
Security & Trust

How we keep your studio data safe

GDPR-first, EU-hosted, encrypted, audit-trailed. Pick the view that fits — warm overview for studio owners, concrete spec for IT & security teams.

Last audited May 13, 2026

Data Protection

Your data is safe

Every piece of your studio's information — client names, bookings, payment receipts, health forms — is encrypted before it touches our database. Our servers are physically located in the European Union (Frankfurt and Stockholm), so your data never leaves the protection of European law. We take encrypted backups every night, store them in a separate region, and test once a quarter that we can actually restore them. If something ever went wrong, we have a written 72-hour playbook for telling you what happened and what we're doing about it. Trust is built on details like these, and we'd rather be boring than dramatic.

Payments are secure

We don't touch your clients' card numbers. Every card payment is handled by Stripe (or one of our other certified processors — Mollie, Frisbii (formerly Reepay), Adyen), each of which is a PCI DSS Level 1 service provider, the most stringent compliance level in the card industry. The card data never lands in our database; we only hold an opaque processor token, which is enough to issue refunds but useless for making new charges elsewhere. For refunds above a sensible threshold, the system requires a second, different admin to approve — so a single compromised account can't drain your payouts. MobilePay, Apple Pay, Google Pay, and bank transfers all work the same way: we handle the booking, the processor handles the money.
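For IT and security readers, here is what the two-person refund rule above looks like in code. This is an added illustration, not Booking Bible's own implementation: the class and field names, the 24-hour rolling window, and the rule that the threshold applies to a requester's rolling total (so a large refund cannot be split into several just-under-threshold ones) are this example's assumptions. The processor call is a callback so the block runs offline.

```typescript
// Added example, not Booking Bible's own code. Two-person (four-eyes) approval
// for refunds: a refund that pushes the requester over the threshold is held
// until a *different* admin approves it, and it can never execute twice.
// Names, the rolling-total rule and the 24h window are this example's assumptions.

type RefundStatus = "pending_approval" | "executed";

interface Refund {
  id: string;
  studioId: string;
  amountMinor: number;   // amount in the currency's minor unit (cents / øre)
  chargeToken: string;   // opaque processor reference; card data never appears here
  requestedBy: string;
  requestedAt: number;   // unix ms
  approvedBy?: string;
  status: RefundStatus;
}

interface AuditEvent { at: number; actor: string; action: string; refundId: string; }

const ROLLING_WINDOW_MS = 24 * 60 * 60 * 1000;

class RefundService {
  private readonly refunds = new Map<string, Refund>();
  private readonly thresholdMinor: number;
  private readonly sendToProcessor: (r: Refund) => void;
  private seq = 0;
  readonly audit: AuditEvent[] = [];   // every request/approval/execution is logged

  constructor(thresholdMinor: number, sendToProcessor: (r: Refund) => void) {
    this.thresholdMinor = thresholdMinor;
    this.sendToProcessor = sendToProcessor;   // the call to Stripe etc., injected so this runs offline
  }

  // Everything this actor has refunded, or has pending, in the window. Applying
  // the threshold to the rolling total (not the single request) closes the
  // obvious bypass: splitting one large refund into many small ones.
  private rollingTotal(studioId: string, actor: string, nowMs: number): number {
    let total = 0;
    for (const r of this.refunds.values()) {
      if (r.studioId === studioId && r.requestedBy === actor && nowMs - r.requestedAt < ROLLING_WINDOW_MS) {
        total += r.amountMinor;
      }
    }
    return total;
  }

  request(studioId: string, amountMinor: number, chargeToken: string, actor: string, nowMs: number): Refund {
    if (!Number.isInteger(amountMinor) || amountMinor <= 0) throw new Error("invalid amount");
    const needsApproval = this.rollingTotal(studioId, actor, nowMs) + amountMinor > this.thresholdMinor;
    const refund: Refund = {
      id: `rf_${++this.seq}`, studioId, amountMinor, chargeToken,
      requestedBy: actor, requestedAt: nowMs, status: "pending_approval",
    };
    this.refunds.set(refund.id, refund);
    this.audit.push({ at: nowMs, actor, action: "refund.requested", refundId: refund.id });
    if (!needsApproval) this.execute(refund, actor, nowMs);
    return refund;
  }

  approve(refundId: string, actor: string, nowMs: number): Refund {
    const refund = this.refunds.get(refundId);
    if (!refund) throw new Error("unknown refund");
    if (refund.status !== "pending_approval") throw new Error("refund already executed");
    if (actor === refund.requestedBy) throw new Error("requester cannot approve their own refund");
    refund.approvedBy = actor;
    this.audit.push({ at: nowMs, actor, action: "refund.approved", refundId });
    this.execute(refund, actor, nowMs);
    return refund;
  }

  // Single exit to the processor; status flips first so a retry cannot re-send.
  private execute(refund: Refund, actor: string, nowMs: number): void {
    refund.status = "executed";
    this.sendToProcessor(refund);
    this.audit.push({ at: nowMs, actor, action: "refund.executed", refundId: refund.id });
  }
}
```

The two checks in approve() carry the whole control: the status check makes approval idempotent, and the requester/approver comparison is what turns "one compromised admin" into "two compromised admins" as the attacker's minimum.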

Billing or payment questions? billing@bookingbible.com

Access & Authentication

Access is controlled

Not everyone on your team needs access to everything. Booking Bible lets you give the front desk reception the tools they need, your accountant a window into finance, your instructors their schedule — and nothing more. Studio owners and managers can turn on two-factor authentication (a one-time code from their phone), and we recommend it strongly. We log every important admin action, so you can see who deleted what and when. If a phone gets lost, you can log everyone out from one screen. If we suspect someone is logging in from a strange country at a strange hour, we'll let you know.
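For readers who want to see what the phone-based one-time code involves: the following is an added example, not Booking Bible's own code, of TOTP verification (RFC 6238 over HOTP, RFC 4226) with a one-step clock-skew window and replay protection. The function names and the `lastUsedStep` state are this example's assumptions; the algorithm itself is the standard one, checked against the RFC's published test vectors.

```typescript
// Added example, not Booking Bible's own code: server-side verification of a
// TOTP second factor. Names and the persisted TotpState are assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation, then the low `digits` decimal digits.
function hotp(secret: Buffer, counter: bigint, digits = DIGITS): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(counter);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
function totp(secret: Buffer, unixSeconds: number, digits = DIGITS): string {
  return hotp(secret, BigInt(Math.floor(unixSeconds / STEP_SECONDS)), digits);
}

// Per-user state the server must persist: the highest step already accepted.
interface TotpState { lastUsedStep: bigint; }

// Accepts the code for the current step or one step either side (phone clock
// drift), but never for a step at or below the last accepted one. That is the
// replay guard: a code captured by a phishing page is dead the moment the real
// user's login consumed it, even inside its 30-second validity.
function verifyTotp(
  secret: Buffer,
  submitted: string,
  unixSeconds: number,
  state: TotpState,
  skewSteps = 1,
): boolean {
  if (submitted.length !== DIGITS || !/^\d+$/.test(submitted)) return false;
  const now = BigInt(Math.floor(unixSeconds / STEP_SECONDS));
  for (let d = -skewSteps; d <= skewSteps; d++) {
    const step = now + BigInt(d);
    if (step <= state.lastUsedStep) continue;
    const expected = Buffer.from(hotp(secret, step));
    // Constant-time compare; lengths are equal because of the check above.
    if (timingSafeEqual(expected, Buffer.from(submitted))) {
      state.lastUsedStep = step;
      return true;
    }
  }
  return false;
}
```

Two things practitioners often get wrong are visible here: the comparison is constant-time, and the accepted step is recorded so the same code cannot be used twice. A login rate limit still belongs in front of this, since a six-digit code is only 1,000,000 possibilities.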

Need help with team access? support@bookingbible.com

Infrastructure

We're prepared

Security isn't a one-time project. We run a security audit quarterly — the most recent ran on May 13, 2026, the date shown at the top of this page. We have a written incident-response playbook with the contacts already filled in (the Danish Data Protection Authority, our legal counsel, our hosting providers). Every login attempt is rate-limited. Every file uploaded to the platform is scanned. Every database query is filtered to your studio only, so even a bug can't accidentally show you another studio's data. We can't promise nothing will ever go wrong — anyone who promises that is lying — but we can promise we'll be ready.
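"Every login attempt is rate-limited" hides a design decision: what the limit is keyed on. The added example below, which is not Booking Bible's own code, shows a sliding-window limiter applied twice, once per source IP and once per target account, so that both credential stuffing (one address, many accounts) and password spraying (one account, many addresses) are throttled. The limits, key names and documentation-range IP addresses are this example's assumptions.

```typescript
// Added example, not Booking Bible's own code: sliding-window login rate
// limiting keyed on both source IP and target account. Limits are assumptions.

interface WindowLimit { max: number; windowMs: number; }

class SlidingWindowLimiter {
  private readonly limit: WindowLimit;
  private readonly hits = new Map<string, number[]>(); // key -> attempt times (unix ms)

  constructor(limit: WindowLimit) { this.limit = limit; }

  // Records the attempt and returns true if it is within the limit. The window
  // slides with time rather than resetting on a fixed boundary, so there is no
  // "top of the minute" burst to exploit. Blocked attempts are not recorded,
  // so a client that keeps hammering is throttled, not locked out forever.
  allow(key: string, nowMs: number): boolean {
    const cutoff = nowMs - this.limit.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }
}

type LoginVerdict = "allowed" | "blocked_ip" | "blocked_account";

class LoginRateLimiter {
  // Per-IP: catches credential stuffing (many accounts from one address).
  private readonly perIp = new SlidingWindowLimiter({ max: 10, windowMs: 60_000 });
  // Per-account: catches spraying and brute force on one account from many
  // addresses, which a per-IP limit alone never notices.
  private readonly perAccount = new SlidingWindowLimiter({ max: 5, windowMs: 10 * 60_000 });

  attempt(ip: string, email: string, nowMs: number): LoginVerdict {
    // Normalise so "Owner@Studio.dk " and "owner@studio.dk" share one bucket.
    const account = email.trim().toLowerCase();
    if (!this.perIp.allow(`ip:${ip}`, nowMs)) return "blocked_ip";
    if (!this.perAccount.allow(`acct:${account}`, nowMs)) return "blocked_account";
    return "allowed";
  }
}
```

In production the Map would be a shared store such as Redis so the count survives across application instances; the keying and window logic are the part that matters. The per-account limit should also be counted on the normalised identifier even when the account does not exist, otherwise the limiter itself leaks which emails are registered.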

Technical or integration questions? integration@bookingbible.com

Compliance

We follow the rules

Booking Bible was built in Denmark, so GDPR isn't an afterthought — it's the law we operate under every day. You get a Data Processing Agreement (DPA) included with every account; you sign it once when you onboard, and we keep the signed version on file. Our list of third-party tools (payment, email, calendar) is published and updated within 30 days of any change. If a client asks for their data, you can export it as a single bundle. If a client asks to be forgotten, the system erases everything — including photos, chat history, and notes — and keeps only what the law forces us to keep.

We're transparent

Every third-party tool we use is listed on our Data Processing Agreement page — Supabase for the database, Resend for email, Mux for video, Anthropic for the AI assistant, and the rest. When we add or remove one, you get an email at least 30 days before it takes effect. Our Privacy Policy is written in plain language and updated whenever something material changes. You can export your data at any time, in machine-readable JSON, including everything we hold about you. You can also see — and revoke — every consent your clients have given (marketing email, SMS, analytics cookies).

GDPR, DPA, or migration questions? migration@bookingbible.com

FAQ

In the European Union — Supabase Postgres in Frankfurt (AWS eu-central-1) with a hot replica in Stockholm (eu-north-1), and the application is deployed to Vercel Frankfurt. Your data never leaves the EU.

Still have questions? support@bookingbible.com

Trust badges

GDPR Compliant
EU Hosted (Frankfurt + Stockholm)
Encrypted at Rest
TLS 1.3 in Transit
MFA Available
PCI DSS via Stripe
Daily Backups
72h Breach SLA
SOC 2 ready

Responsible disclosure

Found something? Email security@bookingbible.com. For encrypted reports, use the PGP key referenced in /.well-known/security.txt. Disclosure window: 90 days from receipt or coordinated public release, whichever comes first.

Acknowledgments. We credit every researcher whose report resulted in a fix. This list is currently empty — be the first.