (typically 5 minutes);
- single-use and invalidated after successful verification;
- logged for security and abuse-prevention purposes (delivery status, IP, timestamp).
7. Subprocessors and Third-Party Services
We share data with the following categories of subprocessors, strictly for service operations:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, storage | All application data (encrypted at rest and in transit) |
| Stripe | Payment processing, subscriptions, invoicing | Email, plan details, payment method tokens, VAT ID |
| Resend | Transactional email delivery | Recipient email, email content (OTPs, confirmations, notifications) |
| Vercel | Application hosting, edge functions | Request metadata (IP, headers, URL paths) |
| PostHog | Product analytics, session replay | Usage events, device metadata, page interactions (see Section 8) |
| Google Maps Platform | Geolocation, timezone detection, place details | Business address, coordinates, place ID |
We may disclose data if required by law, legal process, or to protect rights, security, and platform integrity.
8. Analytics and Session Replay
We use PostHog for product analytics and, on specific pages (such as the public booking flow), session replay. Session replay captures:
- mouse movements, clicks, scrolls, and page navigation;
- rendered page content (with sensitive fields automatically masked);
- browser console errors and network timing data.
Session replay is used to diagnose usability issues, debug errors, and improve the booking experience. Replay data is retained for a limited period and is not used for advertising or sold to third parties.
We also capture named analytics events (such as "booking page viewed", "service selected", "booking confirmed") to understand usage patterns. Where a user provides their email during a booking, we may associate analytics events with that email for support and debugging purposes.
9. International Data Transfers
Data may be processed in jurisdictions outside the DIFC/UAE where our service providers operate (including the United States and European Union). We apply contractual and organizational safeguards designed for cross-border transfers, including standard contractual clauses where applicable.
10. Retention
We retain data as needed for service operations, security, legal obligations, dispute handling, and audit requirements.
- Active account data — retained for the duration of the account plus applicable retention windows after cancellation;
- Booking customer data — retained for the duration of the associated business account's active period, plus applicable legal retention;
- Consent records — retained for legal compliance purposes (minimum 6 years);
- Security and audit logs — retained for up to 24 months;
- Session replay data — retained for up to 90 days;
- Backups — may persist in secure backups for up to 30 days after deletion from production systems.
11. Security
We implement administrative, technical, and organizational controls, including encrypted transport (TLS 1.2+), encryption at rest (AES-256), access controls, logging, and incident response processes.
See the Security Addendum for additional details (where applicable).
12. Data Subject Rights
Subject to applicable law, you may request access, correction, deletion, restriction, objection, or portability for personal data we control.
To exercise your rights:
- Email privacy@reserv.now with your request and the email address associated with your data;
- We will verify your identity before processing the request (typically via an OTP sent to the email on file);
- We aim to respond within 30 days. Complex requests may take up to 60 days with prior notice.
Some requests may be limited by legal or security obligations (for example, we cannot delete data required for active legal proceedings or regulatory compliance).
Booking customers: If you made a booking and wish to have your data deleted, contact privacy@reserv.now with the email address used for the booking. We will process the request in coordination with the business that received your booking.
13. Cookies and Similar Technologies
We use essential cookies and comparable technologies required for authentication, session continuity, security, and core product operation. These include:
- authentication session cookies (Supabase auth tokens);
- CSRF and security tokens;
- theme/preference cookies (light/dark mode).
PostHog analytics may set cookies or use local storage for session identification and feature flag evaluation. These are used for product improvement, not advertising. Analytics cookies are only set after you provide consent via the cookie banner. You can withdraw consent at any time using the "Cookies" link in the site footer.
We do not use third-party advertising cookies or tracking pixels.
14. Children
The Service is intended for business use and is not directed to children under the age of 16. Do not submit children's personal data unless you have an appropriate legal basis and authority.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material updates will be notified by reasonable means (in-product notice or email) at least 14 days before the effective date. The version date at the top of this page indicates the latest revision.
16. Contact
Privacy requests: privacy@reserv.now
General legal contact: legal@reserv.now