Effective: 20 May 2026

Privacy Policy

Introduction

At Photonsoft Pty Ltd (ABN 67 656 104 559), an Australian company based in Sydney, we value your privacy and are committed to protecting your personal information. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of personal information provided by users of our software (the "Service") and complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the General Data Protection Regulation (GDPR) where applicable. By accessing and using our Service, you agree to the terms and conditions of this Privacy Policy, and you consent to the collection, use, and disclosure of your personal information as described below. If you do not agree with this Privacy Policy, please do not use the Service.

Information we collect

We collect the following types of information when you use our Service:

  1. Personal Information: This includes information you provide to us directly or indirectly, such as your name, email address, phone number, and salon information (e.g., name, address, and services offered). We collect this information when you create an account, make a booking, or otherwise interact with our Service.

  2. Usage Information: We collect information about how you use the Service, including the pages you visit, the features you use, and the time you spend on the Service. We may use cookies and other tracking technologies to gather this information.

How we use your information

We use your personal information for the following purposes:

  1. To provide, maintain, and improve the Service, including responding to your inquiries and providing customer support.

  2. To personalise your experience by customising the content, features, and advertisements you see on the Service.

  3. To communicate with you about updates, promotions, and other marketing materials related to the Service.

  4. To protect the security and integrity of the Service and our users' information, and to prevent and detect fraud, security breaches, and other harmful activities.

  5. To comply with legal obligations and enforce our Terms of Service.

We will never sell your personal information to third parties.

Legal basis for processing

We process your personal information based on one or more of the following legal bases:

  1. Your consent, such as when you voluntarily provide us with your personal information.

  2. Performance of a contract, such as when we need to process your personal information to fulfil our obligations under the Terms of Service.

  3. Our legitimate interests, such as improving our Service, maintaining security, and providing customer support.

  4. Compliance with legal obligations, such as responding to lawful requests from authorities.

Sharing your information

We may share your personal information with third parties in the following circumstances:

  1. With your consent, such as when you choose to share your information with a third-party service integrated with our Service.

  2. With service providers who perform functions on our behalf, such as payment processing, data storage, and email delivery. These service providers are prohibited from using your information for purposes other than providing services to us.

  3. In response to a legal request, such as a court order, subpoena, or government investigation, or to comply with applicable laws and regulations.

  4. In connection with a merger, acquisition, or sale of all or a portion of our assets, in which case your information may be transferred to the new owner.

Third-party service providers

We use the following categories of third-party service providers to operate and improve the Service. These providers process personal information on our behalf and are contractually obligated to protect your data:

  1. Analytics and session recording: We use PostHog for product analytics, event tracking, feature flags, and session recording. Session recordings capture your interactions with the Service, including mouse movements, clicks, scrolling, page views, navigation patterns, and text typed into form fields. Sensitive input fields (such as passwords and payment details) are automatically masked and are not captured. Recordings are used solely to improve the user experience and diagnose technical issues. We do not share session recordings with third parties. You can opt out of session recording at any time by contacting us at hello@bellabooking.com.

  2. Customer support: We use Intercom to provide in-app customer support and messaging. When you use the Service, Intercom may collect your name, email address, conversation history, and usage data (such as pages visited and actions taken) to enable proactive support and personalised help. Intercom sets its own cookies to provide this functionality.

  3. Error monitoring: We use PostHog to detect and diagnose software errors. When an error occurs, technical information about the error (including browser type, device information, and the actions leading to the error) may be transmitted to PostHog.

  4. Payment processing: We use Stripe to process payments and manage subscriptions. Stripe processes your payment information directly and is PCI DSS compliant. We do not store your full credit card details on our servers.

  5. Authentication: We use Auth0 to manage user authentication and account security.

  6. Communications: We use Twilio for SMS notifications (such as appointment reminders) and SendGrid for email delivery. These providers process phone numbers and email addresses as necessary to deliver messages on our behalf.

  7. Cloud infrastructure: We use Microsoft Azure for data storage, hosting, and AI-powered features. Your data may be stored on Azure servers located outside your country of residence.

  8. Website import: When you choose to import details from your website, we use Firecrawl to read the publicly available content of the address you provide. Firecrawl receives only that URL and returns the extracted page content to us; it is contractually obligated to protect the data and not to use it for any other purpose.

Google API Services — use of Google user data

Bella Booking integrates with Google APIs to provide optional Google Calendar synchronisation. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What we access. When you connect a Google account, we access only: the email address of the connected Google account; and, for the calendar(s) you select, the start and end times of events (free/busy information) and the full content of events that Bella Booking has previously created on those calendars.

