Reservly Privacy Policy
Last updated: April 26, 2026
The short version
- Who we are. Reservly is a Wyoming limited liability company that operates the booking-platform software at reservly.io.
- We do not sell personal information. Not now, not on any roadmap. "Sell" here means what CCPA/CPRA means: exchanging personal information for money.
- We may "share" marketing-site visitor data with advertising platforms (Meta, Google, and similar) when Reservly runs paid campaigns — "share" is CCPA/CPRA's specific term for measurement and retargeting pixels. This is strictly opt-outable, consent-gated in EU / UK / EEA / CH / CA, and limited to the marketing site — never customer booking data. See Cookie Policy and Do Not Sell or Share.
- Where your data lives. Our primary database and application hosting are located in the United States (Supabase us-east-2 and Vercel iad1). Our error monitoring (Sentry) is in the European Union. Our sub-processor list at reservly.io/legal/subprocessors identifies every service that processes data on our behalf.
- What this policy covers. How Reservly collects, uses, discloses, and protects personal information when you use our platform — as a business owner subscribing to Reservly, or as an end user booking through a business's Reservly-hosted page.
- Your rights. Access, correct, delete, export, and opt out, among others. See § 9 — Your rights.
- Questions. Email support@reservly.io. Data-protection inquiries: support@reservly.io with subject line "Privacy Officer" (Privacy Officer: Stjepan Luburic, Founder, Reservly LLC).
This policy is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (nFADP), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), the other US state privacy laws in force or scheduled to take effect, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, the Australian Privacy Act 1988, the Brazilian Lei Geral de Proteção de Dados (LGPD), the South African Protection of Personal Information Act (POPIA), the Indian Digital Personal Data Protection Act 2023, the UAE Personal Data Protection Law, the Singapore Personal Data Protection Act, the Japanese Act on Protection of Personal Information, the Hong Kong Personal Data (Privacy) Ordinance, the Nigerian Data Protection Act 2023, the Kenyan Data Protection Act 2019, the Ghanaian Data Protection Act (Act 843) of 2012, the Tanzanian Personal Data Protection Act 2022, the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the Argentine Personal Data Protection Law 25.326, the Colombian Statutory Law 1581/2012, the Mexican Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), the Chilean Ley Marco de Datos Personales (Ley 21.719), the Peruvian Personal Data Protection Law 29733, the Uruguayan Privacy Law 18.331, the Ecuadorian Organic Law on Personal Data Protection (LOPDP 2021), and other applicable data-protection laws.
1. Who this policy applies to
This policy applies to:
- Business owners and their teams who sign up for a Reservly subscription and use the dashboard at reservly.io (we refer to you as the "Business").
- End users who make a booking, join a waitlist, attend an event, rent a property, or otherwise interact with a business's Reservly-hosted booking page (we refer to you as the "Customer").
- Visitors to Reservly's marketing website, documentation, legal pages, and support surfaces.
If you are a Customer of a Business that uses Reservly, that Business is the controller of your personal data for the purpose of your booking. Reservly is that Business's processor. This policy explains Reservly's practices; your Business may have its own privacy policy that controls in addition to ours.
2. Who we are
Reservly (the "Company", "we", "us", or "our") is a Wyoming limited liability company. Our legal-notice address is:
Reservly
c/o Northwestern Registered Agent Services
30 N Gould St Ste R
Sheridan, WY 82801
United States
For questions about this policy, data-protection inquiries, or to exercise your rights: support@reservly.io. To reach Reservly's designated Privacy Officer role, include the subject line "Privacy Officer".
Privacy Officer. Reservly's designated Privacy Officer is Stjepan Luburic, Founder, Reservly LLC, reachable at support@reservly.io with subject line "Privacy Officer". This designation satisfies the named Privacy/Information Officer publication requirements under PIPEDA (federal Canada) and the South African Protection of Personal Information Act (POPIA), among other applicable laws. The Privacy Officer also fulfils the encarregado function for Brazilian LGPD purposes.
