Privacy policy. Written in plain English. PDPA and GDPR conscious.

Rovebook (“we”, “our”, “Rovebook”) provides a hospitality-grade operating system for boutique workspaces, spas, and studios across tropical Asia. This policy describes how we handle personal data when you use our website, our administrator dashboard, the member portal we provide to our customers’ end users, and the related services.

We are based in Bangkok and primarily subject to Thailand’s Personal Data Protection Act B.E. 2562 (2019) (the PDPA). Where this policy notes obligations under the European Union’s General Data Protection Regulation (GDPR), those apply because our customers may serve members ordinarily resident in the EU or EEA.

The substance of how data moves through Rovebook depends on whose data it is.

• When a studio uses Rovebook to run its business — accounts, bookings, memberships, packages, mail logs, invoices — the studio is the data controller of its members’ personal data. Rovebook acts only as the data processor, on the studio’s instructions, in accordance with our Data Processing Addendum. The studio decides what to collect from its members and how that data is used inside its own business.
• When you visit rovebook.com directly or sign up as an operator — marketing pages, signup, the administrator dashboard, billing — Rovebook is the data controller of the personal data we collect about you (typically: your name, business name, work email, billing info).

The rest of this policy primarily addresses Rovebook as a controller. For data we handle as a processor on behalf of a studio, the studio’s own privacy policy governs.

We collect four broad categories of personal data:

• Account and identity. Name, work email, phone (where given), workspace name, role within the workspace, profile photo (if uploaded). For end customers using a studio’s member portal, this also includes the data the studio chooses to collect (typically name and contact details).
• Payment. Billing address, the last four digits and brand of your card, expiry month and year, and our payment processor’s opaque token for that card. We do not store full card numbers, CVVs, or magnetic-stripe data at any time; those go directly to our payment partners (see Section 6).
• Service and transaction data. Booking records, class enrolments, package and membership state, invoices, mail-log entries, audit-log entries on sensitive actions, support correspondence.
• Technical and device data. IP address, user agent, device type, time-zone, language preference, request paths, error reports, cookies and session tokens. Cloudflare collects basic edge telemetry in front of our servers.

We use personal data only for purposes that are necessary, proportionate, and tied to providing the service. Specifically:

• To create and operate accounts, authenticate sign-ins, and resolve support requests.
• To process payments owed to us (subscription fees) and payments owed by end customers to a studio (the studio’s revenue).
• To send transactional emails — receipts, password resets, invite links, booking confirmations, billing reminders.
• To detect fraud, prevent abuse, and enforce the multi-tenant boundary that keeps one studio’s data from leaking to another.
• To improve the service in aggregate (which routes are slow, which features are used, what errors are firing). We do not build individual profiles for advertising purposes and we do not sell personal data to anyone.

Our legal basis for processing depends on the activity. Under the PDPA we rely primarily on contractual necessity (we cannot run the service without processing the data) and legitimate interest (for fraud prevention, security, and limited product analytics). For optional features (marketing emails to operators, certain cookies), we rely on consent that you can withdraw at any time. For tax, accounting, and anti-money-laundering retention, we rely on legal obligation.

Where the GDPR applies, the equivalent bases are Article 6(1)(b) (performance of a contract), 6(1)(f) (legitimate interests), 6(1)(a) (consent), and 6(1)(c) (legal obligation).

We share personal data only with vendors who run essential parts of the service under contractual confidentiality, and with public authorities when we are legally required.

• Omise (Opn Payments Co., Ltd.) — handles card and PromptPay payments. Card data is tokenised and stored by Omise; we hold only the token and the last four digits.
• 2C2P — alternative payment routing where Omise is unavailable or where a studio elects to use 2C2P as the processor.
• Cloudflare, Inc. — provides our edge network, Workers runtime, and D1 database. Cloudflare is contractually a data processor for us.
• Amazon Web Services (Amazon SES) — delivers transactional email on our behalf. Email metadata (sender, recipient, subject) transits through SES; bodies are processed at the time of send and not retained longer than is required to deliver.
• Public authorities — where required by Thai law, court order, or comparable legal process in jurisdictions where we operate. We narrow the scope of any such disclosure and notify affected account-holders where we are legally permitted to do so.

We do not sell personal data, license it to advertising networks, or use it for cross-context behavioural advertising.

Cloudflare’s edge network is global. To keep pages fast for visitors in Thailand and the wider region, requests are served from the nearest Cloudflare point of presence (Bangkok, Singapore, and other regional PoPs). Persistent data is stored in Cloudflare D1 with Thailand-region affinity where the platform offers it. Amazon SES is a US-based service. Where transfers leave Thailand or the EU, we rely on the appropriate transfer mechanisms — typically Standard Contractual Clauses for EU transfers and the equivalent measures under the PDPA.

We keep personal data for as long as we need it to run the service and to meet our legal obligations.

• Account data — for the life of the account, plus a short grace window after closure to allow data export and reversal of an accidental deletion.
• Billing and tax records — at least five years from the relevant fiscal year, as required by Thai accounting and tax rules.
• Audit log entries on sensitive actions — at least two years for security and forensics.
• Logs and technical telemetry — typically 30 to 90 days, depending on the system.
• Marketing-list data — until you unsubscribe or revoke consent.

When the retention period ends, the data is deleted or fully anonymised.

Under the PDPA you have the right to:

• Ask whether we hold your personal data and to receive a copy of it.
• Correct it if it is inaccurate, incomplete, or out of date.
• Request deletion in the cases set out by law (we may need to keep some records for tax or legal compliance).
• Restrict processing or object to it on grounds relating to your particular situation.
• Receive your data in a portable, machine-readable format and, where technically possible, have us send it directly to another controller.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with the Thai Personal Data Protection Committee.

Under the GDPR you have equivalent rights, with the right to lodge a complaint to your local supervisory authority. To exercise any of these rights, write to privacy@rovebook.com from the email address on file with your account. We respond within thirty days.

If a request relates to data we hold as a processor for a studio (for example, your bookings at a specific spa), the studio is the controller and we will refer the request to them. We will assist them in responding as required.

Security is the foundation of multi-tenant software. We design the service so that one studio’s data cannot be queried from inside another studio’s context, and so that our own engineers do not have routine read access to customer business data.

• TLS 1.2 or higher for all traffic. HTTP requests are redirected to HTTPS.
• Passwords stored as bcrypt hashes. Session tokens are random, signed, and expire.
• Tenant isolation enforced at the query layer; every row of customer data carries an organisation identifier checked on every read and write.
• Audit log entries on sensitive actions; least-privilege access for engineering and support staff.
• No raw card data ever stored. Cards are tokenised by Omise (or the equivalent processor) and we hold only the token.

Rovebook is a business service. We do not knowingly collect personal data from individuals under sixteen years of age. Where the service is used to manage a studio that admits minors (for example, a children’s martial-arts class), the studio remains the data controller of that personal data and is responsible for obtaining the parental consents required by the PDPA and any other applicable law.

We use cookies and similar storage for three purposes: to keep you signed in (session cookies), to remember basic preferences such as language and timezone, and to count anonymous page views so we can see which parts of the site are useful. We do not run third-party advertising trackers on rovebook.com or in the administrator dashboard. Cloudflare may set technical cookies for performance and bot detection, governed by Cloudflare’s own cookie notice.

You can clear cookies at any time from your browser. Some cookies are required to use the service (notably session cookies); clearing those will sign you out.

We update this policy from time to time as the service evolves or the law changes. When we do, we update the date at the top of this page and, for material changes, send a notice to the email address on file for affected account-holders at least thirty days before the new policy takes effect.

For any privacy-related question, request, or complaint: