Privacy
SlotFlo Privacy Policy
How SlotFlo processes personal data for accounts, workspaces, booking operations, AI features, providers, retention, rights and security.
Последна актуализация 28 April 2026
Версия 1.0
Тази страница в момента използва английския правен текст до наличието на прегледан превод. Английската версия е референтната правна версия.
Controller and contact
KRASYLNYKOV OLEKSANDR, trading as SlotFlo, is the controller for the processing described in this Privacy Policy where SlotFlo acts as controller.
Address: Carrer del Vallespir, 169, 3-3, 08014 Barcelona, Spain. NIF/NIE: Y9569535P. Privacy contact: privacy@slotflo.com.
We have not appointed a Data Protection Officer. Privacy requests are handled through the privacy contact above.
Privacy Policy version: 1.0. Publication date: 28 April 2026.
English is the reference legal version. If a translated copy differs, the English version prevails unless mandatory law requires otherwise.
Scope and role split
This Privacy Policy covers owners, staff users, End Customers using public booking, AI/widget users, website visitors, API or integration users and marketing visitors.
SlotFlo acts as controller for account, billing, support, security, analytics, marketing measurement, cookie consent, fraud prevention and platform operation data.
The Business Customer is controller for End Customer booking or client data inside the tenant workspace.
SlotFlo is processor for booking, customer and client data processed on behalf of the Business Customer.
Data Processing Terms are included inside the Terms of Use.
Data categories
- Owner data: name, email, authentication identity, workspace membership, settings, support requests and product usage needed to operate the account.
- Staff user data: name, email, role, resource assignment, availability-related access and activity inside the Business Customer workspace.
- Business and workspace data: tenant name, services, categories, resources, locations, schedules, branding uploads, configuration and API or integration settings.
- Booking customer data: names, emails, phone numbers, booking history, booking metadata, comments or notes where the Business Customer enables or enters them.
- Mobile scanner and check-in data: QR or ticket token references, booking check-in status, scanner account access metadata and staff or resource access assignments where mobile access is used.
- Billing data: Stripe customer, subscription, checkout, invoice, payment status and tax or accounting references. SlotFlo does not store full card numbers.
- Transactional email data: recipient, template or event context and delivery status for account, booking, invite, billing and deletion emails.
- Technical, security and log data: IP-derived security signals, user-agent, request metadata, abuse prevention events, audit logs and runtime or error logs where configured.
- Cookies, analytics and browser storage: consent records, auth or session storage, language or theme preferences and consent-gated GA4 where enabled after analytics consent.
- reCAPTCHA data: security and abuse-prevention signals for public booking submission where configured.
- AI/RAG data: uploaded knowledge sources, extracted text, chunks, embeddings, normalized service facts, AI conversation messages, handoff or contact data and related metadata.
- API and integration data: API clients, webhook endpoints, webhook delivery records and integration request metadata.
- Support or admin data: support impersonation audit records, admin actions, support notes and operational records needed to investigate or assist.
Legal bases
SlotFlo processes direct platform data where needed to perform a contract with the Business Customer, operate and secure the service, comply with legal obligations, handle billing, accounting and disputes, respond to support requests and measure analytics only where consent applies.
Where SlotFlo processes End Customer booking or client data inside a workspace, the Business Customer determines the lawful basis and SlotFlo processes that data as processor on the Business Customer's instructions.
Providers and international transfers
SlotFlo uses Supabase for authentication, database and storage infrastructure; Railway for hosted application infrastructure; Stripe for billing and checkout; Resend or another transactional email provider for service emails; OpenAI as the primary and only AI provider for launch; Google for OAuth, reCAPTCHA where configured and consent-gated Google Analytics; and Meta Pixel for marketing measurement when configured and marketing consent is granted.
Telegram is disabled by default and is not part of the active launch provider set.
These providers may process data outside Spain or the EEA depending on their infrastructure and subprocessors. SlotFlo relies on contractual safeguards and keeps optional analytics or marketing disabled unless the relevant consent is granted.
Analytics, cookies and marketing measurement
Google Analytics may be used only after analytics consent.
Meta Pixel may be used for advertising measurement only after marketing consent and when the tag is configured.
SlotFlo does not use Google Tag Manager for the MVP.
The Cookie Policy explains cookies, browser storage, tags, consent and withdrawal controls in more detail.
AI and RAG processing
If the Business Customer uses AI features, uploaded knowledge sources and extracted booking or business information may be processed into searchable chunks, embeddings, normalized facts and AI conversation context.
OpenAI is used through the API for launch. SlotFlo does not use ChatGPT browser sessions as the production AI provider path.
AI Features are assistive and may be wrong, incomplete or outdated. The Business Customer remains responsible for source accuracy and AI-assisted customer communication.
Retention
Operational workspace, customer and booking data is targeted for deletion or anonymisation within 30 days after confirmed workspace deletion or within 30 days after final access termination following unresolved non-payment.
A 7-day payment recovery window applies after payment failure. If billing remains unresolved and access is finally terminated, the 30-day operational cleanup target begins from final termination.
Async email jobs are targeted for pruning after 30 days where safe once they are completed or terminally failed. Pending, running or retryable jobs are not pruned by that retention rule.
RAG data is targeted for cleanup within 30 days after account or workspace deletion. Individual RAG source deletion removes searchable derived records immediately where technically supported.
AI widget browser storage may persist for up to 2 months on an active service, but SlotFlo cannot guarantee deletion from a browser that never revisits.
Backup data may persist temporarily according to normal backup rotation and disaster recovery practices. Backup data is not used for ordinary processing.
Rights and booking customer requests
Where SlotFlo is controller, individuals may contact SlotFlo to request access, correction, deletion, restriction, portability, objection or withdrawal of consent where applicable.
End Customers usually need to contact the Business Customer because the Business Customer is controller for booking or client data inside the workspace.
If an End Customer contacts SlotFlo, SlotFlo may forward or assist the request according to the controller-processor relationship and legal obligations.
Owner export remains limited to supported CSV, XLSX or API features and is available only while the Business Customer is active, trialing or otherwise entitled.
Security
SlotFlo uses Supabase authentication, role-based owner, staff and admin access, tenant separation, backend validation, rate limiting and audit or security logging where implemented.
Staff access remains resource-scoped according to the current role model.
No public Privacy Policy wording exposes internal project refs, secrets, dev URLs or staging details.
Children and contact
SlotFlo is a B2B SaaS tool and is not directed to children.
Privacy questions can be sent to privacy@slotflo.com. General legal contact: legal@slotflo.com.