1.Overview
This page explains, in plain terms, where your data lives when you use GetBook, how we keep each business’s data separate and secure, and how backups, retention and deletion work. It complements our Privacy Policy, which covers what we collect and why.
Our goal is simple: your data is yours, it stays isolated from other businesses, it travels and rests encrypted, and you can export or delete it.
2.Where your data is stored
GetBook runs on managed cloud infrastructure. Your application data — accounts, services, staff, bookings, customers, invoices and settings — is stored in a managed PostgreSQL database. Uploaded files such as gallery images and logos are kept in managed object storage. The application itself is served from a managed hosting platform.
We rely on established infrastructure providers to operate this hosting, database and storage. These providers maintain their own physical and network security controls and industry certifications.
3.Tenant isolation
GetBook is multi-tenant: many businesses share the same infrastructure, but each business’s data is logically isolated. Every record is scoped to the business (tenant) that owns it, and access is enforced at the database layer using row-level security policies — not merely in application code.
This means a request can only ever read or write rows belonging to the authenticated user’s own business. Row-level security is our real security boundary, so isolation holds even if application logic has a bug.
4.Encryption
- In transit — all traffic between your browser and GetBook, and between our services and the database, is encrypted using TLS (HTTPS).
- At rest — the database and file storage are encrypted at rest by our infrastructure providers.
- Credentials — account passwords are never stored in plain text; they are salted and hashed by our authentication provider.
5.Access controls
Within your workspace, access is governed by roles (owner, admin, manager, and other member roles) that you assign. Members only see and do what their role permits, and the same rules are enforced by the database.
On our side, access to production systems is limited to authorised personnel on a least-privilege, need-to-know basis, protected by strong authentication. We do not access your business’s data except as needed to operate the Service, provide support you request, or comply with law.
6.Payment data
GetBook does not store full payment-card numbers. Subscription payments are handled by a specialised payment processor that meets industry security standards (such as PCI DSS). We retain only limited, non-sensitive details — for example the card brand, the last four digits, and a transaction reference — to display your billing history and manage renewals.
7.Backups and recovery
The database is backed up regularly by our infrastructure provider to support disaster recovery. Backups are encrypted and retained for a limited period before being rotated out. Backups exist to restore the Service after a failure; they are not a substitute for your own exports.
8.Retention, export and deletion
You control your business’s data. While your account is active, your data is retained so you can use the Service. You can edit or remove records at any time from your dashboard.
- Export — you can export key data (such as customers, bookings and invoices) from the dashboard. If you need a full export, contact us.
- Deletion — when you close your account or ask us to delete it, we remove or anonymise your data within a reasonable period, except where we must retain certain records to meet legal, tax, or accounting obligations, or to resolve disputes.
- Backups — deleted data may persist in encrypted backups until those backups expire on their normal rotation schedule.
9.Sub-processors
We use trusted third-party providers to deliver the Service — including cloud hosting, database and storage, authentication, email delivery, payment processing, and analytics. Each is bound by contractual confidentiality and data-protection obligations and processes data only on our instructions. The categories of providers we rely on are described in our Privacy Policy.
10.Incident response
We monitor for security issues and maintain procedures to investigate and contain incidents. If a data breach affecting your personal information occurs, we will notify affected users and the relevant authorities as required by law, including the National Privacy Commission where applicable.
11.Your responsibilities
- use a strong, unique password and keep your credentials confidential;
- grant team members only the role and access they need, and remove those who leave;
- collect only the End-Client data you need, with any consent your local law requires; and
- tell us promptly at hello@getbook.cloud if you suspect unauthorised access.
Questions?
If anything here is unclear, or you want to exercise a right described above, contact the GetBook team at hello@getbook.cloud. We aim to respond within 30 days.