Privacy Policy

Hardbook ("we," "us," or "our") provides a professional booking and contract management platform for high-demand creative artists. The Service (available at www.hard-book.com and associated subdomains) is operated by Adam Albo, a registered sole proprietor in Tel Aviv, Israel.

We are the "Data Controller" of your personal information — which is a fancy way of saying we take responsibility for keeping your data safe so you can focus on your day rate.

For any privacy questions or to exercise your data rights, reach out to our team at service@hard-book.com.

This policy covers the Hardbook web application at www.hard-book.com, tenant booking portals served from our domain, and any APIs we expose to logged-in users. It does not cover third-party websites we link to — please review their policies independently.

We collect only what we need to operate Hardbook for you.

• Account data. Email address, display name, hashed password (managed by Supabase Auth), and authentication provider (e.g., Google OAuth) when you sign up or sign in.
• Business profile. Information you choose to add to your freelancer studio: display name, logo, brand assets, daily rate, business contact details, and tax identifiers used in contracts.
• Bookings and contracts. Records of bookings you create, statuses (pencil, hard, confirmed), generated contracts, and signatures.
• Client-supplied data. Information your clients enter into your booking portal — typically name, email, company, and project details — submitted to you via Hardbook.
• Google Calendar metadata (optional).If you enable Google Calendar Sync, we read busy/free metadata from the calendar(s) you authorize so Hardbook can render your availability. See "Google API Disclosure" below.
• Uploaded media. Logo files, background imagery, and motion-identity videos you upload to your studio (stored in Vercel Blob).
• Generated artifacts. Output produced by AI features inside Hardbook Studio (e.g., generated brand prompts) at your request.
• Operational logs. Standard request and error logs (IP address, user agent, timestamp) used for security, debugging, and abuse prevention.

We do not knowingly collect special-category data (e.g., health, biometric, political opinions). Please don't put such data into Hardbook.

For users in the EU, UK, and similar regimes, our lawful bases under GDPR Article 6 are:

• Contract performance — to provide the Service you signed up for: hosting your studio, processing bookings, generating contracts.
• Legitimate interests — keeping the Service secure, preventing fraud and abuse, fixing bugs, and improving the product. These interests are balanced against your rights and freedoms.
• Consent — for optional features such as Google Calendar Sync and any future product or marketing communications. You can withdraw consent at any time.
• Legal obligation — when we must retain or disclose data to comply with applicable law.

We rely on the following service providers to operate Hardbook. Each processes personal data only on our instructions and under appropriate data-protection terms.

• Vercel — application hosting, edge delivery, Vercel Blob storage for uploaded media, Vercel AI Gateway for inference routing.
• Supabase — managed Postgres database and authentication.
• Google — Google Calendar API, accessed only when you have explicitly connected a Google account to Hardbook.
• Anthropic — large-language-model inference (via Vercel AI Gateway) for generative features inside Hardbook Studio.
• Resend — transactional email delivery for sign-up confirmations, password resets, and booking notifications.

A current list of sub-processors is available on request from service@hard-book.com.

Hardbook use and transfer of information received from Google API to any other app will adhere to Google API Services User Data Policy, including the Limited Use Requirement.

In practice, when you connect a Google account so Hardbook can sync your calendar:

• We read only the calendar data you authorize (busy/free windows and event metadata required to render your availability inside Hardbook).
• We never sell, rent, or transfer Google user data to advertisers, data brokers, or any third party other than the sub-processors listed in section 5 above.
• We never use Google user data to train, fine-tune, or improve any generalized or third-party AI/ML model.
• We use Google user data only to provide and improve features the user is using inside Hardbook.
• You can disconnect Google Calendar Sync at any time from your Hardbook settings, which revokes our access and deletes the synced calendar data we hold.

We use only essential cookies — primarily the session cookies that Supabase Auth sets so you can stay logged in. We do not run third-party analytics, advertising, or tracking cookies on the public site or signed-in product today. If we add analytics, we will update this section before turning them on.

We hold your account, bookings, contracts, and the calendar data we synced for you until you request account deletion (see next section). Once we process the deletion, the data is removed from our live systems and overwritten in routine encrypted backups within 30 days. We retain data longer only where the law requires us to (for example, tax or anti-fraud records).

To delete your Hardbook account and erase any data we hold about you — including any Google Calendar data we synced via the Calendar integration — email service@hard-book.com from the address tied to your account with the subject line "Delete my account". We will confirm and complete the deletion within 30 days.

Self-service in-app deletion is on our roadmap. Until it ships, the email path above is the canonical, fully-supported way to wipe your account.

Hardbook is operated from the United States, and our sub-processors may process data in the U.S. and other regions. Where required, we rely on Standard Contractual Clauses (and their UK addenda) to provide appropriate safeguards for cross-border transfers of personal data from the EEA, UK, or Switzerland.

If you are in the EU, UK, or Switzerland, you have the right to:

• access the personal data we hold about you;
• request rectification of inaccurate data;
• request erasure (the "right to be forgotten");
• request restriction of processing;
• request portability of data you provided;
• object to processing based on legitimate interests;
• withdraw consent at any time without affecting prior processing;
• lodge a complaint with your local supervisory authority (we'd appreciate the chance to address concerns first — email us).

If you are in a U.S. state with comprehensive privacy legislation (e.g., California, Virginia, Colorado, Connecticut, Utah), you have the right to know what personal information we hold, request deletion, request correction, and not be discriminated against for exercising these rights. We do not sell personal information and we do not engage in "sharing" for cross-context behavioral advertising as defined under the CCPA.

Hardbook is a B2B product for professional freelancers and is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.

Hardbook uses Supabase-managed encryption at rest, TLS in transit, and Postgres row-level-security policies to keep tenant data isolated. No system is perfectly secure; if you suspect a security issue, please email service@hard-book.com.

We may update this policy as the Service evolves or the law changes. Material changes will be reflected by updating the effective date at the top of this page. We'll make a reasonable effort to notify active users of significant changes.

For any privacy-related question, email service@hard-book.com.

See also our Terms of Service.