Privacy Policy

As of: March 2026 | Version 1.0

1. Data Controller

The data controller responsible for data processing on this website is:

Unicorn Factory Media GmbH
Managing Directors: Daniel Haenle, Florian Konrad
In der Kolling 146
66450 Bexbach, Germany
Email: hey@bookicorn.net
VAT ID: DE340084710
Commercial Register: HRB 107099, District Court Saarbrücken

2. Scope

This privacy policy applies to the websites www.bookicorn.net (customer marketplace, studio search, SEO pages) and app.bookicorn.net (studio admin, trainer dashboard, customer dashboard, booking system). Both platforms are operated by Unicorn Factory Media GmbH.

3. Overview of Data Processing

In the course of providing our services, we process the following types of personal data:

  • Inventory data - Name, address, date of birth
  • Contact data - Email address, phone number
  • Content data - Profile pictures, messages, reviews
  • Usage data - Pages visited, access times, IP addresses
  • Contract data - Booking history, memberships, course registrations
  • Payment data - Payment history, credit balances, payout information
  • Communication data - Chat messages, email correspondence

4. Legal Bases

The processing of personal data is based on the following legal bases of the GDPR:

  • Art. 6(1)(a) GDPR (Consent) - The data subject has given consent to the processing of their personal data, e.g. for optional cookies or newsletters.
  • Art. 6(1)(b) GDPR (Performance of a contract) - Processing is necessary for the performance of a contract, e.g. registration, course booking, payment processing.
  • Art. 6(1)(c) GDPR (Legal obligation) - Processing is necessary for compliance with a legal obligation, e.g. tax record-keeping requirements.
  • Art. 6(1)(f) GDPR (Legitimate interests) - Processing is necessary for the purposes of legitimate interests, e.g. platform security, fraud prevention, analysis to improve our services.

5. Registration and User Account

Registration is required to use certain features of our platform. Authentication is handled by Supabase Auth (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992).

The following data is processed:

  • Email address
  • Name (first and last name)
  • Password (stored encrypted, no plaintext access)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Deletion: After account deletion, data is completely removed within 30 days at the latest.

6. Studio Management (Admin Area)

Studio operators use the admin area on app.bookicorn.net to manage their studio. The following data is processed:

  • Studio name and description
  • Address and locations
  • Contact details (email, phone, website)
  • Bank details (for payouts via Stripe Connect)
  • Course offerings, prices, and schedules
  • Trainer profiles and assignments

Legal basis: Art. 6(1)(b) GDPR (performance of a contract for the provision of platform services).

7. Trainer Dashboard

Trainers have access to a personal dashboard on app.bookicorn.net where they can view their assigned courses, participant lists, and payouts. The following data is processed:

  • Name and contact details
  • Qualifications and profile picture
  • Fees and payout history
  • Assigned courses and participant lists

Stripe Connect is used for automatic payouts. Trainers go through an onboarding process with Stripe, where Stripe processes payment data directly.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

8. Customer Dashboard

Registered participants can manage their bookings, credits, and profile on app.bookicorn.net. The following data is processed:

  • Name and email address
  • Profile picture and personal settings
  • Booking history (booked courses, dates, cancellations)
  • Credit balance
  • Payment history

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

9. Course Bookings and Payment Processing

The following data is processed when booking courses:

  • Participant name and email address
  • Booked courses, dates, and booking status
  • Booking history and cancellations

Payment processing is handled by Stripe (Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA). Payment data (credit card numbers, bank details) is processed directly by Stripe and is never stored on our servers.

Stripe is certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection. For more information, please see Stripe's privacy policy: https://stripe.com/en-gb/privacy

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

10. Credit System (Credits)

Participants can purchase credit packages on our platform, which can be used to book courses. Purchases are processed via Stripe Checkout.

The following data is processed:

  • Account credit balance
  • Transaction history (purchases, redemptions)
  • Payment information (processed by Stripe)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

11. Chat Function

Our platform offers a chat function through which participants can communicate with studios and trainers. The following data is processed:

  • Message content (text)
  • Message timestamps
  • Sender and recipient information

Retention period: Messages are stored for the duration of membership. All chat messages are deleted upon account deletion.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

12. Email Communication

Emails are sent via the SMTP service of ALL-INKL.COM (Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany).

The following emails are sent:

  • Registration confirmation and email verification
  • Booking confirmations and cancellations
  • Course reminders
  • Payment confirmations and invoices
  • Account notifications (password reset, etc.)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interests in providing relevant information).

