Privacy Policy

Last Updated: November 3, 2025

1. Introduction

Welcome to Slotify ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our resource booking platform ("Service").

By using Slotify, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Data Controller

The data controller responsible for your personal information is:

Company: Slotify

Website: https://slotify24.com

Email: privacy@slotify24.com

Address: [Your Company Address]

3. Information We Collect

3.1 Personal Information You Provide

When you register for an account or use our Service, we collect:

  • Account Information: Email address, first name, last name, phone number (optional)
  • Authentication Data: Password (encrypted), Google OAuth tokens (if using Google Sign-In)
  • Profile Information: User role (Customer, Personal Trainer, Admin), assigned resources
  • Booking Information: Booking dates/times, customer notes, cancellation reasons
  • Credit Information: Credit balance, transaction history, credit notes
  • Communication Preferences: Email notifications, SMS notifications (if provided)

3.2 Calendar Integration Data

If you connect external calendars (Google Calendar or Microsoft Outlook), we collect:

  • Calendar Provider: Google or Microsoft
  • Connected Email: Email address of the connected calendar account
  • OAuth Tokens: Access tokens and refresh tokens (encrypted at rest using AES-256)
  • Busy Times: Start/end times of calendar events to prevent double-booking
  • Event IDs: External event identifiers for synchronization

Important: We only read your calendar availability (busy/free status). We do NOT access event titles, descriptions, attendees, or other event details. Calendar tokens are encrypted and stored securely in our database.

3.3 Automatically Collected Information

  • Log Data: IP address, browser type, operating system, referring URLs, pages viewed, date/time stamps
  • Device Information: Device type, unique device identifiers
  • Usage Data: Features used, pages visited, time spent on platform, user actions
  • Cookies: Session cookies, authentication cookies, preference cookies (see Cookie Policy)

3.4 Contact Form Data

When you contact us through our contact form:

  • Name, email, phone number (if provided)
  • Message content
  • IP address and timestamp (for security and spam prevention)
  • reCAPTCHA data (processed by Google)

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Provision

  • Create and manage your account
  • Process and manage bookings, cancellations, and rescheduling
  • Manage the credit system and transactions
  • Send booking confirmations via email (.ics calendar invites)
  • Sync external calendar busy times to prevent double-booking
  • Display available time slots for booking

4.2 Communication

  • Send booking confirmations and reminders
  • Notify you of cancellations, rescheduling, or changes
  • Respond to your inquiries and support requests
  • Send account-related notifications (password reset, security alerts)
  • Send administrative messages (service updates, policy changes)

4.3 Analytics and Improvement

  • Analyze usage patterns to improve our Service
  • Monitor and analyze trends and usage statistics
  • Troubleshoot technical issues and bugs
  • Develop new features and services

4.4 Security and Fraud Prevention

  • Protect against fraud, abuse, and security threats
  • Verify identity during authentication
  • Enforce our Terms of Service
  • Comply with legal obligations

5. Legal Basis for Processing (GDPR/KVKK)

We process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing is necessary to perform our contract with you (providing booking services)
  • Consent: You have given explicit consent for calendar integration and marketing communications
  • Legitimate Interests: Processing is necessary for our legitimate interests (improving service, security, analytics)
  • Legal Obligation: Processing is required to comply with legal obligations (tax, accounting, legal requests)

6. How We Store Your Data

6.1 Storage Location

Your data is stored on secure servers located in:

  • Primary Database: PostgreSQL database hosted on Google Cloud Platform (GCP)
  • Geographic Location: [Specify your GCP region, e.g., Europe (Belgium) for GDPR compliance]
  • Backups: Automated daily backups stored in the same region

6.2 Security Measures

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Passwords: Hashed using the industry-standard bcrypt algorithm
  • OAuth Tokens: Encrypted before database storage
  • Access Control: Role-based access control (RBAC) limits data access
  • Firewall: Network-level firewall protection
  • Monitoring: 24/7 security monitoring and logging
  • Regular Audits: Security audits and vulnerability scanning

6.3 Data Retention

  • Active Accounts: Retained as long as your account is active
  • Inactive Accounts: Deleted after 24 months of inactivity
  • Booking History: Retained for 3 years for accounting and legal compliance
  • Transaction Records: Retained for 7 years as required by tax law
  • Calendar Tokens: Deleted immediately when you disconnect your calendar
  • Contact Form Data: Retained for 1 year, then anonymized

7. How We Share Your Data

We do NOT sell your personal information. We may share your data with:

7.1 Service Providers

  • Google Cloud Platform: Cloud hosting and database services
  • Email Service (MailHog/Mailgun): Transactional email delivery
  • SMS Service (Twilio): SMS notifications (if you opt in)
  • Google APIs: Google Sign-In and Calendar integration
  • Microsoft APIs: Microsoft Calendar integration
  • reCAPTCHA: Spam and bot prevention (Google)

7.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders, subpoenas, or legal processes
  • Government or regulatory authorities
  • Law enforcement requests
  • Protection of our rights, property, or safety

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

8. Your Data Protection Rights

Under GDPR and KVKK, you have the following rights:

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal retention requirements)
  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Data Portability: Request transfer of your data to another service in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Withdraw consent for calendar integration or marketing communications at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at privacy@slotify24.com. We will respond within 30 days.

9. Third-Party Services and Links

Our Service may contain links to third-party websites and services:

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies.

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

Your data is primarily stored in [Your GCP Region]. If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for specific countries
  • Privacy Shield or equivalent frameworks

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Email notification to your registered email address
  • Prominent notice on our website
  • In-app notification upon login

The "Last Updated" date at the top of this policy indicates when it was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

14. Supervisory Authority

If you are located in the EU/EEA or Turkey, you have the right to lodge a complaint with your local data protection authority: