
PRIVACY POLICY

Effective date: April 29, 2026
Last updated: May 22, 2026
Version: 1.2


1. Introduction

This Privacy Policy ("Policy") describes how the 1booq online booking management platform (operated by WaveOne Technologies Kft., hereinafter: the "Service Provider") processes personal data in connection with the use of the Service.

Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("Info Act"), and the applicable Hungarian and EU legislation.

This Policy should be read in conjunction with the Terms of Service and the Cookie Policy.


2. Data Controller and Contact

Data Controller: WaveOne Technologies Kft.
Registered office / postal address: 1181 Budapest, Vasvári Pál u. 26, Hungary
Company registration number: 01-09-451611
Tax number: 32961430-1-43

Data protection contact: privacy@1booq.com
General customer service: support@1booq.com

Data Protection Officer (DPO): At the time this Policy takes effect, the Service Provider is not required to designate a Data Protection Officer under Article 37 GDPR. Should such designation become necessary due to changes in its activities, Users will be informed through an update to this Policy.


3. Definitions and Roles

The Service is a multi-party booking platform in which personal data processing involves several roles.

3.1. Typical User Groups

  • Provider (service-providing business): a User who manages their own business, Sites, and bookable time slots on the platform.
  • Worker (staff member): a person invited by the Provider who manages the Provider's Bookings.
  • Client (customer): a natural person or business that places a Booking for one or more of the Provider's time slots — either as a registered User or (if the Provider permits) as an anonymous booker.

3.2. Data Controller and Data Processor Roles

The Service Provider acts in the following capacities:

  • Independent Data Controller in relation to the general operation of the platform (e.g. registration, authentication, account management, billing, security purposes).
  • Data Processor with respect to the booking data of the Provider's clients, in cases where the Provider manages its own clients for its own business purposes on the platform. In such cases, the Provider is the Independent Data Controller for the relevant client data, and the Service Provider technically stores and processes such data on behalf of the Provider. Details are set out in the [Terms of Service – Data Processing Agreement (DPA)] section.

3.3. No Joint Controllership

The Service Provider and the Provider do not act as joint data controllers within the meaning of Article 26 GDPR. Each party is an independent controller for the data and processing purposes set out in Section 3.2. Where data flows between the two roles (e.g. a Booking that the Service Provider stores on behalf of the Provider but that also feeds into the Service Provider's own security logs), each party processes the data only on its own legal basis and within its own scope.


4. Scope of Data Processed

4.1. Registration and Account Data (All Users)

  • name,
  • email address,
  • password (stored in bcrypt-hash form),
  • 9-digit unique user identifier (User UID),
  • profile picture (optional, stored in Supabase Storage),
  • gender (optional),
  • phone number (optional),
  • language setting (en/hu/de),
  • email verification timestamp,
  • account settings and notification preferences.

Sign-in with Google or Apple (OAuth). Users may register and log in using their Google or Apple account instead of an email/password pair. In that case, based on the User's authorisation on the provider's consent screen, the Service Provider receives the User's email address and name to create or access the account; Google additionally supplies the profile picture where available. With Sign in with Apple, the User may choose Apple's "Hide My Email" option, in which case the Service Provider only receives an anonymised Apple relay email address that forwards messages to the User; Apple supplies the name only on the first sign-in and no profile picture. The Service Provider never receives or stores the User's Google or Apple password. The linked account is shown, and can be reviewed, in the profile's "Sign-in methods" section.

4.2. Provider-Specific Data

  • company data (company name, company registration number, tax number, billing address),
  • Sites (provider_site): address, city, country, GPS coordinates, time zone, service descriptions, images,
  • bookable resource (Slot) configuration,
  • custom data fields defined by the Provider for booking forms (e.g. free-text comment, date, number, selection).

