Built for businesses that take data seriously.
Bookley stores schedules, billing and member records for clinics, consulting rooms and shared offices. We take that responsibility seriously — here's how we protect your data.
Tenant-level isolation
Every workspace's bookings, members, invoices and analytics are query-scoped to that tenant at the middleware layer. Staff in one workspace can't see — or accidentally affect — data in another, even when they share the same database.
Role-based access
Owners, staff and members each see only what they need. Permissions are per-flag for staff (e.g. can_manage_bookings, can_view_analytics) so you can delegate exactly what's safe to delegate.
Two-factor authentication
2FA is available for every account via standard TOTP apps (Authy, Google Authenticator, 1Password). Owners can require 2FA across their workspace.
Activity logging
Booking creates, edits, cancellations and refunds, plus membership and role changes, are recorded in immutable audit logs. When something needs explaining — to a member, an auditor, or yourself — the answer is one screen away.
Encrypted in transit
HTTPS-only with HSTS (1-year max-age, includeSubDomains, preload). Session and CSRF cookies are flagged secure and HTTP-only, so they can't be sniffed or read by malicious scripts.
Hardened defaults
CSRF protection, X-Frame-Options, content-type sniffing protection, browser XSS filtering, and strict referrer policy — all enabled by default on every page. Industry-standard password hashing protects your members' credentials.
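An added example, not Bookley's own code, for checking the response-header claims in "Encrypted in transit" and "Hardened defaults" during vendor due diligence: it audits a captured list of response headers for the HSTS directives, the cookie flags, and the framing, sniffing and referrer headers. The sample response and cookie names are constructed, and the set of Referrer-Policy values treated as strict is an assumption.

```python
# Added example: audits captured response headers against the settings stated above.
ONE_YEAR = 31536000  # seconds
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}  # assumption: what counts as "strict"

def parse_directives(value):
    """Split 'a; b=1; c' into a lower-cased {name: value-or-''} dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def audit_headers(headers):
    """headers: list of (name, value) pairs; Set-Cookie may repeat. Returns findings."""
    findings = []
    single = {k.lower(): v.strip() for k, v in headers if k.lower() != "set-cookie"}
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    hsts = parse_directives(single.get("strict-transport-security", ""))
    max_age = hsts.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < ONE_YEAR:
        findings.append("HSTS max-age missing or under one year")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"HSTS lacks {flag}")
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        # Only attributes after the first ';' count, never the cookie value itself.
        attrs = parse_directives(cookie.split(";", 1)[1] if ";" in cookie else "")
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    if single.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if single.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy missing or not strict")
    return findings

# Constructed sample response (not captured from Bookley); cookie names are assumptions.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=def456; Path=/; Secure; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "same-origin"),
]
```

Calling `audit_headers(SAMPLE)` reports the one constructed deviation, a cookie without HttpOnly; an empty list means every checked setting matched.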
Payments handled by Stripe
Card details never touch Bookley servers. Online payments go directly to Stripe (PCI DSS Level 1) via Stripe Checkout. We only ever see redacted last-four digits and Stripe's tokenised charge references.
Real-time error monitoring
Every production error is captured by Sentry the moment it happens, so we can investigate and fix issues before most users notice. We never log passwords, card numbers, or session cookies.
Hosting & access
Bookley runs on Render — a SOC 2 Type II compliant managed cloud platform — currently from their Singapore region. Database backups are managed by Render with point-in-time recovery. Production access is restricted to authorised Bookley staff over 2FA-protected logins.
Bookley is an Australian-headquartered company. If you have specific data residency requirements for your jurisdiction, talk to us — we'll work through them with you.
Your data, your control
- Export anytime. Owners can export bookings, invoices and member lists from the analytics & billing screens — no support ticket needed.
- Delete on request. Tell us you want your workspace and its data removed and we'll do it. Standard retention periods apply for tax/audit reasons.
- Privacy by design. We never sell or share your data, never train models on it, and never display ads.
Reporting a vulnerability or needing a security review?
Found a vulnerability, or running vendor due diligence on Bookley? Email info@bookley.co. We respond within one business day and we'll happily work through vendor questionnaires, sign mutual NDAs, and share architecture details under cover.