StudioBook

Privacy Policy

Last updated: March 2026

1. Overview

StudioBook (“we”, “us”) takes the protection of your personal data seriously. This privacy policy explains what data we collect, why we process it, and what rights you have under the General Data Protection Regulation (GDPR).

2. Data Controller

Marcel Jurna
Am Glockenberg 52
51515 Kürten, Germany
Phone: +49 1525 3619145
E-Mail: hello@studiobook.app

3. Data We Collect

3.1 Account Data (Studio Owners)

When you create a StudioBook account, we collect:
- Full name
- Email address
- Studio name and settings
- Language preference

3.2 Account Data (Members)

When members create an account through a studio’s booking page:
- Full name
- Email address
- Sign-up method (email or Google OAuth)

3.3 Booking Data

When members book classes:
- Booking history (classes booked, cancellations, waitlist entries)
- Attendance records
- Credit/membership usage

3.4 Payment Data

  • Payment transactions are processed entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers.
  • We store a reference to the Stripe customer/account ID for reconciliation.

3.5 Usage Data

We collect anonymous, aggregated usage data to improve the service:
- Pages visited, features used
- Browser type, device type
- No advertising or tracking cookies are used

3.6 Platform Operator Access

As the platform operator, StudioBook has access to studio-level statistics for service operation, support, and product improvement. This includes: member count, booking count, subscription status, and revenue data. Legal basis: Art. 6(1)(b) contract performance and Art. 6(1)(f) legitimate interest. This data is only used to operate and improve the platform and is never shared with third parties for marketing.

3.7 Special Categories of Data (Health Data — Art. 9 GDPR)

Studio owners may use intake forms to collect health-related information from their members (e.g. injuries, medical conditions, allergies, physical limitations). This constitutes "special category" personal data under Art. 9 GDPR.

  • Controller: The studio owner is the data controller for this data. They determine what health information to request and how to use it.
  • Processor: StudioBook stores and processes this data on behalf of the studio owner as a data processor (Art. 28 GDPR).
  • Legal basis: Art. 9(2)(a) GDPR — explicit consent of the data subject. By completing an intake form, the member explicitly consents to the processing of the requested health information by the studio.
  • Access: Only the studio owner and their staff can view intake form responses. StudioBook staff do not access this data unless required for technical support with the studio owner’s explicit authorisation.
  • Retention: Intake form responses are retained for the duration of the active membership plus 30 days, then permanently deleted.
  • Your rights: You may request access to, rectification of, or deletion of your intake form data at any time by contacting the studio directly or by deleting your StudioBook account.

4. Legal Basis for Processing

We process personal data on the following legal bases:
- Art. 6(1)(b) GDPR — Performance of contract: providing the booking and studio management service, processing payments, sending transactional emails (booking confirmations, reminders, cancellation notices).
- Art. 6(1)(f) GDPR — Legitimate interest: improving the product based on aggregated usage patterns, ensuring platform security.
- Art. 6(1)(a) GDPR — Consent: where explicitly obtained (e.g. marketing communications, if any).

5. Third-Party Services (Data Processors)

We use the following third-party services to operate StudioBook. All processors have Data Processing Agreements (Art. 28 GDPR) in place.

| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, edge functions | Account data, booking data | AWS EU (Frankfurt) |
| Stripe | Payment processing (SaaS subscriptions + member payments via Stripe Connect) | Email, payment details, Stripe account IDs | EU/US (Stripe DPA) |
| Resend | Transactional email delivery | Email address, booking details, studio name | EU/US (Resend DPA) |
| Vercel | Application hosting and deployment | IP address, request metadata | EU/US (Vercel DPA) |
| Google | OAuth authentication (Sign in with Google) | Email, name, profile picture | EU/US (Google DPA, DPF certified) |

Stripe Connect

Studio owners connect their own Stripe account via Stripe Connect Express. Member payments flow directly to the studio owner’s connected Stripe account. StudioBook acts as the platform but does not hold or process member payment funds.

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. Specific retention periods:

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (name, email, settings) | Duration of active account + 30 days after deletion | Art. 6(1)(b) GDPR |
| Booking records (bookings, cancellations, attendance) | Duration of active account; deleted immediately upon account deletion | Art. 6(1)(b) GDPR |
| Payment/transaction data (Stripe references, amounts, dates) | 10 years from end of calendar year of the transaction | Art. 6(1)(c) GDPR, § 147 AO, § 257 HGB |
| Email/notification logs | 90 days (full data), then anonymised; deleted after 1 year | Art. 6(1)(f) GDPR |
| Waitlist entries | Until resolved + 7 days after class date | Art. 6(1)(b) GDPR |
| Intake form responses | Duration of active membership + 30 days | Art. 6(1)(b) GDPR |
| Credit/membership balances | Duration of active account; purchase records retained 10 years | Art. 6(1)(b), Art. 6(1)(c) GDPR |
| Analytics data | Indefinite (anonymised and aggregated only) | Recital 26 GDPR |
| Abandoned studios | 12 months after subscription cancellation, with advance notice at 6 and 9 months; tax-relevant data retained per above | Art. 5(1)(e) GDPR |

When you delete your account, all personal data is deleted from our live systems immediately. Payment and transaction records required by tax law (Stripe references, amounts, dates) are retained for 10 years as required by § 147 AO / § 257 HGB. This legal obligation overrides the right to erasure (Art. 17(3)(b) GDPR).

Copies of deleted data in encrypted backups are purged through normal backup rotation within 30 days.

7. Your Rights

Under the GDPR, you have the following rights:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — delete your account and all associated data
- Right to restriction (Art. 18) — restrict processing under certain conditions
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time (e.g. marketing emails). Withdrawal does not affect the lawfulness of processing before withdrawal. You can withdraw marketing consent at any time via your account settings.

To exercise these rights, contact: hello@studiobook.app

You also have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4, 40213 Düsseldorf
https://www.ldi.nrw.de

8. Cookies

StudioBook uses only technically necessary cookies required for the service to function:
- Authentication session — maintains your login state
- Language preference — stores your chosen language (localStorage, not a cookie)

We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required as we only use essential cookies (exempt under § 25(2) TDDDG).

9. Data Transfer to Third Countries

Some of our processors (Stripe, Resend, Vercel) may process data in the United States. These transfers are safeguarded by:
- EU Standard Contractual Clauses (SCCs)
- The EU-US Data Privacy Framework (where applicable)

10. Automated Decision-Making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

11. Controller and Processor Roles

StudioBook operates in a dual role:

  • StudioBook as data controller: For your StudioBook account data (authentication, login credentials, SaaS billing, platform analytics), StudioBook is the data controller under Art. 4(7) GDPR.
  • Studio owner as data controller, StudioBook as data processor: For member personal data collected through studio booking pages (booking history, attendance, credits, studio-level communications), the studio owner is the data controller and StudioBook acts as the data processor under Art. 28 GDPR.

Member payments made via Stripe Connect flow directly to the studio owner’s Stripe account. StudioBook does not hold or process member payment funds.

Our Data Processing Agreement is available on the Data Processing Agreement page.

12. Changes

We may update this policy from time to time. Significant changes will be communicated via email to registered users at least 14 days before they take effect.