GDPR & Data Rights

Your GDPR rights

As a user of BookSlot based in the EU or UK, you have the following rights:

• Right to be informed: we tell you exactly what data we collect and why.
• Right of access: request a complete export of all your data within 30 days.
• Right to rectification: correct any inaccurate personal data we hold.
• Right to erasure ("right to be forgotten"): delete your account and all data within 30 days.
• Right to restrict processing: pause data processing while a dispute is resolved.
• Right to data portability: receive your data in JSON format for transfer elsewhere.
• Right to object: object to processing for direct marketing (we don't do this anyway).
• Rights related to automated decision making: we make no automated decisions about you.

Data processing lawful basis

We process your data under the following lawful bases:

• Contract: processing your account and booking data to deliver the service you contracted.
• Legitimate interests: security monitoring and fraud prevention.
• Consent: email communications beyond service messages (you can withdraw any time).

Data retention

We retain data for the following periods:

• Account and business data: for the duration of your account plus 30 days after closure.
• Booking records: 12 months from the date of the booking.
• Payment records: 7 years (required by financial regulations).
• Security logs: 90 days.

International data transfers

Your data is stored in the EU (MongoDB Atlas, Europe West). If data is transferred outside the EU, we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs).

How to make a request

To exercise any of your rights:

• Email privacy@bookslot.io with the subject "GDPR Request — [Your Right]"
• Provide your account email address for verification.
• We will respond within 72 hours and fulfil the request within 30 days.
• There is no charge for exercising your rights.