Parties & purpose
✶ TL;DR
You = controller. Slooti = processor. This DPA covers it all.
This Data Processing Agreement ("DPA") is entered into between the User of Slooti, acting as Data Controller, and POZTEK SA (UID: CHE-152.857.209), acting as Processor within the meaning of art. 28 GDPR and the Swiss FADP.
It governs exclusively the processing by Slooti of the personal data you import or create on the platform regarding your end clients (the "Data"). It does not cover data concerning you directly, which is governed by the Privacy Policy.
Definitions
✶ TL;DR
Same definitions as GDPR/FADP.
Terms used (Personal Data, Processing, Sub-processor, Data Breach, etc.) have the meaning given to them by the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
In case of conflict between the GDPR and FADP definitions, the more protective definition prevails.
Nature & purpose of processing
✶ TL;DR
Provide a salon-management SaaS — that's it.
Slooti processes the Data only to provide the Service as defined in the Terms: storing client records, managing appointments, point-of-sale, history, notifications.
Slooti does not use the Data for its own purposes, does not resell it, does not cross-reference it with other sources, and does not exploit it for targeted advertising.
Categories of data & data subjects
✶ TL;DR
Salon's end clients: identity, contact, appointments, notes.
Categories of data subjects: end clients of the salon, salon employees, prospects having booked an appointment.
Categories of data: identity (first name, last name), contact (email, phone), appointment data (date, service, employee), transaction history, optional notes left by the salon. No sensitive data is meant to transit through Slooti unless the User imports it — which is under their own responsibility.
Processor obligations
✶ TL;DR
Confidentiality, instructions, assistance, breach notification.
Slooti commits to: (i) process the Data only on documented instructions from the Controller; (ii) ensure the confidentiality of its personnel; (iii) implement the technical and organisational security measures described below; (iv) assist you in handling requests from data subjects.
In case of a data breach, Slooti will notify you as soon as possible and within 72 hours after becoming aware of it, with the elements needed for your own notification to the supervisory authority.
Security measures
✶ TL;DR
Encryption, RLS, backups, audits, optional MFA.
Slooti implements: TLS 1.3 encryption in transit, AES-256 at rest, isolation through Row-Level Security per shop, automatic encrypted backups, access logging, MFA available for admin accounts.
An internal security review is conducted at least once a year. Slooti reserves the right to update technical measures to maintain or improve the level of security, never to lower it.
Sub-processors
✶ TL;DR
Public list. Any change notified 30 days ahead.
Slooti relies on sub-processors to deliver the Service: Supabase (database and file hosting, Switzerland/Zurich), Stripe (payment, global), Resend (email, EU), Vercel (frontend, edge). An up-to-date list is available upon request.
Any change to that list will be notified to you at least 30 days in advance, giving you the possibility to object on legitimate grounds. Absent objection, the change is deemed accepted.
Transfers, duration, return
✶ TL;DR
EU/CH first, SCCs elsewhere, return or deletion on demand.
The Data is hosted in Switzerland, in the Supabase Zurich region. Any transfer outside Switzerland (metadata, transactional email, payment) is framed by the standard contractual clauses and complementary technical measures.
The DPA is concluded for the duration of the main contract (Terms). At termination, Slooti will return or delete the Data within 90 days, at your choice, save for legal retention obligations. An export can be requested at any time from the dashboard.
Signed
POZTEK SA
Av. Pierre-de-Savoie 66 · 1400 Yverdon-les-Bains
UID · CHE-152.857.209
Last updated · May 2026 · v1.0