Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Slotlify
Owner Dmitrii Shapiro
An den Krautgärten 33
65760 Eschborn
Germany
Phone: +49 (0)162 453 61 47
Email: service@slotlify.de

No data protection officer has been appointed, as, based on our current understanding, there is no legal obligation to do so.


2. Overview: What is Slotlify about?

Slotlify is a platform through which event organizers and other providers of bookable services (“Merchants”) can register and create their own organizations or entities (“Tenants”). End customers (“Customers”) can book events or other services through the public storefront of a Merchant or Tenant.

This Privacy Policy applies to the use of our website, our platform, and related services. It applies both to:

  • Merchants who use Slotlify to manage their offers, bookings, and Tenants, and
  • Customers who make bookings through a storefront or obtain information about events.

Important note on role allocation

The data protection role depends on the specific context in which data is processed:

a) Platform operation by Slotlify

For the operation of the website and platform, technical provision, hosting, security, account management, support, contract administration, billing of Merchant plans, and certain integrations with payment service providers, we process personal data as controller.

b) Booking data in the Merchant ↔ Customer relationship

When Merchants use Slotlify to manage bookings, participant information, or customer data of their Customers, the respective Merchant is generally the controller for such processing. To the extent that we process such data solely for the technical provision of platform functions to the Merchant, we typically act as processor on behalf of the respective Merchant.

In such cases, the respective Merchant is responsible for independently and lawfully informing its Customers about the processing of their personal data.

c) Payment processing via payment service providers

For online payments, we use payment service providers, in particular Stripe. For online payments made by Customers for the benefit of a Merchant, Connected Accounts may also be used within Stripe Connect. In this context, the respective payment service provider regularly processes personal data, at least in part, under its own data protection responsibilityin accordance with its own privacy policy. Further information can be found below in this Privacy Policy and in the privacy notices of the respective providers.


3. Legal bases for processing

We process personal data in particular on the following legal bases:

  • Art. 6(1)(b) GDPR (contract / pre-contractual measures)
  • Art. 6(1)(c) GDPR (legal obligation)
  • Art. 6(1)(f) GDPR (legitimate interest, e.g. security, fraud prevention, technical provision, system stability)
  • Art. 6(1)(a) GDPR (consent, e.g. for analytics or marketing cookies, where used)

To the extent that we process personal data on behalf of a Merchant, such processing is also based on a data processing agreement pursuant to Art. 28 GDPR, provided that the legal requirements are met.

Consents may be withdrawn at any time with effect for the future.


4. Categories of data

Depending on use, we process in particular the following categories of personal data:

a) Merchant / Tenant data (B2B)

  • Account data: email address, password (encrypted / hash), first name, last name, address
  • Organizational / Tenant data: company name, address, VAT ID, contact person, business information
  • Contract and usage data: booked plan, billing status, invoice information, terms, cancellation status
  • Support and communication data
  • Data related to the activation of online payments, in particular Connected Account status, verification status, and payment enablement

b) Customer / booking data (B2C)

  • Booking data: event, date/time, number of seats, status, booked services
  • Customer data, where required for the booking: first name, last name, email address, address, phone number
  • Guest booking data, where booking without a customer account is possible
  • Participant information, where required by the Merchant for the performance of the service

c) Payment and transaction data

  • Payment status (e.g. paid, open, refunded)
  • Transaction IDs, reference numbers
  • Information about the selected payment method
  • For Merchant plans: information relating to payment to Slotlify
  • For Customer bookings: information relating to online payments for the benefit of the Merchant
  • Information related to Stripe Connect, in particular Connected Account ID, onboarding status, capabilities / enablements, payout status, and similar account information

d) Communication data

  • Email communications, e.g. support requests, confirmations, system notices, booking-related messages

e) Technical data / server logs

When our website and platform are accessed, data is typically processed for technical reasons, such as:

  • IP address
  • date and time of access
  • pages / resources accessed
  • user agent / browser type / operating system
  • referrer URL
  • status codes / technical error data

This data is required to provide the website, ensure security, and maintain system stability.


5. Hosting, infrastructure, database, file storage, and email

a) Hosting

We host central system components with Hetzner in Germany. In this context, the data and log files required for providing and securing the platform are processed.

b) Database

Booking, account, contract, and organizational data are stored in a PostgreSQL database, which is also hosted by Hetzner in Germany.

c) File storage

For storing photos, uploads, and other files, we use Google Cloud Storage, according to our current setup in the Frankfurt, Germany region. Uploaded content and, where applicable, technical metadata are processed in this context.

d) Email delivery

Transactional emails and system emails, such as confirmations, verifications, and technical notices, are sent via an SMTP service at Hetzner.

