Privacy Policy
Last updated: 8 May 2026
AutoBook is a CRM for car-detailing businesses. This page explains, in plain English, what personal data we collect, why we collect it, who we share it with, and the rights you have under UK GDPR and EU GDPR. If anything here is unclear, email info@autobook.pro and we'll spell it out.
1. Who we are
AutoBook is operated by Luke Hartsink, sole trader, registered in the Netherlands. Contact: info@autobook.pro. For data-protection enquiries, use the same address — there is no separate Data Protection Officer because the business is small enough not to require one under GDPR Article 37.
2. Two kinds of users
AutoBook has two distinct user types and the data we hold for each is different:
- Detailers — the businesses that subscribe to AutoBook. They sign up, log in, and use the app to manage their own clients. We are the data controller for their account data.
- Detailers' customers — the people booking details from a detailer via the public booking page at autobook.pro/{detailer-slug}. We process their data on behalf of the detailer (the detailer is the data controller; AutoBook is the data processor under a standard processor agreement implicit in our terms of service).
3. What we collect
From detailers (account holders)
- Identity & contact: full name, email, phone, business name, business address, VAT number, company number, country.
- Authentication: hashed password (handled by Supabase Auth — we never see the plaintext), session cookies.
- Branding: brand colour, logo, cover photo, slogan, booking-page slug, cancellation policy text.
- Service catalogue: the services the detailer offers, prices, durations, and customer-facing notes.
- Subscription state: trial start/end dates, subscription status, Stripe customer ID and subscription ID (the card details themselves are stored only by Stripe, never by us).
- Optional integrations: Google Calendar refresh token (if connected), Google account email; Stripe Connect account ID, default currency, and onboarding state (if connected).
- Push notification endpoints: the Web Push subscription details for each device the detailer has enabled notifications on.
- How they found us: a single dropdown answer collected at signup for our marketing analytics (Google, Instagram, TikTok, etc.).
From a detailer's clients
When the detailer adds a client manually, imports a CSV, or a customer submits the public booking form, we may store:
- Name, phone, email, postcode
- Vehicle make, model, year, colour, registration number
- Photos uploaded via the booking page (stored in Supabase Storage)
- Free-text descriptions, preferred timeline, notes the detailer adds
- Stripe customer ID (only if the customer pays a deposit or subscribes to a maintenance plan — created on the detailer's connected Stripe account, not ours)
- Job + appointment history with that detailer
We do not store credit-card numbers, CVCs, or any other payment-card data — those flow directly between the customer and Stripe.
4. Why we collect it (legal bases)
- Contract performance (GDPR Article 6(1)(b)) — the detailer signs up to use AutoBook; we need their account data to deliver the service they paid for. The same applies to customer data the detailer enters: it's necessary for the detailer to fulfil the booking.
- Legitimate interests (Article 6(1)(f)) — basic product analytics (page views, action counts) so we can fix bugs and prioritise improvements. We don't share that data and we don't profile individuals.
- Legal obligation (Article 6(1)(c)) — VAT and invoice records for our subscription billing must be kept for 7 years per UK and Dutch tax law.
- Consent (Article 6(1)(a)) — only used for optional integrations (Google Calendar OAuth, Web Push permission). You can withdraw at any time.
5. Where it's stored
- Database + file storage — Supabase, EU region (Frankfurt). All rows + photos + documents stay inside the EU.
- Hosting — Vercel, with EU-region serverless functions where possible.
- Authentication — Supabase Auth (EU region).
- Payments — Stripe Inc. (San Francisco) under their standard contractual clauses for international transfers. Stripe holds card data; we hold only the customer ID and subscription metadata.
- Web push notifications — pushed via the browser's push service (Apple, Google, Mozilla).
- Google Calendar integration (optional) — when a detailer connects Google Calendar, we hold a refresh token in our database and use it to read free/busy windows and create events. We never read the content of any calendar event we didn't create.
AutoBook's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve the features you connect it to (reading free/busy windows and creating calendar events), never for advertising, and we never sell it or transfer it to third parties except as needed to provide those features.
6. Who we share it with
We share data only with the third parties needed to operate the service (“sub-processors”):
- Supabase — hosting database + storage + auth (EU)
- Vercel — application hosting (EU + US edge cache)
- Stripe — subscription billing (detailer side) and customer payments (Stripe Connect, when the detailer enables it)
- Google — Calendar integration only, only when the detailer connects it
- web-push services (Apple, Google, Mozilla) — push notification delivery only, only when the detailer enables push
We do not sell, rent, or trade personal data. We do not use it for advertising. We do not share it with insurers, brokers, or marketing databases.
7. WhatsApp & messaging
AutoBook does not send messages on the detailer's behalf. Every customer-facing message (quotes, booking confirmations, follow-ups) is generated as a deep link to WhatsApp that the detailer taps to send manually from their own phone. No customer data is transmitted to WhatsApp by AutoBook; the detailer's own WhatsApp client handles delivery and is governed by Meta's privacy policy.
8. Cookies & tracking
AutoBook sets only the strictly-necessary cookies needed to keep you logged in (Supabase Auth session cookies). We don't use third-party analytics cookies, advertising pixels, or fingerprinting libraries. The booking page is fully cookie-free for anonymous visitors.
9. How long we keep it
- Detailer account data — for the lifetime of the account. When a detailer deletes their account from Settings → Account → Delete account, all rows owned by that account are erased within 30 days (the cascade DELETE in Supabase fires immediately; backups are pruned within 30 days).
- Customer data inside a detailer's account — controlled by the detailer. They can delete individual clients and jobs at any time. If the detailer deletes their account, their customer data is erased with it.
- Subscription invoices + billing records — kept for 7 years to meet UK and Dutch tax law.
- Web push subscriptions — auto-pruned after a push delivery returns 410 Gone (typically when the device is uninstalled or notifications are disabled).
10. Your rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you (subject access request)
- Correct inaccurate data
- Erase your data (“right to be forgotten”) — for detailers this is one click in Settings → Account → Delete account; for a detailer's customers, contact the detailer directly
- Restrict or object to processing
- Receive a copy of your data in a portable format (data portability) — email us and we'll send a JSON / CSV export within 30 days
- Withdraw consent for optional integrations (Google Calendar, Web Push) at any time from Settings → Integrations or Settings → Notifications
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or with the Dutch Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl if you're unhappy with how we've handled your data
Email info@autobook.pro to exercise any of these rights. We'll respond within 30 days as required by GDPR.
11. Security
All connections are HTTPS (TLS 1.3). Database access is gated by row-level security: each detailer can only see their own data, enforced at the database engine. Service-role keys are stored in Vercel's encrypted environment variables and never shipped to the browser. Passwords are hashed with bcrypt by Supabase Auth before they touch any storage layer. We carry out monthly security reviews and patch dependencies via Dependabot.
12. Children
AutoBook is a B2B product for businesses. We don't knowingly collect data from anyone under 18.
13. Changes to this policy
When we change this policy in any material way, we'll email every active detailer with a summary at least 14 days before the change takes effect. Cosmetic changes (typos, link fixes) may happen without notice.
14. Contact
For any privacy question, email info@autobook.pro. We typically respond within 2 working days.