Privacy policy

Last updated: 2026-05-28

Who we are

This platform is operated by Dimitrios Rarras, based in Greece. No legal entity is yet registered for this service; it is currently operated by an individual and is not a monetised service. For any privacy-related question, contact:

Who this policy covers

This policy describes the personal data that the platform itself collects from operators who manage tenants on the system and from visitors to the platform's public surfaces (the request-account form, this page, the terms page).

If you booked an appointment through one of our tenants, the tenant is the data controller for your booking — please contact the tenant directly to exercise your rights. Each tenant publishes its own privacy policy at /p/{tenant-slug}/privacy.

What we collect

The platform collects personal data in four narrow contexts:

Account-request form. When you submit the request-access form on our website, we collect the name, email address, organisation, optional phone number, and the message you supply. We also record the IP address and browser user-agent of the submitting device for abuse-prevention purposes.

Admin authentication. Operators who manage a tenant have an admin account on the platform. We store the operator's name, email address, a salted password hash (or a one-time-token reset trail), Better Auth session identifiers, and, where enabled, two-factor authentication factors (TOTP secret, hashed recovery codes).

Server access logs. Every HTTP request to the platform is logged with: IP address, user-agent, request path, response code, timestamp, request duration. These logs are used for security monitoring, debugging, and abuse triage.

Error telemetry. When our backend or admin SPA encounters an unhandled error, we send a structured event to Sentry. Personal-data fields (customer email, customer phone, customer notes, request Authorization headers, token query parameters) are scrubbed in our beforeSend hook before any event leaves our servers.

We do not collect special-category data (Art. 9 GDPR) on any of these surfaces. We do not use cookies on the public-facing pages beyond a strictly-necessary session cookie on the admin dashboard.

Lawful basis

We process the data above on the following lawful bases under the General Data Protection Regulation (Regulation (EU) 2016/679):

Where your data lives

The platform's stack is hosted entirely in the European Union. We share personal data only with the sub-processors below, and only to the extent strictly necessary:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Our hosting provider | Operation of the application servers and PostgreSQL database | EU |
| Resend, Inc. | Delivery of platform transactional emails (account-request confirmation, super-admin notification, admin password reset) | EU region |
| Cloudflare, Inc. | Bot protection on the admin login and the account-request form (Cloudflare Turnstile) | Global edge — only the visitor IP and the challenge response are processed at the edge; form body content is never forwarded to Cloudflare |
| Functional Software, Inc. (Sentry) | Backend and admin SPA error tracking | EU region. Personal-data fields are stripped client-side before any event leaves our servers. |

Where a sub-processor is established outside the European Economic Area, the transfer is governed by the European Commission's Standard Contractual Clauses (SCC) and, where applicable, supplementary safeguards.

We do not sell or rent your personal data to any third party.

How long we keep your data

| Type of record | Retention period |
| --- | --- |
| Account-request rows (status new) | Until triaged, then 90 days |
| Account-request rows (status reviewed / archived) | 90 days from triage date, then automatically purged |
| Admin accounts | Duration of the operator's use of the platform; deleted on request or when the account is closed |
| Server access logs | 30 days, then rotated out |
| Sentry error events | Governed by the Sentry project's retention setting (90 days by default) |

Your rights

Under the GDPR, you have the following rights with respect to your personal data:

To exercise any of these rights, email demetriosrarras@gmail.com. We respond within one month as required by Art. 12(3) GDPR.

If you are an end-customer who booked an appointment through one of our tenants, please exercise your rights through the tenant directly — the tenant is the controller for your booking data.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The competent supervisory authority for the platform is the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifisias 1-3, 11523 Athens, Greece. Website: dpa.gr.

Security

We protect your data with appropriate technical and organisational measures, including:

Changes to this policy

We may update this policy from time to time. The version in force is the version published at this URL; the git commit hash and timestamp of the file in our repository are the version record. Substantive changes will be announced to operators by email.