Privacy notice: https://www.hetzner.com/legal/privacy-policy/


6. Account registration and use by Merchants

Purpose

Creation and management of Merchant accounts and Tenants, performance of the contract, provision of the platform, billing, support, security, and fraud prevention.

Data processed

In particular account data, organizational data, plan and contract data, technical usage data, and support data.

Legal basis

  • Art. 6(1)(b) GDPR (contract / performance of the user agreement)
  • Art. 6(1)(c) GDPR (legal obligations, e.g. tax and commercial retention obligations)
  • Art. 6(1)(f) GDPR (security, fraud prevention, system operation)


7. Bookings by Customers

Purpose

Execution and management of bookings, communication in connection with bookings, provision of booking and participant information to Merchants, technical operation of storefronts and booking flows.

Data processed

In particular name, email address, phone number, address, booking data, event data, and status information, insofar as required for the specific booking.

Where a booking is made as a guest, we process the customer data required for carrying out the booking and communication, in particular for booking confirmations or follow-up questions.

Legal basis

  • Art. 6(1)(b) GDPR, insofar as processing is required for carrying out the booking
  • Art. 6(1)(f) GDPR, insofar as processing is required for the technical operation, security, and integrity of the platform

Recipients

The respective Merchant receives the booking and participant data required for the performance of the event or service, insofar as such data was collected within the booking process.

Important note

To the extent that we process booking and customer data solely on behalf of the Merchant, this is done as data processing on behalf of the Merchant. In such cases, the respective Merchant is generally primarily responsible for informing its Customers under data protection law and for ensuring the relevant legal basis.


8. Payment processing

We use payment service providers, in particular Stripe. We do not store complete credit card data ourselves.

Depending on the specific payment process, we receive status information from payment service providers, such as:

  • “paid”
  • “open”
  • “failed”
  • “refunded”
  • transaction ID / reference data

We need this information for contract performance, billing, payment allocation, and support cases.

Legal basis

  • Art. 6(1)(b) GDPR (contract / payment processing / booking)
  • Art. 6(1)(c) GDPR (tax and commercial law obligations)
  • Art. 6(1)(f) GDPR (fraud prevention, traceability, system security)

Important note on role allocation

Payment service providers such as Stripe regularly process payment data, depending on the specific setup, in whole or in part as independent controllers under their own privacy policies. This applies in particular to payment processing, fraud prevention, risk checks, regulatory requirements, and identity and verification processes.

Stripe Privacy Policy: https://stripe.com/privacy

Further information on data processing by Stripe, including the Data Processing Agreement (DPA): https://stripe.com/de/legal/dpa


9. Stripe Connect / Connected Accounts

When Merchants activate online payments for their Customers, Stripe Connect may be used for this purpose. In this context, we may transmit personal data of the Merchant and, where applicable, authorized representatives to Stripe or retrieve such data from Stripe, insofar as this is necessary for the setup, verification, management, and use of the Connected Account.

The following data may in particular be processed:

  • name, email address, and contact details of the Merchant or contact persons
  • company and address data
  • tax-related or regulatory information required by law
  • status information relating to the Connected Account
  • verification and enablement status
  • information on payment enablement, payout capability, and restrictions

Purpose

  • setup and management of online payments for Merchants
  • performance of onboarding with Stripe
  • verification and activation of payment functions
  • technical display of account and status information in the Merchant dashboard
  • fraud prevention and compliance with regulatory requirements

Legal basis

  • Art. 6(1)(b) GDPR (performance of the contract with the Merchant)
  • Art. 6(1)(c) GDPR (compliance with legal obligations, where applicable)
  • Art. 6(1)(f) GDPR (secure and functional operation of the platform and payment functions)

Stripe processes certain personal data in connection with identity checks, verification, fraud prevention, and payment processing under its own privacy policy. Privacy notice: https://stripe.com/privacy


10. Merchant plans and payments to Slotlify

When Merchants book a paid plan, we process the contract, billing, and payment data required for that purpose.

Purpose

  • performance of the contract
  • invoicing
  • proof of payments
  • management of terms, cancellations, and renewals
  • compliance with statutory retention obligations

Legal basis

  • Art. 6(1)(b) GDPR
  • Art. 6(1)(c) GDPR


11. Platform fees for Customer bookings

Depending on the selected Merchant plan, a platform fee may be charged in favor of Slotlify for bookings. This platform fee may be technically processed through the payment service provider used, e.g. as an Application Fee within Stripe Connect.

In this context, we process the transaction and allocation data required for this purpose, in particular:

  • booking references
  • payment status
  • amount of the platform fee
  • Merchant allocation
  • transaction information relevant for billing

Purpose

  • calculation and billing of the platform fee
  • technical allocation of fees to bookings and Merchants
  • documentation and accounting purposes

Legal basis

  • Art. 6(1)(b) GDPR
  • Art. 6(1)(c) GDPR
  • Art. 6(1)(f) GDPR


12. Authentication

For login and authentication, we use NextAuth and a Payload authentication mechanism. Login via Google (OAuth) may also be available.

