Privacy Policy

ReservationFlow ("we", "the service") is a booking automation product for pilates and yoga studios, provided by Pride of Design, a brand of Try Quantum OÜ (the legal entity that owns and operates the service). This policy explains what personal data we collect when you book a class or interact with the service — either through your studio's web booking page or through WhatsApp — how that data is used, and what rights you have over it.

Who is responsible for your data

The studio you are booking with is the data controller for your membership and booking history. ReservationFlow acts as a data processor on the studio's behalf, providing the technical infrastructure that connects WhatsApp to the studio's booking system.

For questions about data we hold on behalf of a studio, please contact the studio directly. For questions about ReservationFlow itself, you can reach Pride of Design at hello@prideofdesign.com.

What we collect

We process the minimum personal data required to deliver class booking on the web and in WhatsApp:

• Identity: your name, email address and (if you use WhatsApp) your WhatsApp phone number, as held by the studio.
• Booking activity: classes you book, cancel or waitlist; remaining class credits; the calendar and instructor for each booking.
• Operational data: timestamps of booking actions, one-time email codes used to sign in on the web, signed session tokens stored in your browser or carried by WhatsApp Flows, and a small audit log used for support and dispute resolution.
• Web technical data: standard request metadata (IP address, user agent) used for security and abuse detection, plus an anti-bot challenge token (Cloudflare Turnstile) on sensitive endpoints when configured.
• Communication content: the structured form data you submit inside WhatsApp Flows or on the web booking page. We do not read or store the content of unrelated WhatsApp conversations.

Why we use it

• To create, change and cancel class bookings on your behalf.
• To manage waitlists and to allocate class credits when seats free up.
• To send transactional messages such as booking confirmations and reminders, when configured by your studio.
• To detect abuse, debug technical issues, and audit booking activity.

We do not use your data for marketing or profiling, and we do not sell it.

Service providers

ReservationFlow relies on the following processors to deliver the service. Each is bound by data-processing terms appropriate to its role:

• WhatsApp Business Platform (Meta)— the messaging channel through which you interact with the booking flow. Your messages are subject to Meta's privacy terms.
• Studio CRM— the studio's booking software of record (for example a CRM that holds your membership and class credits). We read and write to this on the studio's instructions only.
• Upstash — encrypted, geographically-bounded key value storage for short-lived session tokens, waitlists and audit log entries.
• Vercel — application hosting.
• Email and SMS providers — used only when the studio has configured them for transactional notifications.

How we protect it

All web traffic is served over HTTPS. Web sign-in uses a one-time code emailed to you, after which a signed session token is held in your browser's storage and rotated regularly.

Communication between the WhatsApp Flow and our servers is end-to-end encrypted using RSA-OAEP and AES-128-GCM session keys issued by Meta. WhatsApp session tokens are signed with HMAC and short-lived. We do not log unencrypted message contents on either channel.

Operational secrets are stored in encrypted environment configuration, never in source control.

How long we keep it

• Booking and credit data — kept for as long as your studio retains your membership record. Deletion is handled by the studio.
• Waitlist entries — removed when the class passes or you leave the waitlist.
• Web session tokens — held in your browser storage and refreshed periodically; cleared on sign-out.
• WhatsApp Flow tokens — automatically expire within 24 hours of issue.
• One-time email codes — expire 10 minutes after issue.
• Audit log — capped at the most recent 10,000 actions per studio and used only for support and dispute resolution.

Your rights

Depending on where you live, you have the right to access, correct or delete the personal data held about you, to restrict or object to certain uses, and to receive a copy in a portable format. To exercise these rights, please contact your studio first — they are the controller of your booking record. If you cannot reach them, you can write to us at hello@prideofdesign.com and we will assist within a reasonable timeframe.

International transfers

ReservationFlow is operated from the United Kingdom. Some sub-processors (notably WhatsApp/Meta and Vercel) may process data in other countries. Where transfers leave the UK or the EEA, they are governed by the standard contractual clauses or equivalent adequacy mechanisms.

Cookies and local storage

The web booking app uses local browser storage to hold your signed session token after sign-in. We do not set advertising or analytics cookies. The marketing site at reservationflow.app uses only essential cookies. The WhatsApp Flow runs inside the WhatsApp client and does not set cookies on your device.

Changes to this policy

We may update this policy as the service evolves or as the law changes. When we do, we will revise the "last updated" date above. Material changes affecting how we use your data will be communicated through your studio.

Contact and legal entity

ReservationFlow is provided by Pride of Design, a brand of Try Quantum OÜ. Try Quantum OÜ is the data controller for the service itself and the legal entity behind any contract with a studio.