4.3. Booking Data (From the Client and Provider Perspective)

  • booking date and time, duration, status (BU/AP/AU/RP/RU/PA/DP/DU/NP/MV),
  • completed values of the booking form defined by the Provider,
  • the booker's name, email address, and phone number (if provided),
  • optionally, the Client's comments and reviews.

4.4. Two-Factor Authentication (2FA)

  • TOTP secret key (encrypted),
  • backup codes (stored in bcrypt-hash form).

4.5. Messages

Content and metadata of direct messages (message) exchanged between Users (Provider <-> Client, Provider <-> Worker), including sender, recipient, timestamp, and read timestamp.

4.6. Reviews and Notes

  • rating (rating, 1–5 scale) and note (note), which may be given by the Provider about a Client, or by the Client about a Provider.

4.7. Payment and Billing Data

  • Credit Subscription quantity (5–1,000 Credits/month) and status (active / paused / cancelled),
  • one-off Credit pack purchase records,
  • paddle_customer_id managed by Paddle,
  • Credit balance (credit_balance) and transactions (credit_transaction),
  • invoice history, payment confirmations.

Important: The Service Provider does not store bank card data, IBAN/account numbers, or other payment details. These are processed exclusively by Paddle (Merchant of Record).

4.8. Technical and Usage Data

  • IP address (for login security and abuse prevention),
  • device and browser information (User-Agent),
  • operating system,
  • log data (successful/failed logins, security events),
  • error reports, performance metrics,
  • transactional email delivery and bounce events (essential telemetry from our email sub-processor — MailerSend — for reliable delivery; open-tracking pixels are disabled by default; details in the Cookie Policy),
  • cookies and similar technologies (detailed in the Cookie Policy).

4.9. Location Data

The locations of Provider Sites (address + GPS coordinates) are publicly searchable on the platform if the Provider has enabled search visibility (discoverable_flag). During search, the Client only shares their selected city/country filters; the Service Provider does not collect precise location data from the Client's device automatically.

4.10. Identity Verification Data for Account Recovery

If a User loses both their 2FA device and backup codes and requests manual account recovery under Section 5.4 of the Terms of Service, the Service Provider may request the following data to verify the request:

  • a redacted copy of an official photo ID matching the account name (e.g. only name and photo visible, other identifiers blurred),
  • confirmation from the registered email address,
  • where applicable, confirmation of billing data.

Legal basis: Article 6(1)(b) GDPR — performance of contract (restoring account access), and Article 6(1)(f) GDPR — legitimate interest (preventing unauthorised access).

Retention and security: identity verification documents are received via a secure channel, processed under strict access controls, and deleted without undue delay after verification, and in any event within 30 days. The Service Provider does not request ID copies as plain email attachments where a secure upload channel is available.

Where possible, the Service Provider applies alternative identity verification methods (registered email + security questions + billing data + administrative approval) and requests an ID copy only as a last resort.

4.11. External Calendar Connection Data (Optional)

A registered User may optionally connect their Google Calendar so that the Service can warn them when a new Booking overlaps an event already in their personal calendar. This connection is strictly opt-in and can be disconnected at any time in the profile settings.

While the calendar is connected, the Service Provider processes:

  • an OAuth access token and refresh token issued by Google, stored in encrypted form and used solely to read the connected calendar;
  • the start and end times of events in the connected calendar, retrieved on demand to detect scheduling conflicts;
  • the title and location of a conflicting event, displayed back to the User only, so that the conflict warning is meaningful.

The Service requests read-only access (the calendar.events.readonly scope) and never creates, modifies, or deletes anything in the User's calendar. Calendar event content is used transiently for the conflict check and is not stored in the Service Provider's database. Disconnecting the calendar deletes the stored tokens and revokes the Service Provider's access at Google.

Legal basis: Article 6(1)(a) GDPR — consent. The User gives consent by explicitly connecting the calendar; it may be withdrawn at any time by disconnecting.


