Privacy Policy
Last updated: July 17, 2026
1. Who we are
Oakslot ("Oakslot", "we", "us") provides an academic resource scheduling platform for universities and schools at oakslot.com. For personal data belonging to people who create an Oakslot account, Oakslot acts as the data controller. For academic records that an institution manages inside its organization — such as student and instructor records, enrollments, and timetables — the institution is the controller and Oakslot processes that data on its behalf.
Privacy contact: privacy@oakslot.com
2. Data we collect
- Account data — name, email address, hashed password, locale and theme preferences. If you choose Google Sign-In, Google also provides your stable Google account identifier, verified-email status, and profile image. We do not request access to Google Calendar, Contacts, Drive, Gmail, or other Google product data.
- Organization content — the scheduling data your institution manages in Oakslot: terms, courses, rooms, instructor and student records, enrollments, timetables, constraints, and approval workflows.
- Usage and security data — session tokens, IP address, user agent, and an audit trail of create/update/delete actions (who changed what, and when).
- Billing data — subscription plan, billing contact, and invoicing state. Payment card details are collected and stored by Stripe, never by Oakslot.
- Integration credentials — hashed API keys and calendar-feed tokens you create, with their scopes and usage metadata.
We do not run advertising or cross-site tracking. The only cookies we set are strictly necessary: session authentication and your theme/locale preferences.
3. Why we process it (legal bases)
- Performance of contract — operating your account, organization membership, and the scheduling service itself.
- Legitimate interest — authentication, session management, security audit logging, and error tracking to keep the service reliable and accountable.
- Consent — optional features you enable explicitly, such as personal calendar feeds (iCal) and API keys.
4. Google Sign-In
Google Sign-In requests only the openid, email, and profile scopes. We use the resulting Google account data only to authenticate you, create or link your Oakslot account, prefill your name and profile image, and protect the sign-in flow against abuse. We do not sell this data, use it for advertising, or use it to train generalized artificial-intelligence models.
Your name, email address, and profile image may be visible to authorized members of your Oakslot organization where needed for account administration and scheduling. We otherwise share Google user data only with the service providers listed below when necessary to operate and secure Oakslot, when you direct us to share it, or when the law requires it.
Google OAuth credentials returned during sign-in are encrypted at rest and are used only to complete authentication. Oakslot requests online access and does not request a Google refresh token. The linked-account record is retained until you unlink it or delete your Oakslot account, subject to the backup period described below.
Oakslot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
5. Subprocessors
We use the following subprocessors, all covered by data processing agreements:
- Neon Inc. — PostgreSQL database hosting all application data (EU, Frankfurt).
- Cloudflare Inc. — edge hosting, CDN, and DNS; request metadata (global edge; persistent data stays in the EU).
- Railway Corp. — hosting for the scheduling solver and external API, which process organization scheduling data.
- Stripe, Inc. — subscription billing and payment processing.
- Resend Inc. — transactional email delivery (US; encrypted in transit; content not persisted beyond delivery).
- Functional Software, Inc. (Sentry) — error tracking with minimized, anonymized request data (90-day retention).
6. Data residency
The primary database runs in the EU (AWS eu-central-1, Frankfurt). Edge compute executes at the location nearest to the visitor, but persistent application data is stored in the EU.
7. Retention
- Account data — until you delete your account.
- Sessions — 7 days.
- Audit logs — 2 years (personal identifiers scrubbed on account deletion).
- API keys and calendar tokens — until revoked or expired.
- Error tracking events — 90 days.
- Database backups — 7-day point-in-time recovery window; deleted data leaves backups automatically within 7 days of erasure.
8. Your rights
Under the GDPR you can:
- Access and export your data as machine-readable JSON via Settings → Privacy → Download My Data.
- Erase your account via Settings → Privacy → Delete My Account (password confirmation, 48-hour cancellable grace period, then transactional erasure with PII scrubbing).
- Rectify your profile data directly in the application.
- Restrict or object to processing based on legitimate interest by emailing privacy@oakslot.com.
Automated requests are fulfilled immediately; manual requests within 30 days. You can also lodge a complaint with your local supervisory authority.
9. Security
Data is encrypted in transit, passwords are stored only as strong hashes, access is role-scoped per organization, and all our subprocessors maintain SOC 2 Type II compliance. If a personal data breach ever poses a risk to you, we will notify the supervisory authority within 72 hours and affected users without undue delay.
10. Changes
We will post any changes to this policy on this page and update the date above. Material changes are announced to account owners by email.