13. Cookies and Similar Technologies

Our websites use cookies and similar technologies. We distinguish between:

  • Strictly necessary cookies - These are required for the operation of the website (e.g. session cookies, authentication cookies). They are set without consent. Legal basis: Art. 6(1)(f) GDPR.
  • Optional cookies - Cookies for analytics or marketing purposes are only set with your explicit consent. Legal basis: Art. 6(1)(a) GDPR.

On your first visit to our website, a cookie banner is displayed through which you can grant or refuse consent. You can change your settings at any time via the cookie settings.

14. Hosting

Our websites are hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA).

The following data is automatically processed:

  • IP address of the accessing device
  • Access data (date, time, page accessed)
  • Volume of data transferred

Vercel is certified under the EU-US Data Privacy Framework. More information: https://vercel.com/legal/privacy-policy

Legal basis: Art. 6(1)(f) GDPR (legitimate interests in the secure and efficient provision of our website).

15. Server Log Files

Each time our websites are accessed, the following data is automatically collected in server log files:

  • Browser type and version
  • Operating system used
  • Referrer URL (previously visited page)
  • IP address of the accessing computer
  • Time of the server request

This data is not merged with other data sources. It is automatically deleted after 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests in ensuring trouble-free operation).

16. Contact Form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not share this data without your consent.

In addition, technical origin information is transmitted when the contact form is submitted (entry page, referring website, campaign parameters if applicable). This data is used exclusively to improve our services and is stored only for the duration of the session in the browser (session storage). No cookies are set and no data is passed on to third parties.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the efficient processing of enquiries).

17. Third-Party Providers and Data Processors

We use the following third-party providers to deliver our services:

  • Supabase Inc. (Singapore) - Database and authentication. Data is stored on AWS servers in the EU (Frankfurt).
  • Vercel Inc. (USA) - Hosting and Content Delivery Network (CDN). Certified under the EU-US Data Privacy Framework.
  • Stripe Inc. (USA) - Payment processing and payouts. Certified under the EU-US Data Privacy Framework.
  • ALL-INKL.COM - Neue Medien Münnich (Germany) - Email delivery via SMTP. Data processing exclusively in Germany.
  • Amazon Web Services EMEA SARL (EU) - Cloud infrastructure (via Supabase). Data centre in Frankfurt (eu-central-1).

We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with all data processors. All US-based providers are certified under the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) are in place.

18. Data Sharing with Studios

When booking a course, the following data is shared with the respective studio:

  • Participant name
  • Email address
  • Booking details (course, date, status)

Data is shared for the purpose of fulfilling the booking contract. Studios are independently responsible for the processing of data shared with them. A data processing agreement (DPA) exists between Bookicorn and studios.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

19. Data Subject Rights

You have the following rights regarding your personal data:

  • Art. 15 GDPR - Right of access: You have the right to obtain information about your personal data stored by us.
  • Art. 16 GDPR - Right to rectification: You have the right to request the correction of inaccurate data or the completion of your data.
  • Art. 17 GDPR - Right to erasure: You have the right to request the deletion of your personal data, provided no statutory retention obligations apply.
  • Art. 18 GDPR - Right to restriction of processing: You have the right to request the restriction of processing of your data.
  • Art. 20 GDPR - Right to data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Art. 21 GDPR - Right to object: You have the right to object to the processing of your data at any time, provided the processing is based on legitimate interests.
  • Art. 7(3) GDPR - Right to withdraw consent: You have the right to withdraw any consent given at any time. The lawfulness of processing carried out on the basis of consent before its withdrawal is not affected.

To exercise your rights, you can contact us at any time: hey@bookicorn.net

20. Data Retention

We store personal data only for as long as is necessary for the respective processing purposes or as required by statutory retention periods.

  • Commercial and tax law retention periods: up to 10 years (Section 257 HGB, Section 147 AO)
  • Booking data: for the duration of the business relationship, thereafter in accordance with statutory retention periods
  • User accounts: deletion within 30 days after account deletion
  • Server logs: deletion after 30 days

21. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

The supervisory authority responsible for us is:

Unabhängiges Datenschutzzentrum Saarland
Fritz-Dobisch-Straße 12
66111 Saarbrücken
Germany

22. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to reflect changes in the legal situation or changes to our services and data processing. The current version is always available on this page.

Last updated: March 2026