Privacy Policy
Last updated: May 16, 2026
1. Data Controller
PackBook is published and operated by Charlie Coupe, an individual entrepreneur based in France. As data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of January 6, 1978 (Loi Informatique et Libertés), Charlie Coupe determines the purposes and means of processing personal data collected through the PackBook service.
Contact: support@packbook.app
2. Data We Collect and Legal Basis
We collect and process the following categories of personal data:
| Data | Source | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Name, email, phone number of end customers | Connected CRM sync | Contract performance (Art. 6.1.b) |
| Appointment dates, time slots, calendar IDs | Connected calendars | Contract performance (Art. 6.1.b) |
| Transaction amounts, offer or plan purchased, payment status | Stripe (metadata only — no card data) | Contract performance + Legal obligation (Art. 6.1.b / 6.1.c) |
| Client plan rules, recurrence settings, selected provider calendars, and credit balances | User-provided and generated by PackBook | Contract performance (Art. 6.1.b) |
| Embed settings, allowed domains, and public checkout configuration | User-provided | Contract performance + Legitimate interest (Art. 6.1.b / 6.1.f) |
| Encrypted workspace OAuth access and refresh tokens | Platform OAuth flow | Contract performance (Art. 6.1.b) |
| Branding settings (logo, colors, company name) | User-provided | Contract performance (Art. 6.1.b) |
| Activity logs (server-side, anonymized after 30 days) | Application servers | Legitimate interest — security and debugging (Art. 6.1.f) |
No payment card data is ever stored by PackBook. All card data is handled exclusively by Stripe, which is PCI DSS Level 1 certified.
3. Purposes of Processing
Personal data is processed solely for the following purposes:
- Providing and operating the PackBook service (offers, checkout, embeds, client plans, booking, payments, and portals)
- Processing payments through Stripe Connect on behalf of the service provider
- Sending transactional emails to end customers (booking confirmation, reminders, portal link)
- Synchronizing appointments with your connected calendars
- Maintaining service security, stability, and preventing fraud
- Complying with legal and regulatory obligations (accounting, tax, anti-fraud)
We never use your data or your customers' data for advertising, profiling, or sale to third parties.
4. Data Recipients and Sub-Processors
We do not sell personal data. Data is shared only with the following sub-processors, strictly limited to what is necessary for service operation:
- Workspace platform: Workspace integration — synchronizes calendars, contacts, and appointments, and delivers webhooks (regions depend on the workspace provider).
- Stripe: Payment processing and subscription billing (US — EU–US Data Privacy Framework) — Privacy Policy
- Resend: Transactional email delivery (US — Standard Contractual Clauses apply) — Privacy Policy
- Railway: Application hosting and database infrastructure (US — Standard Contractual Clauses apply) — Privacy Policy
- Cloudflare: Bot protection (Turnstile) and file storage (R2) — EU data centers available — Privacy Policy
Where data is transferred outside the European Economic Area (EEA), such transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, or an equivalent adequacy mechanism, in accordance with GDPR Chapter V.
5. Data Retention
- Account and operational data: retained for the duration of the active subscription. When a deletion is initiated (either by submitting the "Request data deletion" action in the application Settings, or automatically upon uninstallation of the application), a 30-day grace period begins. During this period your data remains intact and the request may be cancelled. After 30 days, personal data is permanently deleted or anonymized. Reinstalling the application during the grace period automatically cancels the pending deletion.
- Personal data deleted at end of grace period: customer contact details (names, email addresses, phone numbers), customer portal access tokens, customer notes, white-label branding settings (company name, logo, support contacts), and the encrypted authentication tokens used to connect to your workspace. Transaction ledger entries (transaction identifiers, amounts, dates) are retained for 10 years as required by French accounting and tax law, with personal identifiers removed.
- Transaction and financial records (PlatformRevenue): retained for 10 years from the date of the transaction, as required by French commercial law (Code de commerce, Art. L.123-22) and tax regulations.
- Server logs: anonymized after 30 days.
- Customer portal tokens: expire after 365 days from issuance.
You may request early deletion of your data at any time (subject to legal retention obligations) by contacting support@packbook.app.
6. Security Measures
We implement the following technical and organizational measures to protect personal data:
- AES-256-GCM encryption for all OAuth tokens stored at rest
- TLS 1.2+ (HTTPS) for all data in transit
- JWT-based authentication with short expiry (1 hour for admin sessions)
- Rate limiting and bot protection (Cloudflare Turnstile) on all public endpoints
- HMAC signature verification on all incoming webhooks (Stripe and your workspace platform)
- No sensitive credentials in logs — enforced at code level
- Stripe PCI DSS Level 1 compliance for all payment card data
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the CNIL within 72 hours as required by GDPR Article 33, and affected individuals where required by Article 34.
7. Cookies and Tracking
PackBook does not use advertising, analytics, or tracking cookies. The application may be embedded inside your workspace interface and operates without persistent client-side tracking. Authentication tokens are stored in memory (not in persistent cookies). Cloudflare Turnstile is used on public checkout pages solely for bot protection; it does not perform behavioral profiling. No consent banner is required as no non-essential cookies are set.
8. Your Rights Under GDPR
In accordance with GDPR and French Loi Informatique et Libertés, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of the data we hold about you
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — you may request deletion at any time via the "Request data deletion" button in the Settings page of the application, or by emailing support@packbook.app. A 30-day grace period applies, during which you may cancel the request. After this period, personal data is permanently deleted; financial records required by law (accounting ledger) are retained for the duration mandated by applicable regulations.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to restriction of processing (Art. 18) — limit how we process your data in certain circumstances
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right not to be subject to automated decision-making (Art. 22) — PackBook does not use automated profiling or decision-making
To exercise any of these rights, send a written request to support@packbook.app. We will respond within 30 days. If you believe your rights have not been respected, you have the right to lodge a complaint with the French data protection authority (CNIL):
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
www.cnil.fr
9. Contact
For any questions or requests regarding this Privacy Policy or the processing of your personal data, please contact the data controller:
To exercise your right to data deletion, the fastest way is the "Request data deletion" button in the Settings section of the application. You will receive a confirmation email upon submission, a reminder 7 days before final deletion, and a completion notice once your personal data has been deleted.
Email: support@packbook.app