Legal

Privacy Policy

How we handle personal data about Operator users, website visitors and prospects

Last updated · 1 March 2026 Version 1.0

Scope note: This Privacy Policy describes how The Bookings Group Limited processes personal data in its capacity as controller, primarily in relation to Operator users of the Bookable platform, visitors to our websites, and people who engage with our sales and marketing. Where Bookable processes personal data about guests on behalf of Operators, Bookable acts as a processor under the Operator's own privacy notice. For that processing, please contact the relevant Operator.

1. Who we are

The Bookings Group Limited ("Bookable", "we", "our", "us") is a company registered in England and Wales with company number 11689193, whose registered office is at c/o Bright Beany Accounting, Cumberland House, 35 Park Row, Nottingham, England, NG1 6EE.

We operate the Bookable platform (bookabletech.com) and related services, including booking widgets, APIs and distribution connectors for hospitality operators.

We are the controller responsible for the personal data we process as described in this Privacy Policy. Our Information Commissioner's Office (ICO) registration number is 00013501540.

2. How to contact us

For privacy matters, our contact is:

Email: privacy@bookabletech.com
Post: Privacy Team, The Bookings Group Limited, c/o Bright Beany Accounting, Cumberland House, 35 Park Row, Nottingham, England, NG1 6EE

We have not appointed a statutory Data Protection Officer as we are not required to do so under UK GDPR.

3. What personal data we collect

We collect and process the following categories of personal data.

3.1 Operator accounts and users

Identity data: name, job title, role.
Contact data: business email, business phone, postal address.
Credentials: hashed passwords, authentication tokens, multi-factor authentication settings.
Profile and preferences: notification settings, locale, time zone.
Usage data: records of actions taken in the platform, API calls, login history.
Support data: information included in support tickets, calls or chats.

3.2 Website visitors and prospects

Contact details you provide: name, email, phone, company, role, message content (for example, when submitting a demo or contact form).
Marketing preferences.
Technical data: IP address, approximate location, browser type and version, device information, referring URL, pages visited, time spent.
Cookie and similar technology data (see our Cookies Policy).

3.3 Business contacts

Names and business contact details of our commercial contacts, partners, suppliers, candidates and other business counterparties.

3.4 Guest data processed on behalf of Operators

In the course of providing the Services, we process personal data about guests (such as names, contact details, booking information and dietary information). We do so only on behalf of, and on the documented instructions of, the relevant Operator, under a Data Processing Agreement. For information about this processing, please contact the relevant Operator.

4. How we collect personal data

Directly from you: when you create an account, submit a form, contact us, engage with our sales team or use the platform.
From your organisation: where your employer or another Operator user creates an account or assigns you a role.
Automatically: through cookies and similar technologies on our websites and platform.
From third parties: business contact data from lead generation providers, professional networks (such as LinkedIn), publicly available sources and introductions from partners.

5. Purposes and lawful bases

We process personal data for the purposes, and on the lawful bases, set out below. Where we rely on legitimate interests, we have carried out a balancing test and you have the right to object.

Providing the Services

Performance of contract with the Operator; legitimate interests (where the user is an employee of the Operator rather than a direct counterparty to us) in operating the Services.

Account administration and authentication

Performance of contract; legitimate interests in secure operation.

Customer support

Performance of contract; legitimate interests in providing quality support.

Security, fraud prevention, monitoring

Legitimate interests in protecting the Services, our customers and Bookable; compliance with legal obligations.

Service improvement, analytics and product development

Legitimate interests in improving the Services.

Marketing to existing customers (similar products/services)

Legitimate interests (soft opt-in under PECR), with an easy opt-out in every communication.

Marketing to prospects and non-customers

Consent, where required by PECR and UK GDPR.

Responding to enquiries

Legitimate interests; steps to enter into a contract at your request.

Billing, financial records and tax

Performance of contract; compliance with legal obligations.

