1. Data controller
The controller of the data collected by the Service is Leo Virgo (the "Provider"), 6 rue d’Armaillé, 75017 Paris, registered with the Paris trade register under number 105 436 562.
For any question about how your data is processed, contact the Provider at contact@getparki.com.
2. Data collected
To run the Service, the Provider collects and processes the following categories of data, tied to a Slack workspace:
- Slack identifiers: the unique workspace identifier (`team_id`), the unique identifier of each user (`user_id`), and the language preference (`locale`) returned by the Slack API.
- Display name: the user's public name as it appears in Slack, used in the Service's interface messages.
- OAuth tokens: the bot token (`bot_token`) issued by Slack at installation, stored encrypted and used only to interact with the workspace.
- Business data: building and spot names, spot ↔ user assignments, reservations, releases, recurring absence rules. This data is entered by users to manage the car park.
- Billing data: for customers on a paid plan, the subscriber name, postal address, email address, and payment details are collected and stored by our provider Stripe. The Provider stores neither card number nor security code.
- Feedback: when a user runs the `/parki feedback` command, the free-text message they submit is stored together with their Slack identifier, so the Provider can read every message and reply to the person who sent it. Feedback is kept for as long as needed to handle it and improve the Service, and is deleted when the workspace is removed.
- Technical logs: timestamps, session identifier, status and duration of executed commands, kept for diagnostics and security.
3. Purposes and legal bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Provide the Service to the Customer (spot management, reservations, notifications) | Performance of the contract (art. 6.1.b GDPR) | Duration of the subscription |
| Billing and accounting | Legal obligation (art. 6.1.c GDPR) | Ten (10) years from the close of the financial year |
| Technical diagnostics, security, fraud prevention | Legitimate interest (art. 6.1.f GDPR) | Thirty (30) days for error logs |
| Improving the Service (aggregated, anonymous usage statistics) | Legitimate interest (art. 6.1.f GDPR) | Duration of the subscription |
4. Recipients and sub-processors
The data processed by the Provider is never sold for commercial purposes. It is shared with the following technical sub-processors, which are needed to run the Service:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Slack Technologies LLC | Bot host platform | United States | Standard Contractual Clauses (SCC) and Data Privacy Framework |
| Supabase Inc | Database (hosted PostgreSQL) | Germany (eu-central region) | Supabase DPA, EU hosting |
| Stripe Payments Europe Ltd | Payment processing | Ireland | Stripe DPA, EU hosting for the European zone |
| Sentry EU GmbH | Application error monitoring | Germany | Sentry DPA, EU hosting |
| Inngest Inc | Async task orchestration | United States | Standard Contractual Clauses (SCC) |
Each sub-processor is bound to the Provider by a data processing agreement (DPA) that strictly limits the use of data to the agreed purposes. Transfers outside the European Union, where they occur, are framed by the Standard Contractual Clauses published by the European Commission.
5. Security
The Provider applies reasonable technical and organisational measures to protect data against destruction, loss, alteration, or unauthorised disclosure:
- encryption in transit (TLS 1.2 or higher) and at rest for authentication tokens;
- logical isolation per customer (PostgreSQL Row Level Security);
- access to production infrastructure limited to the Provider under multi-factor authentication;
- continuous error monitoring and audit logs.
6. Your rights
Under the GDPR, anyone whose data is processed by the Service has the following rights:
- right of access and to a copy;
- right to rectification;
- right to erasure ("right to be forgotten"), within the limits of the Provider's legal obligations (in particular accounting);
- right to restriction of processing;
- right to data portability;
- right to object to processing based on legitimate interest.
Exercise these rights by email to contact@getparki.com, providing proof of the requester's identity. The Provider replies within one (1) month. In case of disagreement, you have the right to lodge a complaint with the French data protection authority (CNIL, www.cnil.fr).
7. Cookies
The getparki.com site is a static information site that sets no tracking, advertising, or analytics cookie. No consent is required on that basis. The product itself runs only inside Slack and is governed by Slack's cookie terms.
8. Changes to the policy
The Provider may change this policy to reflect changes to the Service or the law. Any material change will be notified to the administrators of customer workspaces at least thirty (30) days before it takes effect.