Privacy Policy

Last updated: April 2026 · version 2026.04.1

Data Controller

Email: privacy@tapsela.com

Operating as unregistered economic activity (działalność nierejestrowana) under art. 5 of the Polish Entrepreneurs’ Law (ustawa Prawo przedsiębiorców).

Overview

This Privacy Policy describes how Tapsela processes personal data when you use the service at tapsela.com and the booking surface book.tapsela.com. The Policy follows Regulation (EU) 2016/679 (GDPR) and the Polish Personal Data Protection Act of 10 May 2018. The Tapsela data controller is identified in the "Data Controller" block displayed at the top of this page.

Data protection contact point

For all matters relating to personal data protection, contact us at privacy@tapsela.com. A Data Protection Officer has not been appointed — the controller is not required to do so under art. 37 GDPR given the scale and nature of processing.

Data we collect

We may process Specialist data (name, email, login credentials) and Client data entered into the system (name, phone, optional email, appointment details, location, notes, communication preferences and consent history).

Purpose of processing

Data is used to provide the service, manage appointments, send transactional messages, ensure security, and improve the product.

Legal bases for processing

Each category of processing has a defined legal basis under art. 6(1) GDPR:
• Specialist account creation and operation — art. 6(1)(b) GDPR (performance of contract). Data: name, email, login credentials.
• Creating and serving appointment bookings — art. 6(1)(b) GDPR (performance of contract between Client and Specialist). Data: name, phone, appointment details.
• Sending appointment confirmations and reminders — art. 6(1)(b) GDPR. Data: phone or email, appointment details.
• Optional reminders via Client-preferred channels — art. 6(1)(a) GDPR (Client consent).
• Marketing communications — art. 6(1)(a) GDPR (Client consent) and art. 172 of the Polish Telecommunications Act.
• Security, abuse detection, technical logs — art. 6(1)(f) GDPR (legitimate interest of the controller). Data: IP address, user agent, request metadata.
• Performance of legal obligations (e.g. accounting) — art. 6(1)(c) GDPR.

Retention periods

Data is deleted or anonymised after the retention period:
• Specialist account data (active account) — for the duration of the contract.
• Specialist account data after contract termination — 30 days (recovery window), then deletion.
• Client data in the Specialist panel — until deleted by the Specialist or the contract ends.
• Consent records — 5 years after consent withdrawal (compliance demonstration obligation, art. 7(1) GDPR).
• Technical and security logs — 12 months.
• Accounting data (after billing is introduced) — 5 years from the end of the accounting year (Polish Tax Ordinance, Accounting Act).

Where data is stored

Data is hosted in the European Union (Supabase, Frankfurt region). Some supporting services (Cloudflare — CDN and DDoS protection; Clerk — Client authentication on the booking surface) operate globally, including outside the EEA.

Transfers outside the European Economic Area

Some data may be processed outside the EEA. In particular:
• Cloudflare Inc. (USA) — CDN, DDoS protection, Workers runtime. Data: IP addresses, request metadata.
• Clerk Inc. (USA) — Client authentication on book.tapsela.com. Data: phone number, optional email, session identifier.

Each transfer takes place under the Standard Contractual Clauses approved by Commission Implementing Decision 2021/914 of 4 June 2021. Copies of the SCCs are available on request to privacy@tapsela.com. We have also signed Data Processing Agreements (DPAs) with Cloudflare and Clerk.

Analytics and cookies

During early access we do not load any analytics tools or analytics cookies. The full list of cookies set by the platform (including Cloudflare and Clerk) is described on the Cookies page. If we introduce analytics in the future, those tools will be enabled only after explicit consent via a cookie banner.

Communications

Tapsela may send transactional messages on behalf of Specialists (confirmations, reminders, cancellations, rescheduling requests). These messages are part of the service. We do not send marketing communications without explicit configuration by the Specialist and separate Client consent. The Client may withdraw reminder consent at any time by changing communication preferences in the booking link.

Rights of data subjects

Under the GDPR every data subject has the following rights:
• right of access (art. 15 GDPR),
• right to rectification (art. 16 GDPR),
• right to erasure ("right to be forgotten", art. 17 GDPR),
• right to restriction of processing (art. 18 GDPR),
• right to data portability (art. 20 GDPR),
• right to object to processing (art. 21 GDPR),
• right to withdraw consent at any time (art. 7(3) GDPR) — withdrawal does not affect the lawfulness of processing carried out before withdrawal,
• right not to be subject to decisions based solely on automated processing (art. 22 GDPR) — Tapsela does not make such decisions,
• right to lodge a complaint with a supervisory authority.

The supervisory authority is the President of the Personal Data Protection Office (UODO):
ul. Stawki 2, 00-193 Warsaw, Poland
tel. +48 22 531 03 00
kancelaria@uodo.gov.pl
https://uodo.gov.pl

To exercise any of the above rights, contact privacy@tapsela.com. We respond without undue delay and within 30 days at the latest (art. 12(3) GDPR).

Data of persons under 16

The Tapsela platform is not intended for persons under 16. We do not knowingly collect data of persons under 16 without parental or legal-guardian consent. If a Specialist's Client is to be a person under 16, the booking should be made by the parent or legal guardian on their own behalf.

Contact

privacy@tapsela.com