Marketing consent management (GDPR consent records)

Bokko stores every guest's marketing consent as a separate record. This record is the GDPR Article 7 evidence that the guest voluntarily, informedly and withdrawably agreed to receive newsletters. Consent is not a simple checkbox on the guest profile: every state change is captured as its own audit entry.

Consent states

A guest's consent record can be in one of the following states:

• No record: The guest has never had a consent statement. They do not receive newsletters and do not appear in the subscriber list.
• Pending confirmation: The guest ticked the opt-in box but has not yet clicked the Double Opt-in confirmation email. In this state they do NOT receive newsletters.
• Granted: The guest confirmed their consent. From this point on, they are included in newsletter campaign recipient lists.
• Withdrawn: The guest unsubscribed or the owner manually withdrew consent. No newsletters are sent, but the record is preserved as evidence.
• Bounced / suppressed: Email delivery has failed permanently or the deliverability provider has suppressed the address. This is a terminal state — Bokko no longer sends here.

Where do consent records originate?

Three sources can create or modify a consent record:

• Public booking (public_booking): The guest ticks the newsletter opt-in at the end of the booking form. Bokko captures the opt-in timestamp, an exact snapshot of the consent text shown, and the active privacy policy version.
• Public booking re-grant (public_booking_re_grant): A previously withdrawn guest opts in again during a new booking. The earlier record is not deleted — a new audit entry is added.
• Manual dashboard entry (manual_dashboard): The owner records on the guest profile that the guest gave paper-based or in-person consent. A confirmation email is still sent (Double Opt-in).

Where to view consent

The consent record is surfaced in two places in the dashboard:

• Guest detail panel → Newsletter consent section: current state for the guest, last change timestamp, the source, and (when granted) the withdraw button.
• Marketing → Subscribers list: aggregate view of all guests with a state filter (pending, granted, withdrawn, bounced). Only the basics (name, email, state) are visible here — open the guest panel for the full audit history.

Permissions

Bokko keeps three distinct permissions for marketing consent:

• Marketing consent read: Open the full consent record for a specific guest — state, timestamps, consent text snapshot.
• Marketing consent read summary: Only aggregate counts (active subscribers, pending, withdrawn) are accessible — no per-guest data.
• Marketing consent write: Record manual consent and withdraw consent. The salon owner has it by default; for other roles it must be granted explicitly.

Withdrawing consent

1. Open the guest detail panel.
2. Scroll to the Newsletter consent section.
3. For a granted record, the Withdraw button is shown.
4. Confirm the action in the dialog.
5. The state changes immediately to withdrawn and the withdrawal timestamp is recorded. The guest is excluded from the next campaign.

What does the consent record actually store?

• Email address (normalised, lowercase) and optionally the guest's name.
• Current state and source (booking / manual).
• Timestamps: created, last updated, pending since, granted at, withdrawn at.
• An exact snapshot of the consent text shown to the guest — if you change the wording later, older records remain provable with the original text.
• Privacy policy and marketing policy version at the moment of consent.
• For manual entries: the short evidence note and the user ID of the recording staff member.
• The associated location ID(s) — this drives per-location segmentation in newsletter campaigns.