5. Purposes and Legal Bases of Data Processing

5.1. Performance of a Contract – Article 6(1)(b) GDPR

  • creating, operating, and authenticating user accounts (including optional sign-in with a Google or Apple account),
  • recording, confirming, and cancelling Bookings,
  • processing payment and billing flows,
  • providing platform features (calendar, messages, reviews, Credit system).

5.2. Legal Obligation – Article 6(1)(c) GDPR

  • accounting and tax obligations (invoice retention for 8 years),
  • compliance with regulatory requests,
  • mandatory consumer-protection disclosures,
  • anti-money laundering obligations (including on Paddle's side),
  • trader traceability and Provider verification under Article 30 of the Digital Services Act (EU 2022/2065): collection, reasonable verification, retention, and — where applicable — making available to Consumers of Provider identification and registration data,
  • where the platform falls within its scope, reporting obligations of platform operators under EU Directive 2021/514 (DAC7): transmission of the Provider's identification and financial data to the competent tax authority (the Hungarian NAV or another EU member state's tax authority).

5.3. Legitimate Interest – Article 6(1)(f) GDPR

  • IT and network security (logging, access control),
  • abuse prevention (spam, fraud, automated attacks),
  • establishing, exercising, or defending legal claims,
  • Service improvement and bug fixing, technical performance optimisation.

The Service Provider carries out a balancing-of-interests assessment under Article 6(1)(f) GDPR in every case and will make it available upon request.

5.4. Consent – Article 6(1)(a) GDPR

  • sending newsletters / marketing messages,
  • non-essential cookies (functional / analytics / marketing),
  • truly optional profile data such as gender (where collected for statistical purposes only),
  • connecting an optional external calendar (Google Calendar) for booking-conflict detection (see Section 4.11).

Note on optional profile fields: profile picture and phone number, although optional to provide, are processed under Article 6(1)(b) GDPR (performance of a contract) when supplied — the profile picture appears on the Provider's public booking page (intended part of the Service), and the phone number is used for booking-related contact. Their voluntary nature relates to whether the User chooses to provide them, not to the legal basis for their processing once supplied.

Consent may be withdrawn at any time; withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.


6. Automated Decision-Making and Profiling

The Service Provider does not employ solely automated decision-making (Article 22 GDPR) that would produce legal effects or similarly significantly affect the User.

Automatic booking acceptance (auto_acc_usr_req_flag) is a technical acceptance logic pre-configured by the Provider and does not constitute profiling within the meaning of Article 22 GDPR.


7. Data Processors and Data Transfers

The Service Provider engages the following Data Processors in the operation of the Service:

| Data Processor | Function | Data Processing Location | Legal Basis for Transfer |
|---|---|---|---|
| Supabase Inc. | Database (PostgreSQL) | EU region | Within the EEA |
| Vercel Inc. | Hosting, edge network | USA | EU-US Data Privacy Framework / SCC |
| Paddle.com Market Ltd. | Payment processing, invoicing (Merchant of Record) | United Kingdom / USA | UK GDPR adequacy / SCC |
| MailerSend (MailerSend Inc.) | Transactional email delivery | USA / EU | EU-US Data Privacy Framework / SCC |
| GeoNames (Unxos GmbH) | City auto-completion | Germany | Within the EEA |
| OpenStreetMap Foundation | Map tiles | United Kingdom | UK GDPR adequacy |

The Service Provider has entered into a data processing agreement in accordance with Article 28 GDPR with each Data Processor.

7.1. International Data Transfer Safeguards

In the event of data transfers outside the EEA, the Service Provider:

  • gives preference to Data Processors certified under the EU-US Data Privacy Framework,
  • applies Standard Contractual Clauses (SCCs) (modules pursuant to European Commission Decision 2021/914),
  • implements supplementary technical and organisational measures based on a risk assessment (encryption in transit, access controls, pseudonymisation).

