Privacy Policy
Last Updated: March 2, 2026
Effective Date: March 2, 2026
Feki Development ("we," "us," or "our") operates the SlotlyBooking mobile application and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Feki Development acts as the data controller for personal data collected through the Service.
By using SlotlyBooking, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name (required)
- Email address (required)
- Phone number (optional)
- Password (stored as a bcrypt hash; we never store your plaintext password)
If you sign in using a third-party provider (Google or Apple), we receive your name and email address from that provider. For Google Sign-In, we may also receive your profile photo. For Apple Sign-In, you may choose to hide your email address, in which case Apple provides a private relay address. We do not receive or store your Google or Apple password.
1.2 Business Information
If you register a business on SlotlyBooking, we collect:
- Business name and legal name
- Business email and address
- Business description
- Country, timezone, and currency preferences
- Social media links (Instagram, Facebook, Google Maps)
- Business operating hours and closed dates
- Services offered (names, descriptions, pricing, duration)
1.3 WhatsApp Integration Data
When you connect your WhatsApp Business Account, we collect and process:
- Meta Business Account ID and WhatsApp Business Account ID
- WhatsApp phone number ID
- WhatsApp access tokens (stored encrypted using AES-256-GCM)
- Incoming and outgoing message content (stored encrypted using AES-256-GCM)
- Message metadata (timestamps, delivery status, message type)
- Customer phone numbers and names from WhatsApp conversations
1.4 Reservation and Booking Data
For reservations made through the Service, we collect:
- Customer name, phone number, and email (if provided)
- Reservation date, time, and duration
- Service(s) booked and pricing
- Number of persons
- Reservation notes
- Booking source (WhatsApp, manual entry, or booking widget)
- Reservation status history
1.5 AI Conversation Data
When our AI-powered booking assistant processes messages, we collect:
- Conversation session data (start time, expiry)
- Detected intent (booking, cancellation, rescheduling, inquiry)
- Extracted entities (service, date, time, number of persons)
- AI confidence scores
- Token usage metrics
- Context summaries for ongoing conversations
1.6 Device and Technical Information
We automatically collect:
- Device type and operating system
- Language and locale preferences
- Timezone information
- Push notification tokens (for sending notifications)
- IP address and user agent (for audit logging)
1.7 Payment and Billing Information
For subscription management, we collect:
- Subscription plan and billing status
- Trial period information
- Usage counters (reservations and messages per month)
Note: All subscriptions are purchased through our website, not inside the mobile app. Payment card details are collected and processed directly by our payment processor. We do not store your credit card numbers on our servers.
- Konnect (all users): We retain your Konnect payment reference and subscription details for managing your account. Konnect is authorized by the Central Bank of Tunisia and supports both national and international bank cards (Visa, MasterCard). Payment details are handled by Konnect in accordance with Konnect's Privacy Policy.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Process bookings, manage reservations, send and receive WhatsApp messages, and operate AI-powered booking features
- Communicate with you: Send email verifications, staff invitations, booking confirmations, reminders, and service-related notifications
- Process payments: Manage subscriptions, billing, and usage tracking through our payment processor (Konnect)
- Improve the Service: Monitor usage patterns, enforce plan limits, and enhance our AI booking assistant
- Ensure security: Authenticate users, prevent fraud, and maintain audit logs
- Comply with legal obligations: Respond to legal requests and enforce our Terms of Service
3. AI-Powered Features
SlotlyBooking uses artificial intelligence (powered by Google Gemini) to:
- Understand and respond to customer booking requests via WhatsApp
- Extract booking details (service, date, time, number of persons) from natural language messages
- Generate contextual responses in multiple languages (English, French, Spanish, German)
- Detect customer intent (new booking, cancellation, rescheduling, general inquiry)
Important: AI-generated responses may contain inaccuracies. Business owners can configure and disable AI auto-replies at any time. Messages flagged as low-confidence are routed to human staff for review.
Your WhatsApp message content is sent to Google's Gemini API for processing. Google's use of this data is governed by Google's Privacy Policy and Google Cloud Data Processing Terms.
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 Third-Party Service Providers
We use the following third-party services to operate SlotlyBooking:
| Provider | Purpose | Data Shared |
|---|---|---|
| Meta (WhatsApp Cloud API) | WhatsApp messaging and business account integration | Messages, phone numbers, business account data |
| Google (Gemini AI) | AI-powered booking assistant | Message content for intent detection and response generation |
| Google (OAuth) | Sign in with Google authentication | Name, email address, profile photo |
| Apple (Sign In with Apple) | Sign in with Apple authentication | Name, email address (or private relay email) |
| Konnect | Payment processing and subscription management | Email, billing information, subscription details |
| MailerSend | Transactional emails | Email addresses, names (for verification and invitation emails) |
| Expo | Push notifications and mobile app infrastructure | Push notification tokens, device information |
4.2 Legal Requirements
We may disclose your information if required to:
- Comply with applicable law, regulation, or legal process
- Respond to lawful requests from public authorities
- Protect the rights, property, or safety of Feki Development, our users, or the public
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Service before your information becomes subject to a different privacy policy.
