Privacy Policy | Slotlify

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Slotlify
Owner Dmitrii Shapiro
An den Krautgärten 33
65760 Eschborn
Germany

Phone: +49 (0)162 453 61 47
Email: service@slotlify.de

A Data Protection Officer has not been appointed (no legal obligation).

2. Overview: What is Bookload?

Bookload is a platform where event organizers (“Merchants”) can register and create organizations (“Tenants”). End customers (“Customers”) can book events created by Merchants.

Important role allocation:

a) Platform operation (we as controller):

For operating the website/platform (hosting, security, account administration, support, payment processing via payment service providers, etc.) we process personal data as the controller.

b) Booking data in the Merchant ↔ Customer relationship:

Merchants use Bookload to manage bookings of their customers. In this relationship, the respective Merchant is generally the controller for the processing of customer data (e.g., attendee lists, booking history). We typically process such data as a processor on behalf of the Merchant insofar as we process the data exclusively to provide the platform functionality.

The Merchant is responsible for informing their customers about data processing (their own privacy information).

3. Legal bases for processing

We process personal data in particular on the following legal bases:

Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures)
Art. 6(1)(c) GDPR (legal obligation)
Art. 6(1)(f) GDPR (legitimate interests, e.g., security, prevention of abuse, technical provision)
Art. 6(1)(a) GDPR (consent, e.g., for analytics/marketing cookies where applicable)

Consent can be withdrawn at any time with effect for the future.

4. Categories of data

Depending on usage, we process the following data, among others:

a) Merchant/Tenant data (B2B)

Account data: email, password (encrypted/hash), first name, last name, address
Organization data (Tenant): company name, address, VAT ID, contact person
Usage/contract data: booked packages/plan, billing status (no card data)

b) Customer/booking data (B2C)

Booking data: event, date/time, number of seats, status
Customer data (as required for the booking): first name, last name, email address, address, phone number
It is possible to book as a guest (without a customer account).

c) Communication data

Email communication (e.g., confirmations, support requests)

d) Technical data / server logs

When you access the website/platform, data is typically processed for technical reasons (e.g., IP address, date/time, accessed page, user agent, referrer). This data is required to provide and secure the website.

5. Hosting, infrastructure, email

a) Hosting

We host core system components at Hetzner (Germany). Data required for provision as well as log files are processed in this context.

b) Database

Booking and account data are stored in a PostgreSQL database (hosted at Hetzner in Germany).

c) File storage

For storing photos/uploads, we use Google Cloud Storage (region Frankfurt, Germany). Uploaded content and, where applicable, technical metadata are processed.

d) Email delivery

Transactional emails (e.g., confirmations, system notifications) are sent via an SMTP service at Hetzner.

6. Account registration and use by Merchants

Purpose: creation and management of Merchant accounts and Tenants, performance of the contract, billing, support.

Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligations, e.g., retention) and Art. 6(1)(f) GDPR (security, prevention of abuse).

7. Bookings by Customers (end customers)

Purpose: processing and managing bookings, communication (e.g., booking confirmations), providing participant information to Merchants.

If a booking is made as a guest, we process the required customer data (first name, last name, email address, address, phone number) to execute the booking and to communicate (e.g., booking confirmation).

Legal basis: Art. 6(1)(b) GDPR (performance of the booking) and/or Art. 6(1)(f) GDPR (technical operation/security).

Recipients: The respective Merchant receives the booking and participant data necessary to deliver the event (e.g., booking status, and where applicable name/email if collected for the booking).

8. Payment processing

For payments we use payment service providers (e.g., Stripe and PayPal). We do not store full credit card details.

Depending on the payment flow, we receive status information from the payment service providers (e.g., “paid”, transaction ID) for contract performance and billing.

Legal basis: Art. 6(1)(b) GDPR (contract) as well as Art. 6(1)(c) GDPR (tax/commercial law obligations).

Stripe/PayPal may process payment data as independent controllers (or as processors, depending on the specific setup). Further information can be found in the privacy policies of the respective providers.

