Política de privacidad

1. Introduction and Data Controller

This Privacy Policy describes how Astral Prism S.r.l.s. (hereinafter “SKDL.ME”, “we” or “the Controller”), with registered office at Piazza Roma 5, 00015 Monterotondo (RM), Italy — VAT No. and Tax Code 18380411001, REA RM-1781416 — collects, uses, stores and protects the personal data of users of the SKDL.ME service.

This policy applies to all users of the service, including account holders (“Account Holder”), guests who make bookings (“Guest”) and website visitors. This policy is drawn up in accordance with Regulation (EU) 2016/679 (“GDPR”), Italian Legislative Decree 196/2003 and subsequent amendments, as well as the California Consumer Privacy Act (“CCPA/CPRA”) for users residing in California.

2. Definitions

• Personal Data: any information relating to an identified or identifiable natural person.
• Processing: any operation or set of operations performed on personal data, such as collection, recording, organisation, storage, consultation, use, disclosure, erasure or destruction.
• Data Controller: the natural or legal person who determines the purposes and means of the processing of personal data. For Account Holder data, the Data Controller is Astral Prism S.r.l.s.
• Data Processor: the natural or legal person who processes personal data on behalf of the Controller.
• Service: the SKDL.ME platform accessible via the skdl.me website and its scheduling features.
• Account Holder: the registered user who creates and manages booking pages.
• Guest: the person who makes a booking through a booking page.
• Booking Page: the public page created by an Account Holder through which Guests can book appointments.
• Sub-processor: a third-party provider that processes personal data on behalf of SKDL.ME in connection with the provision of the Service.

3. Data Collected

When you use SKDL.ME, we collect the following categories of personal data:

3.1 Account Data

When you sign in via Google or Microsoft OAuth, we collect: full name, email address and profile picture. We do not have access to the password of your Google or Microsoft accounts.

3.2 Calendar Data

When you connect a Google or Microsoft calendar, we access only the availability data (free/busy status) and event times to determine your availability. We do not read the titles, descriptions, attendees or content of events for the purpose of availability checks. We create, modify and delete calendar events only for confirmed, rescheduled or cancelled bookings.

3.3 Booking Data

When a guest makes a booking, we collect: name, email address and any additional data entered in the custom fields of the booking page (configured by the Account Holder).

3.4 Payment Data

Payments are processed entirely by Stripe. SKDL.ME does not collect, store or have access to credit or debit card data. We retain only the Stripe transaction identifier, amount and payment status for subscription management purposes.

3.5 Technical and Usage Data

We automatically collect: IP address, browser type and version, operating system, device type, pages visited, interaction timestamps and aggregated browsing data. These data are collected via Google Analytics in anonymised form.

3.6 Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy.

4. Legal Basis for Processing

Pursuant to Art. 6 of the GDPR, we process your personal data on the following legal bases:

• Performance of a contract (Art. 6.1.b): processing is necessary to provide you with the scheduling service, manage your account, process bookings and send confirmations and reminders.
• Legitimate interest (Art. 6.1.f): processing is necessary for our legitimate interests, including service improvement, usage analytics, platform security and the prevention of fraud and abuse.
• Legal obligation (Art. 6.1.c): processing is necessary to comply with legal obligations, including tax, accounting and record-keeping requirements.
• Consent (Art. 6.1.a): for promotional communications and non-essential (analytics) cookies, processing takes place only with your explicit consent, which you may withdraw at any time.

5. How We Use Your Data

We use the data collected for the following purposes:

• Provide, maintain and improve the SKDL.ME scheduling service
• Create and manage calendar events for confirmed bookings
• Send booking confirmations, reminders and modification/cancellation notifications
• Communicate service updates, support responses and security notices
• Analyse usage patterns to improve the product (aggregated and anonymised data)
• Ensure platform security and prevent fraud, abuse and unauthorised access
• Comply with legal, tax and accounting obligations
• Send promotional communications (only with your consent, with the option to opt out at any time)

6. Calendar Permissions and Data Minimisation

Our policy is to access and process only the minimum amount of data necessary to deliver the service. When you connect a Google or Microsoft calendar:

• Reading events: we access event times to determine your availability (free/busy). We do not read or analyse event content.
• Creating events: we create calendar events for confirmed bookings.
• Modifying/Deleting: we modify or delete events when a booking is rescheduled or cancelled.

