Privacy Policy

Soljahub is operated from Spain. This policy describes how we collect, use, and protect your personal data under the EU General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).

1. Data we collect

• Account: email address (required), full name and phone number (optional)
• Bookings: studios, dates, times, rooms, and equipment you book
• Payments: amounts and transaction metadata. Card details are handled entirely by Stripe; we never see or store them.
• Usage data: if you grant analytics consent, we collect aggregate product analytics and error reports (see §4).

2. Lawful bases (GDPR Art. 6)

• Contract performance: processing your bookings, passes, and payments; authenticating you via magic link.
• Legal obligation: retaining transaction records for Spanish tax and accounting law.
• Legitimate interest: fraud prevention and core service security. Balanced against your rights.
• Consent: analytics, error diagnostics, and the feedback widget. You can change your choice any time in the cookie preferences banner or by clearing your browser storage.

3. Sub-processors we use

We share the minimum data needed with these providers. All non-EU providers operate under Standard Contractual Clauses for cross-border transfers.

• Stripe — payment processing (Ireland / US, PCI-DSS, SCCs).
• Resend — transactional email delivery (US, SCCs).
• Gleap — customer-support chat widget (Germany). Loaded on every page so you can always reach us for help. We only receive the messages you choose to send.
• PostHog EU — product analytics (Germany). Only loaded with your consent.
• Sentry — error monitoring (US, SCCs). Only loaded with your consent.

4. Cookies and trackers

We use essential cookies (the session cookie that keeps you signed in) and load the Gleap support-chat widget on every page so you can reach us for help. Non-essential scripts — PostHog, Sentry, and Google Translate — do not load until you accept them in the cookie banner. You can switch categories on or off at any time by clearing thesoljahub_consent_v1entry in your browser's local storage; the banner will reappear.

5. Retention

• Account data: kept while your account is active.
• Bookings and payments: up to six years after the transaction, as required by the Spanish Código de Comercio.
• Analytics events: aggregated and rolled up within a 12-month window.
• On account deletion, your name, email, and phone are erased. Booking and payment rows are retained in anonymized form for the legal retention period above.

6. Your rights (GDPR Art. 15–22)

• Access and portability: download a JSON copy of your data from Settings → Privacy & Data.
• Rectification: update your name and phone in Settings.
• Erasure: delete your account from Settings → Privacy & Data.
• Restriction and objection: write to us at [email protected].
• Withdraw consent: toggle analytics/feedback off in the cookie banner.
• Lodge a complaint: with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

7. Security

Data is encrypted in transit (TLS) and at rest in our PostgreSQL database. Access to production systems is limited to authorized personnel on multi-factor-authenticated accounts. We do not store card numbers; all card data is handled by Stripe.

8. Changes to this policy

We will notify you of material changes by posting a notice on the Service and updating the date at the top of this page.

9. Contact

For data-related questions or to exercise any of the rights above, write to [email protected]. We respond within 30 days as required by GDPR.