Last updated: May 15, 2026

Privacy Policy

Grafa, operated by Book Together LLC ("Book Together", "we", "us", "our") doing business as Grafa, provides booking tools for independent artists and studios. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws.

Privacy Officer & data controller

Our Privacy Officer, designated under PIPEDA and Quebec's Law 25, is Serena Tsay. Reach her at serena@grafa.co for any privacy question, complaint, or rights request.

For your Grafa account and your interactions with our marketing site, Grafa is the data controller. You can contact us at privacy@grafa.co.

When a Grafa customer (an artist, studio, or agency) uses Grafa to collect data from their own clients, that customer is the controller and Grafa is the processor. See our Data Processing Addendum.

Data we collect

  • Account data: name, email, handle, password (hashed), profile photo.
  • Profile content: bio, work gallery images, pricing, links you publish.
  • Booking data: client briefs, attachments, appointment dates, notes.
  • Payment data: deposit amount and status. Card details are handled by Stripe — we never see them.
  • Communications: emails and support messages you send us.
  • Usage data: pages visited, device type, approximate location (from IP), referrer.
  • Cookies: see "Cookies" below.

CCPA/CPRA categories of personal information

For California residents, the categories of personal information we have collected in the past 12 months, as defined by Cal. Civ. Code § 1798.140, are:

CCPA categoryExamplesCollected
A. IdentifiersName, email, handle, IP address, account IDYes
B. Customer records (Cal. Civ. § 1798.80)Contact details, billing detailsYes
C. Protected classificationsAge, gender, race, etc.No
D. Commercial informationSubscription tier, deposits collected, transaction historyYes
E. Biometric informationNo
F. Internet / network activityPages visited, referrer, device type, cookie IDsYes
G. GeolocationApproximate location derived from IPYes (coarse)
H. Sensory dataAudio, photo, video uploaded by you (work gallery, brief attachments)Yes
I. Professional / employmentStudio name, role, business detailsYes
J. Education informationNo
K. InferencesAggregated product-usage signals to improve GrafaYes
L. Sensitive personal informationAccount password (hashed)Yes (limited)

We collect this data from you directly, from your interactions with the Service, and from our sub-processors (e.g. Stripe for payment confirmations).

How we use your data & lawful basis

PurposeLawful basis (GDPR Art. 6)
Provide the Service to youContract
Process payments & depositsContract
Security, fraud prevention, debuggingLegitimate interest
Product analytics & improvementConsent (cookies)
Marketing emailsConsent (opt-in)
Tax, accounting, legal obligationsLegal obligation

Who we share data with

We use a small number of vetted sub-processors to run Grafa:

  • Supabase — database, authentication, file storage.
  • Paddle — Merchant of Record for Grafa subscriptions; handles checkout, billing, tax, and refunds.
  • Cloudflare — content delivery and edge runtime.
  • PostHog — product analytics and session replay (US-hosted). Only loaded after you opt in to analytics cookies. All form inputs and any element marked data-sensitive are masked in recordings. Not used for advertising.
  • Resend / Postmark — transactional email delivery.

We don't sell your personal data and we don't share it with advertisers. We may disclose data when required by law or to protect rights, property, or safety.

Our order process for Grafa subscriptions is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries and handles returns.

International transfers

Some sub-processors are based outside the EEA or UK. Where personal data is transferred internationally, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, plus appropriate supplementary measures. In particular, PostHog processes analytics data in the United States; this transfer is covered by Standard Contractual Clauses and only occurs after you opt in to analytics cookies.

Retention

  • Account & profile data — for as long as your account is active, plus 30 days after deletion.
  • Booking & client data — until you delete it; up to 90 days after account closure.
  • Payment records — kept as long as required for tax/accounting (typically 7 years).
  • Marketing data — until you withdraw consent.
  • Backups — purged on a rolling 35-day cycle.

Your rights

Under the GDPR you have the right to:

  • access your data and get a copy;
  • rectify inaccurate data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing;
  • data portability — receive your data in a machine-readable format;
  • withdraw consent at any time, without affecting prior processing;
  • lodge a complaint with your local supervisory authority.

To exercise any of these, use our data request form or email privacy@grafa.co. We respond within 45 days (and within 30 days where GDPR applies).

California privacy rights (CCPA/CPRA)

If you are a California resident, you have the right to (i) know what personal information we collect, use, disclose, and retain about you; (ii) request a copy in a portable format; (iii) request correction of inaccurate information; (iv) request deletion, subject to certain exceptions; and (v) opt out of the "sale" or "sharing" of your personal information, including for cross-context behavioural advertising. You also have the right not to receive discriminatory treatment for exercising any of these rights, and to designate an authorized agent to act on your behalf.

Grafa does not sell or share personal information as those terms are defined in the CCPA/CPRA, and we have not done so in the preceding 12 months. We also do not knowingly sell or share the personal information of minors under 16. See Do Not Sell or Share My Personal Information for more detail. To exercise any California right, use the same data request form — it's available to California residents and we'll respond within 45 days.

Australian residents (Privacy Act 1988)

If you are in Australia, Book Together LLC handles your personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth).

  • What we collect and why (APP 1, 3, 5): the categories listed above under "Data we collect," used only for the purposes described in "How we use your data." We do not collect sensitive information, government identifiers, or tax file numbers.
  • Use and disclosure (APP 6): we only use your information for the purposes for which it was collected, or for directly related purposes you would reasonably expect.
  • Direct marketing (APP 7): marketing emails are opt-in and every message includes an unsubscribe link.
  • Cross-border disclosure (APP 8): your information is stored and processed by sub-processors located in the United States, the European Union, and the United Kingdom (see "Who we share data with"). We take reasonable steps, including contractual commitments equivalent to the APPs, to ensure these recipients handle your information consistently with the Privacy Act.
  • Security (APP 11): see the "Security" section below.
  • Access and correction (APP 12, 13): use our data request form or email privacy@grafa.co.
  • Complaints: contact privacy@grafa.co first. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Cookies

We use a small number of cookies and similar storage technologies. You set your preferences when you first visit and can change them any time via .

  • Essential — required for sign-in, security, and remembering your preferences.
  • Analytics — anonymous usage data and session replay (via PostHog, US) to improve Grafa. Form inputs are masked. Opt-in.
  • Marketing — measure our own campaigns. Opt-in. No third-party ad networks.

Security

We use TLS in transit, encryption at rest, role-based access, and least-privilege admin tooling. No system is perfectly secure; we'll notify you and the relevant supervisory authority of any qualifying personal data breach without undue delay.

Privacy impact assessments (Quebec Law 25)

Before launching any new product or technology that involves personal information, we complete a written privacy impact assessment ("PIA") covering the data involved, its purpose, the risks identified, and the mitigations applied. This is a standing internal practice maintained by the Privacy Officer. Quebec residents may request a summary of a relevant PIA by writing to serena@grafa.co. See our PIA template for the format we use.

Children

Grafa is not directed at children. We don't knowingly collect personal data from anyone under 16. If you believe a child has given us data, contact us and we'll delete it.

Changes

We may update this policy. If changes are material, we will notify you in the Service or by email before they take effect.

Contact

Privacy questions: privacy@grafa.co.

See also our Terms and DPA.