Privacy Policy

1. Introduction

This Privacy Policy explains how Booktomic ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our service at booktomic.io (the "Service"). We are committed to protecting your privacy in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Spanish data protection laws (Ley Organica 3/2018, LOPDGDD).

Booktomic is not affiliated with any Third-Party Platform. When you connect a third-party account to Booktomic, your interactions with that platform are also governed by that platform's own privacy policy, which you are responsible for reviewing independently.

2. Data Controller

The data controller responsible for your personal data is:

Booktomic
Contact: contact@book-tomic.com

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

Data	Purpose	Legal Basis
Email address	Account creation, authentication, communication	Contract performance
Firebase UID	Unique account identification	Contract performance
Account role	Access control and permissions	Contract performance

3.2 Third-Party Platform Credentials

Data	Purpose	Legal Basis
Third-Party Platform email	Authenticate with the platform on your behalf under your mandate	Explicit consent (separate from account creation)
Third-Party Platform password	Authenticate with the platform on your behalf under your mandate	Explicit consent (separate from account creation)
Third-Party Platform user ID	Identify your account for reservation execution	Explicit consent (separate from account creation)

Third-Party Platform credentials are collected only when you explicitly choose to connect an account, and you may withdraw your consent and delete these credentials at any time by disconnecting your account through the Service.

3.3 Reservation Data

Data	Purpose	Legal Basis
Club selection, dates, times, court preferences	Execute and manage automated reservations under your mandate	Contract performance
Reservation status and history	Provide service functionality and logs	Contract performance

3.4 Payment Data

Data	Purpose	Legal Basis
Card details (encrypted at rest)	Process payments for reservations on Third-Party Platforms and credit purchases	Contract performance

Card details are encrypted using industry-standard symmetric encryption (Fernet/AES) and are only decrypted at the moment of payment execution. We store the minimum data necessary to process payments on your behalf.

3.5 Technical Data

Data	Purpose	Legal Basis
IP address, browser type, session data	Security, fraud prevention, service operation	Legitimate interest
Cookies	Session management, language preferences	Legitimate interest (essential) / Consent (analytics)

3.6 Consent Records

Data	Purpose	Legal Basis
Terms acceptance timestamp, consent flags	Record and demonstrate user consent for legal compliance	Legal obligation / Legitimate interest

4. How We Use Your Data

We use your personal data exclusively for the following purposes:

• Service delivery: to create and manage your account, execute automated reservations under your mandate, and provide the core functionality of the Service.
• Authentication: to verify your identity and manage access to your account.
• Third-Party Platform interaction: to authenticate with and perform reservation actions on Third-Party Platforms on your behalf, using your own credentials and under your explicit authorization.
• Communication: to send you service-related notifications (e.g., reservation confirmations, account alerts).
• Security: to protect against unauthorized access, fraud, and abuse.
• Legal compliance: to comply with applicable laws and regulations.

We do not use your data for marketing purposes, profiling, or automated decision-making. We do not sell your data to third parties.

5. Data Storage and Security

• Your data is stored on secure servers using Google Cloud / Firebase infrastructure.
• Third-Party Platform credentials are encrypted at rest using Fernet symmetric encryption (AES-128-CBC) and are only decrypted when executing reservation actions you have configured.
• We implement appropriate technical and organizational measures to protect your data, including access controls, encryption in transit (TLS), encryption at rest, and regular security reviews.
• Despite our efforts, no method of electronic storage is 100% secure. You acknowledge this inherent risk.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

• Third-Party Platforms: Your credentials are transmitted to Third-Party Platforms solely to perform the reservation actions you have configured and authorized. This is done using your own account - we act as your mandatary (agent).
• Service providers: We use Firebase/Google Cloud for hosting and authentication, and Stripe for payment processing. These providers process data under strict data processing agreements in compliance with GDPR.
• Legal obligations: We may disclose data if required by law, court order, or governmental authority.

7. Data Retention

• Account data: retained for the duration of your account. Deleted upon account termination.
• Third-Party Platform credentials: retained while your account is active and you have connected credentials. You may delete them at any time through the Service by disconnecting your account. They are permanently deleted upon disconnection or account termination.
• Reservation data: retained for the duration of your account for service functionality and history.
• Payment data: retained while your account is active. Deleted upon account termination or when you remove your payment information.
• Technical logs: retained for up to 90 days for security and debugging purposes.
• Consent records: retained for the duration of your account and for a reasonable period after termination to demonstrate compliance.

8. Your Rights (GDPR)

Under the GDPR and LOPDGDD, you have the following rights regarding your personal data:

• Right of access (Art. 15) - obtain confirmation of whether your data is being processed and access to it.
• Right to rectification (Art. 16) - correct inaccurate or incomplete data.
• Right to erasure (Art. 17) - request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18) - restrict the processing of your data in certain circumstances.
• Right to data portability (Art. 20) - receive your data in a structured, machine-readable format.
• Right to object (Art. 21) - object to processing based on legitimate interest.
• Right to withdraw consent - withdraw consent at any time without affecting the lawfulness of prior processing. For Third-Party Platform credentials, you can withdraw consent by disconnecting your account through the Service.

To exercise any of these rights, contact us at: contact@book-tomic.com. We will respond within 30 days.

9. Cookies

We use essential cookies for:

• Session management: to keep you logged in and maintain your session state.
• Language preferences: to remember your chosen language.

We may also use analytics cookies (Google Analytics, Meta Pixel) to understand how the Service is used. These are loaded only with your consent and are subject to the respective providers' privacy policies. You can manage your cookie preferences at any time.

10. International Data Transfers

Your data may be processed on servers located outside the European Economic Area (EEA), specifically through Google Cloud infrastructure. Such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Third-Party Platform Privacy

When you connect a Third-Party Platform account to Booktomic, your interactions with that platform are also governed by that platform's own privacy policy. It is your responsibility to review the privacy policies of any Third-Party Platform you connect. Booktomic is not responsible for the data practices of Third-Party Platforms.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

14. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Spain, the relevant authority is the Agencia Espanola de Proteccion de Datos (AEPD) - www.aepd.es.

15. Contact

For any questions or requests regarding this Privacy Policy or your personal data, contact us at:

Booktomic
Email: contact@book-tomic.com