Bookr
PricingSign inGet started free

© 2026 Bookr by Bergbacher. All rights reserved.

ImprintPrivacy PolicyTerms of ServiceDPASub-ProcessorsGetting StartedDeveloper Docs

Terms of Service

Effective: April 1, 2026·Version: 1.0.0

§ 1 Scope and Provider

(1) These Terms of Service ("Terms") govern the use of the Bookr cloud-based booking platform ("Service") operated by Bergbacher GmbH, Zionskirchstraße 46, 10119 Berlin, Germany, registered at Amtsgericht Berlin Charlottenburg under HRB 278809 B ("Provider", "we", "us").

(2) The Service is a Software-as-a-Service (SaaS) solution that enables businesses ("Customers") to manage bookings, appointments, and scheduling through workspaces, embeddable booking forms, and partner integrations.

(3) These Terms apply exclusively. Conflicting or deviating terms of the Customer shall not apply, even if the Provider does not expressly object to them.

(4) The Service is directed at businesses and professionals (B2B). By registering, the Customer confirms that they are acting in a commercial or professional capacity.

§ 2 Definitions

"Workspace" means an isolated tenant environment within the Service, containing the Customer's bookable items, bookings, partners, and settings.

"Booking Entry" means an immutable, append-only ledger record representing a state change in a booking (creation, confirmation, cancellation, modification).

"Bookable Item" means a resource, service, or appointment slot configured by the Customer for booking.

"Partner" means a third party authorized by the Customer to create bookings via the Partner Integration channel.

"End User" or "Booker" means a person who makes a booking through any of the available booking channels.

§ 3 Registration and Account

(1) Access to the Service requires registration with a valid email address and a password (minimum 12 characters). Optionally, users may register passkeys for passwordless sign-in and enable two-factor authentication (TOTP or email code).

(2) The Customer is responsible for ensuring that only authorized persons access their account and workspaces. The Customer must notify the Provider immediately of any unauthorized access.

(3) Each workspace is an isolated tenant. Data within a workspace is not accessible from other workspaces unless explicitly shared through partner integrations.

(4) The Provider reserves the right to refuse registration or terminate accounts that violate these Terms or applicable law.

§ 4 Service Description

(1) The Service provides the following core functionality: (a) creation and management of workspaces; (b) configuration of bookable items; (c) booking management through an append-only ledger system; (d) three booking channels: Internal (dashboard), Direct Embed (iframe widget), and Partner Integration (iframe + API key); (e) role-based access control (admin, manager, viewer); (f) partner management with API key authentication.

(2) The Provider shall make commercially reasonable efforts to ensure high availability of the Service, excluding scheduled maintenance windows. Scheduled maintenance will be announced at least 48 hours in advance where possible. The Provider does not guarantee a specific uptime percentage.

(3) The Provider may modify, enhance, or discontinue features of the Service at any time, provided that the core functionality is not materially reduced during an active subscription period.

§ 5 Subscription and Fees

(1) The Service is offered under subscription plans as published on the Provider's website. The scope of features and usage limits depends on the selected plan.

(2) A free plan with limited usage is available indefinitely. The Customer may upgrade to a paid plan at any time to access additional features and higher usage limits. The scope of each plan is described on the Provider's website.

(3) Subscription fees are due in advance for the selected billing period (monthly or annually). All prices are quoted in EUR and exclusive of applicable VAT.

(4) The Provider reserves the right to adjust pricing for future billing periods with at least 30 days' prior notice. Price changes do not affect the current billing period.

§ 6 Payment

(1) Payment is processed through third-party payment providers. The Customer agrees to the terms of the respective payment provider.

(2) Invoices are issued electronically and sent to the email address associated with the workspace.

(3) In the event of late payment, the Provider may restrict access to the Service after a reminder with a reasonable grace period of at least 14 days. The Provider's right to claim default interest under § 288 BGB remains unaffected.

(4) The Customer may only offset claims that are undisputed or have been finally adjudicated.

§ 7 Customer Obligations

(1) The Customer shall: (a) provide accurate and complete registration information; (b) keep account credentials and API keys confidential; (c) use the Service only in accordance with applicable law and these Terms; (d) not attempt to access other customers' workspaces or data; (e) not use the Service for any illegal, fraudulent, or abusive purpose.

(2) The Customer is solely responsible for all content uploaded, entered, or transmitted through the Service, including bookable item descriptions, booking data, and partner configurations.

(3) The Customer shall ensure that their use of the Service, including the collection and processing of End User data, complies with all applicable data protection laws.

(4) API keys are stored as cryptographic hashes. The plaintext key is displayed once at creation. The Customer is responsible for securely storing API keys. Lost keys cannot be recovered and must be regenerated.