5. Data Security
We implement robust security measures to protect your information:
- Encryption at rest: WhatsApp messages and access tokens are encrypted using AES-256-GCM with per-record nonces and authentication tags
- Encryption in transit: All data transmitted between your device and our servers uses TLS/HTTPS
- Password security: User passwords are hashed using bcrypt with a cost factor of 12
- Token security: Refresh tokens are hashed with SHA-256 before storage and expire after 7 days
- Access tokens: Short-lived JWT tokens for session authentication
- Secure mobile storage: Authentication tokens on your device are stored using platform-secure storage (Expo SecureStore)
- Audit logging: Sensitive operations are logged with IP address, user agent, and action details
While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service:
- Account data: Retained until you delete your account
- Reservation data: Retained for the duration of your business account for historical and analytics purposes
- WhatsApp messages: Retained in encrypted form (AES-256-GCM) for the duration of your business account
- AI conversation data: Session data expires automatically; conversation history is retained with thread data until account deletion
- Audit logs: Retained for security and compliance purposes
- Webhook events: Processed events are deduplicated and temporary data is stored in Redis with automatic expiration
- Billing records: Retained as required by applicable tax and financial regulations
When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
7.1 For All Users
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your account and associated personal data
- Notification preferences: Configure which notifications you receive (new bookings, cancellations, rescheduling, reminders, marketing, new messages)
- AI controls: Enable or disable AI auto-replies
7.2 Additional Rights for EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you also have the right to:
- Data portability: Receive your data in a structured, commonly used, machine-readable format
- Restriction of processing: Request we restrict the processing of your data under certain circumstances
- Object to processing: Object to processing of your data for certain purposes, including direct marketing
- Withdraw consent: Withdraw your consent at any time where we rely on consent as the legal basis for processing
- Lodge a complaint: File a complaint with your local data protection authority
Legal Bases for Processing (GDPR Article 6):
- Contract performance: Processing necessary to provide the Service you requested (account management, bookings, messaging)
- Legitimate interests: Processing for our legitimate business interests (security, fraud prevention, service improvement)
- Consent: Processing based on your explicit consent (push notifications, marketing communications)
- Legal obligation: Processing necessary to comply with legal requirements
7.3 How to Exercise Your Rights
To exercise any of these rights, contact us at contact@slotlybooking.com. We will respond to your request within 30 days (or sooner where required by law).
You can also:
- Delete your account through the app's Settings page
- Update your notification preferences in the app
- Manage your AI settings in the Business Settings
8. International Data Transfers
Feki Development is based in Tunisia. Your information may be transferred to and processed in countries other than your own, including countries where our third-party service providers operate (United States for Meta, Google, Apple, Expo; Tunisia for Konnect; varied locations for MailerSend).
For transfers of personal data from the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- The data processing agreements of our service providers
9. Children's Privacy
SlotlyBooking is a business management tool intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will take steps to delete that information promptly.
If you believe a child under 16 has provided us with personal information, please contact us at contact@slotlybooking.com.
10. Device Permissions
SlotlyBooking may request the following device permissions:
| Permission | Purpose | Required |
|---|---|---|
| Push Notifications | Receive real-time alerts for new bookings, messages, and reminders | Optional |
| Secure Storage | Securely store authentication tokens on your device | Required |
| Internet Access | Communicate with our servers and third-party services | Required |
| Clipboard | Copy phone numbers and other information for convenience | Optional (on use) |
| Web Browser | Open OAuth authentication flows and external links | On demand |
| Localization | Detect your language and timezone for proper formatting | Automatic |
SlotlyBooking does not request access to your camera, contacts, microphone, location (GPS), or file storage.
11. Push Notifications
We may send you push notifications for:
- New booking requests and confirmations
- Booking cancellations and rescheduling
- New WhatsApp messages
- Booking reminders (available on paid plans)
- Marketing and promotional updates (with your consent)
You can manage your notification preferences in the app's Settings, or disable push notifications entirely through your device's system settings.
12. Third-Party Links
The Service may contain links to third-party websites or services (e.g., WhatsApp, Instagram, Facebook, Google Maps). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the updated policy within the app
- Updating the "Last Updated" date at the top of this policy
- Sending a notification for material changes
Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Feki Development
Legal entity: Feki Development
Country: Tunisia
Address: Ariana 2080, Tunisia
Email: contact@slotlybooking.com
For GDPR-related inquiries, you may also contact your local data protection authority.
15. Data Safety Summary
This section provides a summary for app store Data Safety disclosures:
Data Collected
| Data Type | Collected | Shared | Purpose |
|---|---|---|---|
| Name | Yes | With service providers | Account, booking management |
| Yes | With service providers | Account, communications | |
| Phone number | Optional | With WhatsApp (Meta) | WhatsApp messaging |
| Password | Yes (hashed) | No | Authentication |
| Business info | Yes | No | Service provision |
| Messages | Yes (encrypted) | With Meta, Google AI | WhatsApp messaging, AI processing |
| Booking data | Yes | No | Reservation management |
| Payment info | Via payment processor | With Konnect | Subscription billing |
| Device info | Yes | With Expo | Push notifications |
| Usage data | Yes | No | Analytics, plan enforcement |
Security Practices
- Data encrypted in transit (TLS/HTTPS)
- Messages encrypted at rest (AES-256-GCM)
- Passwords hashed (bcrypt)
- Users can request data deletion
- Data is not sold to third parties