Privacy policy
Last updated · 22 April 2026
This privacy policy explains how Nexus Labs ("we", "us") — the operator of SimplyBooked — collects, uses, and protects personal data when you use our booking platform or visit simplybooked.app. We operate under the EU General Data Protection Regulation (GDPR).
1. Who we are
Nexus Labs is the data controller for personal data submitted through our marketing website and the data processor for personal data processed on behalf of our customers (the venues running SimplyBooked).
Contact: [email protected]
2. What we collect
- Account data — name, email, organization, password hash.
- Booking data — the reservations you create, resources involved, timestamps, and optional notes.
- Technical data — IP address, browser type, and pages visited, collected via standard server logs.
- Contact form submissions — anything you send us via the contact form on this site.
We do not collect payment card data ourselves. Payments are processed by our PCI DSS-compliant partners (Stripe / Bancontact).
3. How we use it
- To provide the booking service to you and your venue.
- To send transactional emails (booking confirmations, password resets, receipts).
- To respond to enquiries sent through the contact form.
- To keep the service secure and detect abuse.
- To comply with legal obligations (tax, accounting).
We do not sell your data. We do not use it to train AI models. We do not send marketing emails unless you opt in.
4. Legal basis
We process data under the GDPR lawful bases of contract (to provide the service you signed up for), legitimate interest (security, product improvement), consent (optional marketing, non-essential cookies), and legal obligation (invoicing, tax records).
5. Cookies
We use a minimal set of cookies: an authentication cookie to keep you signed in, a CSRF cookie to secure form submissions, and a preference cookie to remember your chosen language. No third-party analytics cookies are set without your explicit consent.
6. Data retention
- Account data is retained for as long as your account is active, and deleted within 30 days of account closure.
- Booking history is retained for 24 months after your last booking.
- Invoices and tax records are retained for 7 years, as required by Belgian law.
- Contact form messages are retained for 12 months.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to processing or request that we restrict it.
- Receive your data in a portable format.
- Lodge a complaint with the Belgian Data Protection Authority (APD / GBA).
To exercise any of these rights, email [email protected].
8. Where your data lives
All personal data is stored on EU-based servers (Frankfurt, Germany). Backups are encrypted at rest and stay within the EU. We use a small number of sub-processors (hosting, email delivery, payment processing) — a current list is available on request.
9. Security
SimplyBooked uses TLS 1.3 in transit, AES-256 at rest, bcrypt for password hashing, and daily encrypted backups. Production access is restricted to designated engineers and audited.
10. Changes to this policy
We'll update this page when our practices change, and notify customers by email for material changes. Minor edits (typos, clarifications) may be made without notice.
11. Contact
Questions about this policy? Email [email protected]. We'll respond within 30 days, as required by GDPR.