Privacy policy

Last updated: 12 June 2026

Bookey ("we", "us") is a coworking space management platform operated by PLYO Technologies S.L., Barcelona, Spain. This policy explains what personal data we process, why, and what rights you have. The short version: your data lives in the EU, we sell nothing to ad networks, and we only process what the product needs to work.

Who is responsible

Data controller for this website and for Bookey accounts: PLYO Technologies S.L., Carrer de Sagues 2, Barcelona, Spain. Contact: k@adu.dk. When a coworking space uses Bookey to manage its members and visitors, the space is the controller of that data and we act as processor under a data processing agreement.

What we process

  • Account data - name, email, phone number, role, company affiliation. Needed to run your account.
  • Booking data - rooms, times, attendees. The core of the product.
  • Visitor data - name and host for guests who check in at a reception kiosk or pre-register via a magic link. Retained per the space's own retention settings.
  • Communications - transactional email and SMS we send (booking confirmations, visitor notifications).
  • Website analytics - if enabled, we use self-hosted, cookie-free analytics (Umami) that does not track you across sites and stores no personal profiles.

Legal bases

Contract performance (running your account and bookings), legitimate interest (service security, abuse prevention, product improvement), and consent where required (marketing communications, which we send only if you opt in).

Where it lives

All application data is hosted in the European Union: the application and database run in Germany, files sit in EU object storage, and backups stay in EU regions. The complete subprocessor list, including regions and DPA artefacts, is public on our subprocessors page.

Retention

Account data is kept while your account is active and deleted or anonymised within 90 days of account closure, except where law requires longer (e.g. invoicing records). Visitor check-in data follows the retention period configured by the space that hosts you.

Your rights

Under the GDPR you can request access, rectification, erasure, restriction, portability, and object to processing. Write to k@adu.dk and we will respond within 30 days. You can also complain to your local supervisory authority; ours is the AEPD (Spain).

Changes

We update this policy when our processing changes, and we mirror any subprocessor change here within 30 days, as promised in our subprocessor register.