Privacy Policy

Last updated: 28 April 2026

Who this policy applies to

This policy describes how we process personal data about studio owners and administrators who use the Class Booking platform. If you are an end customer (member, student, client) of a studio that uses Class Booking, please refer to that studio's own privacy policy — the studio is the data controller for its members.

1. Data controller

Class Booking is the data controller for the personal data we collect about you as a user of the platform. "We", "us" and "our" refer to the entity below.

Class Booking

Operated by Nahbo ApS

Denmark

Danish business registration (CVR): 45880583

Email: [email protected]

You can contact us at any time with questions about how we process your personal data.

We have not appointed a Data Protection Officer (DPO), as our processing activities do not meet the criteria set out in Article 37 GDPR. For privacy-related matters you may also reach our privacy team at [email protected] — we respond within 30 days.

2. What personal data we collect

2.1 Account data (studio owners and administrators)

When you create a studio account on Class Booking, we collect:

  • Administrator name and email address
  • Studio name and contact details
  • Business registration number (optional, used for invoicing)
  • Password (stored as a bcrypt hash; we never see it in plain text)
  • Phone number (optional)

2.2 Payment data

For subscription billing we process:

  • Billing address
  • Payment history and subscription status

Important: we never store payment card details. All card payments are handled by Stripe, which is PCI DSS-certified. We only receive a reference to the transaction.

2.3 Technical data

When you use the platform we automatically collect:

  • IP address (for security and troubleshooting)
  • Browser type and device information
  • Login times and activity timestamps
  • Page views and feature usage

2.4 Data you upload

  • Logos and images for branding
  • Website content (text, class templates)
  • Legal documents you create within the platform

2.5 Sources of data

We collect personal data primarily directly from you. In the following cases we receive data from third parties:

  • Google OAuth: if you sign in with Google, we receive your name, email address and profile picture from Google.
  • Stripe: when you connect a Stripe account for collecting payments from your members, we receive basic business details and onboarding status.

3. Purposes and legal basis for processing

We only process personal data where we have a lawful basis under Article 6 GDPR. The table below summarises the purposes and corresponding legal basis:

Purpose | Legal basis (GDPR)
Providing and operating the service | Performance of contract (Art. 6(1)(b))
Processing payments and issuing invoices | Performance of contract (Art. 6(1)(b))
Sending service messages (downtime, product updates, security) | Performance of contract (Art. 6(1)(b))
Improving and developing the platform | Legitimate interest (Art. 6(1)(f))
Preventing fraud and abuse of the platform | Legitimate interest (Art. 6(1)(f))
Meeting statutory bookkeeping obligations | Legal obligation (Art. 6(1)(c))
Marketing emails and newsletters | Consent (Art. 6(1)(a))

3.1 Legitimate interest — balancing assessment

Where we rely on legitimate interest, we have weighed our interests against your rights and freedoms. The summary below sets out the key assessments:

Improving and developing the platform

  • Our interest: ensuring platform stability, identifying bugs and optimising the user experience.
  • Scope of processing: aggregated and anonymised usage statistics (page views, error logs).
  • Your perspective: minimal impact on privacy because the data is anonymised.
  • Conclusion: the processing is necessary and proportionate.

Preventing fraud and abuse

  • Our interest: protecting the platform and its users against misuse, hacking and fraud.
  • Scope of processing: IP addresses, login timestamps, failed login attempts.
  • Your perspective: protection against unauthorised access to your account.
  • Conclusion: the processing is in both our interest and yours.

You have the right to object to processing based on legitimate interest under Article 21 GDPR. Contact us at [email protected].

4. Data retention periods

Data type | Retention period
Account data | As long as the account is active, plus 30 days after closure
Invoices and payment records | 5 years (Danish Bookkeeping Act — statutory requirement for invoices)
Login history | 12 months
Technical logs | 90 days
AI assistant conversations (admin chat) | 30 days
Backups | 30 days after deletion

5. Sharing data with third parties

We only share your data with trusted third parties where necessary to deliver the service. Each of these is engaged under a written data processing agreement in accordance with Article 28 GDPR.

5.1 Sub-processors

Provider | Purpose | Location
Hetzner Online GmbH | Server hosting and backups | Germany (EU)
Stripe, Inc. | Subscription billing (your payment to Class Booking) | USA (EU-US Data Privacy Framework)
Resend, Inc. | Transactional email delivery | EU
European SMS gateway provider | Sending SMS notifications (where enabled) | EU
Pusher (Sinch Communications) | Real-time communication (live chat) | EU / UK
The Rocket Science Group LLC (Mailchimp) | Newsletter list synchronisation (optional) | USA (EU-US Data Privacy Framework)
Anthropic PBC | AI assistant for in-product admin help (Claude API) | USA (Standard Contractual Clauses + EU-US Data Privacy Framework)

5.2 International transfers

Some of our sub-processors (for example Stripe and Anthropic) may transfer personal data to the United States. These transfers take place under one or more of the following GDPR Chapter V safeguards:

  • An adequacy decision by the European Commission (currently the EU-US Data Privacy Framework for participating US recipients), or
  • The European Commission's Standard Contractual Clauses (SCCs), supplemented where necessary with additional technical and organisational measures.

You can request a copy of the relevant transfer safeguards by emailing [email protected].

5.3 We never sell your data

We never sell, rent or otherwise disclose your personal data to third parties for their own marketing purposes.

5.4 AI assistant (Class Booking Assistant)

Inside the admin panel we offer an AI assistant that can answer questions about how to use the system. When an administrator sends a message to the assistant, the message is forwarded to Anthropic PBC (provider of the Claude API), which generates a response. Legal basis: legitimate interest (Art. 6(1)(f)) — to provide product support.

  • Anthropic does not use your messages to train its models (commercial API, per Anthropic's Commercial Terms).
  • We log the conversations for 30 days for troubleshooting and quality assurance. After that they are deleted automatically.
  • Class Booking platform administrators may access the logs within the same 30-day window.
  • Avoid entering sensitive personal data (national identifiers, health information, financial details) in the conversation — the assistant does not need them in order to help you with product features.

6. Your rights as a data subject

Under the GDPR (Articles 15-22) you have the following rights:

Right of access (Art. 15)

You can ask us what personal data we process about you and obtain a copy.

Right to rectification (Art. 16)

You can have inaccurate data corrected and incomplete data completed.

Right to erasure (Art. 17 — "right to be forgotten")

In certain cases you can have your personal data deleted. Note that this right is not absolute — for example, statutory bookkeeping obligations may require us to retain certain invoice data for 5 years.

Right to restriction (Art. 18)

In certain cases you can have the processing of your data restricted.

Right to data portability (Art. 20)

You can receive your data in a structured, commonly used and machine-readable format and transmit it to another controller.

Right to object (Art. 21)

You can object to processing based on legitimate interest, including profiling.

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time. Your withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at [email protected]. We respond within 30 days. The exercise of your rights is free of charge unless requests are manifestly unfounded or excessive.

7. Cookies and tracking

7.1 Strictly necessary cookies

We use the following strictly necessary cookies, which do not require consent under the ePrivacy Directive:

  • Session cookie: keeps you signed in.
  • CSRF token: protects against cross-site request forgery.
  • Language preference: remembers your selected language.

7.2 Analytics cookies (consent required)

We use Google Analytics to understand how the platform is used. These cookies are only set after you give consent through the cookie banner.

7.3 Marketing cookies (consent required)

We use Google Ads to measure the effectiveness of our advertising. These cookies are only set with your consent.

See our cookie policy for a complete list of the cookies we use.

8. Security

We take data security seriously and have implemented the following technical and organisational measures:

  • Encryption in transit: all traffic is encrypted with TLS 1.3.
  • Encryption at rest: sensitive data is encrypted at rest.
  • Password hashing: bcrypt with a sufficient cost factor.
  • Access control: role-based access control and full audit logs.
  • Rate limiting: protection against brute-force and denial-of-service attacks.
  • SQL injection protection: parameterised queries via the Prisma ORM.
  • XSS protection: input sanitisation and a strict Content Security Policy.
  • Patch management: regular security updates of all dependencies and base images.
  • Backups: daily automated backups with encrypted storage.

9. Data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay, in accordance with Articles 33 and 34 GDPR.

10. Children's data

The Class Booking platform is aimed at businesses and is not intended for children under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it.

11. Automated decision-making and profiling

Class Booking does not make automated decisions that produce legal or similarly significant effects concerning you, including profiling as defined in Article 22 GDPR.

We use basic analytics to understand how the platform is used (for example, which features are used most often), but this is never used to make decisions about individual users.

12. Changes to this policy

We update this privacy policy as necessary. For material changes, we will notify you by email at least 14 days before the change takes effect. The most recent update date is shown at the top of this page.

13. How to lodge a complaint

If you believe that we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. Because Nahbo ApS is established in Denmark, the Danish Data Protection Authority (Datatilsynet) is our lead supervisory authority. EU/EEA residents may also lodge a complaint with the supervisory authority in the country where they live or work.

Datatilsynet (Danish Data Protection Authority)

Carl Jacobsens Vej 35

2500 Valby, Denmark

Phone: +45 33 19 32 00

Email: [email protected]

Web: www.datatilsynet.dk/english

A directory of all EU/EEA national data protection authorities is available from the European Data Protection Board at edpb.europa.eu.

14. Contact

Do you have questions about this privacy policy or about how we process your personal data?

Class Booking

Operated by Nahbo ApS

Denmark

CVR: 45880583

Privacy enquiries: [email protected]

Data protection (DPO mailbox): [email protected]

General support: [email protected]

Web: class-booking.com
