Last updated: June 28, 2026
This document maps every piece of personally identifiable information (PII) the platform stores to its purpose, lawful basis, and retention window. It satisfies the GDPR documentation obligation (Art. 5(1)(e) — storage limitation) and accompanies our Privacy Policy.
| Data | PII fields | Purpose | Lawful basis | Retention window |
|---|---|---|---|---|
| Business owner account (profiles, businesses) | email, name, phone, business details | Platform account management | Contract | Until account deletion + 30 days |
| Customer bookings (bookings) | customer_name, customer_email, customer_phone, notes | Appointment record; owner operational need | Legitimate interest | 24 months from appointment date, then anonymised |
| Chat conversations (conversations) | customer_email | Session linking | Legitimate interest | 12 months from last message |
| Chat messages (messages) | Full chat transcript text | AI context; owner insight | Legitimate interest | 12 months from creation (deleted with conversation) |
| OTP verification codes (customer_otps) | email, token_hash | One-time booking verification | Legitimate interest | 24 hours from creation |
| Customer lookup (customers) | email, name, phone | CRM aggregation view | Legitimate interest | Derived from bookings — purged when all related bookings are anonymised |
| Payments (payments) | Stripe payment intent IDs | Financial record | Legal obligation | 7 years (statutory accounting requirement) |
| Knowledge base (knowledge_base_documents, knowledge_base_chunks) | None (owner-uploaded business content) | RAG context for AI | Contract | Until owner deletes |
| Uploaded files (Supabase Storage knowledge-base bucket) | None | Document source | Contract | Until owner deletes |
A retention purge cron enforces these windows automatically on a daily schedule. The purge rules are:
Business owners can erase a specific customer's data on request from the dashboard Customers page → customer detail panel → "Erase customer data". This:
The action is access-controlled (owner only), audit-logged (a non-PII hash of the email and business ID), and applied immediately without waiting for the automated purge schedule.
Data subjects may request a copy of their data by contacting the business owner directly; the owner can retrieve booking and conversation data from the Customers dashboard. A self-service export flow is planned.
| Processor | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU (Frankfurt) | Supabase DPA |
| OpenAI | AI chat, intent classification, embeddings | US | OpenAI DPA |
| Resend | Transactional email | US | Resend DPA |
| Vercel | Hosting, serverless functions | Edge (global) | Vercel DPA |
| Stripe | Payment processing | US/EU | Stripe DPA |
| Upstash | Redis rate limiting | EU | Upstash DPA |
| Lemon Squeezy | Platform subscription billing (MoR) | US | LS Privacy |
This document is updated whenever: