Privacy Policy

Last updated: March 15, 2026

1. Identity of the Data Controller

PickASlot is a scheduling platform operated by CMD CYBERSPACE SOFTWARE SOLUTIONS SRL, a company registered in Romania under CUI 46891247 (the "Data Controller").

For any questions or requests regarding the processing of your personal data, you can contact us at privacy@pickaslot.io.

2. Information We Collect

We collect and process the following categories of personal data:

Account Data

When you create an account, we collect your name, email address, and profile picture from your Google or Microsoft account via OAuth.

Calendar Data

When you connect your calendar (Google Calendar or Outlook), we access event titles and times solely for the purpose of checking your availability and creating booking events. We do not read event descriptions, attendee lists, or other metadata beyond what is necessary for availability.

Booking Data

When guests book meetings through your scheduling page, we collect their name, email address, timezone, and any responses to intake questions you configure.

Payment Data

If you enable paid bookings, payments are processed by Stripe. We do not store credit card numbers or full payment details. We retain only transaction identifiers, amounts, and statuses required for invoicing and tax compliance.

Usage Data

We collect anonymized product analytics via PostHog only with your explicit consent. No analytics data is collected until you opt in through our cookie consent banner.

Technical Data

We collect IP addresses and browser metadata via Sentry for the purpose of error tracking, debugging, and maintaining service reliability.

3. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases under the General Data Protection Regulation:

Contract Performance — Art. 6(1)(b)

Processing necessary for the performance of our contract with you, including: maintaining your account, syncing with your connected calendars to determine availability, creating and managing bookings, and sending transactional email notifications (booking confirmations, reminders, cancellations).

Consent — Art. 6(1)(a)

Processing based on your freely given, specific, informed consent, including: analytics cookies (PostHog) and marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Legitimate Interest — Art. 6(1)(f)

Processing necessary for our legitimate interests, including: error tracking and debugging via Sentry, maintaining service security, and preventing fraud. We have conducted balancing tests to ensure these interests do not override your fundamental rights and freedoms.

Legal Obligation — Art. 6(1)(c)

Processing necessary to comply with legal obligations, including: retention of financial and transaction records for tax compliance under Romanian fiscal law.

4. How We Use Your Information

We use your personal data for the following purposes:

  • To create and maintain your account and authenticate your identity
  • To sync with your connected calendars (Google Calendar, Outlook) for real-time availability checking
  • To create calendar events and video meeting links (Google Meet, Microsoft Teams, Zoom) when bookings are made
  • To send booking confirmations, reminders, rescheduling, and cancellation notifications to hosts and guests
  • To process payments via Stripe for paid event types
  • To display your scheduling page and availability to guests
  • To provide in-app notifications about booking activity
  • To improve service reliability through error tracking (Sentry)
  • To understand product usage patterns through anonymized analytics (PostHog, with consent only)
  • To comply with legal and regulatory obligations, including tax record retention
  • To protect against fraud, abuse, and unauthorized access

5. Data Sharing & Sub-processors

We do not sell your personal data. We share data only with the following sub-processors, each of which is necessary for delivering the service:

Sub-processor | Purpose | Data Location
Supabase | Database hosting (PostgreSQL) | EU — AWS eu-west-1, Ireland
Vercel | Application hosting | EU edge network
Google | Calendar integration, authentication (OAuth) | Global (SCCs in place)
Microsoft | Outlook calendar, Teams meetings, authentication (OAuth) | Global (SCCs in place)
Zoom | Video meetings (only if you connect your Zoom account) | Global (SCCs in place)
Stripe | Payment processing | Global (SCCs in place)
Resend | Transactional email delivery | Global (SCCs in place)
PostHog | Product analytics (with consent only) | EU
Sentry | Error tracking | Global (SCCs in place)

We maintain signed Data Processing Agreements (DPAs) with all sub-processors listed above, in accordance with Art. 28 GDPR.

6. International Data Transfers

Your primary data is stored within the EU/EEA (Supabase, AWS eu-west-1, Ireland). However, some of our sub-processors may process data outside the EU/EEA (e.g., Google, Microsoft, Stripe, Zoom, Resend, Sentry).

Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR)
  • Adequacy decisions by the European Commission where applicable (Art. 45 GDPR)

You may request details of the specific safeguards applied to any transfer by contacting us at privacy@pickaslot.io.

7. Data Storage, Security & Retention

Storage & Security

  • Your data is stored in a PostgreSQL database hosted on Supabase in the EU (AWS eu-west-1, Ireland)
  • All data in transit is protected with TLS encryption
  • OAuth tokens for calendar and video integrations are stored securely and are only used to interact with third-party services on your behalf
  • We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction (Art. 32 GDPR)

Retention Periods

  • Active accounts: Data is retained for as long as your account remains active
  • Deleted accounts: All personal data is purged immediately upon account deletion
  • Booking records: Retained for the host's financial and tax obligations. Guests may request anonymization of their personal data within booking records
  • Financial transaction records: Retained for 10 years in accordance with Romanian fiscal law (Codul Fiscal)

8. Your Rights Under the GDPR (Art. 15–22)

As a data subject, you have the following rights under the General Data Protection Regulation:

  • Right of access (Art. 15) — You can export all your personal data from Settings.
  • Right to rectification (Art. 16) — You can edit your profile information directly in Settings.
  • Right to erasure (Art. 17) — You can permanently delete your account and all associated data from Settings. Guests who have booked meetings can request deletion of their personal data at pickaslot.io/gdpr.
  • Right to restrict processing (Art. 18) — You may request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify accuracy or assess an objection).
  • Right to data portability (Art. 20) — You can download your complete data (profile, bookings, event types, calendar connections) as a structured JSON or CSV file from Settings.
  • Right to object (Art. 21) — You may object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7) — You may withdraw consent at any time by adjusting your cookie preferences, disconnecting your calendar, or unsubscribing from marketing communications. Withdrawal does not affect the lawfulness of prior processing.
  • Right to lodge a complaint — You have the right to lodge a complaint with the Romanian supervisory authority, ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal). See Section 14 below for contact details.

To exercise any of these rights, contact us at privacy@pickaslot.io. We will respond within 30 days as required by Art. 12(3) GDPR.

9. Cookies & Tracking

Strictly Necessary Cookies

We use essential cookies for session management and authentication. These cookies are strictly necessary for the service to function and do not require consent under Art. 5(3) of the ePrivacy Directive.

Analytics Cookies

We use PostHog for anonymized product analytics. Analytics cookies are only activated after you provide explicit consent via our cookie consent banner. You can change your preference at any time.

No Advertising or Third-Party Tracking

We do not use advertising cookies or any third-party tracking cookies. No cross-site tracking is performed.

10. Children's Privacy

PickASlot is not directed at children under the age of 16, in accordance with Art. 8 GDPR. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly.

11. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you, as described in Art. 22 GDPR.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the supervisory authority (ANSPDCP) without undue delay and no later than 72 hours after becoming aware of it, in accordance with Art. 33 GDPR.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, in accordance with Art. 34 GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes that affect how your personal data is processed, we will notify you via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page will be revised accordingly.

14. Contact & Supervisory Authority

Data Controller

CMD CYBERSPACE SOFTWARE SOLUTIONS SRL, CUI 46891247, Romania
Email: privacy@pickaslot.io

Supervisory Authority

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod postal 010336, Bucuresti, Romania
Website: www.dataprotection.ro