Privacy Policy

Appointly is a WordPress booking plugin developed by Jolene Lederer (TSCHOLENE). This privacy policy explains what personal data is collected, why it is collected, and how it is processed when a booking form powered by Appointly is used on a website.

The data controller for bookings is the operator of the WordPress site that uses the Appointly plugin. Appointly itself is a self-hosted plugin — all data stays in the site operator’s own WordPress database. TSCHOLENE (the plugin developer) does not have access to booking data.

When a visitor submits a booking request, the following data is collected and stored in the WordPress database:

• Name — to identify the booking
• Email address — to send confirmations and offers
• Phone number (optional) — for direct contact if needed
• Message (optional) — additional information from the customer
• Custom field responses — any additional fields configured by the site operator
• Selected date, time slot & service
• Consent timestamp — when the privacy checkbox was accepted

The legal basis for processing is Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures) and Art. 6(1)(a) GDPR (consent via the checkbox).

To prevent automated abuse, a hashed version of the visitor’s IP address is temporarily stored for rate limiting (default: 60 seconds). The raw IP address is not stored in the database. A honeypot field is used as additional bot protection — this does not collect any personal data.

Appointly Pro includes anonymous conversion tracking. It records which steps of the booking funnel are reached (e.g. calendar view, date selection, form submission) using an anonymous session ID. No names, email addresses, IP addresses, or cookies are used. Analytics data is automatically deleted after 90 days.

If the site operator enables online payments (Pro), Appointly integrates with Stripe and/or PayPal. When a customer accepts an offer and proceeds to payment:

• The booking ID, service title, date, and amount are sent to the payment provider
• Card details are handled exclusively by Stripe/PayPal — they are never stored by Appointly
• A payment confirmation ID is stored in the WordPress database

Please refer to the privacy policies of Stripe and PayPal for details.

Appointly sends transactional emails (booking confirmation, offers, cancellation) via the WordPress mail system or a configured SMTP server. Emails contain the customer’s name, booking details, and action links. SMTP credentials are encrypted at rest (AES-256-CBC).

Pro users’ license keys are validated via the LemonSqueezy API. Only the license key and the site URL are transmitted — no customer or booking data.

Booking data is stored indefinitely until manually deleted by the site operator. Analytics data is automatically purged after 90 days. Rate-limiting data expires within 60 seconds.

If your data has been collected through an Appointly-powered booking form, you have the right to:

• Access — request a copy of your stored data
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data
• Data portability — receive your data in a structured format
• Withdrawal of consent — at any time, without affecting the lawfulness of prior processing

Appointly integrates with the WordPress privacy tools (Tools → Export/Erase Personal Data), so site operators can fulfil these requests directly.

Appointly does not set any cookies. Session tracking for analytics uses a temporary, randomly generated ID that is not stored on the visitor’s device.

Sensitive credentials (SMTP passwords, payment API keys) are encrypted with AES-256-CBC before being stored in the WordPress database. Booking action links use cryptographic tokens. All API endpoints use WordPress nonce verification and capability checks.

For privacy-related questions about the Appointly plugin, contact:
Jolene Lederer / TSCHOLENE
Email: apps@tscholene.com
Web: jl-creative.at