Privacy Policy
Last updated: 12 July 2026
1. Who is responsible
Slotora Ltd (company number 17330293, registered in England & Wales) is the data controller for the personal data described here, except where an organiser collects data from their participants — for that data the organiser is the controller and Slotora is their processor (see section 7). Contact: hello@slotora.app.
2. What we collect
- Account data — name, email, password (hashed), or your Google account identity; passkeys if you add them; timezone; email-verification status.
- Profile data you choose to add — nickname, photo, bio, location, gender (for the default avatar), and optional sports details (sport, position, height, weight, kit colour, etc.). All optional; you control card visibility.
- Content — oras you create, votes and comments, group posts and chat, direct messages, uploaded images and files.
- Participation data — when you respond to an ora, your answers plus (to prevent duplicate voting) a browser-stored device identifier, your IP address, and a cookie. Guests may be asked for a name and optionally an email/phone by the organiser.
- Payment data — payments are processed by Stripe; card details go directly to Stripe and never touch our servers. We keep records of transactions (amounts, status, who paid whom) and, for organisers, Stripe account status.
- Bookings — name, email, chosen slot, answers to the organiser's intake questions.
- Technical data — logs, and push-notification subscriptions if you enable reminders.
3. Why we use it (legal bases)
- To run the service (contract): accounts, oras, groups, messages, payments, bookings, reminders.
- To keep it fair and safe (legitimate interests): duplicate-vote prevention (device/IP checks), rate limiting, spam and fraud prevention, moderation of reported content.
- To communicate (contract/legitimate interests): transactional email — verification, reminders you or an organiser trigger, booking confirmations, moderation notices. Marketing (e.g. the waitlist newsletter) only with your consent, with unsubscribe in every email.
- Legal obligations: financial record-keeping, responding to lawful requests.
4. Who we share it with
We don't sell personal data, and Slotora has no advertising. We share data only with processors that run the service:
| Provider | Purpose |
|---|---|
| Stripe | Payments, subscriptions, organiser payouts (Stripe is an independent controller for its own compliance) |
| Vercel | Hosting the application |
| Railway | Database hosting |
| Resend | Sending transactional email |
| Loops | Waitlist / marketing email (consent-based) |
| UploadThing | Storing uploaded images and files |
| Optional "Sign in with Google" |
Some providers process data outside the UK/EEA (e.g. in the US); where they do, transfers are covered by recognised safeguards such as the UK Extension to the EU–US Data Privacy Framework or standard contractual clauses. Content you share (a public poll link, a public fundraiser, your public booking page) is visible to whoever you share it with.
5. How long we keep it
- Account and content data: while your account exists. Finished oras move to a bin and are permanently deleted about 30 days later.
- Transaction records: kept up to 6 years for tax/accounting law.
- If you delete your account, we delete or anonymise your personal data promptly, keeping only what the law requires us to keep (see section 6).
6. Your rights
Under UK GDPR you can:
- Access / export — download a copy of your data from Settings → Privacy ("Export my data").
- Erase — delete your account from Settings → Privacy ("Delete my account").
- Rectify — edit your profile and content in the app any time.
- Object / restrict / withdraw consent — e.g. unsubscribe from marketing at any time.
- Complain — to the ICO (ico.org.uk) if you're unhappy with how we handled your data. We'd appreciate the chance to fix it first: security@slotora.app.
7. Data organisers collect
Organisers can ask participants for information (sign-up sheet fields, booking intake questions, payment details for an event). The organiser decides what to ask and why, so the organiser is the controller of those answers and must have a lawful basis for collecting them; Slotora stores them as the organiser's processor. If you have questions about data an organiser collected from you, contact the organiser first — we'll help if needed.
8. Children
Slotora is not for children under 13, and we don't knowingly collect their data. Teams groups offer supervised-member controls for youth settings; supervised members cannot use direct messages.
9. Security
Passwords are hashed, data is encrypted in transit, card data is handled solely by Stripe, and admin actions are double-gated and audit-logged. No system is perfectly secure — report vulnerabilities to security@slotora.app.
10. Changes
We'll update this policy as the service evolves and give notice of significant changes. See also the Cookie Policy.
Slotora Ltd · Company No. 17330293, registered in England & Wales. Questions? Email hello@slotora.app.