You may disconnect your calendar at any time from your account settings. Disconnection immediately revokes our access. In exceptional technical troubleshooting cases, we may need to temporarily access additional calendar data, but only with your explicit permission.

6.1 Revoking Permissions

In addition to disconnecting the calendar from SKDL.ME settings, you may revoke the permissions granted to our application directly from your accounts:

• Google: visit https://myaccount.google.com/permissions to view and revoke SKDL.ME's access to your Google account.
• Microsoft (work/school account): visit https://myapps.microsoft.com to manage and revoke application permissions.
• Microsoft (personal account): visit https://account.live.com/consent/Manage to view and revoke the consents granted to SKDL.ME.

Revoking permissions from Google or Microsoft will immediately terminate our access to your calendar data and may limit or prevent the functioning of the Service. Data already collected will be processed in accordance with the retention policies described in Section 10.

7. Data Sharing and Sub-processors

We do not sell your personal data to third parties. We do not share your data with advertisers nor use your data for third-party advertising purposes. We share data only in the following limited circumstances:

7.1 With Your Guests

Your name, availability and booking page information are visible to persons who access your booking link.

7.2 Sub-processors

We use the following third-party providers, bound by data processing agreements (DPA):

7.3 Compliance with Google and Microsoft API Policies

SKDL.ME's use and transfer to any other app of information received from Google APIs will comply with the Google API Services User Data Policy, including the Limited Use requirements.

This privacy policy is compliant with and at least as restrictive as the Microsoft Privacy Statement with respect to the processing of data obtained through Microsoft APIs.

In particular, data obtained through Google and Microsoft APIs will under no circumstances be used for:

• Targeted, personalised, retargeted or interest-based advertising
• Sale to data brokers or information resellers
• Creditworthiness determination or lending purposes
• Building databases for resale or redistribution
• Training artificial intelligence or machine learning models (beyond individual user personalisation)
• Any other purpose not directly related to providing or improving user-facing Service functionality

7.4 Legal Obligations

We may disclose your data when required by law, by a court order or by a competent authority, or when necessary to protect our rights, property or the safety of our users.

7.5 Corporate Transactions

In the event of a merger, acquisition, business transfer or insolvency proceedings, personal data may be transferred to the succeeding entity, which shall be bound by the same protection obligations set forth in this policy. With respect to data obtained through Google and Microsoft APIs, such transfer shall take place only with the explicit consent of the user, as required by the respective API policies.

8. International Data Transfers

Our primary servers are located in Germany (Frankfurt), within the European Economic Area (EEA). Some of our sub-processors (Stripe, Google, Microsoft) may process data outside the EEA, in particular in the United States.

For data transfers outside the EEA, we ensure that appropriate safeguards are in place, including:

• Adequacy decisions of the European Commission (Art. 45 GDPR)
• Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46.2.c GDPR)
• EU-US Data Privacy Framework for transfers to the United States, where applicable

You may request specific information about the safeguards adopted by contacting us at [email protected].

9. Data Security

We adopt appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, destruction or alteration. These measures include:

• Encryption of all data in transit via TLS (HTTPS)
• Encryption of data at rest
• OAuth tokens stored securely and never exposed to client-side code
• Strict access controls based on the principle of least privilege
• No credit card data stored in our systems
• Continuous monitoring and periodic security assessments

9.1 Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority (Italian Data Protection Authority — Garante per la Protezione dei Dati Personali) within 72 hours of becoming aware of the breach, pursuant to Art. 33 GDPR. If the breach is likely to result in a high risk to your rights, we will inform you directly without undue delay (Art. 34 GDPR).

10. Data Retention

We retain your personal data only for as long as necessary for the purposes for which they were collected. The specific retention periods are set out below:

Certain anonymised and aggregated data may be retained indefinitely for statistical and product improvement purposes, as they do not constitute personal data.

In compliance with the Microsoft API requirements, in the event of account abandonment (an account inactive for a prolonged period without response to our notices), in addition to the account deletion described above, we will delete all personal data obtained through third-party APIs (Google, Microsoft), including access tokens, calendar data and user profile. The only data retained beyond that point will be data necessary to comply with statutory obligations (e.g. tax and accounting data).

11. Cookies

We use essential cookies for authentication and session management. Analytics cookies are used only with your consent. We do not use third-party advertising cookies.

For detailed information about the cookies we use, their purposes and how to manage your preferences, please refer to our Cookie Policy.

12. Your Rights under the GDPR

As a data subject, you have the following rights in relation to your personal data:

• Right of access (Art. 15): you have the right to obtain confirmation as to whether your personal data are being processed and to receive a copy of your personal data.
• Right to rectification (Art. 16): you have the right to obtain the correction of inaccurate personal data or the completion of incomplete data.
• Right to erasure (Art. 17): you have the right to obtain the erasure of your personal data (“right to be forgotten”), unless processing is necessary for compliance with a legal obligation.
• Right to restriction (Art. 18): you have the right to obtain the restriction of processing in certain circumstances.
• Right to data portability (Art. 20): you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit them to another controller.
• Right to object (Art. 21): you have the right to object to the processing of your personal data based on legitimate interest, including profiling.
• Right to withdraw consent: where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to the withdrawal.

To exercise your rights, contact us at [email protected]. We will respond to your request within 30 days. We may request verification of your identity before proceeding.

You also have the right to lodge a complaint with the competent supervisory authority. For Italy, the authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).

13. California Users' Rights (CCPA/CPRA)

If you reside in California, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), you have the following additional rights:

• Right to know: you may request which categories and specific personal data we collect, the sources, the purposes and the third parties with whom we share them.
• Right to deletion: you may request the deletion of your personal data, subject to the exceptions provided by law.
• Right to opt out of sale: we confirm that we do not sell or share your personal data with third parties for advertising or commercial purposes.
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at [email protected]. You may submit requests up to 2 times per 12-month period.

14. Roles in Data Processing

14.1 SKDL.ME as Data Controller

Astral Prism S.r.l.s. acts as Data Controller for Account Holder data (registration, account, payment and usage data).

14.2 SKDL.ME as Data Processor

For Guest data collected through booking pages, SKDL.ME acts as Data Processor. The Account Holder who creates the booking page is the Data Controller for their guests' data and is responsible for:

• Ensuring a valid legal basis for the collection of guest data
• Providing an adequate privacy notice to their guests, where required
• Responding to data subject rights requests from their guests

The terms governing data processing as a Processor are set out in the Data Processing Agreement (DPA) incorporated into our Terms of Service.

15. Children's Privacy

The Service is not intended for persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child, we will promptly delete such data. If you believe that we have collected data from a child, please contact us immediately at [email protected].

16. Do Not Track Signals

We honour “Do Not Track” (DNT) signals sent by your browser. When we detect an active DNT signal, we do not use analytics cookies and do not collect usage data via Google Analytics for your session.

17. Changes to This Policy

We may update this policy periodically to reflect changes to our practices or to comply with new regulatory requirements. In the event of material changes:

• We will notify you by email and/or in-app notification at least 30 days in advance
• We will clearly indicate the date of the last update
• Previous versions of the policy will be available upon request

Your continued use of the Service after the publication of changes constitutes acceptance of the updated policy.

18. Contact Us

For any questions regarding this policy, the processing of your personal data or to exercise your rights, you may contact us:

• Privacy email: [email protected]
• Legal email: [email protected]
• Data Controller: Astral Prism S.r.l.s., Piazza Roma 5, 00015 Monterotondo (RM), Italy
• VAT No. / Tax Code: 18380411001