7.2. Third-Party Identity and Calendar Services (Google, Apple)

The Service offers the following optional integrations with third-party providers:

  • Sign-in with Google: when a User chooses to register or log in with their Google account, the authentication takes place on Google's own infrastructure and the Service Provider receives only the identity data described in Section 4.1.
  • Sign in with Apple: when a User chooses to register or log in with their Apple account, the authentication takes place on Apple's own infrastructure and the Service Provider receives only the identity data described in Section 4.1 (optionally via Apple's "Hide My Email" relay).
  • Google Calendar connection: when a User connects their Google Calendar (Section 4.11), read-only calendar access is performed through Google's Calendar API.

For these integrations, Google (Google Ireland Limited / Google LLC) and Apple (Apple Distribution International Ltd.) each act as an independent controller under their own privacy policies (Google Privacy Policy, Apple Privacy Policy); the Service Provider is not a joint controller with them for these activities. The data exchange occurs solely as a result of the User's own authorisation on the provider's consent screen, and the User may revoke this access at any time — within 1booq (unlink / disconnect) or in their Google or Apple account security settings.


8. Data Retention

In accordance with the GDPR storage-limitation principle (Art. 5(1)(e)) we apply the following retention periods:

| Data Category | Retention Period |
|---|---|
| Active account data (profile, settings, preferences) | for the lifetime of the account |
| Deactivated/deleted account data | permanently deleted within 90 days of termination |
| Statutory accounting and invoicing data (transactions, invoice metadata, tax-relevant fields) | 8 years — Section 169 of Act C of 2000 on Accounting (Hungarian Sztv.) |
| Booking metadata not required for accounting purposes | up to 90 days after account termination |
| Backups containing personal data | rolling window during operation; full purge within 180 days of account termination |
| Email logs at our email sub-processor (MailerSend) | up to 12 months |
| Authentication / security logs | up to 12 months |
| In-platform messages | for the lifetime of the account; deleted messages become inaccessible immediately and are removed from technical backups within 90 days |
| Cookie preferences (in the User's browser) | up to 12 months or until cleared by the User |

Retention periods may also be justified by the need to establish, exercise, or defend legal claims; in such cases, data may be retained until the conclusion of the proceedings.


9. Data Security

The Service Provider applies appropriate technical and organisational measures, in particular:

  • encryption: database-level encryption at rest, TLS 1.2+ in transit,
  • passwords: bcrypt hash (10+ rounds),
  • 2FA: optional TOTP-based two-factor authentication,
  • access control: internal access based on the principle of least privilege,
  • logging: centralised collection of security events,
  • backups: stored in encrypted form,
  • version-controlled infrastructure: changes are auditable,
  • rate limiting: account lockout for 15 minutes after 5 consecutive failed login attempts,
  • CSRF, XSS, SQL injection protection: ensured at the framework level.

10. Handling of Data Protection Incidents

In the event of a data protection incident (a breach of security, confidentiality, or integrity), the Service Provider shall act in accordance with Articles 33–34 GDPR:

  • notify the supervisory authority within 72 hours of becoming aware of the incident, where the incident is likely to result in a risk to the rights and freedoms of natural persons,
  • where the incident poses a high risk, notify the affected Users without undue delay,
  • document the incident, its impact, and the measures taken in detail.

11. Rights of Data Subjects

Under Articles 15–22 GDPR, you have the right to:

  • request access to your personal data,
  • request rectification of inaccurate data,
  • request erasure ("right to be forgotten"),
  • request restriction of processing,
  • request data portability (in a structured, machine-readable format),
  • object to processing (in particular processing based on legitimate interest),
  • withdraw your consent (where processing is based on consent),
  • lodge a complaint with the supervisory authority.

11.1. Submitting Requests

You may submit your requests at:

  • Email: privacy@1booq.com
  • By post: to the registered office of the Service Provider.

The Service Provider will respond to requests without undue delay, and in any event within one month. This deadline may be extended by a further two months where warranted by the complexity of the request; in such cases, we will inform the data subject accordingly.

