Privacy Policy

1.1. Book2befit is used by businesses (such as studios, gyms and clubs) to manage scheduling, bookings and payments, and by individuals who book sessions and services offered by those businesses.

1.2. We act as a controller for the personal data for which we determine the purposes and means of processing, including data about the businesses and their representatives, data of visitors to our websites, data we process to operate, secure, administer and improve the platform, data we process for our own billing and invoicing, and data we process to comply with our legal obligations.

1.3. We act as a processor for the personal data of a business’s clients that we process on that business’s behalf through its public booking page and account. For that data, the business is the controller and decides why and how the data is processed. That processing is governed by the Data Processing Agreement between us and the business, and this Privacy Policy does not replace it. If you are a client of a business that uses Book2befit and you have questions about how your data is used, you should contact that business in the first instance.

1.4. With the exception of Section 3., this Privacy Policy describes the processing for which Book2befit is the controller.

We process personal data on the following grounds:

• the performance of a contract with you, or the taking of steps at your request before entering into a contract;
• compliance with our legal obligations;
• our legitimate interests, where these are not overridden by your rights and freedoms;
• your explicit consent, the purpose of which is specified in each case.

The following sections describe the processing depending on the basis on which we carry it out.

For the performance of our contract

We process your personal data in order to fulfil our contractual and pre-contractual obligations and to exercise our rights under the contract concluded with you.

Processing purposes:

• establishing and verifying your identity and, for a business, the authority of the person acting for it;
• creating and administering accounts and providing the functionality of the platform;
• preparing and issuing invoices and processing subscription and platform fees;
• providing support and handling requests, complaints and feedback;
• detecting and preventing actions that are unlawful or contrary to our Terms and Conditions.

Data we process on this basis:

On the basis of the contract concluded between us and you, we process information about the type and content of the contractual relationship and any other information related to it, including:

• personal contact data – contact address, e-mail, telephone number;
• identification and business data – names and, where applicable, company, registration and tax information, and the identity of the account owner and Staff;
• data on the orders, bookings and subscriptions made;
• correspondence related to the overall service – e-mail and other messages, support requests, complaints, requests and feedback we receive from you;
• payment-related information, such as payment status, transaction references and invoice or receipt information; payments are processed by Stripe and we do not store full card details;
• technical data, such as IP address, and information about your use of the platform.

Providing the specified personal data is necessary in order for us to conclude and perform the contract with you. Without it, we would not be able to fulfil our obligations under the contract.

Provision of personal data to third parties:

We may provide personal data to service providers acting as our processors, including payment processing (Stripe), cloud hosting, transactional e-mail, analytics and security providers, in each case subject to appropriate safeguards; and, with your express consent, for the purposes of direct marketing.

When we delete data collected on this basis:

We delete the data collected on this basis 2 years after termination of the contractual relationship, regardless of whether due to the expiry of the contract, cancellation or any other reason, unless a longer period is required by law.

To fulfil our statutory obligations

The law may require us to process your personal data. In these cases, we are required to carry out the processing, including in relation to:

• obligations under the Anti-Money Laundering Measures Act, where applicable;
• obligations relating to distance selling and off-premises sales provided for in the Consumer Protection Act;
• provision of information to the Commission for Consumer Protection or third parties provided for in the Consumer Protection Act;
• provision of information to the Commission for Personal Data Protection in relation to obligations under the data-protection framework;
• obligations under the Accountancy Act, the Tax-Insurance Procedure Code and other related legal acts, in connection with keeping lawful accounting records;
• provision of information to courts and third parties within proceedings, in accordance with the applicable normative acts;
• age verification where required.

When we delete personal data collected on this basis:

We delete the data collected in accordance with a statutory obligation once the obligation to collect and store it has been fulfilled or no longer exists.

On the basis of our legitimate interests

We process technical, usage and security data to operate, secure and improve the platform, to prevent fraud and abuse, and to ensure network and information security. We carry out a balancing assessment to ensure that our legitimate interests are not overridden by your interests, rights and freedoms. We delete or anonymise such data when it is no longer necessary for the relevant purpose.

Upon your explicit consent

We process your personal data on this basis only after your express, unequivocal and voluntary consent. We do not foresee any adverse consequences for you if you refuse.

Consent is a separate basis for processing and the purpose of the processing is stated when consent is requested; it is not covered by the other purposes listed in this Policy. Where you give the relevant consent, and until its withdrawal or the termination of any contractual relationship with you, we may prepare suitable offers for you for products or services, including by performing analysis of your basic personal data.

Data we process on this basis:

On this basis we may process personal data for direct-marketing purposes, including platform usage data and the contact data you have provided.

Provision of data to third parties:

On this basis we may provide your data to service providers that assist us with marketing communications, subject to appropriate safeguards.