How we use it. Google user data is used solely to run the calendar-sync feature you have enabled — we read your availability to prevent double-bookings, and we create, update, or delete events on your selected calendar when appointments change in Bella Booking.

Sharing, storage, and retention. Google user data is processed under the practices described elsewhere in this policy — see the "Sharing your information", "Third-party service providers", "Security", and "Data retention" sections.

Disconnecting. You can revoke Bella Booking's access to your Google account at any time by disconnecting Google Calendar from your team-member profile in Bella Booking, or from your Google Account at myaccount.google.com/permissions. Once disconnected, we stop accessing your Google data and delete the access credentials we held.

Website import (setup assistance)

To help you set up quickly, Bella Booking offers an optional feature that reads your own business website. When you provide your website address — during onboarding or from your settings — and choose to scan it, we retrieve the publicly available content of that website (via our service provider Firecrawl) and extract details such as your business name, contact details, services, team, opening hours, brand colors, logo, and social media links.

This feature is user-initiated and processes the website address you supply (and, where applicable, your own public business listing on a booking platform you tell us you currently use). We do not scrape unrelated third-party websites on your behalf. Nothing extracted is applied automatically — each detail is shown as a suggestion that you choose to apply. Extracted results are cached for a short period (currently up to 7 days) to power these suggestions, then deleted. Where extracted content includes personal information about your team members, you remain responsible — as the controller of that information — for having a lawful basis to provide it to us.

Cookies and tracking technologies

We use cookies and similar technologies to operate and improve the Service. These include:

  1. Essential cookies: Required for the Service to function, including authentication and session management.

  2. Analytics cookies: Used by PostHog to understand how users interact with the Service and to improve user experience.

  3. Support cookies: Used by Intercom to provide customer support functionality.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.

Account access for support

Authorised Bella Booking support personnel may access your account when reasonably necessary to respond to support requests, troubleshoot technical issues, perform maintenance, or ensure compliance with our terms. Such access is limited to what is necessary and is logged for accountability, and our personnel are bound by confidentiality obligations. For further details, please refer to the Account Access for Support section in our Terms and Conditions.

Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay. As an Australian company, we additionally comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).

Data retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you cancel your account, we will delete your data within 90 days, except where we are required to retain it for legal, accounting, or regulatory purposes. Backup copies may be retained in encrypted form for a limited period after deletion. Analytics and aggregated data that cannot identify you may be retained indefinitely.

International data transfers

If we transfer your personal information to countries outside of the European Economic Area (EEA), we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or other mechanisms approved by the European Commission. Some of our third-party service providers are located overseas, including in the United States and Australia. As an Australian company, we also comply with Australian Privacy Principle 8 regarding cross-border disclosure of personal information and take reasonable steps to ensure overseas recipients are subject to equivalent privacy protections.

Your rights under the GDPR

Under the GDPR, you have the following rights regarding your personal information:

  1. Access: You have the right to request access to the personal information we hold about you.

  2. Rectification: You have the right to request correction of any inaccurate personal information we hold about you.

  3. Erasure: You have the right to request the deletion of your personal information under certain circumstances, such as when the data is no longer necessary for the purposes it was collected or when you withdraw your consent.

  4. Restriction of processing: You have the right to request that we restrict the processing of your personal information under specific circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.

  5. Data portability: You have the right to request that we provide you with a copy of your personal information in a structured, commonly used, and machine-readable format, or that we transfer it directly to another data controller, where technically feasible.

  6. Objection: You have the right to object to the processing of your personal information for direct marketing purposes or when the processing is based on our legitimate interests.

  7. Automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.

  8. Withdraw consent: If we process your personal information based on your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of the processing before the withdrawal.

To exercise any of these rights, please contact us using the contact information provided below.

Security

We take reasonable measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee the absolute security of your information.

Third-party links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties, and we encourage you to review their privacy policies before providing them with your personal information.

Children's privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe we have collected information from a child under 16, please contact us immediately.

Changes to this privacy policy

We may update this Privacy Policy from time to time. When we make changes, we will post the updated policy on our website and update the effective date. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

Contact us

If you have any questions or concerns about this Privacy Policy, your rights under applicable privacy laws, or our privacy practices, please contact us or email us at: Photonsoft Pty Ltd (ABN 67 656 104 559).

hello@bellabooking.com

Last updated: 20 May 2026