Slotsy
147 / 250 claimed Claim a seat

Legal · Privacy

Privacy Policy

LAST UPDATED · 2026-05-12 · PLAIN-ENGLISH SUMMARIES IN grey

Stub · pending solicitor review before public launch. The intent below is final; the legal wording will be polished.

§01 Who we are

Slotsy is run by one person from Tirana, Albania. Data lives on Cloudflare's EU edge.

Slotsy ("we", "us") is operated as a sole-trader business by Jorgo, registered in Albania. The booking platform runs on Cloudflare Workers with EU data residency (region hint weur) and uses Cloudflare D1, R2, and KV for storage.

§02 What we collect

Your account email, your bookings, your members' booking data, payment metadata (not card numbers). No tracking pixels.

From you: email, hashed password, billing address (held by Paddle), custom-domain CNAME, calendar credentials (OAuth tokens encrypted at rest, or iCal feed URL).

From your members: name, email, scheduled time, intake-form fields you defined, payment metadata if you took a paid booking through your Stripe key (we never see card numbers — Stripe does).

Automatically: server request logs (IP, user-agent, timestamp, response status) retained 30 days for abuse-detection. Plausible Analytics on the marketing site is used — server-side, cookieless, GDPR-exempt, no fingerprinting. No Meta Pixel, no Google Analytics, no Hotjar.

§03 How we use it

To make the bookings work. Not to advertise to your members.

We use account-holder data to operate the service: serve your booking page, sync your calendar, send confirmation emails on your behalf, process your Paddle subscription.

Member data is used exclusively on your behalf to operate your booking flow. We do not sell, share, license, rent, or otherwise transfer member data to third parties.

§04 Lawful basis (GDPR)

  • Contract · Art. 6(1)(b) · processing account-holder data to provide the service you paid for.
  • Legitimate interest · Art. 6(1)(f) · abuse-detection logs, fraud prevention.
  • Consent · Art. 6(1)(a) · optional marketing emails (opt-in only).

§05 Sub-processors

Cloudflare (hosting, EU region) · Paddle (subscription billing, EU/UK) · Stripe (your key, not ours, member payments) · Resend (transactional email, EU region available) · Plausible (analytics, EU-hosted).

§06 Your rights

Access · rectification · erasure · restriction · portability · objection · withdrawal of consent. Exercise any of them by emailing [email protected]. We respond within 30 days.

§07 Retention

Account data: for the lifetime of your account, plus 90 days after deletion (backups). Member booking data: same. Request logs: 30 days. Earlier deletion on request.

§08 Cookies

The marketing site sets no cookies. The application sets one session cookie (HttpOnly, SameSite=Lax) and one CSRF token. That's the entire cookie surface.

§09 International transfers

Data stays in the EU by default. Where a sub-processor transfers outside the EU (e.g. Stripe), Standard Contractual Clauses apply.

§10 Changes

Material changes get 30 days' email notice with a redline diff. No silent updates.

Questions? [email protected] · Privacy / DSAR: [email protected]