Privacy Policy
Last updated: 28 May 2026
Soopaspace ("we", "our", "us") provides software that helps self-employed practitioners run their businesses — including a booking page customers can use to schedule sessions with them. This policy explains what personal data we collect, why we collect it, and your rights under UK GDPR and the Data Protection Act 2018.
If you have any questions about this policy or how your data is handled, email us at hello@soopa.ai.
1. Who we are
Soopaspace is operated by Black Isle Group Limited, a company registered in Scotland (company number SC809719), with registered office at 5 South Charlotte Street, Edinburgh, Midlothian, EH2 4AN. We are the data controller for personal data we collect through our platform, except where we act as a processor on behalf of a practitioner (see section 4).
Contact: hello@soopa.ai (also our Data Protection contact — we have not appointed a separate Data Protection Officer at this stage).
2. What personal data we collect
From practitioners (people who sign up to run their business through Soopaspace)
- Account identity: email address, name, business name (optional)
- Profile information: bio, location, photos, banner image, services offered, pricing
- Business operations: bookings received, customers who book with you, schedule and availability data
- Payment-related: a Stripe customer ID linking to your subscription billing record. We never receive your full bank or payment card details — these are held by Stripe directly.
- Google Calendar integration (optional): if you connect your Google Calendar, we store encrypted OAuth credentials so we can sync on your behalf. Tokens are encrypted at rest and can be revoked at any time by disconnecting in Settings.
From customers (people who book sessions through a practitioner's page)
- Booking details: your name, email address, phone number (optional)
- Marketing preferences: whether you've consented to receive marketing emails from the practitioner you booked with
- Booking history: which sessions you've booked, when, with whom
Automatically (everyone)
- Authentication cookies: a session cookie issued by our authentication provider (Supabase) so you stay signed in
- Server logs: IP address, request paths, error events — retained for up to 30 days for operational and security purposes
- We do NOT use third-party analytics, ad-tracking, or profiling cookies
3. Why we collect it (purposes and legal basis)
| Purpose | Data | Legal basis |
|---|---|---|
| Creating and operating your account | Identity, profile | Performance of contract |
| Processing bookings | Customer name, email, phone, booking details | Performance of contract |
| Sending booking confirmation emails | Email address, booking details | Performance of contract |
| Sending marketing communications from your practitioner | Email address, marketing-consent flag | Consent — withdrawable at any time |
| Keeping operational records | Booking history, customer records | Legitimate interest (operational continuity, dispute resolution); legal obligation where applicable (UK accounting records) |
| Security and abuse prevention | Server logs, authentication events | Legitimate interest |
We may also use aggregated and anonymised data — combined across businesses and stripped of anything that identifies you or your customers — to improve and develop our services. As this data does not identify any individual, it is not personal data.
4. Who we share your data with
We use a small set of trusted sub-processors to operate the platform:
- Supabase (database and authentication) — hosts your personal data, processes magic-link logins
- Vercel (hosting + privacy-respecting analytics) — runs the Soopaspace web application, including its built-in Vercel Analytics service. Vercel Analytics helps us understand aggregate site traffic. It does not use cookies, does not collect personal data, and does not track individuals across sites or devices.
- Resend (email delivery) — sends booking confirmations and other transactional emails on our behalf
- Stripe (payment processing) — processes the £4.99/month practitioner subscription for all Soopaspace accounts. Stripe is an independent controller for the payment data they collect.
- Google Maps (location embeds) — when a practitioner displays a map of their venue on their booking page, the map is loaded from Google. Your IP address may be visible to Google when the map renders, subject to Google's own privacy policy.
- Google Calendar (calendar integration, only when a practitioner explicitly connects their Google Calendar) — writes booking events into the practitioner's calendar and reads busy intervals (time ranges only — never event titles, descriptions, or attendees) to prevent double-bookings.
When you book through a practitioner's page, your booking details are shared with that practitioner so they can deliver the session. The practitioner is independently responsible for how they use your data after that booking (for example, the marketing emails they may send you if you've consented).
5. International transfers
Most of our infrastructure is hosted in the EU (Ireland) under the UK's data adequacy decision for the EEA. Some of our hosting (Vercel) operates from multi-region serverless infrastructure including the UK (London) and the United States (Virginia). Sub-processors operating from outside the UK/EEA — including Vercel's US functions, Stripe, Google Maps, and Google Calendar — process data under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs), maintaining UK-GDPR-compliant data protection commitments.
6. How long we keep your data
| Data type | Retention |
|---|---|
| Practitioner account | While your account is active. After account closure, we retain your data for a period that supports reactivation if you choose to return. You can request earlier deletion at any time by contacting us at hello@soopa.ai. |
| Customer records | Persist until the practitioner deletes them. As a customer, you can request deletion of your records — see section 7. |
| Booking records | Booking records are retained for the duration of the business relationship with the coach, plus a reasonable period afterwards (typically up to 6 years) for operational, tax, and dispute-resolution purposes. UK accounting record-keeping standards apply. Personal data within bookings (customer name, email, phone) is subject to data subject rights and can be deleted on request — please contact hello@soopa.ai. |
| Server logs | Up to 30 days. |
| Email delivery logs | Retained for the lifetime of the related booking. |
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (the "right to be forgotten"), subject to legitimate retention requirements
- Restrict processing in certain circumstances
- Object to processing — including direct marketing, which you can opt out of at any time
- Portability — receive your data in a structured, machine-readable format
- Withdraw consent where consent is the legal basis (such as marketing communications)
To exercise any of these rights, email hello@soopa.ai. We aim to respond within one month.
If you're unhappy with how we handle your data, you can lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk.
8. Marketing communications
If you've ticked the marketing consent checkbox when booking, the practitioner you booked with may send you marketing emails. You can withdraw consent at any time by:
- Clicking the unsubscribe link in any marketing email
- Emailing the practitioner directly
- Emailing us at hello@soopa.ai
Withdrawal of consent doesn't affect the lawfulness of processing done before the withdrawal.
9. Cookies
We use one cookie: a session cookie issued by our authentication provider (Supabase) to keep you signed in. This is a strictly necessary cookie and doesn't require opt-in under PECR.
During Google Calendar connection, we also briefly use a CSRF-protection cookie (gcal_oauth_state) for the duration of the OAuth round-trip (a few seconds). Also strictly necessary; cleared on completion.
Because we only use strictly-necessary cookies, no cookie consent banner is required under PECR. We deliberately avoid third-party tracking and analytics so this remains the case.
We do NOT use third-party tracking cookies, advertising cookies, or analytics cookies that profile you across sites.
10. Changes to this policy
We may update this policy from time to time. If we make material changes we'll notify you by email and update the "Last updated" date at the top.
11. Contact us
For any privacy questions, data subject requests, or complaints:
Email: hello@soopa.ai
You can also lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk.