Privacy policy

How CMD CYBERSPACE SOFTWARE SOLUTIONS S.R.L handles personal data under the GDPR (Regulation (EU) 2016/679) and Romanian Law 190/2018.

Last updated: 2026-05-31

1. Overview

This notice explains what personal data we process when you use PickASlot, why we process it, and the rights you have. It is provided to you as required by Articles 13 and 14 GDPR.

2. Who is the data controller

The controller for the PickASlot platform is CMD CYBERSPACE SOFTWARE SOLUTIONS S.R.L, registered office at Strada Penes Curcanul 14, sector 3, Bucuresti, VAT/CUI RO46891247. Data protection contact: privacy@pickaslot.io. If you book a slot through an operator (venue), that operator is a separate, independent controller for the booking data they collect through us.

3. Lawful bases

We rely on the following Article 6 GDPR lawful bases:
• Performance of a contract - to operate your account and process bookings (Art. 6(1)(b)).
• Legal obligations - accounting, tax, consumer protection (Art. 6(1)(c)).
• Legitimate interests - security, fraud prevention, service improvements (Art. 6(1)(f)).
• Consent - analytics and marketing cookies, optional emails (Art. 6(1)(a)).

4. What data we collect

Account: name, email, hashed credentials, profile preferences, language. Bookings: guest name, email, phone (if provided), selected slot, location and activity. Payments: Stripe handles card data directly; we receive payment status and last 4 digits only. Technical: IP address (hashed before storage for rate-limit and abuse detection), browser metadata, error logs. Consent: a timestamped record of cookie choices, including the banner version shown.

5. Why we use it

To run the booking flow, send confirmation and reminder emails or SMS, prevent abuse, comply with Romanian accounting and consumer-protection law, and - with consent - to measure traffic and run advertising.

6. How long we keep it

Account data: as long as the account is active, plus 30 days after deletion request. Booking records: 10 years from the booking date (Romanian accounting law). Logs: 90 days. Consent records: 24 months (proof of consent under Art. 7(1) GDPR). Marketing data: until you withdraw consent.

7. International transfers

Primary processing happens in the EU (Supabase EU, Vercel EU). Some sub-processors (Google, Resend, Sinch, Cloudflare) may transfer data to the US under the EU–US Data Privacy Framework or Standard Contractual Clauses (Art. 46 GDPR). You can request a copy of the safeguards by emailing privacy@pickaslot.io.

8. Sub-processors

We use the following sub-processors: Supabase (database, EU), Vercel (hosting, EU), Resend (transactional email), Sinch (SMS), Google (Calendar OAuth, Ads), Cloudflare (Turnstile CAPTCHA on public forms). The live list with DPA links is below.

9. Automated processing (Art. 14(2)(g))

We run a small number of automated checks on the public booking form to prevent abuse: Cloudflare Turnstile bot scoring, per-IP / per-email / per-phone rate limits, a disposable-email blocklist, and an internal sweep that promotes repeat offenders to a 30-day blocklist on the targeted venue. These checks can refuse a booking attempt but never produce legal effects against you within the meaning of Art. 22 GDPR. If you believe a refusal was wrong, contact privacy@pickaslot.io; we will review it with a human in the loop and lift the block if appropriate.

10. Your rights

Under Articles 15–22 GDPR you may request access, rectification, erasure, restriction, or portability, or object to processing. You may also withdraw any consent you have given. See the GDPR rights page for the exercise procedure.

11. How to complain

You can contact our DPO at privacy@pickaslot.io. You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) at https://www.dataprotection.ro/.

12. Changes to this policy

Material updates are announced via the cookie banner version and on this page. The date at the top of the page reflects the most recent change.

Current sub-processors

Per Article 28(2) GDPR, here is the live list of sub-processors we use. We notify operators before adding or replacing any entry.

| Provider | Purpose | Region | DPA |
| --- | --- | --- | --- |
| Vercel Inc. | Application hosting, edge compute, CDN | EU (fra1, dub1) | View |
| Supabase Inc. | Managed PostgreSQL database (EU region) | EU (eu-west-1) | View |
| Resend, Inc. | Transactional email delivery (booking confirmations, reminders, GDPR requests) | EU + US (with SCCs) | View |
| Sinch AB | SMS reminders (only when SMS is enabled by the operator) | EU + US (with SCCs) | View |
| Google LLC | OAuth sign-in; Google Ads tagging only after marketing consent | EU + US (DPF certified) | View |
| Cloudflare, Inc. | Turnstile CAPTCHA / bot scoring on the public booking and GDPR-request forms | Global (US, with SCCs + EU-US DPF) | View |

Operators may object to a new sub-processor within 30 days of notice - write to the privacy contact above.