Privacy Policy

Last updated: 21 March 2026

1. Who We Are

Slotstack (“we”, “us”, “our”) is a multi-tenant class booking platform operated from London, United Kingdom. We provide scheduling, payment, and communication tools to studios, gyms, and other businesses that run scheduled sessions (“Studios”), and to the customers who book with them (“End Users”).

2. Data We Collect

Studio Owners & Staff

  • Email address and name (account creation & login)
  • Studio name, timezone, currency, and branding settings
  • Stripe Connect account ID (for payment processing — we do not store bank details)
  • Google Calendar OAuth tokens (if calendar sync is enabled — stored encrypted, revocable at any time)

End Users (Customers)

  • Name, email, and phone number (provided during booking or account creation)
  • Booking history, pass balances, and subscription status
  • Payment amount and status (processed via Stripe — we do not see or store card numbers)
  • Gift card purchase and redemption records

Automatically Collected

  • IP address (used for rate limiting — not stored permanently)
  • Supabase authentication session cookies (httpOnly, secure, first-party only)

We do not use third-party analytics, advertising trackers, or marketing cookies.

3. How We Use Your Data

  • Process bookings and payments
  • Send transactional emails (booking confirmations, cancellations, OTP codes, gift cards)
  • Send SMS reminders (if enabled by the Studio and the customer has provided a phone number)
  • Sync calendar events (if the instructor has connected Google Calendar)
  • Enforce rate limits and prevent abuse (IP-based, via Upstash Redis)
  • Debug errors and improve reliability (via Sentry error reporting)

We do not sell, rent, or share personal data with advertisers or data brokers.

4. Sub-Processors

We use the following third-party services to operate the platform:

Service          Purpose                    Data Shared
Supabase         Database & authentication  All platform data (hosted in AWS eu-west-2)
Stripe           Payment processing         Customer email, payment amounts
Resend           Transactional email        Recipient email, email content
Twilio           SMS reminders              Phone number, message text
Google Calendar  Instructor schedule sync   Booking time, title (no customer PII)
Upstash          Rate limiting              Hashed IP address (ephemeral)
Sentry           Error monitoring           Error stack traces, request metadata
Vercel           Hosting & CDN              HTTP request logs (auto-purged)

5. Data Retention

  • Bookings & transaction records: retained for the lifetime of the Studio account plus 7 years (UK tax requirements)
  • Customer accounts: retained while the Studio is active; deletable on request
  • Auth sessions: expire after 7 days of inactivity
  • Rate limit data: ephemeral, expires within minutes
  • Error logs (Sentry): auto-purged after 90 days

6. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”)
  • Restrict or object to processing
  • Port your data to another service
  • Withdraw consent at any time (e.g. disconnect Google Calendar, unsubscribe from SMS)

For End Users: your data is held on behalf of the Studio. Contact the Studio directly in the first instance. If unresolved, contact us.

7. Cookies

We use only essential first-party cookies for authentication (Supabase session) and CSRF protection (OAuth flows). We do not use advertising, analytics, or preference cookies.

Because we use only strictly necessary cookies, no cookie consent banner is required under UK/EU ePrivacy regulations.

8. Security

We protect your data with:

  • Row-Level Security (database isolation per tenant)
  • Encrypted connections (TLS everywhere)
  • Rate limiting on all public endpoints
  • Advisory locks to prevent race conditions
  • httpOnly secure cookies (no client-side token exposure)
  • Webhook signature verification (Stripe)

9. International Transfers

Our infrastructure is hosted primarily in the EU/UK (Supabase eu-west-2, Vercel edge). Some sub-processors (Stripe, Sentry, Resend) process data in the United States under Standard Contractual Clauses (SCCs) or equivalent safeguards.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to Studio account holders. The “last updated” date at the top indicates the latest revision.

11. Contact

For privacy-related enquiries or to exercise your rights, email privacy@slotstack.io.

© 2026 Slotstack