11.2. Identification

Before fulfilling a request, the Service Provider will verify the identity of the requester (e.g. via the registered email address) to prevent unlawful disclosure.

11.3. Costs

The Service Provider fulfils requests free of charge, unless the request is manifestly unfounded or excessive (in which case a reasonable fee may be charged, or the request may be refused).

11.4. Connection-Specific Limitations

Please note: a data subject request relating to client data managed by a Provider (e.g. a Client requesting deletion of their booking data held by a Provider) should be submitted primarily to the Provider (as the Independent Data Controller). The Service Provider, as Data Processor, acts on the Provider's instructions.


12. Protection of Minors' Data

Registered use of the Service is available exclusively to persons who have reached 18 years of age. The Service Provider does not knowingly collect personal data from persons under 18.

If the Service Provider becomes aware that it is processing data of a person under 18 (without the prior approval of a legal guardian), it will erase such data without undue delay.

In the case of a non-registered (public) Booking, a person under 18 may book a time slot only under the supervision of and on behalf of a legal guardian.


13. Messages and Communication

The Service allows direct messaging between Users. The Service Provider does not routinely monitor the content of messages; however:

  • automated spam and abuse-filtering systems may operate,
  • content may be reviewed on the basis of a legal obligation or a report,
  • in cases of serious violation, messages may be removed and/or the User's account may be restricted.

Notice and action mechanism (Digital Services Act EU 2022/2065): illegal content can be reported at any time by emailing legal@1booq.com. Details of the procedure, including statement of reasons and appeal rights, are set out in Section 11.5 of the Terms of Service.

Deleted messages are no longer accessible to the other party after deletion; however, they may remain at the system level for the duration of the technical backup retention period (up to 90 days).


14. Reviews, Notes, and Ranking

Providers and Clients may rate each other (rating), and the Provider may create internal notes (note) about a Client for its own use.

  • Internal notes are not visible to other Users; the Client, as a data subject, may request access to them under Article 15 GDPR.
  • Public reviews (where such a feature is active) may be published on the Provider's page. Users may request editing/deletion of a review, and the Service Provider moderates manifestly abusive content.

15. Marketing Communications

The Service Provider sends marketing messages (newsletters, new features, special offers) only:

  • on the basis of express prior consent (for new Users) — Article 6(1)(a) GDPR and Section 6 of Hungarian Act XLVIII of 2008 on commercial advertising activity ("Grtv."); or
  • within the framework permitted by Section 6(4) Grtv. in the context of an existing customer relationship for the same or similar Service (soft opt-in).

Every such message includes a free, one-click unsubscribe link, and the User may also update their marketing preferences in their account settings at any time.


16. Cookies

A detailed description of cookies and similar technologies is set out in the separately published Cookie Policy.


17. Complaints and Legal Remedies

If you believe that the processing of your data infringes your rights, you may lodge a complaint:

With the Service Provider: privacy@1booq.com

Or directly with the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
1055 Budapest, Falk Miksa u. 9–11., Hungary
Postal address: 1363 Budapest, Pf. 9., Hungary
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu

In addition, you have the right to seek a judicial remedy (Article 79 GDPR). Proceedings may be brought before the court of your habitual residence or place of stay, or before the court with jurisdiction over the Service Provider's registered office.


18. Amendments to This Policy

The Service Provider reserves the right to amend this Policy unilaterally, in particular:

  • due to changes in legislation or regulatory requirements,
  • upon introduction of new Service features,
  • upon engagement of a new Data Processor.

In the case of material changes, the Service Provider will notify Users at least 15 days in advance of the effective date of the amendment, by email or via an in-platform notification. Where new processing activities are based solely on consent, the Service Provider will request new, express consent.


19. Contact

Data protection inquiries: privacy@1booq.com
General customer service: support@1booq.com
Postal address: the registered office of the Service Provider as set out in Section 2 of this Policy.


By using the Service, you acknowledge that you have read this Privacy Policy.