Compliance with law and dealing with regulators

Compliance with legal obligations.

Establishing, exercising and defending legal claims

Legitimate interests in protecting our rights.

Corporate transactions (e.g. due diligence for fundraising, sale or acquisition)

Legitimate interests in running and developing our business.

6. Marketing

We may send marketing communications about Bookable products and services that we believe may be of interest to you. You can opt out at any time by clicking the unsubscribe link in any marketing email, by changing your preferences in your account, or by emailing us.

Where required by law, we will obtain your consent before sending marketing communications. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

We share personal data with the following categories of recipient:

Service providers and sub-processors that help us operate the Services, including cloud infrastructure, email and SMS delivery, analytics, error monitoring, payment processing, customer support tools and professional services. Our current list of material sub-processors is maintained at /legal/subprocessors.
Integration Partners and TMS platforms where you or your Operator has enabled such integrations.
Our professional advisors, including lawyers, accountants and auditors, under duties of confidentiality.
Regulators, law enforcement and other authorities, where required by law or to protect rights.
Parties to a corporate transaction, including actual or prospective investors, buyers or their advisors, under appropriate confidentiality arrangements.
Other parties with your consent or at your direction.

We do not sell personal data.

8. International transfers

Some of our service providers are located outside the United Kingdom and the European Economic Area. Where we transfer personal data to such countries, we put in place appropriate safeguards in accordance with UK GDPR, including adequacy decisions, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other lawful transfer mechanisms. A copy of the relevant safeguards can be obtained on request.

9. How long we keep personal data

We keep personal data for as long as necessary for the purposes for which it was collected, which depends on the nature of the data and the purpose. Our general retention approach is:

Operator account and user data

For the duration of the account, plus up to [6] years after closure to comply with statutory record-keeping obligations and to deal with any disputes.

Support and communications records

Typically [3] years from the date of the last interaction.

Marketing data

Until you opt out or after a reasonable period of inactivity (typically [2] years).

Website analytics and cookie data

In line with our Cookies Policy.

Billing and financial records

[6] years from the end of the relevant financial year.

Security logs

Typically [12] months unless required for investigation or legal purposes.

Guest data (as processor)

Controlled by the Operator under its own retention schedule and the Data Processing Agreement.

Where legal proceedings are ongoing or anticipated, we may retain data for longer as necessary.

10. Security

We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction. Further information is set out in our Security Policy. No system is entirely secure; please use a strong, unique password for your account and enable multi-factor authentication where available.

11. Your rights

Subject to conditions and exceptions under Applicable Data Protection Law, you have the right to:

Access the personal data we hold about you and receive a copy.
Rectification of inaccurate or incomplete personal data.
Erasure of personal data in certain circumstances.
Restriction of processing in certain circumstances.
Data portability: to receive your data in a structured, commonly used, machine-readable format.
Object to processing based on our legitimate interests or direct marketing.
Withdraw consent where we rely on it, without affecting the lawfulness of prior processing.
Not to be subject to solely automated decisions that produce legal or similarly significant effects (we do not currently carry out such decision-making).

To exercise any of these rights, contact us using the details in section 2. We will respond within one month (extendable by up to two further months for complex requests).

12. Complaints

If you have a concern about how we handle your personal data, please contact us first so that we can try to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or, where applicable, the supervisory authority in your country of residence or workplace.

13. Cookies

For information about our use of cookies and similar technologies, see our Cookies Policy.

14. Children

The Services are intended for business use by adults. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the "Last updated" date. Material changes will be communicated in advance, where feasible, by email or through the platform.

The Bookings Group Limited

Registered in England and Wales with company number 11689193

Registered office: c/o Bright Beany Accounting, Cumberland House, 35 Park Row, Nottingham, England, NG1 6EE

Version: 1.0 | Last updated: 1 March 2026

Last updated · 1 March 2026 Questions? legal@bookabletech.com