If you log in via Google, we receive from Google the information required for login, such as email address and, where applicable, name, depending on the permissions / scopes granted.

Purpose

Provision of login and account functions, secure authentication, and session management.

Legal basis

Art. 6(1)(b) GDPR


13. Web analytics

If you have given your consent, we use Google Analytics to analyze the use of our website and platform.

In this context, usage data may in particular be processed, such as:

  • page views
  • interactions
  • device and browser information
  • approximate location information
  • technical usage parameters

IP anonymization is activated, insofar as this is provided for in the relevant implementation.

Legal basis

Art. 6(1)(a) GDPR (consent)

Processing takes place only after the corresponding consent has been given through our consent management.

Google Privacy Policy: https://policies.google.com/privacy

Information on Google Analytics: https://support.google.com/analytics/answer/6004245


14. Error analysis / monitoring

We use Sentry for technical error analysis and stabilization of the system. In this context, technical data and error diagnostics may be processed, such as:

  • time of an error
  • browser / device
  • technical requests
  • affected pages or components
  • contextual information for troubleshooting to a minimized extent

Purpose

Operational security, error resolution, system stability, and abuse detection.

Legal basis

Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation)

Privacy notice: https://sentry.io/privacy/


15. Google Places API

We use the Google Places API to provide location-related functions, such as address or place search. Search requests and technical metadata may be transmitted to Google in this context.

Legal basis

  • Art. 6(1)(f) GDPR, insofar as the function is required for convenient and appropriate use
  • and, where the specific implementation requires consent, Art. 6(1)(a) GDPR via consent management


16. External links

Our website and platform may contain links to external services, e.g. LinkedIn or Discord. If you click on such links, you leave our website. The privacy notices of the respective external providers are exclusively applicable to data processing by those providers.


17. Cookies, consent management, and device access

We use our own consent management to manage consent for cookies and similar technologies.

Cookie categories may in particular include:

  • necessary cookies (e.g. login, security, session)
  • functional cookies
  • analytics cookies
  • performance cookies
  • advertising cookies, where used

We only set non-essential cookies or technologies if you have previously consented. You can change or withdraw your consent at any time via the cookie settings.


18. Data transfer to third countries

Some service providers used by us may process data outside the EU or EEA or transfer data there, in particular depending on the specific use and configuration, e.g. Stripe, Google, or Sentry. Where data is transferred to third countries, we rely, where legally required, on appropriate safeguards, such as adequacy decisions or standard contractual clauses, and, where applicable, additional protective measures.


19. Storage period

As a rule, we store personal data only for as long as this is necessary for the respective purposes or as long as statutory retention obligations exist.

Indicative periods, unless different obligations apply:

  • Merchant accounts: at least 12 months; beyond that until deletion / termination of the contract, insofar as required for contract handling, evidentiary, or defense purposes
  • Booking and billing data: according to the applicable statutory retention periods, depending on the type of document generally 6, 8, or 10 years
  • Server logs: approx. 30 to 90 days, unless security-related reasons require longer storage
  • Support and communication data: as long as necessary; possibly longer for traceability, unless a deletion obligation applies
  • Analytics data (Google Analytics): according to the configured retention period, currently e.g. 14 months, if configured accordingly


20. Your rights

Provided that the legal requirements are met, you have the following rights:

  • access (Art. 15 GDPR)
  • rectification (Art. 16 GDPR)
  • erasure (Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection to processing based on legitimate interests (Art. 21 GDPR)
  • withdrawal of consent with effect for the future (Art. 7(3) GDPR)

You may send requests at any time to: service@slotlify.de

If your request relates to booking data that a Merchant processes under its own responsibility, it may be necessary for you to contact the respective Merchant first.


21. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. In Hesse, the competent authority is:

The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)

Postfach 31 63, 65021 Wiesbaden, Germany

Email: poststelle@datenschutz.hessen.de

Phone: +49 611 1408-0

Website: https://datenschutz.hessen.de/


22. Data security

We implement appropriate technical and organizational measures to protect personal data, in particular:

  • TLS / HTTPS encryption
  • role- and permission-based access concepts, where technically implemented
  • logging for security and error analysis
  • regular updates and maintenance
  • measures to secure accounts and infrastructure


23. Changes to this Privacy Policy

We may amend this Privacy Policy if the legal situation, our services, our integrations, or the type of data processing changes. The version currently published on our website shall apply.

In the event of discrepancies or inconsistencies, the German version shall prevail.