Privacy Policy
Last updated: 2026-05-07 · Version 2.1
1. Introduction
BoothZen (“we”, “us”, “our”) is a SaaS booking management platform for photo booth operators. We are based in the United Kingdom and operate the websites boothzen.com and boothzen.com.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform, visit our websites, or interact with us. It applies to all users of our service, including photo booth operators (our direct customers) and their end customers who interact with booking forms powered by BoothZen.
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, phone number, and business name. If you register on behalf of a business, we may also collect your business address and VAT number.
Booking Data
Operators enter event details, customer information, and booking specifics into the platform. This data is controlled by the operator and processed by us on their behalf.
Payment Information
Payments are processed via Stripe. We do not store your full credit or debit card details on our servers. Stripe handles all card data in accordance with PCI DSS standards. We retain only a reference to your Stripe customer ID and the last four digits of your card for display purposes.
Usage Data
We collect information about how you interact with our platform, including pages visited, features used, actions taken, and time spent on different sections. This helps us improve the product.
Device and Browser Information
We automatically collect your IP address, browser type and version, operating system, device type, screen resolution, and language preferences when you access our platform.
Cookies and Similar Technologies
We use cookies and similar technologies to maintain your session, remember your preferences, and understand how our platform is used. See the Cookies section below for more detail.
3. How We Use Your Information
We use your personal data for the following purposes:
- Providing and maintaining the service — operating your account, processing bookings, managing your subscription, and delivering the core platform functionality.
- Processing payments — facilitating subscription payments and operator payment collection via Stripe.
- Service notifications — sending booking confirmations, payment reminders, account alerts, and other transactional communications essential to the service.
- Improving the platform — analysing usage patterns to identify bugs, improve features, and develop new functionality.
- Customer support — responding to your queries, troubleshooting issues, and providing technical assistance.
- AI features — our AI-powered website scanner analyses publicly available website data to help operators set up their accounts quickly. No personal data is sent to AI models. The scanner only processes publicly accessible business information from URLs you provide.
4. Data Sharing
We do not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:
- Sub-processors — we engage a small set of vetted third-party service providers that process data strictly on our documented instructions. The full, current list is published in the Sub-Processors section below and on our dedicated Sub-Processors page.
- Payment networks — payment data is processed by Stripe, Mollie and PayPal. See Stripe's Privacy Policy for one example. Where any payment provider acts as an independent data controller for fraud-prevention or regulatory purposes, that role is governed by the provider's own privacy policy.
- Law enforcement — we may disclose your data if required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, protect our rights, or ensure the safety of our users.
5. Sub-Processors
We engage the following sub-processors to help us deliver the Service. Each sub-processor is bound by a written contract that obliges them to handle personal data only on our documented instructions and to apply appropriate technical and organisational security measures. This list is also published — with a subscribe-to-changes form — on our dedicated Sub-Processors page.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Stripe | Payment processing (subscription billing + booking deposits) | Cardholder data (tokenized), customer email | US/EU |
| Mollie | Alternative payment processing | Cardholder data (tokenized), customer email | EU |
| PayPal | Alternative payment processing | Customer email | US/EU |
| Twilio | Outbound SMS (transactional) + inbound SMS handling | Customer phone, message content | US |
| SendGrid (Twilio) | Transactional email delivery | Customer email, message content | US |
| Anthropic | AI Assistant (Charlie) + Website Scanner | Operator question text, anonymized booking metadata | US |
| Google Maps | Geocoding fallback for venue addresses | Venue address strings | US |
| OpenStreetMap (Nominatim) | Geocoding primary | Venue address strings | EU |
| Cloudflare | CDN + DDoS protection | Request metadata, IP, headers | Global |
| Backblaze B2 | (planned) Off-host backups | Encrypted DB + file backups | US |
| GitHub | Source-code repository (codebase only; operator data not stored here) | Source code only | US |
| QuickBooks Online | (operator-opt-in) Accounting sync | Booking metadata, invoice data | US |
| Xero | (operator-opt-in) Accounting sync | Booking metadata, invoice data | NZ/EU |
| Webklex IMAP (npm package) | Inbound email polling | Email content, headers | n/a (library) |
Sub-processor list last updated: 2026-05-07.
6. Encryption & Security
We encrypt sensitive customer data — including phone numbers, postal addresses and geographic data — at rest using AES-256-CBC via Laravel's encrypted casts. Application secrets and integration credentials are similarly encrypted in the database.
All data in transit is protected by TLS 1.2 or higher. HTTPS is enforced across the entire platform, including operator dashboards, customer-facing booking forms, webhooks and the API.
Backups are encrypted before leaving our primary infrastructure. Access to production systems is restricted to a small set of named individuals, protected by SSH-key authentication and multi-factor authentication where supported.
7. Notification of Sub-Processor Changes
We will notify operators at least 30 days in advance of adding or replacing any sub-processor. Notifications are delivered both by email and via a banner on the operator dashboard, giving operators an opportunity to object before the change takes effect.
Operators can subscribe to sub-processor change announcements from the Sub-Processors page.
8. Data Retention
- Active accounts — your data is retained for as long as your account is active and you continue to use the service.
- Account closure — when you close your account, your personal data will be deleted within 30 days. You will have the opportunity to export your data before deletion.
- Backups — encrypted backups containing your data may be retained for up to 90 days after account closure, after which they are permanently purged.
- Legal obligations — we may retain certain data for longer periods where required by law (e.g., financial records for tax purposes).
9. Your Rights (GDPR)
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- Right to access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct any inaccurate or incomplete data.
- Right to erasure — you can request that we delete your personal data, subject to certain legal exceptions.
- Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
- Right to data portability — you can request your data in a structured, commonly used, machine-readable format (CSV export is available within the platform).
- Right to object — you can object to processing based on our legitimate interests.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
11. International Transfers
Your data is primarily stored on servers located in the United Kingdom and the European Union. Where data is transferred outside the UK/EU (for example, when processed by Stripe), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
Stripe processes payment data in accordance with their own privacy policy and maintains appropriate international data transfer mechanisms.
12. Children's Privacy
BoothZen is a business-to-business platform intended for use by photo booth operators aged 18 and over. We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through a prominent notice on our platform at least 30 days before the changes take effect.
We encourage you to review this page periodically. The “Last updated” date at the top of this page indicates when the policy was last revised.
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us: