S
SlotCatcher

Privacy Policy

Last updated: May 8, 2026

🏢Data Controller: dev.DS Dominik Skarbek · Tax ID (NIP) 7952565173 · Tajęcina 18L, 36-002 Jasionka, Poland · hello@slotcatcher.eu

1. Data Controller

The Data Controller is dev.DS Dominik Skarbek, a sole proprietorship registered at: Tajęcina 18L, 36-002 Jasionka, Poland, Tax ID (NIP): 7952565173, email: hello@slotcatcher.eu (hereinafter: the "Controller").

The Controller has not appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, as the nature and scale of data processing do not require such appointment. For all matters regarding personal data protection, please contact the Controller directly at: hello@slotcatcher.eu.

2. SlotCatcher's Role in Data Processing

Depending on the category of data subject, SlotCatcher fulfils different roles under the GDPR:

a) Data Controller — for business owners (Users) who create an account. We process User data for service delivery, billing, and communication.

b) Data Processor — for end Clients joining a waitlist. In this case, the data controller is the specific salon or business (User) whose waitlist the Client joins. SlotCatcher processes this data solely on the User's instructions to provide the notification service, under a data processing agreement.

3. Purposes and Legal Bases for Processing User Data (B2B)

We process business owner data (name, email, business name, billing details) for the following purposes:

a) Service delivery and account management — Art. 6(1)(b) GDPR (performance of a contract);

b) Financial settlements and invoicing — Art. 6(1)(c) GDPR (legal obligation under accounting and tax law);

c) Complaint handling, establishing, exercising, or defending legal claims — Art. 6(1)(f) GDPR (legitimate interest);

d) Service-related communication and policy change notifications — Art. 6(1)(f) GDPR.

Providing data is voluntary but necessary to create an account and use the Service.

4. SMS and Email Notifications for Clients (B2C)

Clients joining a waitlist provide their name, phone number, and/or email address and select their preferred notification language. This data is used exclusively to send notifications about available appointment slots.

Legal basis for processing:

• Art. 6(1)(a) GDPR — Client consent given during sign-up;

• Art. 172 of the Polish Telecommunications Law — consent for SMS communication;

• Art. 10 of the Polish Electronic Services Act — consent for email communication.

Clients may withdraw consent at any time by clicking the unsubscribe link in an email or contacting the salon. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5. Data Recipients (Sub-processors)

Personal data may be shared with the following categories of trusted third parties:

• Supabase Inc. (USA) — cloud infrastructure, database, authentication;

• Stripe Payments Europe Ltd. (Ireland) — payment processing and subscription management;

• SerwerSMS.pl sp. z o.o. (SMSPlanet, Poland) — SMS gateway for sending notifications;

• Transactional email service provider — sending slot availability notifications.

All partners process data solely under data processing agreements (DPAs) and in compliance with GDPR. Data is not shared with third parties for marketing purposes.

6. Data Transfers Outside the EEA

Some technology providers (Supabase Inc., Stripe Inc.) are based in the United States. Data transfers are carried out based on:

• Standard Contractual Clauses (SCCs) approved by the European Commission;

• The EU-U.S. Data Privacy Framework (DPF) — for US entities with active certification.

The SMS gateway provider (SerwerSMS.pl sp. z o.o.) is based in Poland and processes data exclusively within the EEA.

7. Data Retention Period

We retain User data for the duration of the active account. After account deletion, data is retained for the period necessary to:

• fulfil tax and accounting obligations — 5 years from the end of the relevant tax year;

• cover the statute of limitations for civil claims — typically 3 years.

End Client data on waitlists is processed until:

• deleted by the User from the application dashboard;

• consent is withdrawn by the Client (unsubscribe link);

• the User's account is deleted.

8. Rights of Data Subjects

Under the GDPR, you have the following rights:

• Right of access (Art. 15 GDPR);

• Right to rectification (Art. 16 GDPR);

• Right to erasure — "right to be forgotten" (Art. 17 GDPR);

• Right to restriction of processing (Art. 18 GDPR);

• Right to data portability (Art. 20 GDPR);

• Right to object to processing (Art. 21 GDPR);

• Right to withdraw consent at any time (Art. 7(3) GDPR).

To exercise these rights, contact us at: hello@slotcatcher.eu. We will process your request within 30 days.

You also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.

9. Automated Decision-Making and Profiling

SlotCatcher does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect the data subject (Art. 22 GDPR).

The system automatically matches slot notifications to service preferences selected by the Client during waitlist sign-up. This is a technical matching filter and does not constitute profiling affecting the Client's legal situation.

10. Data Security

The Controller implements appropriate technical and organisational measures to protect personal data (Art. 32 GDPR), including:

• Data transmission encryption (SSL/TLS);

• Role-based access control (RBAC);

• Cloud infrastructure certified under SOC 2 Type II;

• User password hashing;

• Regular data backups.

11. Cookies

The SlotCatcher application uses:

• Strictly necessary cookies (always active) — session management, security. No consent required.

• Analytical cookies (optional) — help us understand how users interact with the platform. Installed only after consent is given.

You can change cookie settings in your browser. More information: www.aboutcookies.org.

12. Changes to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy in the event of changes to applicable law, service scope, or technology. Users will be notified of significant changes via email or an in-app message at least 14 days before the changes take effect.

Questions about data protection?

hello@slotcatcher.eu