Back to SantaBook

Privacy Policy

Effective date: May 5, 2026 · Last updated: May 5, 2026

1. Who We Are

SantaBook is operated by SantaBookLLC, located in Christmas, FL 32820, United States. SantaBook is a software-as-a-service business platform built for professional Santa portrayers — covering bookings, clients, contracts, payments, and communications.

For privacy questions or to exercise your rights, contact mark@santabook.app.

2. Information We Collect

From your account

  • Identity: name, email, password (hashed), profile photo, business name.
  • Subscription: billing plan, billing status, and renewal dates. Card data is handled by Stripe — we never see or store full card numbers.
  • Authentication: session tokens and login history for security purposes.

Data you store in SantaBook

SantaBook is a tool for running your business. The records you create — clients, bookings, contracts, quotes, photos, emails, SMS — are your data. You control them. We process them on your behalf to deliver the service you signed up for.

  • Client contact details, notes, and visit history.
  • Calendar entries, including bookings made off-platform that you record manually.
  • Payment records, invoice line items, and refund history.
  • Communications: emails and SMS sent through SantaBook.
  • Photos, gift certificates, vendor relationships, and other files you upload.
  • Children's information (e.g., gift lists) only if a portrayer enters it. See section 7.

Automatically collected

  • Device, browser, and approximate location (from IP) for security and abuse prevention.
  • Aggregate usage analytics (page views, feature usage) — cookieless, no cross-site tracking.
  • Server logs (request paths, timestamps, status codes) retained up to 90 days for diagnostics.

3. How We Use Information

  • Operate the service: store your records, send your emails/SMS, process your payments.
  • Authenticate sessions and prevent fraud or abuse.
  • Send service notifications (booking reminders you configured, payment receipts, security alerts).
  • Send product announcements you opted into. You can opt out at any time.
  • Improve the platform — usage patterns, performance metrics, error tracking.
  • Comply with legal obligations (tax records, lawful requests, dispute resolution).

We do not sell or rent your personal information or your business records, and we do not share them with third parties for their own marketing purposes.

4. Service Providers (Subprocessors)

The following providers process data on our behalf under contractual data protection terms.

Stripe (payment processing)

Card payments and subscription billing run through Stripe, Inc. When clients pay through SantaBook, their card details go directly to Stripe — SantaBook never sees the full card number. Stripe stores payment data on US infrastructure under PCI DSS. See Stripe's Privacy Policy.

Mailgun (transactional email)

Emails sent through SantaBook (booking confirmations, password resets, marketing campaigns you create) are delivered through Mailgun (by Sinch). See Mailgun's Privacy Policy.

Twilio (SMS)

SMS messages sent from SantaBook are routed through Twilio, Inc. Phone numbers and message bodies are transmitted to Twilio for delivery. See Twilio's Privacy Notice.

Hosting and storage

Application servers and the PostgreSQL database run on infrastructure operated by SantaBookLLC. File storage (photos, attachments) uses self-hosted MinIO. All data is stored in the United States.

Analytics

We use cookieless analytics that record aggregate page views and feature usage only. No cross-site tracking, no advertising IDs, no third-party trackers.

5. Data Retention

Your account data is retained for as long as your subscription is active. After cancellation:

  • 30-day grace period — you can re-activate or export your data at any time.
  • After 30 days — account data is queued for deletion. You can request immediate deletion at any point.
  • Tax and legal records — invoice and payment records are retained for up to 7 years to satisfy tax law, even after account deletion.
  • Backups — encrypted backups expire on a 35-day rolling window.

6. Your Rights

  • Access and portability: export your account data at any time from /settings.
  • Correction: edit or correct your account information directly in the app.
  • Deletion: close your account from /settings or email us. We will process the deletion within 30 days.
  • GDPR (EU/EEA/UK): right of access, rectification, erasure, restriction, portability, and to object to processing.
  • CCPA (California): right to know, right to delete, right to opt out of sale (we do not sell), right to non-discrimination.

To exercise any right that is not self-service, email mark@santabook.app. We respond within 30 days.

7. Children's Privacy (COPPA)

SantaBook is sold to and used by adult professional Santa portrayers. The portrayer is the SantaBook customer; SantaBook does not market to or collect data directly from children.

If a portrayer chooses to record a child's information in SantaBook (for example, a gift list for a personalized letter), the portrayer is responsible for collecting any required parental consent in accordance with the U.S. Children's Online Privacy Protection Act (COPPA) and equivalent laws. SantaBook acts as a data processor for that information on the portrayer's behalf.

If you are a parent and believe a portrayer has stored your child's information in SantaBook without your consent, contact mark@santabook.app and we will work with the portrayer to remove it.

8. Security

We use industry-standard practices to protect your data:

  • Encrypted connections (HTTPS/TLS) for all traffic.
  • Hashed and salted password storage; session tokens with short lifetimes.
  • Role-based access; production data accessed only by authorized personnel.
  • Encrypted backups; periodic restore drills.
  • Webhook signatures verified for all third-party callbacks.

No system is perfectly secure. If we become aware of a breach likely to affect your rights, we will notify affected accounts and the relevant authorities without undue delay and generally within 72 hours, in accordance with applicable law.

9. International Transfers

SantaBook is operated in the United States and your data is stored on US infrastructure. If you access SantaBook from outside the US, your data will be transferred to the United States, where data protection laws may differ from those in your jurisdiction. By using SantaBook, you consent to that transfer.

10. Changes

We may update this Privacy Policy from time to time. Material changes will be announced via email and an in-app notice at least 30 days before they take effect. The effective date at the top of this page reflects the current version. Continued use of SantaBook after changes become effective constitutes acceptance.

11. Contact

For privacy questions, requests, or concerns:

SantaBookLLC
Christmas, FL 32820
United States
mark@santabook.app