Stripe privacy policy: https://stripe.com/privacy

PayPal privacy policy: https://www.paypal.com/webapps/mpp/ua/privacy-full

9. Authentication

For login and authentication we use NextAuth and a Payload authentication mechanism. Login via Google (OAuth) may also be available.

If you sign in with Google, we receive the information necessary for login from Google (e.g., email address, possibly name — depending on the scopes/permissions granted).

Legal basis: Art. 6(1)(b) GDPR (providing login/account access).

10. Web analytics

If you have given consent, we use Google Analytics to analyze the use of our website/platform.

In particular, usage data (e.g., page views, interactions, device/browser information) may be processed. IP anonymization is enabled.

Processing takes place only after consent via our consent tool (see cookies/consent).

Legal basis: Art. 6(1)(a) GDPR (consent).

Google privacy policy: https://policies.google.com/privacy

Google Analytics information: https://support.google.com/analytics/answer/6004245

11. Error analysis / monitoring

We use Sentry for technical error analysis and stabilization of the system. Technical data and diagnostic information may be processed (e.g., time, device/browser, possibly affected pages/requests; content is minimized as far as possible).

Purpose: operational security, troubleshooting, abuse detection.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation).

12. Google Places API

We use the Google Places API to provide location-related features (e.g., address/place search). Search queries and technical metadata are transmitted to Google.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in convenient features) and — if technically classified as non-essential — Art. 6(1)(a) GDPR (consent) via the consent tool, depending on the specific implementation.

13. External links

Our website may contain links to external services (e.g., LinkedIn, Discord). If you click such links, you leave our website. The privacy policies of the respective providers apply to their data processing.

14. Cookies, consent management and device access

We use a consent management tool (CookieYes) to manage consent for cookies/technologies.

Cookie categories:

Necessary cookies (for essential functions such as login/security)
Functional cookies
Analytics cookies (e.g., Google Analytics)
Performance cookies
Advertising cookies (where applicable)

We set non-essential cookies/technologies only if you have given prior consent. You can change or withdraw your consent at any time via the cookie settings.

CookieYes privacy policy: https://www.cookieyes.com/privacy-policy/

15. Transfers to third countries

Some service providers we use may process data outside the EU/EEA or transfer it there (e.g., Stripe, Google, Sentry — depending on the specific setup).

Where a transfer to third countries takes place, we rely — where required — on appropriate safeguards (e.g., EU Standard Contractual Clauses) and additional protective measures, as appropriate.

16. Storage period

We store personal data only for as long as necessary for the purposes of processing or as long as we are legally obliged to do so.

Indicative retention periods (unless other obligations apply):

Merchant accounts: at least 12 months; beyond that until deletion/termination if required for contract performance and evidentiary purposes
Booking/billing data: according to statutory retention obligations (depending on the document type generally 6, 8 or 10 years)
Server logs: approx. 30 to 90 days, unless security-related reasons require longer retention
Support/communication data via email: as long as necessary; possibly longer for traceability unless deletion is requested and no retention obligation prevents it
Analytics data (Google Analytics): retention period 14 months (as configured in Google Analytics)

17. Your rights

You have the following rights, provided the legal requirements are met:

Access (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Erasure (Art. 17 GDPR)
Restriction of processing (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection to processing based on legitimate interests (Art. 21 GDPR)
Withdrawal of consent (Art. 7(3) GDPR)

You can send requests at any time to mail@linxnpix.com.

18. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Hesse is:

The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)

P.O. Box 31 63, 65021 Wiesbaden, Germany

Email: poststelle@datenschutz.hessen.de

Phone: +49 611 1408-0

Website: https://datenschutz.hessen.de/

19. Data security

We implement appropriate technical and organizational measures to protect your data, in particular:

TLS/HTTPS encryption
Logging for security and error analysis
Regular updates and maintenance

20. Changes to this privacy policy

We may update this privacy policy if legal requirements, services, or processing activities change. The current version published on our website applies.