Funbutler Booking is an online booking platform by Funbutler AB, a Swedish company headquartered in Stockholm. Venues for events, escape rooms, leisure and activities embed a booking widget on their website to manage availability, payments and confirmations. Funbutler hosts data in the European Union (AWS Stockholm and Frankfurt) and sets strictly necessary cookies for the booking session. Optional analytics widgets and embedded marketing scripts a venue activates require GDPR and ePrivacy consent.
Funbutler Booking is an online booking platform operated by Funbutler AB, a Swedish company headquartered in Stockholm. The product targets venues that sell time slots: escape rooms, mini golf, indoor karting, climbing gyms, axe throwing, padel courts, leisure parks and event facilities. Venues embed a booking widget on their existing website, or use a hosted booking page provided by Funbutler. The platform manages availability, group bookings, online payments through Swedish Klarna and Stripe, gift cards, customer accounts and email or SMS confirmations. Funbutler acts as a processor for the venue, which remains the controller.
The Funbutler widget sets a small set of first party cookies: a booking session identifier, a CSRF token, a cart cookie that remembers the slot the user is reserving, and a payment session identifier when checkout is reached. Funbutler stores the customer name, email, phone number, the chosen activity, date, number of participants, optional notes and the payment confirmation reference. IP address and basic technical metadata are processed for security and fraud prevention. Optional venue integrations (Google Analytics, Facebook Pixel, Mailchimp, Klaviyo) may add their own cookies and processing.
The venue is the controller for the booking data and Funbutler AB acts as a processor under Art. 28 GDPR. The strictly necessary booking and payment cookies are exempt from prior consent under Art. 5(3) ePrivacy because the user explicitly requested the service. Any analytics or marketing tracker the venue adds on the surrounding website falls inside the consent scope, supervised by IMY in Sweden, the CNIL in France, the DSK in Germany and the AEPD in Spain. Venues that handle bookings for minors must apply the parental consent rules of Art. 8 GDPR.
For the Funbutler booking flow and the payment session, no prior consent is required, although the venue must still describe these cookies in the privacy notice. Consent must be obtained before any analytics or marketing widget loads on the surrounding website, for example Google Analytics, Meta Pixel, Hotjar or a chat tool. The venue must offer reject all and accept all options with equal prominence, granular per category choices, and a clear withdrawal link. Storing a proof of consent record under Art. 7 GDPR is recommended for accountability.
Funbutler AB hosts its production environment within the European Union (AWS Stockholm and AWS Frankfurt), so no personal data leaves the European Economic Area for the core booking service. Transfers can occur through optional integrations: Stripe for payments may process data in the United States, Mailchimp or Klaviyo for marketing automation, Google Analytics for measurement. For each such integration the venue must rely on Standard Contractual Clauses, the EU US Data Privacy Framework where the partner is certified, and a Transfer Impact Assessment documenting supplementary measures.
Sign the Funbutler Data Processing Agreement, list the platform in your Art. 30 register of processing activities, define a clear retention period for booking records (typically aligned with Swedish accounting rules) and publish a privacy notice that distinguishes the booking widget from optional analytics. Configure your Consent Management Platform to block analytics and marketing widgets before consent. Provide self service access, rectification and erasure through the venue support email, ensure SMS and email confirmations include an opt out for marketing, and review the active integrations at least once a year.
Websites using Funbutler Booking must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is generally not required for the Funbutler Booking widget itself, because Funbutler AB hosts data within the European Union (AWS Stockholm and Frankfurt) and processes only the personal data needed to manage a booking (contract under Art. 6(1)(b) GDPR). A documented record of processing activities under Art. 30 GDPR and a balancing test for legitimate interest are sufficient. A DPIA becomes appropriate when the venue handles bookings for minors at scale, special categories of data (health for therapy or sport injuries), automated fraud scoring on payments, or extensive marketing automation combining the booking data with external profiles.
Sample consent text
This booking is powered by Funbutler and uses strictly necessary cookies to keep your reservation, your payment session and your confirmation flow alive, which do not require consent. With your consent, we also enable optional analytics and marketing widgets that may set additional cookies and share data with partners. You can accept all, reject all non essential or set your preferences at any time from the cookie link in the footer.
Third-party domains contacted
funbutler.com
app.funbutler.com
booking.funbutler.com
cdn.funbutler.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| fb_session | Session | Session | First party booking session cookie used to keep the visitor selection, contact details and confirmation step linked together during the booking flow. |
| fb_csrf | Session | Session | CSRF protection token tied to the booking session and validated on each form submission to prevent cross site request forgery. |
| fb_cart | Persistent | 1 day | Stores a reference to the slots the visitor has selected so they are not lost if the user navigates back during the booking flow. |
| fb_payment | Session | Session | Payment session identifier used during checkout with Klarna or Stripe to link the booking to the resulting payment intent. |
| fb_locale | Persistent | 1 year | Stores the preferred display language for the booking widget so future visits load in the same locale. |
Funbutler Booking uses cookies for user preferences — inform visitors with a consent banner.
The Funbutler widget sets a small set of first party cookies needed for the booking: a booking session identifier, a CSRF token, a cart cookie that remembers the selected slot, and a payment session identifier at checkout. Funbutler stores the customer name, email, phone number, the chosen activity, date, number of participants, optional notes and the payment confirmation reference. IP address and basic device metadata are processed for security and fraud prevention. Anything beyond that, such as Google Analytics or a chat widget, comes from optional venue integrations.
Consent is not required for the strictly necessary cookies that operate the booking session and the payment flow, because the user explicitly requested the service under Art. 5(3) ePrivacy. Consent becomes mandatory for any optional analytics, marketing or social widget the venue adds on the surrounding website (Google Analytics, Meta Pixel, Hotjar, chat). The venue must offer reject all and accept all options with equal prominence, a granular per category choice and an easy way to withdraw.
The venue relies on contract performance under Art. 6(1)(b) GDPR for the booking, the payment and the email or SMS confirmation. Legitimate interest under Art. 6(1)(f) GDPR can justify fraud prevention, abuse mitigation and aggregated business statistics. Consent under Art. 6(1)(a) GDPR plus Art. 5(3) ePrivacy is the basis for optional analytics, marketing and newsletter sign ups. Legal obligation under Art. 6(1)(c) GDPR covers invoice retention, in line with Swedish or local accounting rules, typically several years.
Funbutler AB hosts its production on AWS Stockholm and AWS Frankfurt, so personal data processed for the core booking service does not leave the European Economic Area. Transfers can occur through optional integrations chosen by the venue: Stripe and PayPal for payments may process data in the United States, Mailchimp or Klaviyo for marketing automation, Google Analytics for measurement. Each of these must rely on an appropriate transfer tool, typically the EU US Data Privacy Framework or EU Standard Contractual Clauses with a Transfer Impact Assessment.
A formal DPIA is not usually required for the Funbutler widget alone, given EU hosting, contract based processing and limited data categories. A DPIA becomes appropriate when the venue takes bookings for minors at scale, handles special categories such as health for therapeutic or sports settings, runs automated fraud scoring with significant effects, or combines booking data with extensive third party profiles for behavioural advertising. Document the screening decision in your data protection file in any case.
Sign the Funbutler Data Processing Agreement, list the platform in your Art. 30 register, set a clear retention period for booking and payment data (typically aligned with national accounting rules), and publish a privacy notice that distinguishes the booking widget from optional analytics. Use a Consent Management Platform on the surrounding website to gate every non essential tag. Provide self service rights through your support email, add a marketing opt out to SMS and email confirmations, and audit active integrations at least annually.
Other EU based or EU friendly booking platforms include Bookeo, SimplyBook.me, Bookwhen, Planyo, ReservIt, Resamania and TicketCo, plus open source options such as Easy!Appointments. For activity venues specifically, Regiondo (Germany), Bokun (Iceland with EU hosting) and Smartbox are common alternatives. None remove the consent obligation for analytics and marketing add ons on the surrounding website. Compare them on EU hosting, the Data Processing Agreement and the maturity of native consent integrations.
List the strictly necessary Funbutler cookies (booking session, CSRF token, cart, payment session) with purpose and lifetime, and mark them as exempt from consent. Add a separate section for optional integrations: analytics, marketing pixels, payment partners and chat tools, with the cookies they set, the retention and the transfer mechanism (Data Privacy Framework, Standard Contractual Clauses) for any non EU recipient. Mention Funbutler AB as processor and the EU hosting location, and refresh the policy whenever a new integration is added, at least every six months.