Privacy Policy

Last updated: 10/12/2025

1. Introduction

This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our online class booking system. This policy complies with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and other applicable data protection legislation in the European Union.

By using our class booking service, you agree to the collection and use of information in accordance with this policy.

 

 

2. Personal data collected

2.1. Data provided directly by you

When you make a class booking through our system, we collect the following personal data:

  • Identification data:
    • Full name
    • Email address
    • Phone number (optional)
  • Booking data:
    • Selected class package
    • Chosen teacher
    • Scheduled class times and dates
    • Time zone (timezone)
    • Additional notes or comments (optional)
    • Preference for receiving Google Calendar invite (optional)

2.2. Automatically collected data

While using our system, we automatically collect:

  • Technical data:
    • IP address
    • Browser type and version (User Agent)
    • Date and time of access
    • Actions performed in the system (audit logs)
  • Payment data:
    • Stripe transaction identifiers (session_id, payment_intent_id, charge_id)
    • Payment status
    • Payment date
    • Receipt URL (when available)

Note: We do not store sensitive credit card data or banking information. All payments are processed through Stripe, which is a PCI-DSS certified payment processor.

 

 

 

3. Purposes of data processing

We use your personal data for the following purposes:

3.1. Performance of service agreement

  • Process and manage your class bookings
  • Confirm and communicate details of your scheduled classes
  • Manage teacher availability and schedules
  • Process payments and issue payment confirmations
  • Send calendar invites (Google Calendar) when requested

3.2. Compliance with legal obligations

  • Maintain accounting and tax records as required by law
  • Comply with legal data retention obligations
  • Respond to requests from competent authorities

3.3. Legitimate interests

  • Improve the quality of our services
  • Prevent fraud and ensure system security
  • Maintain audit logs for security and troubleshooting purposes
  • Implement security measures (rate limiting) to prevent abuse

3.4. Consent

  • Sending marketing communications (only with your explicit consent)
  • Processing optional data (notes, calendar preferences)

 

4. Legal basis for processing

The processing of your personal data is based on the following legal bases under the GDPR:

  • Performance of contract (Art. 6(1)(b) GDPR): To process bookings and payments
  • Compliance with legal obligation (Art. 6(1)(c) GDPR): To comply with accounting and tax obligations
  • Legitimate interest (Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvements
  • Consent (Art. 6(1)(a) GDPR): For marketing communications and optional features

 

5. Data sharing

Your personal data may be shared with the following third parties:

5.1. Service providers

  • Stripe, Inc. (payment processing)
    • Data shared: Payment information, email, transaction identifiers
    • Purpose: Secure payment processing
    • Legal basis: Performance of contract
    • Privacy policy: https://stripe.com/privacy
    • Transfers: Stripe may transfer data to the US under Privacy Shield and Standard Contractual Clauses
  • Email service providers (SMTP)
    • Data shared: Name, email, content of communications
    • Purpose: Sending confirmation emails and notifications
    • Legal basis: Performance of contract
  • Google LLC (only if you request Google Calendar invite)
    • Data shared: Booking information (when you request calendar invite)
    • Purpose: Creating events in Google Calendar
    • Legal basis: Consent
    • Privacy policy: https://policies.google.com/privacy

5.2. Legal obligations

We may disclose your personal data if required by law or in response to valid requests from public authorities.

5.3. International transfers

Some of our service providers may be located outside the European Economic Area (EEA). When we transfer data to third countries, we ensure that appropriate safeguards exist, such as:

  • Standard Contractual Clauses approved by the European Commission
  • European Commission adequacy decision
  • Privacy Shield (when applicable)

 

6. Data retention period

We retain your personal data only for as long as necessary for the purposes for which it was collected:

  • Booking data: Retained during the term of the contract and for a period of 7 years after completion of classes (to comply with accounting and tax obligations)
  • Payment data: Retained for 7 years after the transaction (legal obligation)
  • Audit logs: Retained for 2 years (legitimate security interest)
  • Marketing data: Retained until you withdraw consent or request deletion

After the retention period, data will be securely deleted or anonymized.

 

 

 

7. Data security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: Sensitive data is transmitted through secure connections (HTTPS/TLS)
  • Sanitization: All input data is validated and sanitized before storage
  • Access control: Restricted data access only to authorized personnel
  • Rate limiting: Protection against abuse and unauthorized access attempts
  • Audit logs: Recording of all important actions for security purposes
  • Secure backups: Regular data backups

 

8. Your rights under the GDPR

Under the GDPR, you have the following rights:

8.1. Right of access (Art. 15 GDPR)

You can request a copy of the personal data we hold about you.

8.2. Right to rectification (Art. 16 GDPR)

You can request the correction of inaccurate or incomplete personal data.

8.3. Right to erasure (“Right to be forgotten”) (Art. 17 GDPR)

You can request the deletion of your personal data under certain circumstances, except when we have legal retention obligations.

8.4. Right to restriction of processing (Art. 18 GDPR)

You can request the restriction of processing of your personal data under certain circumstances.

8.5. Right to data portability (Art. 20 GDPR)

You can request the transfer of your personal data to another service provider in a structured, commonly used format.

8.6. Right to object (Art. 21 GDPR)

You can object to the processing of your personal data when based on legitimate interest or for direct marketing purposes.

8.7. Right to withdraw consent

When processing is based on consent, you can withdraw consent at any time, without affecting the lawfulness of prior processing.

8.8. Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data violates the GDPR.

Supervisory authority in Portugal: National Data Protection Commission (CNPD) Rua de São Bento, No. 148, 3rd Floor 1200-821 Lisbon Phone: +351 213 928 400 Email: geral@cnpd.pt Website: https://www.cnpd.pt

 

 

9. How to exercise your rights

To exercise any of your rights, you can contact us through:

Email: [privacy contact email] Postal address: [full address]

We will respond to your request within one month. In complex cases, we may extend this period to two months, informing you in advance.

To ensure the security of your data, we may request proof of identity before processing your request.

 

 

10. Cookies and similar technologies

Our system uses cookies and similar technologies for:

  • Essential cookies: Necessary for the booking system to function
  • Security cookies: For security verification (nonces) and fraud prevention

We do not use tracking or marketing cookies without your explicit consent.

 

 

11. Minors

Our service is not intended for minors under 16 years of age. We do not intentionally collect personal data from minors under 16 without parental or legal guardian consent.

If we become aware that we have collected data from a minor under 16 without appropriate consent, we will take steps to delete that data immediately.

 

 

12. Changes to this policy

We may update this Privacy Policy periodically to reflect changes in our practices or for legal, operational, or regulatory reasons.

We will notify you of significant changes through:

  • Notice on our website
  • Email (when applicable)
  • “Last updated” date at the top of this policy

We recommend that you review this policy periodically to stay informed about how we protect your data.

 

 

13. Contact

  • Email: languageswithpriscila@gmail.com
  • Phone: +33 6 72 51 01 55

 

14. Additional processing information

14.1. Automated processing

Our system uses automated processing for:

  • Verification of schedule availability
  • Management of bookings and schedule conflicts
  • Payment processing through Stripe
  • Automatic sending of confirmation emails

We do not use automated processing for decision-making that produces legal effects or similarly significantly affects you.

14.2. Profiling

We do not perform profiling or automated user profiling.

14.3. Special data

We do not intentionally collect special personal data (data relating to health, racial or ethnic origin, political opinions, etc.), except if voluntarily provided in optional booking notes.

 

 

This Privacy Policy complies with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and was specifically prepared for the online class booking system.