Privacy Notice
Last updated: 18 April 2025
FlexKapG (“SlotFinch”, “we”, “us”)
Registered office: [insert address], 1070 Vienna, Austria
Contact (all privacy matters): [email protected]
1 Scope
This notice explains how we handle personal data when you use slotfinch.com, our merchant dashboard, or our booking widgets, regardless of where you live.
Cookie‑specific information has been moved to a separate Cookie Policy.
We aim to comply with:
- EU and UK GDPR
- § 165 TKG 2021 (Austria)
- California CCPA/CPRA
- Canada PIPEDA
- Australia Privacy Act 1988
2 What data we collect
| Category | Typical examples | Source |
|---|---|---|
| Account data | name, e‑mail, password hash | you |
| Shop data | opening hours, service titles, photos | merchant |
| Booking data | chosen slot, notes, status | buyer & merchant |
| Payment meta | transaction ID, last 4 digits of card, VAT number | payment provider |
| Usage & log data | IP address, device/browser, time stamps | your device |
| Support records | tickets, chat history | you |
We do not collect full payment card numbers; they stay with our payment gateway.
3 How and why we use your data
| Purpose | Legal basis* |
|---|---|
| Create accounts, publish shops, process bookings | Contract |
| Invoice merchants, comply with tax & accounting laws | Legal obligation |
| Prevent fraud, secure our platform | Legitimate interest |
| Improve features, fix bugs, analyse performance | Legitimate interest |
| Send product updates & marketing e‑mails | Consent (you can withdraw anytime) |
*Art. 6(1)(a‑f) GDPR or equivalent provisions in other laws.
4 Sharing & international transfers
We share data only with:
- Service providers (cloud hosting in EU, e‑mail/SMS vendors, payment processors).
- Authorities when required by law.
If data leave the EEA/UK we rely on EU Standard Contractual Clauses or an adequacy decision (e.g. Canada, UK, USA‑DPF).
5 Retention
We keep data only as long as necessary:
- Account & shop data – while your account is active + 3 years (Austrian limitation period).
- Booking & payment records – 7 years (Austrian accounting rules).
- Logs – 14 days unless needed for security investigations.
- Marketing consent – until you withdraw.
6 Your rights
| Region | Key rights |
|---|---|
| EU / UK | access, rectification, erasure, portability, restriction, objection, lodge complaint with supervisory authority |
| California | right to know, delete, correct, opt‑out of “sale/sharing”, limit use of sensitive data |
| Canada | access, correction, withdraw consent |
| Australia | access, correction, make a privacy complaint |
We respond within one month (or the shorter period your local law sets).
7 Security
We use TLS encryption, hashed passwords (Argon2id), role‑based access, and least‑privilege API keys. If we ever suffer a breach that is likely to affect you, we will notify you and regulators without undue delay.
8 Changes
We will post updates here and e‑mail registered users at least 14 days before material changes take effect.
9 Contact & complaints
E‑mail: [email protected]
Postal: see top of document.
EU/EEA users may also contact the Österreichische Datenschutzbehörde (Barichgasse 40‑42, 1030 Vienna). UK users may contact the ICO; California users the Attorney‑General; Canadian users the Office of the Privacy Commissioner; Australian users the OAIC.