GDPR Commitment
Last updated: 10 June 2026
Bookso is the trading name of James Adams, trading from Nursery Gardens, Waltham Cross, EN7 6RZ. Bookso is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page summarises how we meet those obligations for tradespeople using Bookso and for their customers whose details are stored in the platform.
1. Controller and processor roles
Bookso is the controller for your account and billing data. For the customer contact details and job history you store in Bookso, you are the controller and Bookso is your processor: we process that data only on your documented instructions, as set out in our Terms of Service, which incorporate our data processing commitments.
As your processor, Bookso commits to:
- process your customer data only on your documented instructions;
- apply appropriate technical and organisational security measures;
- never sell your data or your customers' data, and never use it for our own marketing;
- only use sub-processors listed below, under written contracts with equivalent obligations;
- assist you in responding to data subject requests and in meeting your UK GDPR obligations;
- delete or return your customer data on closure of your account, subject to any legal retention requirement.
2. Where data is stored
Application data is hosted with Supabase in the European Union. Transactional email is delivered via Resend. Where any transfer outside the UK/EEA occurs, it is protected by the UK International Data Transfer Addendum or EU Standard Contractual Clauses.
3. Sub-processors
- Supabase - database, authentication and hosting (EU region).
- Resend - transactional email delivery.
- Stripe - subscription billing and payment processing.
We will update this list before adding or replacing a sub-processor that handles personal data.
4. Data subject rights
We support the rights of access, rectification, erasure, restriction, portability and objection. Account holders can edit or delete customer records and export their data directly in the app. If a request comes to us from one of your customers, we will pass it to you as the controller and assist you in responding within statutory timescales.
5. Security measures
- Encryption in transit (TLS) and at rest.
- Row-level access controls so each account can only access its own data.
- Least-privilege access for staff, with audit logging.
- Regular review of dependencies and infrastructure for vulnerabilities.
6. Data retention and deletion
Data is retained while your account is active. When you delete a record or close your account, data is removed from live systems within 30 days and from backups within 90 days, unless retention is required by law.
7. Breach notification
We will notify affected controllers without undue delay after becoming aware of a personal data breach affecting their data, and the ICO within 72 hours where required.
8. Contact
For GDPR questions, data processing agreements, or to exercise any right, contact info@bookso.co.uk. You may also complain to the Information Commissioner's Office at ico.org.uk.
Bookso is the trading name of James Adams, trading from Nursery Gardens, Waltham Cross, EN7 6RZ. This statement is governed by the laws of England and Wales.