Reservly does not currently operate under a Data Protection Officer (DPO) requirement because our processing activities fall outside the mandatory-appointment triggers of GDPR Article 37. We will appoint a DPO if our processing scales past those triggers (large-scale special-category processing, or processing that requires systematic monitoring of data subjects at scale). See § 14 — Our compliance roadmap.
EU Representative (GDPR Article 27). GDPR Article 27 requires controllers established outside the EU/EEA who systematically process EU personal data to appoint an EU representative. Reservly is in the process of appointing an EU Representative for GDPR Article 27 purposes. Until the appointment is complete, EU data subjects may contact Reservly directly at support@reservly.io with subject line "EU Privacy". See § 19 for more details.
UK Representative (UK GDPR Article 27). Reservly is also in the process of appointing a UK Representative under UK GDPR Article 27. Until the appointment is complete, UK data subjects may contact Reservly directly at support@reservly.io with subject line "UK Privacy". See § 19 for more details.
ICO Registration. Reservly's registration with the UK Information Commissioner's Office (ICO) is pending (registration reference: pending — see RA-27). UK data subjects may still exercise their rights and lodge complaints with the ICO as described in § 9.3.
3. Our two roles
Reservly wears two hats, and the legal obligations that attach to each are different.
3.1 Reservly as controller
Reservly is the controller of the personal data you give us directly when you sign up for a subscription, manage your account, contact our support, or visit our marketing website. For that data, this policy is our full notice under GDPR Articles 13–14 and equivalent laws.
3.2 Reservly as processor
Reservly is a processor of the personal data that Businesses collect through their Reservly-hosted booking pages from their end-user customers. The Business is the controller of that data; Reservly processes it on the Business's documented instructions, under the terms of the Reservly Data Processing Agreement. If you are an end-user customer of a Business, contact the Business for requests about your booking data; if the Business cannot help or has gone offline, contact us and we will route your request.
3.3 Independent controllers we use
A few services that we rely on are themselves independent controllers of a limited slice of data — most notably Paddle (which, as our merchant of record for subscription billing, acts as an independent controller for billing contact and payment-method data), Stripe and PayPal (which, when a Business connects its own account to Reservly to accept customer payments, act as independent processors engaged by the Business — not sub-processors of Reservly — for the payment-flow data the Business sends them), and Google, Microsoft, Zoom, and Dropbox (which, when a Business connects an integration, act as independent controllers inside their own services). Those services have their own privacy policies; we do not direct how they use the data they hold as controllers.
4. What we collect and why
4.1 Business owner / team data (we are controller)
When you sign up and use Reservly as a Business:
- Account data. Name, email, scrypt-hashed password, time zone, language, and any profile details you add.
- Business data. Business name, address, phone, website, logo, social links, and anything else you place on your booking page.
- Subscription and billing data. Tier, status, trial dates, and a pointer to your Paddle subscription identifier. Paddle (not Reservly) stores your payment method — we see only transaction references and the last four digits for display.
- Integration tokens. OAuth access and refresh tokens for any calendar, meeting, storage, or payment integration you connect (Google, Microsoft, Zoom, Dropbox, Stripe, PayPal). Tokens are encrypted at rest using Supabase Vault. Reservly uses these tokens only for the specific integration purpose you authorised — writing booking events to your calendar, creating virtual meeting links, writing backup files to your designated storage folder, or processing payments on your behalf. Tokens are deleted when you disconnect the integration or close your account.
- Usage telemetry. Pages you visit in the dashboard, features you use, email send counts against your tier limit, booking counts. We use this for product improvement, tier-limit enforcement, and to help you troubleshoot.
- Support correspondence. The emails you send us and our replies.
4.2 Customer booking data (we are processor on behalf of the Business)
When you book through a Business's Reservly-hosted booking page:
- Contact. Name, email, and (if requested) phone number.
- Booking details. Service, event, or rental selected; date and time; staff preferences; notes to the business; party size; guests.
- Form responses. Anything you fill into custom form fields the Business has configured. Those fields are the Business's responsibility; they should not be used to collect protected health information or other special-category data (see § 6.4).
- Payment references (if the Business collects payment). A Stripe or PayPal transaction identifier and the last four digits of the payment method for display. Full card details never reach Reservly.
