OneDiary
Sign in Create account

Data protection

GDPR Policy

This policy explains how OneDiary approaches UK GDPR, data protection responsibilities and requests from people whose information is held in the platform.

Last updated: 9 June 2026

1. Our approach

OneDiary is built to collect only the information needed to run bookings, deposits, accounts and support. The product is intentionally simple, and our data protection approach follows the same idea.

  • Use personal data fairly, lawfully and transparently.
  • Collect information for clear booking, account, payment and support purposes.
  • Keep information relevant and not excessive.
  • Keep records accurate where practical.
  • Keep information only for as long as it is needed.
  • Protect information with sensible security controls.

2. Controller and processor roles

For appointment information entered into a business's booking page, the business is usually the controller and OneDiary is usually the processor. That means the business decides why it needs the client's appointment information, while OneDiary provides the software that stores and processes it.

OneDiary is usually the controller for platform account information, subscription billing, support messages, security, marketing preferences and OneDiary client accounts.

Where the roles overlap, we will handle requests practically and help route them to the right place.

3. What businesses should do

Businesses using OneDiary should make sure their own customers understand how their information is used. This may include having their own privacy notice, cancellation policy and booking terms.

Businesses should:

  • collect only the booking information they need;
  • keep client notes professional, relevant and respectful;
  • avoid adding unnecessary sensitive information to appointment notes;
  • manage staff access carefully and archive users who no longer need access;
  • respond promptly if a client asks about their appointment information.

4. Data subject requests

People may ask to access, correct, delete, restrict or object to certain processing of their personal information. They can contact us at support@onediary.co.uk.

If a request relates to appointment data controlled by a business, we may ask the business for instructions or direct the person to the business. If a request relates to OneDiary account, subscription, platform or marketing information, we will handle it as controller.

We may need to confirm identity before acting on a request. We will aim to respond within the timeframe required by law.

5. Service providers and sub-processors

OneDiary uses trusted providers to operate the platform. This includes payment processing, email delivery, hosting, security and operational tools.

Current key providers include Stripe for payments and subscription billing, and Brevo for email delivery. We only share the information needed for the provider to perform its role.

6. International transfers

Some providers may process information outside the UK. Where this happens, we expect appropriate safeguards to be used, such as recognised contractual safeguards or equivalent protections required by data protection law.

7. Retention and deletion

We keep records for as long as needed to run the platform, support businesses and clients, handle payments, protect security, resolve disputes and meet legal obligations.

Where a business account closes, we may retain limited information for a reasonable period before deletion or anonymisation, unless we need to keep it for legal, accounting, security or dispute reasons.

8. Security incidents

If we become aware of a personal data breach affecting OneDiary-controlled data, we will assess the risk and take appropriate action. Where required, we will notify affected people and the Information Commissioner's Office.

If an incident affects appointment data controlled by a business, we will support the business with the information reasonably needed for them to meet their own obligations.

9. Staff and access controls

OneDiary supports business roles, permissions and staff archiving so businesses can limit access. Businesses should use these tools carefully, especially where staff rent chairs, work independently or only need limited diary access.

10. Contact

For GDPR or data protection questions, contact OneDiary at support@onediary.co.uk or write to OneDiary, 28 West Haddon Road, Northampton, NN6 8QL.