§ 8 Data Protection

(1) The Provider processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Details are set out in the Privacy Policy, available on the Provider's website.

(2) To the extent the Provider processes personal data on behalf of the Customer, the parties shall enter into a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR. The DPA is incorporated as Annex 1 to these Terms and is additionally available at /en/dpa for review and export.

(3) The Customer remains the data controller for all personal data processed within their workspace. The Provider acts as data processor.

(4) Customer data (database) is stored on servers within the European Union. The application layer is hosted in the EU (Frankfurt) by Vercel Inc., a US-based sub-processor operating under the EU–US Data Privacy Framework. The current list of sub-processors is publicly available at /en/sub-processors. The Provider shall not engage additional sub-processors that transfer data to third countries without appropriate safeguards under Chapter V GDPR.

§ 9 Intellectual Property

(1) All rights to the Service, including software, design, trademarks, and documentation, remain with the Provider. The Customer receives a non-exclusive, non-transferable, revocable right to use the Service for the duration of the subscription.

(2) The Customer retains all rights to their content and data uploaded to the Service.

(3) The Customer grants the Provider a limited license to process, store, and display Customer content solely for the purpose of providing the Service.

§ 10 Liability

(1) The Provider shall be liable without limitation for damages caused intentionally or through gross negligence, as well as for damages resulting from injury to life, body, or health.

(2) For slight negligence, the Provider shall only be liable in the event of a breach of a material contractual obligation (cardinal obligation). In such cases, liability is limited to the foreseeable, typically occurring damage. Material contractual obligations are obligations whose fulfilment is essential for the proper execution of the contract and on whose compliance the Customer regularly relies.

(3) Liability under the German Product Liability Act (Produkthaftungsgesetz) remains unaffected.

(4) The Provider shall not be liable for loss of data to the extent the Customer has failed to ensure that such data can be reproduced from data backups with reasonable effort.

(5) The Provider's total aggregate liability for all claims arising under or in connection with this agreement shall not exceed the total fees paid by the Customer in the twelve (12) months preceding the event giving rise to the claim.

§ 11 Term and Termination

(1) The contract is concluded for the selected subscription period and renews automatically for successive periods of the same length, unless terminated by either party with at least 14 days' notice before the end of the current period.

(2) The right of both parties to terminate for cause (außerordentliche Kündigung) remains unaffected. Cause for immediate termination by the Provider includes, in particular: (a) material breach of these Terms by the Customer; (b) use of the Service for illegal purposes; (c) non-payment despite reminder and grace period.

(3) Upon termination, the Customer may export their data for a period of 30 days. After this period, the Provider shall delete all Customer data in accordance with applicable data protection law.

(4) Termination must be in text form (email is sufficient).

§ 12 Changes to These Terms

(1) The Provider may modify these Terms with at least 30 days' prior notice. Notification is provided by email or through the Service.

(2) If the Customer does not object within 30 days of receipt of the notification, the modified Terms shall be deemed accepted. The Provider will expressly advise the Customer of the significance of the 30-day period in the change notification.

(3) If the Customer objects to the change, the Provider may terminate the contract at the end of the current billing period.

§ 13 Governing Law and Jurisdiction

(1) These Terms and any disputes arising out of or in connection with them shall be governed exclusively by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

(2) The exclusive place of jurisdiction for all disputes arising out of or in connection with these Terms is Berlin, provided the Customer is a merchant, legal person under public law, or special public-law fund.

§ 14 Severability

(1) Should any provision of these Terms be or become invalid, the validity of the remaining provisions shall not be affected.

(2) The invalid provision shall be replaced by a valid provision that comes closest to the economic purpose of the original provision.

§ 15 Contact

For questions regarding these Terms, please contact: Bergbacher GmbH, Zionskirchstraße 46, 10119 Berlin, Germany. Email: contact@bergbacher.com. Phone: +49 30 65941623.

Annex 1 — Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") concretizes the data-protection obligations between Bergbacher GmbH ("Processor") and the Customer ("Controller") in the context of using the Bookr service. It supplements the Terms of Service as Annex 1.

§ 1 Subject and Duration of Processing

(1) The subject of this DPA is the processing of personal data by the Processor in the course of providing the Bookr service pursuant to the Terms.

(2) This DPA applies for the duration of the main contract between the parties and terminates automatically with it, supplemented by the deletion or return obligations under § 10.

§ 2 Nature and Purpose of Processing

(1) Nature of processing: collection, storage, organisation, display, transmission, modification, retrieval, querying, deletion, and erasure of personal data to provide the Bookr platform.