- Technical data. IP address (transiently, for anti-abuse), browser type, locale, and a reservly_ref cookie that records your referral source for 30 days when a Business has tracking enabled.
- Consent records. Timestamped checkbox selections for marketing email and SMS opt-ins at booking time, together with the submitting IP address (for TCPA and GDPR Article 7 proof-of-consent). Bookings created before 2026-04-26 retain the consent boolean but do not have a discrete timestamp; the opt-in record for those bookings is the customer record's has_marketing_consent flag.
4.3 Visitor data (we are controller)
When you visit reservly.io without logging in:
- Technical data. IP address, browser user-agent, request timestamps, referring URL. We use this to operate the site, detect abuse, and (when you consent) remember your cookie preferences.
- Cookies. See § 15 and the separate Cookie Policy.
4.4 Data we do not collect
- We do not collect biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data, genetic data, sex-life or sexual-orientation data, or criminal-offence data, and our Acceptable Use Policy prohibits Businesses from using Reservly to collect or store such data (see § 6.4).
- We do not collect data from children. Reservly's Terms of Service require Business account holders to be 18 or older, and Reservly is not directed at children.
- We are not a data broker. We do not buy, sell, rent, or trade personal data for money. When Reservly runs paid advertising campaigns, we use standard measurement and retargeting pixels (Google Analytics 4, Meta Pixel, Google Ads conversion pixel, and similar) on our marketing site only — never on Reservly-hosted booking pages, never involving end-user booking data. These are consent-gated for EU / UK / EEA / CH / CA residents and opt-out for other regions, as disclosed in our Cookie Policy.
4.5 Calendar and integration data (Business owner and their staff)
Google Calendar (when connected by a Business or staff member)
Reservly uses the https://www.googleapis.com/auth/calendar.app.created scope. This scope limits Reservly to reading and managing only the events that Reservly itself has created in your calendar — Reservly cannot see, read, modify, or delete your existing personal or work calendar events.
- What Reservly writes to Google Calendar: when a booking is confirmed, Reservly creates an event in your connected calendar containing: service or event name, booking date and time, customer name, customer email, and — if applicable — virtual meeting link. Customers are listed as attendees only if the booking type includes a virtual meeting invitation.
- What Reservly reads from Google Calendar: Reservly reads back only the events it has previously created, for the purpose of updating or deleting them if a booking is rescheduled or cancelled. Reservly does not read any other event on your calendar.
- What Reservly does NOT do: Reservly never reads your personal or pre-existing calendar events, never stores calendar event data in the Reservly database beyond the booking record it already holds, and never uses calendar data for any purpose other than writing, updating, or deleting booking-related events.
- Retention: Calendar events created by Reservly remain in your Google Calendar until you delete them or disconnect the integration. Reservly's copy of the booking record is retained per the retention schedule in § 11.
- Revocation: Disconnect Google Calendar from Dashboard → Integrations → Google Calendar → Disconnect, or revoke Reservly's access directly at myaccount.google.com/permissions.
Google API Limited Use disclosure (required by Google API Services User Data Policy): Reservly's use of information received from Google APIs is limited to providing and improving the calendar synchronisation feature described above. Reservly does not use Google user data for serving advertisements, does not allow humans to read Google user data except as required to provide the service or for security purposes or as required by law, does not transfer Google user data to third parties except as necessary to provide the service or as required by law, and does not use Google user data for any purpose that violates the Google API Services User Data Policy.
Microsoft / Outlook Calendar (when connected by a Business or staff member)
Reservly uses the Calendars.ReadWrite Microsoft Graph permission. Although this scope technically permits read access, Reservly's implementation limits read operations to fetching only Reservly-created events. Microsoft does not currently offer a scope equivalent to Google's calendar.app.created that restricts reads to app-created events only. Reservly has adopted a behavioural policy: no code reads pre-existing calendar events, and this policy is enforced via code review and documented in Reservly's internal security controls.
- What Reservly writes to Microsoft Calendar: same categories as Google Calendar above.
