POPIA-aware. Field-level encrypted.

Security that respects your clients

Booklink was designed from day one with South Africa's Protection of Personal Information Act (POPIA) in mind. Client data is encrypted at the field level with per-account keys. Payments run on PCI-DSS compliant gateways, never through us.

POPIA-aligned on every plan, including Free.

How Booklink protects client data

Privacy is a product feature, not a post-incident fix. This is how the platform is built.

Field-level AES-256 encryption

Personally identifiable fields (client names, phone numbers, email addresses, notes) are encrypted at the field level using AES-256, not just "at rest on the disk".

Per-account encryption keys

Each Booklink account has its own data encryption key, so a compromise of one account's key cannot unlock another account's data.

PCI-DSS payment gateways

Card details never touch Booklink. Payments go directly to Yoco, Paystack, or PayFast on their PCI-DSS compliant infrastructure.

HTTPS everywhere

HSTS enforced. Every request to every Booklink domain runs over TLS 1.2 or higher. No mixed content, no plain HTTP fallback.

POPIA-aware data model

Data minimisation by default. Clients can request export or deletion. Providers can delete individual client records at any time.

Hosted on Google Cloud

Infrastructure runs on Google Cloud Platform with backups, access logging, and hardened defaults. Production data never lands on developer laptops.

Delete client data or close your account at any time - POPIA-aligned by default.

Quick answer

Is Booklink POPIA compliant?

Booklink is built to be aligned with South Africa's Protection of Personal Information Act (POPIA). Personally identifiable client data - names, phone numbers, email addresses, appointment notes - is encrypted at the field level with AES-256 using a per-account encryption key, so a compromise of one account's key cannot expose another account's data.

Card payments never touch Booklink's infrastructure. Clients pay directly to Yoco, Paystack, or PayFast on their PCI-DSS compliant gateway. Booklink only stores a payment reference, an amount in ZAR, and a status.

Booklink supports POPIA principles in the product itself: service providers can delete any client record at any time, clients can request export or deletion through their provider, and only the minimum amount of personal data needed to fulfil a booking is collected.

The platform is hosted on Google Cloud Platform, which gives Booklink hardened defaults, encrypted backups, and regional data storage. Booklink does not sell client data, run ads against it, or share it with third parties other than the delivery services needed to fulfil bookings (Google Calendar, WhatsApp Business, email provider, and the selected payment gateway).

Frequently asked questions

Does Booklink store my clients' card details?

No. Card details are entered on the gateway's own PCI-DSS compliant pages (Yoco, Paystack, or PayFast). Booklink only stores a reference, an amount in ZAR, and a status.

Can I delete a client's data?

Yes, at any time, from the dashboard. Deletion is permanent and removes personally identifiable fields. Anonymised booking counts can remain for your own accounting.

Where is my data stored?

Booklink is hosted on Google Cloud Platform. Field-level encryption ensures that, even on shared infrastructure, client-identifying data is unreadable without the correct per-account key.

Does Booklink sell or share client data?

No. Booklink does not sell client data or run ads against it. The only third parties that see data are the ones needed to fulfil a booking (Google Calendar, the WhatsApp sender, the email provider, the chosen payment gateway).

Take bookings your clients can trust

Free plan available. POPIA-aware on every plan, from day one.

Last reviewed: . Reviewed by Nico Huysamen, Founder of Booklink, Cape Town, South Africa.