(2) Purpose of processing: providing the SaaS functionality contracted by the Customer (booking management, workspace management, partner integrations, notifications).

§ 3 Categories of Personal Data

The following categories of data are processed in particular:

  • Master data of end users (name, email address, phone number)
  • Booking data (time, booked item, selected options, notes)
  • Authentication data of Controller's staff (hashed passwords, passkey public keys, TOTP secrets)
  • Security metadata (IP addresses, user agent, login timestamps, audit logs)
  • Payment metadata (no full payment instruments; see payment-provider sub-processor)

§ 4 Categories of Data Subjects

  • End users (bookers) of the Controller
  • Staff and agents of the Controller with workspace access
  • End customers of partners who book via the partner-integration channel

§ 5 Obligations of the Processor

(1) The Processor processes data only on documented instructions from the Controller. The Controller's use of the service via the dashboard and API constitutes documented instructions.

(2) The Processor commits the persons involved in processing to confidentiality in writing, unless they are already subject to a statutory duty of confidentiality.

(3) The Processor maintains the technical and organisational measures (TOM) described in Annex A pursuant to Art. 32 GDPR.

§ 6 Sub-Processors

(1) The Controller grants the Processor general written authorisation to engage sub-processors pursuant to Art. 28 (2) GDPR.

(2) A current list of all sub-processors is publicly available at /en/sub-processors.

(3) If the Processor intends to engage a new sub-processor or replace an existing one, it announces this on the sub-processors page at least 14 days before it takes effect. The Controller may object within this period; the consequences of an objection are governed by § 11 of the Terms.

§ 7 Third-Country Transfers

(1) The application layer is operated in the EU (Frankfurt) by Vercel Inc., a US-based sub-processor. The transfer to the United States is based on the EU–US Data Privacy Framework.

(2) Logging and observability data are processed by Axiom Inc. (United States). Only security metadata (in particular IP addresses, user agent, timestamps, and status codes) are transmitted to Axiom; no booking or master data. The transfer is based on the EU–US Data Privacy Framework.

(3) Insofar as other sub-processors transfer data to third countries, this is done exclusively on the basis of appropriate safeguards under Chapter V GDPR (adequacy decision, Standard Contractual Clauses Module 3, or Data Privacy Framework).

§ 8 Obligations to Assist

(1) The Processor assists the Controller in fulfilling data-subject rights (Art. 15–22 GDPR) by appropriate technical and organisational means, in particular through data-export and deletion functions in the dashboard.

(2) The Processor notifies the Controller without undue delay upon becoming aware of a personal-data breach in its area of responsibility, and assists with the notification obligations under Art. 33 and Art. 34 GDPR.

(3) The Processor assists the Controller with data-protection impact assessments (Art. 35 GDPR) and with prior consultation with the supervisory authority (Art. 36 GDPR), as required.

§ 9 Audit and Evidentiary Obligations

(1) The Processor provides the Controller with appropriate evidence of compliance with the TOM and the obligations under this DPA upon request (e.g. certifications, audit reports, self-assessments).

(2) The Controller may, after prior written notice with reasonable lead time and during normal business hours, conduct on-site audits or have them conducted by independent auditors, where self-assessments are insufficient for the specific audit situation.

§ 10 Deletion and Return after End of Contract

(1) After termination of the main contract, the Controller may export their data within 30 days (cf. § 11 (3) of the Terms).

(2) After the export period, the Processor deletes all of the Controller's personal data, unless statutory retention obligations apply.

§ 11 Liability

(1) Liability between the parties is governed by § 10 of the Terms; liability under Art. 82 GDPR remains unaffected.

Annex A — Technical and Organisational Measures (TOM)

The Processor implements the following measures pursuant to Art. 32 GDPR, in particular:

  • Encryption: TLS 1.3 for all connections; encryption at rest for database and object storage via the respective hosting providers.
  • Access control: Role-based authorisation model (admin, manager, viewer) at workspace level; tenant isolation via separated workspaces.
  • Authentication: Password policy (minimum 12 characters), optional two-factor authentication (TOTP, email code), optional passkeys; Argon2 password hashing.
  • Integrity: Append-only booking ledger; every booking state change is recorded as an immutable entry.
  • Secret management: API keys are stored only as cryptographic hashes; plaintext is shown once at creation.
  • Logging and monitoring: Audit logs for security-relevant events; central log aggregation.
  • Backups: Regular database backups via the hosting provider; restorability is testable.
  • Personnel measures: Confidentiality commitments from staff; access on a need-to-know basis.
  • Sub-processors: Pre-engagement review of new sub-processors for data-protection compliance; public sub-processor list with prior notification of changes.