Privacy Policy

Last updated: June 2026 (v1.2)

This policy explains what personal data Zilentino collects, why, on what legal basis, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Who is responsible (controller)

The controller for personal data processed through Zilentino's own platform is:

Andrei Rezneac IT-Solutions (Einzelunternehmen)
Owner: Andrei Rezneac
Wegedornstr. 257N, 12524 Berlin, Germany
Email: contact@zilentino.org

A note on roles. When a student books with a teacher, the teacher is the controller of their own students' data for the purposes of running their teaching business. Zilentino acts as the platform provider. For data we process to operate and improve the platform itself (accounts, billing, security), we are the controller as described here.

2. What data we collect

Account & profile data

Name, email address, time zone, account identifiers, and the booking-page information a teacher chooses to publish. When a teacher connects Google Calendar, we also obtain the email address of that Google account. Your email address is used to identify your account and to send service-related (transactional) communications.

Booking & lesson data

Lesson types, availability, scheduled lessons, cancellations, and lesson credits. For students this includes name, email, time zone, and booking history with a teacher.

Payment data

For teacher subscriptions and student payments, payment processing is handled by Stripe. We receive limited confirmation and status data (such as whether a payment or subscription succeeded). We do not collect or store full card numbers.

Calendar data

If a teacher connects Google Calendar, we read calendar events to determine availability and prevent double-booking. We also create, update, and delete calendar events on the connected calendar to reflect lessons booked, rescheduled, or cancelled through Zilentino. This access is limited to operating the booking and scheduling features the teacher connects it to.

To compute availability and let you manage which events block your Zilentino availability, we store a copy of your upcoming calendar events — their busy times and titles — in our EU database. This cache is limited to roughly the next 60 days, is refreshed on each sync (so past events are not retained), and is deleted entirely when the calendar is disconnected or access is revoked. Hiding a cached event in Zilentino only changes your Zilentino availability; it never alters your Google Calendar.

Technical data

Basic technical information needed to run the service securely, such as IP address, browser type, and log data generated when you use the platform.

3. Why we process it, and our legal basis

PurposeLegal basis (GDPR Art. 6)
Creating and running your account; providing booking and scheduling featuresPerformance of a contract (Art. 6(1)(b))
Processing the teacher's €19/month subscriptionPerformance of a contract (Art. 6(1)(b))
Sending transactional emails (login links, confirmations, notices)Performance of a contract (Art. 6(1)(b))
Google Calendar sync for availabilityPerformance of a contract (Art. 6(1)(b)); your connection/consent
Keeping the platform secure and preventing abuseLegitimate interests (Art. 6(1)(f))
Meeting legal, accounting, and tax obligationsLegal obligation (Art. 6(1)(c))

4. Service providers (processors) we use

We use a small number of trusted providers to run Zilentino. Where they process personal data on our behalf, we have data-processing agreements in place.

ProviderPurposeData location
SupabaseDatabase, authentication & backendEU (eu-central-1, Frankfurt)
VercelFrontend hosting & deliveryGlobal edge network (incl. US)
ResendSending transactional emailUS / global
StripePayment processing (teacher's own Stripe account for student payments; subscription billing)EU / US
GoogleCalendar availability sync (OAuth)EU / US

Note that student lesson payments go directly to the teacher's own Stripe account; Zilentino does not receive that money or the associated card data.

5. Google user data and Limited Use

When you connect your Google account, Zilentino accesses your Google profile email address (to identify your account and send service-related communications) and your Google Calendar events (to read your availability and to create, update, and delete events for lessons booked through Zilentino).

Zilentino's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: data obtained through Google APIs is used only to provide and improve the booking and scheduling features you connect it to; it is not transferred to others except as necessary to provide or improve these features, to comply with applicable law, or as part of a merger or acquisition; it is not used for advertising; and no humans read this data except with your consent, for security purposes, to comply with applicable law, or where the data has been aggregated and anonymized.

6. International transfers

Our database is hosted in the EU (Frankfurt). Some providers above may process data outside the EU/EEA (for example, in the United States). Where that happens, transfers are protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, the provider's certification under the EU–US Data Privacy Framework.

7. How long we keep data

  • Account and booking data: for as long as your account is active.
  • After account closure: we delete or anonymise personal data within a reasonable period, unless we must keep certain records longer to meet legal obligations (e.g. accounting and tax records, typically up to 10 years under German law).
  • Technical logs: kept only as long as needed for security and operations.

8. How we protect your data

We apply technical and organisational measures designed to protect personal data — including sensitive data such as your Google Calendar information — against unauthorised access, loss, or disclosure:

  • Encryption in transit. All traffic between your browser, our servers, and third-party APIs (including Google) is encrypted using TLS/HTTPS.
  • Encryption at rest. Our database is hosted on Supabase in the EU (Frankfurt), where stored data is encrypted at rest.
  • Access controls. Database access is restricted by row-level security so that records are only accessible to the account they belong to, and administrative access is limited to authorised personnel on a need-to-know basis.
  • Least-privilege Google access. We request only the Google scopes required to read your calendar's busy times for availability and to identify the connected Google account, and the resulting access tokens are stored with restricted access and used only to provide those features.
  • Revocability. You can disconnect Google Calendar at any time from your Zilentino settings, or revoke access from your Google Account permissions. When you disconnect in Zilentino, we immediately delete the stored connection, including the OAuth tokens, the connected Google account email, and the cached copy of your calendar events. If you instead revoke access from your Google Account, our access stops working and we delete the stored connection the next time we detect that access was revoked.
  • Secret management & monitoring. Credentials and API secrets are kept in a secure secret store (not in source code), and we keep security logs to detect and respond to abuse.

No method of transmission or storage is ever completely secure, but we work to protect your data and to keep these measures up to date as the platform evolves.

9. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data deleted ("right to be forgotten"), where applicable;
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email contact@zilentino.org. You also have the right to lodge a complaint with a supervisory authority — in our case, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

10. Cookies

Zilentino uses cookies and similar technologies that are strictly necessary to run the service — for example, to keep you logged in. For usage statistics we use PostHog, a privacy-friendly analytics tool hosted in the EU (Frankfurt), configured in cookieless mode: it sets no cookies, stores nothing on your device, and does not identify you or build a profile of you. Visits remain anonymous, so no consent banner is required. We do not use advertising trackers.

11. Children

Teacher accounts are intended for adults (18+). Where a teacher offers lessons to minors, the teacher is responsible for obtaining any necessary parental consent and for handling that data lawfully.

12. Changes to this policy

We may update this Privacy Policy as the platform evolves. We will post the new version with an updated date and, for significant changes, notify you.

See also our Terms & Conditions (including cancellations & refunds) and Imprint.