hey.booked
legal

Privacy Policy

Last updated: May 25, 2026

Who we are

hey.booked is operated by Astennu LLC, a Wyoming limited liability company with its principal place of business at 75 E 3rd St, Ste 7, Sheridan, WY 82801, USA. When this policy refers to "we," "us," or "our," it means Astennu LLC.

For any privacy-related questions, you can reach us at [email protected].

Data we collect

We collect the following categories of personal data:

  • Account dataWhen you create an account, we collect your name, email address, and password. If you sign in with Google, we also receive your Google account identifier and profile picture. Your password is hashed before storage and is never stored in plain text. Our database uses AES-256 encryption, and all stored data is protected with Full Disk Encryption (at-rest protection).
  • Subscriber dataIf you sign up for our newsletter, we collect your name and either your email address or phone number, along with whether you signed up as a business or a visitor.
  • Technical dataWhen you use hey.booked, our servers automatically record your IP address, browser type and version (user agent), and session activity timestamps. This data is stored in our session records.
  • Cookie dataWe use essential cookies to keep you logged in and remember your language preference. Your cookie consent choice is stored in your browser's local storage. For full details, see our Cookie Policy.
  • Language preferenceWe store your preferred language (English, Macedonian, French, German, Albanian, or Serbian) so the interface is shown in your chosen language across visits.

Legal bases for processing

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b))Processing your account data is necessary to provide you with the hey.booked service, including account creation, authentication, and booking management.
  • Consent (Art. 6(1)(a))We process your subscriber data (newsletter sign-ups) and analytics cookies based on your freely given consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interest (Art. 6(1)(f))We process technical data (IP addresses, user agents, session data) for security purposes, fraud prevention, and to maintain the stability and performance of our service. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c))We may process and retain certain data when required by applicable law, such as tax regulations or court orders.

How we use your data

We use the personal data we collect for the following purposes:

  • To provide, maintain, and improve the hey.booked booking platform
  • To create and manage your account, authenticate your identity, and process your bookings
  • To send you transactional communications (booking confirmations, password resets, account notifications) and, with your consent, marketing communications (newsletters, product updates)
  • To protect against fraud, unauthorized access, and other security threats
  • To comply with legal obligations and enforce our Terms of Service
  • To analyze usage patterns and improve our service, in aggregate and anonymized form where possible

Cookies and tracking

We use essential cookies that are strictly necessary for the operation of our service. We may also use analytics cookies with your explicit consent. For a complete list of cookies we use, how they work, and how to manage your preferences, please see our Cookie Policy. Cookie Policy.

Third-party services

We share personal data with the following categories of third-party service providers, only to the extent necessary for the stated purposes:

  • Payment processingWe use Stripe, Inc. to process payments. When you make a payment, Stripe collects your payment card details directly. We do not store your full card number on our servers. Stripe's processing of your data is governed by the Stripe Privacy Policy. Stripe is certified under the EU-US Data Privacy Framework.
  • Email deliveryWe use a third-party email service provider to send transactional and marketing emails. This provider receives your email address and name solely to deliver messages on our behalf.
  • AnalyticsWith your consent, we may use analytics tools to understand how our service is used. These tools may place cookies on your device. You can opt out of analytics at any time through our cookie consent settings.
  • Hosting and infrastructureOur servers and databases are hosted within the European Union. Your data is stored and processed on EU-based infrastructure.

Data sharing

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We share data only with service providers described in this policy, and only to the extent necessary for them to perform services on our behalf.

We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Astennu LLC, our users, or the public.

International data transfers

Your data is stored on servers located in the European Union. Astennu LLC is a US company, so certain administrative access to data may occur from the United States.

Where data is transferred outside the EU/EEA, we rely on the following safeguards:

  • The EU-US Data Privacy Framework (DPF) for transfers to certified US organizations, including Stripe
  • Standard Contractual Clauses (SCCs) approved by the European Commission for other international transfers
  • Adequacy decisions by the European Commission, where applicable

You may request a copy of the safeguards we use by contacting us at [email protected].

Data retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Account data is retained for as long as your account is active. If you delete your account, we erase your personal data within 30 days, except where retention is required by law.
  • Subscriber data (newsletter sign-ups) is retained until you unsubscribe or request deletion.
  • Session data (IP address, user agent) is retained for the duration of your session and automatically purged when sessions expire (14 days of inactivity).
  • Server logs containing IP addresses are retained for up to 90 days for security and debugging purposes.
  • Data required for legal compliance (tax records, dispute resolution) may be retained for the period required by applicable law, typically up to 7 years.

Your rights under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of access: you may request a copy of the personal data we hold about you.
  • Right to rectification: you may request that we correct inaccurate or incomplete data.
  • Right to erasure: you may request that we delete your personal data, subject to legal retention obligations.
  • Right to restriction: you may request that we restrict processing of your data in certain circumstances.
  • Right to data portability: you may request your data in a structured, commonly used, machine-readable format.
  • Right to object: you may object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint: you may file a complaint with your local data protection authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Your rights under the CCPA/CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you the following rights:

  • Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that data, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete: you may request that we delete your personal information, subject to certain exceptions.
  • Right to correct: you may request that we correct inaccurate personal information.
  • Right to opt out: you have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell your personal information.
  • Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at [email protected]. We will verify your identity and respond within 45 days.

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address), internet activity (session data, user agent), and geolocation data (derived from IP address). We share data only with service providers as described in this policy. We do not sell personal information.

Your rights under the MK Law on Personal Data Protection

If you are located in North Macedonia, the Law on Personal Data Protection (LPDP) grants you rights that are aligned with the GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection as described in the GDPR section above.

You may lodge a complaint with the Agency for Personal Data Protection of the Republic of North Macedonia (Directorate for Personal Data Protection) at dzlp.mk.

Children's privacy

hey.booked is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted connections (HTTPS/TLS), hashed passwords (bcrypt), AES-256 database encryption, Full Disk Encryption (at-rest protection), database-backed sessions with HTTP-only cookies, and access controls limiting who can access personal data.

No method of transmission or storage is completely secure. If you discover a security vulnerability, please contact us immediately at [email protected].

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page with a revised "last updated" date. For significant changes, we may also notify you by email or through a notice on our service.

We encourage you to review this policy periodically. Your continued use of hey.booked after changes are posted constitutes your acceptance of the revised policy.

Governing language

This Privacy Policy was originally written in English. Any translated version is provided for convenience only. If there is any conflict or inconsistency between the English version and a translation, the English version prevails and is the only legally binding version.

Contact us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: [email protected]

Mail: Astennu LLC, 75 E 3rd St, Ste 7, Sheridan, WY 82801, USA