Privacy Policy
Last updated: June 2026 (v1.2)
This policy explains what personal data Zilentino collects, why, on what legal basis, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Who is responsible (controller)
The controller for personal data processed through Zilentino's own platform is:
Andrei Rezneac IT-Solutions (Einzelunternehmen)
Owner: Andrei Rezneac
Wegedornstr. 257N, 12524 Berlin, Germany
Email: contact@zilentino.org
2. What data we collect
Account & profile data
Name, email address, time zone, account identifiers, and the booking-page information a teacher chooses to publish. When a teacher connects Google Calendar, we also obtain the email address of that Google account. Your email address is used to identify your account and to send service-related (transactional) communications.
Booking & lesson data
Lesson types, availability, scheduled lessons, cancellations, and lesson credits. For students this includes name, email, time zone, and booking history with a teacher.
Payment data
For teacher subscriptions and student payments, payment processing is handled by Stripe. We receive limited confirmation and status data (such as whether a payment or subscription succeeded). We do not collect or store full card numbers.
Calendar data
If a teacher connects Google Calendar, we read calendar events to determine availability and prevent double-booking. We also create, update, and delete calendar events on the connected calendar to reflect lessons booked, rescheduled, or cancelled through Zilentino. This access is limited to operating the booking and scheduling features the teacher connects it to.
To compute availability and let you manage which events block your Zilentino availability, we store a copy of your upcoming calendar events — their busy times and titles — in our EU database. This cache is limited to roughly the next 60 days, is refreshed on each sync (so past events are not retained), and is deleted entirely when the calendar is disconnected or access is revoked. Hiding a cached event in Zilentino only changes your Zilentino availability; it never alters your Google Calendar.
Technical data
Basic technical information needed to run the service securely, such as IP address, browser type, and log data generated when you use the platform.
3. Why we process it, and our legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and running your account; providing booking and scheduling features | Performance of a contract (Art. 6(1)(b)) |
| Processing the teacher's €19/month subscription | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (login links, confirmations, notices) | Performance of a contract (Art. 6(1)(b)) |
| Google Calendar sync for availability | Performance of a contract (Art. 6(1)(b)); your connection/consent |
| Keeping the platform secure and preventing abuse | Legitimate interests (Art. 6(1)(f)) |
| Meeting legal, accounting, and tax obligations | Legal obligation (Art. 6(1)(c)) |
4. Service providers (processors) we use
We use a small number of trusted providers to run Zilentino. Where they process personal data on our behalf, we have data-processing agreements in place.
| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication & backend | EU (eu-central-1, Frankfurt) |
| Vercel | Frontend hosting & delivery | Global edge network (incl. US) |
| Resend | Sending transactional email | US / global |
| Stripe | Payment processing (teacher's own Stripe account for student payments; subscription billing) | EU / US |
| Calendar availability sync (OAuth) | EU / US |
Note that student lesson payments go directly to the teacher's own Stripe account; Zilentino does not receive that money or the associated card data.
5. Google user data and Limited Use
When you connect your Google account, Zilentino accesses your Google profile email address (to identify your account and send service-related communications) and your Google Calendar events (to read your availability and to create, update, and delete events for lessons booked through Zilentino).
Zilentino's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: data obtained through Google APIs is used only to provide and improve the booking and scheduling features you connect it to; it is not transferred to others except as necessary to provide or improve these features, to comply with applicable law, or as part of a merger or acquisition; it is not used for advertising; and no humans read this data except with your consent, for security purposes, to comply with applicable law, or where the data has been aggregated and anonymized.
6. International transfers
Our database is hosted in the EU (Frankfurt). Some providers above may process data outside the EU/EEA (for example, in the United States). Where that happens, transfers are protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, the provider's certification under the EU–US Data Privacy Framework.
7. How long we keep data
- Account and booking data: for as long as your account is active.
- After account closure: we delete or anonymise personal data within a reasonable period, unless we must keep certain records longer to meet legal obligations (e.g. accounting and tax records, typically up to 10 years under German law).
- Technical logs: kept only as long as needed for security and operations.
8. How we protect your data
We apply technical and organisational measures designed to protect personal data — including sensitive data such as your Google Calendar information — against unauthorised access, loss, or disclosure:
- Encryption in transit. All traffic between your browser, our servers, and third-party APIs (including Google) is encrypted using TLS/HTTPS.
- Encryption at rest. Our database is hosted on Supabase in the EU (Frankfurt), where stored data is encrypted at rest.
- Access controls. Database access is restricted by row-level security so that records are only accessible to the account they belong to, and administrative access is limited to authorised personnel on a need-to-know basis.
- Least-privilege Google access. We request only the Google scopes required to read your calendar's busy times for availability and to identify the connected Google account, and the resulting access tokens are stored with restricted access and used only to provide those features.
- Revocability. You can disconnect Google Calendar at any time from your Zilentino settings, or revoke access from your Google Account permissions. When you disconnect in Zilentino, we immediately delete the stored connection, including the OAuth tokens, the connected Google account email, and the cached copy of your calendar events. If you instead revoke access from your Google Account, our access stops working and we delete the stored connection the next time we detect that access was revoked.
- Secret management & monitoring. Credentials and API secrets are kept in a secure secret store (not in source code), and we keep security logs to detect and respond to abuse.
No method of transmission or storage is ever completely secure, but we work to protect your data and to keep these measures up to date as the platform evolves.
9. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted ("right to be forgotten"), where applicable;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email contact@zilentino.org. You also have the right to lodge a complaint with a supervisory authority — in our case, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
10. Cookies
Zilentino uses cookies and similar technologies that are strictly necessary to run the service — for example, to keep you logged in. For usage statistics we use PostHog, a privacy-friendly analytics tool hosted in the EU (Frankfurt), configured in cookieless mode: it sets no cookies, stores nothing on your device, and does not identify you or build a profile of you. Visits remain anonymous, so no consent banner is required. We do not use advertising trackers.
11. Children
Teacher accounts are intended for adults (18+). Where a teacher offers lessons to minors, the teacher is responsible for obtaining any necessary parental consent and for handling that data lawfully.
12. Changes to this policy
We may update this Privacy Policy as the platform evolves. We will post the new version with an updated date and, for significant changes, notify you.
See also our Terms & Conditions (including cancellations & refunds) and Imprint.