Last updated: May 15, 2026
Privacy Policy
Grafa, operated by Book Together LLC ("Book Together", "we", "us", "our") doing business as Grafa, provides booking tools for independent artists and studios. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws.
Privacy Officer & data controller
Our Privacy Officer, designated under PIPEDA and Quebec's Law 25, is Serena Tsay. Reach her at serena@grafa.co for any privacy question, complaint, or rights request.
For your Grafa account and your interactions with our marketing site, Grafa is the data controller. You can contact us at privacy@grafa.co.
When a Grafa customer (an artist, studio, or agency) uses Grafa to collect data from their own clients, that customer is the controller and Grafa is the processor. See our Data Processing Addendum.
Data we collect
- Account data: name, email, handle, password (hashed), profile photo.
- Profile content: bio, work gallery images, pricing, links you publish.
- Booking data: client briefs, attachments, appointment dates, notes.
- Payment data: deposit amount and status. Card details are handled by Stripe — we never see them.
- Communications: emails and support messages you send us.
- Usage data: pages visited, device type, approximate location (from IP), referrer.
- Cookies: see "Cookies" below.
CCPA/CPRA categories of personal information
For California residents, the categories of personal information we have collected in the past 12 months, as defined by Cal. Civ. Code § 1798.140, are:
| CCPA category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email, handle, IP address, account ID | Yes |
| B. Customer records (Cal. Civ. § 1798.80) | Contact details, billing details | Yes |
| C. Protected classifications | Age, gender, race, etc. | No |
| D. Commercial information | Subscription tier, deposits collected, transaction history | Yes |
| E. Biometric information | — | No |
| F. Internet / network activity | Pages visited, referrer, device type, cookie IDs | Yes |
| G. Geolocation | Approximate location derived from IP | Yes (coarse) |
| H. Sensory data | Audio, photo, video uploaded by you (work gallery, brief attachments) | Yes |
| I. Professional / employment | Studio name, role, business details | Yes |
| J. Education information | — | No |
| K. Inferences | Aggregated product-usage signals to improve Grafa | Yes |
| L. Sensitive personal information | Account password (hashed) | Yes (limited) |
We collect this data from you directly, from your interactions with the Service, and from our sub-processors (e.g. Stripe for payment confirmations).
How we use your data & lawful basis
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the Service to you | Contract |
| Process payments & deposits | Contract |
| Security, fraud prevention, debugging | Legitimate interest |
| Product analytics & improvement | Consent (cookies) |
| Marketing emails | Consent (opt-in) |
| Tax, accounting, legal obligations | Legal obligation |
Who we share data with
We use a small number of vetted sub-processors to run Grafa:
- Supabase — database, authentication, file storage.
- Stripe — payment processing.
- Cloudflare — content delivery and edge runtime.
- Resend / Postmark — transactional email delivery.
We don't sell your personal data and we don't share it with advertisers. We may disclose data when required by law or to protect rights, property, or safety.
International transfers
Some sub-processors are based outside the EEA or UK. Where personal data is transferred internationally, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, plus appropriate supplementary measures.
Retention
- Account & profile data — for as long as your account is active, plus 30 days after deletion.
- Booking & client data — until you delete it; up to 90 days after account closure.
- Payment records — kept as long as required for tax/accounting (typically 7 years).
- Marketing data — until you withdraw consent.
- Backups — purged on a rolling 35-day cycle.
Your rights
Under the GDPR you have the right to:
- access your data and get a copy;
- rectify inaccurate data;
- erase your data ("right to be forgotten");
- restrict or object to processing;
- data portability — receive your data in a machine-readable format;
- withdraw consent at any time, without affecting prior processing;
- lodge a complaint with your local supervisory authority.
To exercise any of these, use our data request form or email privacy@grafa.co. We respond within 45 days (and within 30 days where GDPR applies).
California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to (i) know what personal information we collect, use, disclose, and retain about you; (ii) request a copy in a portable format; (iii) request correction of inaccurate information; (iv) request deletion, subject to certain exceptions; and (v) opt out of the "sale" or "sharing" of your personal information, including for cross-context behavioural advertising. You also have the right not to receive discriminatory treatment for exercising any of these rights, and to designate an authorized agent to act on your behalf.
Grafa does not sell or share personal information as those terms are defined in the CCPA/CPRA, and we have not done so in the preceding 12 months. We also do not knowingly sell or share the personal information of minors under 16. See Do Not Sell or Share My Personal Information for more detail. To exercise any California right, use the same data request form — it's available to California residents and we'll respond within 45 days.
Cookies
We use a small number of cookies and similar storage technologies. You set your preferences when you first visit and can change them any time via .
- Essential — required for sign-in, security, and remembering your preferences.
- Analytics — anonymous usage data to improve Grafa. Opt-in.
- Marketing — measure our own campaigns. Opt-in. No third-party ad networks.
Security
We use TLS in transit, encryption at rest, role-based access, and least-privilege admin tooling. No system is perfectly secure; we'll notify you and the relevant supervisory authority of any qualifying personal data breach without undue delay.
Privacy impact assessments (Quebec Law 25)
Before launching any new product or technology that involves personal information, we complete a written privacy impact assessment ("PIA") covering the data involved, its purpose, the risks identified, and the mitigations applied. This is a standing internal practice maintained by the Privacy Officer. Quebec residents may request a summary of a relevant PIA by writing to serena@grafa.co. See our PIA template for the format we use.
Children
Grafa is not directed at children. We don't knowingly collect personal data from anyone under 16. If you believe a child has given us data, contact us and we'll delete it.
Changes
We may update this policy. If changes are material, we will notify you in the Service or by email before they take effect.
Contact
Privacy questions: privacy@grafa.co.