Withdrawal of consent:

Consent may be withdrawn at any time. Withdrawal of consent does not affect the fulfilment of contractual obligations. If you withdraw your consent to the processing of personal data for any or all of the purposes described above, we will no longer use your personal data for those purposes. Withdrawal of consent does not affect the lawfulness of processing based on consent given prior to its withdrawal. To withdraw a given consent, you only need to use the relevant settings on the platform or our contact details.

When we delete data collected on this basis:

We delete the data collected on this basis upon your request or 12 months after its initial collection, whichever is earlier, where no other basis applies.

3.1. Where a business uses Book2befit to manage its clients, we process the clients’ personal data on that business’s instructions and on its behalf, as a processor. The business is the controller and is responsible for the lawful basis for the processing and for informing its clients.

3.2. This may include identification and contact data, booking, attendance and membership data, communications, and, where the business chooses to record it, optional information such as notes, health-related notes and emergency contacts. The handling of this data is governed by the Data Processing Agreementand the business’s own privacy information.

4.1. We may share personal data with service providers who process data on our behalf, including payment processing (Stripe), cloud hosting, transactional e-mail, analytics and security providers, in each case subject to appropriate safeguards. We may also disclose data where required by law or to competent authorities and courts, and to advisers or in connection with a corporate transaction, subject to confidentiality.

4.2. Payments are processed by Stripe directly to the relevant business; we do not collect, hold or store the price of bookings and do not store full card details. Stripe processes payment data as described in its own terms and privacy documentation.

5.1. Personal data is processed within the European Economic Area where possible. Where personal data is transferred to a country outside the EEA that is not covered by an adequacy decision, we ensure that an appropriate transfer mechanism is in place, such as the European Commission’s standard contractual clauses, together with any supplementary measures required.

6.1. To ensure adequate protection of personal data, we implement appropriate organisational and technical measures, taking into account the state of the art and the risks of the processing. We maintain rules and processes designed to prevent abuse and security breaches. For the security of data during processing, transfer and storage, we may use additional protection mechanisms such as encryption, pseudonymisation, access controls, logging and backups. No method of transmission or storage is completely secure, but we work to protect personal data against unauthorised access, loss or misuse.

7.1. Where we act as a controller, you enjoy all the rights for the protection of personal data under Bulgarian legislation and the law of the European Union. You may exercise your rights by sending a message to our contact e-mail. Where we act as a processor for a business, please direct your request to that business as controller; we will assist the business in responding as required by the Data Processing Agreement.

7.2. Each data subject has the right to:

• be informed in connection with the processing of their personal data by the controller;
• access their own personal data;
• rectification, where the data is inaccurate or incomplete;
• erasure of personal data (the right to be forgotten);
• restriction of processing by the controller or processor;
• portability of personal data between controllers;
• object to the processing of their personal data;
• not be subject to a decision based solely on automated processing, including profiling, which produces legal effects for the data subject or similarly significantly affects them;
• judicial or administrative protection where the data subject’s rights have been infringed.

Right to erasure

You may request erasure where one of the following conditions applies:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• you withdraw the consent on which the processing is based and there is no other legal basis for the processing;
• you object to the processing and there are no overriding legitimate grounds for it;
• the personal data has been processed unlawfully;
• the personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the controller;
• the personal data was collected in connection with the provision of information society services to a child.

Right to restriction of processing

You have the right to restrict the processing of your personal data by the controller when:

• you contest the accuracy of the personal data, for a period enabling the controller to verify its accuracy;
• the processing is unlawful but you do not want the data erased and instead request restriction of its use;
• the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims;
• you have objected to the processing, pending verification of whether the controller’s legitimate grounds override yours.

Right of portability

You have the right to receive the personal data concerning you which you have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance, where the processing is based on consent or on a contract and is carried out by automated means. Where technically feasible, you have the right to have the personal data transmitted directly from one controller to another.

Right to object

You have the right to object to the processing of your personal data. The controller must cease the processing unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. Where you object to processing for the purposes of direct marketing, the processing must be stopped immediately.

8.1. If you consider that the processing of your personal data infringes data-protection law, you have the right to lodge a complaint with the competent supervisory authority, without prejudice to your right to seek judicial protection.

8.2. Commission for Personal Data Protection (CPDP) – Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.; telephone +359 2 915 3518; e-mail kzld@cpdp.bg; website www.cpdp.bg.

8.3. Commission for Consumer Protection (CCP) – for consumer-protection matters: Sofia 1000, 4A Slaveykov Square, floors 3, 4 and 6; telephone 0700 111 22; e-mail info@kzp.bg; website kzp.bg.

9.1. We may update this Privacy Policy from time to time and will publish the updated version on the platform. Material changes will be indicated as appropriate.

9.2. For any question about this Privacy Policy or the processing of your personal data, contact us at privacy@book2befit.com or support@book2befit.com.