Last updated: May 15, 2026
Privacy Policy
Grafa, operated by Book Together LLC ("Book Together", "we", "us", "our") doing business as Grafa, provides booking tools for independent artists and studios. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws.
Privacy Officer & data controller
Our Privacy Officer, designated under PIPEDA and Quebec's Law 25, is Serena Tsay. Reach her at serena@grafa.co for any privacy question, complaint, or rights request.
For your Grafa account and your interactions with our marketing site, Grafa is the data controller. You can contact us at privacy@grafa.co.
When a Grafa customer (an artist, studio, or agency) uses Grafa to collect data from their own clients, that customer is the controller and Grafa is the processor. See our Data Processing Addendum.
Data we collect
- Account data: name, email, handle, password (hashed), profile photo.
- Profile content: bio, work gallery images, pricing, links you publish.
- Booking data: client briefs, attachments, appointment dates, notes.
- Payment data: deposit amount and status. Card details are handled by Stripe — we never see them.
- Communications: emails and support messages you send us.
- Usage data: pages visited, device type, approximate location (from IP), referrer.
- Cookies: see "Cookies" below.
CCPA/CPRA categories of personal information
For California residents, the categories of personal information we have collected in the past 12 months, as defined by Cal. Civ. Code § 1798.140, are:
| CCPA category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email, handle, IP address, account ID | Yes |
| B. Customer records (Cal. Civ. § 1798.80) | Contact details, billing details | Yes |
| C. Protected classifications | Age, gender, race, etc. | No |
| D. Commercial information | Subscription tier, deposits collected, transaction history | Yes |
| E. Biometric information | — | No |
| F. Internet / network activity | Pages visited, referrer, device type, cookie IDs | Yes |
| G. Geolocation | Approximate location derived from IP | Yes (coarse) |
| H. Sensory data | Audio, photo, video uploaded by you (work gallery, brief attachments) | Yes |
| I. Professional / employment | Studio name, role, business details | Yes |
| J. Education information | — | No |
| K. Inferences | Aggregated product-usage signals to improve Grafa | Yes |
| L. Sensitive personal information | Account password (hashed) | Yes (limited) |
We collect this data from you directly, from your interactions with the Service, and from our sub-processors (e.g. Stripe for payment confirmations).
How we use your data & lawful basis
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the Service to you | Contract |
| Process payments & deposits | Contract |
| Security, fraud prevention, debugging | Legitimate interest |
| Product analytics & improvement | Consent (cookies) |
| Marketing emails | Consent (opt-in) |
| Tax, accounting, legal obligations | Legal obligation |
Who we share data with
We use a small number of vetted sub-processors to run Grafa:
- Supabase — database, authentication, file storage.
- Paddle — Merchant of Record for Grafa subscriptions; handles checkout, billing, tax, and refunds.
- Cloudflare — content delivery and edge runtime.
- PostHog — product analytics and session replay (US-hosted). Only loaded after you opt in to analytics cookies. All form inputs and any element marked
data-sensitiveare masked in recordings. Not used for advertising. - Resend / Postmark — transactional email delivery.
We don't sell your personal data and we don't share it with advertisers. We may disclose data when required by law or to protect rights, property, or safety.
Our order process for Grafa subscriptions is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries and handles returns.
International transfers
Some sub-processors are based outside the EEA or UK. Where personal data is transferred internationally, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, plus appropriate supplementary measures. In particular, PostHog processes analytics data in the United States; this transfer is covered by Standard Contractual Clauses and only occurs after you opt in to analytics cookies.
Retention
- Account & profile data — for as long as your account is active, plus 30 days after deletion.
- Booking & client data — until you delete it; up to 90 days after account closure.
- Payment records — kept as long as required for tax/accounting (typically 7 years).
- Marketing data — until you withdraw consent.
- Backups — purged on a rolling 35-day cycle.
Your rights
Under the GDPR you have the right to:
- access your data and get a copy;
- rectify inaccurate data;
- erase your data ("right to be forgotten");
- restrict or object to processing;
- data portability — receive your data in a machine-readable format;
- withdraw consent at any time, without affecting prior processing;
- lodge a complaint with your local supervisory authority.
To exercise any of these, use our data request form or email privacy@grafa.co. We respond within 45 days (and within 30 days where GDPR applies).
California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to (i) know what personal information we collect, use, disclose, and retain about you; (ii) request a copy in a portable format; (iii) request correction of inaccurate information; (iv) request deletion, subject to certain exceptions; and (v) opt out of the "sale" or "sharing" of your personal information, including for cross-context behavioural advertising. You also have the right not to receive discriminatory treatment for exercising any of these rights, and to designate an authorized agent to act on your behalf.
Grafa does not sell or share personal information as those terms are defined in the CCPA/CPRA, and we have not done so in the preceding 12 months. We also do not knowingly sell or share the personal information of minors under 16. See Do Not Sell or Share My Personal Information for more detail. To exercise any California right, use the same data request form — it's available to California residents and we'll respond within 45 days.
Australian residents (Privacy Act 1988)
If you are in Australia, Book Together LLC handles your personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth).
- What we collect and why (APP 1, 3, 5): the categories listed above under "Data we collect," used only for the purposes described in "How we use your data." We do not collect sensitive information, government identifiers, or tax file numbers.
- Use and disclosure (APP 6): we only use your information for the purposes for which it was collected, or for directly related purposes you would reasonably expect.
- Direct marketing (APP 7): marketing emails are opt-in and every message includes an unsubscribe link.
- Cross-border disclosure (APP 8): your information is stored and processed by sub-processors located in the United States, the European Union, and the United Kingdom (see "Who we share data with"). We take reasonable steps, including contractual commitments equivalent to the APPs, to ensure these recipients handle your information consistently with the Privacy Act.
- Security (APP 11): see the "Security" section below.
- Access and correction (APP 12, 13): use our data request form or email privacy@grafa.co.
- Complaints: contact privacy@grafa.co first. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Cookies
We use a small number of cookies and similar storage technologies. You set your preferences when you first visit and can change them any time via .
- Essential — required for sign-in, security, and remembering your preferences.
- Analytics — anonymous usage data and session replay (via PostHog, US) to improve Grafa. Form inputs are masked. Opt-in.
- Marketing — measure our own campaigns. Opt-in. No third-party ad networks.
Security
We use TLS in transit, encryption at rest, role-based access, and least-privilege admin tooling. No system is perfectly secure; we'll notify you and the relevant supervisory authority of any qualifying personal data breach without undue delay.
Privacy impact assessments (Quebec Law 25)
Before launching any new product or technology that involves personal information, we complete a written privacy impact assessment ("PIA") covering the data involved, its purpose, the risks identified, and the mitigations applied. This is a standing internal practice maintained by the Privacy Officer. Quebec residents may request a summary of a relevant PIA by writing to serena@grafa.co. See our PIA template for the format we use.
Children
Grafa is not directed at children. We don't knowingly collect personal data from anyone under 16. If you believe a child has given us data, contact us and we'll delete it.
Changes
We may update this policy. If changes are material, we will notify you in the Service or by email before they take effect.
Contact
Privacy questions: privacy@grafa.co.