Your data, your peace of mind.

The data controller under GDPR and the Swiss FADP (nLPD) is POZTEK SA (UID: CHE-152.857.209), based at Avenue Pierre-de-Savoie 66, 1400 Yverdon-les-Bains, Switzerland. We process personal data of Users (salon managers) and of their end clients (appointments, payments, client records).

For any question regarding your data, write to our data protection officer: privacy@slooti.app. We commit to respond within a reasonable timeframe, and within 30 days at the latest.

We collect: (i) account data (name, email, hashed password, phone); (ii) billing data (handled by Stripe, we never store card data); (iii) usage data (logs, IP, anonymised events) for security and product improvement.

As a User, you also import data about your own clients (name, contact, appointment history, notes). For that data Slooti acts as a processor — a dedicated DPA governs that processing.

Your data is processed to: (i) perform the contract (create your account, deliver the Service); (ii) bill the subscription; (iii) secure the platform and prevent fraud; (iv) improve the product through aggregated and anonymised statistics.

The legal bases are performance of the contract (art. 6.1.b GDPR), our legitimate interests (art. 6.1.f GDPR) for security and improvement, and your consent for optional marketing communications.

Account data is kept as long as the account is active. After termination, it is deleted within 90 days, unless legal retention obligations apply (billing, accounting: 10 years in Switzerland).

Technical logs are kept for a maximum of 12 months. Encrypted backups are purged within 30 days following their rotation cycle.

We share only what is strictly necessary with our processors: Supabase (database and file hosting, Switzerland/Zurich), Stripe (payment, PCI-DSS certified), Resend (transactional email, EU), Vercel (application hosting, edge).

Each is bound by a processing agreement compliant with art. 28 GDPR. No data is sold to third parties for commercial purposes.

Our main servers (database and files) are located in Switzerland, in the Supabase Zurich region. Some processors (Stripe, Vercel edge, Resend) may process metadata outside Switzerland, primarily in the EU.

Such transfers are framed by the European Commission's standard contractual clauses and, where relevant, complementary technical measures (encryption at rest and in transit, pseudonymisation).

You have the following rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent. Most of these can be exercised directly from your dashboard (export, account deletion).

For any specific request, write to privacy@slooti.app. You may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), or with the supervisory authority of your country of residence in the EU.

Slooti applies technical and organisational security measures: TLS 1.3 encryption in transit, AES-256 at rest, isolation through Row-Level Security per shop, access logging, encrypted backups, MFA on the owner account.

Despite our efforts, no measure is infallible. In case of a data breach that may affect you, we will notify you as soon as possible and inform the competent authority in compliance with the law.