Legal

Privacy Policy

Effective date: 1 June 2026  ·  Last updated: May 2026  ·  Applicable law: POPIA (South Africa) + GDPR (European Union)

Who I Am

Booked. is a sole proprietorship operated by Luca Bold, providing digital infrastructure and discoverability services for fashion creatives. The registered business operates from South Africa and serves clients globally, including within the European Union.

For all data-related matters, the responsible party and data controller is: Luca Bold, trading as Booked.

What Data I Collect

I collect personal information only when it is necessary to deliver a service or respond to an enquiry. This includes:

• Contact information — name, email address, WhatsApp number, Instagram handle
• Professional information — creative discipline, portfolio links, agency representation, career credits
• Digital presence data — publicly accessible website URLs, social profiles, and online footprint assessed during Scan audits
• Payment information — processed via third-party payment providers (Yoco, Stripe). Booked does not store card or banking details.
• Communications — messages sent via WhatsApp, email, or through forms on this website

I do not collect sensitive information (race, health, religion, biometric data) and have no interest in doing so.

Services are intended for individuals aged 18 and over. Booked does not knowingly collect personal data from minors.

How I Use Your Data

Data is used solely for the following purposes:

• Delivering the specific service you enquired about or purchased
• Communicating about your project, audit, or build
• Sending your audit report or portfolio deliverable
• Following up at agreed intervals (such as the 90-day check-in built into Structure projects)
• Improving service quality through anonymised, aggregate analysis of audit findings (Scan data is anonymised after 12 months — see Section 06)

I do not use your data to send unsolicited marketing, build advertising profiles, or share with third-party marketing platforms.

Legal Basis for Processing

For clients based in the European Union, processing is conducted under the following legal bases as defined by GDPR Article 6:

• Contract performance — processing necessary to deliver a service you have requested or purchased
• Legitimate interests — follow-up communications directly related to services rendered
• Consent — for any communications beyond direct service delivery, including audit result emails where you have submitted your email address to receive them

For South African clients, processing is conducted in accordance with the Protection of Personal Information Act (POPIA) No. 4 of 2013.

Data Sharing

I do not sell, rent, or trade personal data. Data may be shared with the following categories of third parties only where necessary to operate the service:

• Payment processors — Yoco (South Africa), Stripe (international). Each operates under their own privacy policy and PCI DSS compliance framework.
• Infrastructure providers — GitHub Pages (site hosting), Netlify (demo hosting), Google (Analytics, Search Console). These are governed by their respective data processing agreements.
• Communication tools — WhatsApp Business (Meta), email. Messages sent through these channels are subject to their respective platform policies. WhatsApp Business conversations are processed by Meta under their privacy policy — do not share sensitive personal data via WhatsApp.
• AI processing — Scan audits use the Anthropic API (Claude) for analysis. Submitted data is processed according to Anthropic's API data usage policy. According to Anthropic's current API usage policy, data submitted via the API is not retained for model training purposes.

Data transferred outside South Africa is processed subject to the privacy frameworks and data processing agreements of each receiving party. Details are available on the respective third-party websites listed above.

How Long I Keep Your Data

• Active clients — retained for the duration of the project plus 24 months, to support the 90-day check-in and any reasonable follow-on work
• Enquiries that did not convert — retained for 3 months on the basis of legitimate interest (reasonable follow-up window), then permanently deleted
• Scan audit submissions — retained for 12 months to support service improvement and benchmark analysis (anonymised after 12 months)
• Financial records — retained for 5 years to comply with South African tax law

Your Rights

You have the following rights in relation to your personal data. To exercise any of them, contact us at the details below.

• Access — request a copy of the personal data held about you
• Correction — request correction of inaccurate or incomplete data
• Deletion — request deletion of your data (subject to legal retention requirements)
• Objection — object to processing based on legitimate interests
• Portability — request your data in a structured, machine-readable format (EU clients)
• Withdrawal of consent — where processing is based on consent, you may withdraw at any time without affecting prior processing

EU clients also have the right to lodge a complaint with their national Data Protection Authority. South African clients may contact the Information Regulator of South Africa at inforegulator.org.za.

Cookies and Analytics

This website uses Google Analytics 4 for anonymised traffic analysis. No personally identifiable information is collected through analytics. GA4 does not log or store full IP addresses.

The Booked website does not use advertising cookies or third-party tracking pixels. If you use a browser with tracking protection enabled, this will not affect your experience on the site.

A full cookie disclosure will be available at bookednow.co.za/cookie-policy.

Security

All data is handled with appropriate technical and organisational measures. The site is served over HTTPS. Payment processing is handled entirely by PCI DSS compliant third-party providers — no card data passes through or is stored on Booked's infrastructure.

No system is impenetrable. In the event of a data breach that affects your rights, you will be notified within 72 hours where required by applicable law.

Changes to This Policy

This policy will be updated as the business evolves. Material changes will be communicated to active clients via WhatsApp or email. The effective date at the top of this page reflects the most recent version.