Legal

Privacy Policy

Last updated: April 2026 · version 2026.04.1

Data Controller

Email:
privacy@tapsela.com

Operating as unregistered economic activity (działalność nierejestrowana) under art. 5 of the Polish Entrepreneurs’ Law (ustawa Prawo przedsiębiorców).

Data protection contact point

For all matters concerning personal data protection, contact us at privacy@tapsela.com. A Data Protection Officer has not been appointed — the controller is not required to do so under Art. 37 GDPR given the scale and nature of processing.

About this document

This Privacy Policy applies to people booking appointments through book.tapsela.com.

Tapsela provides the booking software. The Specialist with whom you book is an independent professional and is the data controller for your appointment data. Tapsela acts as a processor under a data processing agreement (DPA) signed with the Specialist.

Data we collect

When you book an appointment we may collect:

  • your name
  • your phone number
  • an optional email address
  • the service, date and time of the appointment
  • the Specialist you book with
  • your consents (appointment reminders, marketing) and their history
  • technical data: IP address, user agent, request timestamps

Legal basis for processing

Each category of processing has a defined legal basis under Art. 6(1) GDPR:

  • Creating and managing bookings — Art. 6(1)(b) GDPR (performance of contract between Client and Specialist)
  • Sending booking confirmations — Art. 6(1)(b) GDPR (performance of contract)
  • Sending optional reminders via the Client's preferred channels — Art. 6(1)(a) GDPR (Client consent)
  • Marketing messages — Art. 6(1)(a) GDPR (consent) and Art. 172 of the Polish Telecommunications Act
  • Security, abuse detection, technical logs — Art. 6(1)(f) GDPR (legitimate interest)
  • Compliance with legal obligations — Art. 6(1)(c) GDPR

Retention periods

Data is deleted or anonymised after the retention period:

  • Client data in the Specialist's panel — until deletion by the Specialist or termination of the Specialist's agreement with Tapsela
  • Consent records — 5 years from withdrawal (accountability requirement, Art. 7(1) GDPR)
  • Technical and security logs — 12 months
  • Accounting data (once payments are introduced) — 5 years from end of fiscal year (Polish Tax Ordinance, Accounting Act)

Where data is stored

Data is hosted in the European Union (Supabase, Frankfurt region). Some supporting services (Cloudflare — CDN and abuse protection; Clerk — Client authentication) operate globally, including outside the EEA. Transfer details are described below.

Transfers outside the EEA

Some data may be processed outside the European Economic Area:

  • Cloudflare Inc. (USA) — CDN, DDoS protection, Workers runtime. Data categories: IP addresses, request metadata.
  • Clerk Inc. (USA) — Client authentication on book.tapsela.com. Data categories: phone number, optional email, session identifier.

Communication

Tapsela sends transactional messages on behalf of Specialists (confirmations, reminders, cancellations, reschedule requests). We do not send marketing communication without the Specialist's explicit configuration and a separate Client consent. You can withdraw your consent for reminders at any time by changing your communication preferences via your booking link.

Data subject rights

Under the GDPR you have the following rights:

  • right of access (Art. 15 GDPR)
  • right to rectification (Art. 16 GDPR)
  • right to erasure ('right to be forgotten', Art. 17 GDPR)
  • right to restriction of processing (Art. 18 GDPR)
  • right to data portability (Art. 20 GDPR)
  • right to object (Art. 21 GDPR)
  • right to withdraw consent at any time (Art. 7(3) GDPR) — withdrawal does not affect the lawfulness of processing prior to withdrawal
  • right not to be subject to a decision based solely on automated processing (Art. 22 GDPR) — Tapsela does not make such decisions

Complaint to the supervisory authority

Every person has the right to lodge a complaint with the supervisory authority, which is:

President of the Personal Data Protection Office (UODO) ul. Stawki 2, 00-193 Warsaw, Poland phone +48 22 531 03 00 kancelaria@uodo.gov.pl

To exercise any of the above rights please contact privacy@tapsela.com. We respond without undue delay and no later than within 30 days of receiving the request (Art. 12(3) GDPR).

Children under 16

The Tapsela platform is not intended for people under 16. We do not knowingly collect data from people under 16 without parental or legal-guardian consent. If a Specialist's Client is to be a person under 16, the booking should be made by a parent or legal guardian on their own behalf.

Updates and contact

This policy may be updated. The last update date and version are shown at the top of this page. Privacy questions: privacy@tapsela.com.