- What Reservly does not do: Reservly never reads pre-existing personal or work calendar events, never stores Microsoft calendar event data beyond the booking record, and never uses calendar data for any purpose beyond booking synchronisation.
- Revocation: Disconnect Microsoft Calendar from Dashboard → Integrations → Microsoft Calendar → Disconnect, or revoke Reservly's access at account.microsoft.com/privacy/app-access or from your Microsoft Entra admin centre under Enterprise Applications.
Zoom (when connected by a Business or staff member)
Reservly uses Zoom OAuth to create virtual meeting links for bookings configured as virtual or hybrid sessions.
- What Reservly writes to Zoom: meeting topic (derived from the service name), start time, and duration. Customer contact details are not sent to Zoom at meeting creation time.
- What Reservly reads from Zoom: Reservly does not read Zoom meeting records, attendance data, or any other Zoom account information. The integration is write-only.
- Revocation: Disconnect Zoom from Dashboard → Integrations → Zoom → Disconnect, or revoke access from your Zoom App Marketplace installed apps.
Google Drive / Microsoft OneDrive / Dropbox (when connected as a backup target)
Reservly offers an optional cloud backup feature that exports booking and business data to a cloud storage folder you own.
- Google Drive: Reservly requests the drive.file scope. This grants Reservly permission only to create and manage files that Reservly itself uploads — Reservly cannot access, read, or modify any other files in your Google Drive.
- Microsoft OneDrive: Reservly requests the Files.ReadWrite.AppFolder permission. This limits Reservly to a dedicated application folder. Reservly cannot access files outside this folder.
- Dropbox: Reservly requests App Folder access, limiting Reservly to a dedicated /Apps/Reservly/ folder. Reservly cannot access files in any other location.
- What Reservly writes: structured backup files (JSON/CSV) containing booking records, customer contact data (name, email, phone as present in bookings), and business configuration. Reservly does not read from any of these storage locations.
- Revocation: disconnect from Dashboard → Integrations → [Provider] → Disconnect, or revoke at the provider's connected-apps settings.
4.6 Payment-adjacent information — what we see and what we do not
Reservly is a software platform, not a payment processor. The following describes precisely what payment-related data Reservly handles.
For Reservly's own SaaS subscriptions (Paddle as merchant of record): Paddle processes the full transaction and acts as the independent merchant of record. Reservly stores only: Paddle subscription identifier (a reference string), subscription status, billing tier, and the last four digits of your payment method (for display only). Reservly never receives or stores full card numbers, CVV codes, bank account numbers, or billing addresses beyond what Paddle provides in their subscription event webhooks.
For payments your Customers make to your Business (Stripe Connect / PayPal Commerce): When a Business connects its own Stripe or PayPal account and uses Reservly to collect payments from Customers, the following applies:
- The Business is the merchant of record through its own Stripe or PayPal account.
- Card and payment data flows directly from the Customer to Stripe or PayPal. It never touches Reservly's servers.
- Reservly stores only: a payment-intent or order identifier (a reference string), the last four digits of the payment method (for display in the Business's dashboard and the Customer's confirmation email), and payment status (pending, captured, refunded, partially refunded).
- The Stripe Connect OAuth access and refresh tokens that enable Reservly to create charges and issue refunds on behalf of the Business are stored in encrypted form (Supabase Vault) and are deleted on disconnect or account closure.
Stripe and PayPal collect data as independent controllers under their own privacy policies: stripe.com/privacy and paypal.com/us/legalhub/privacy-full.
We are at PCI-DSS SAQ-A scope for cardholder-data security purposes because we do not handle cardholder data directly. See § 16 for the high-level summary.
5. Legal bases we rely on (GDPR, UK GDPR, LGPD, and equivalent)
The table below maps Reservly's activities to the lawful bases we rely on for processing. Where more than one basis could apply, the table names the primary one.
| Activity | Primary lawful basis | Notes |
|---|---|---|
| Create and operate your Business account | Contract (Art. 6(1)(b)) | Necessary to perform the Reservly subscription agreement |
| Process your subscription billing (via Paddle) | Contract (Art. 6(1)(b)) | Paddle as merchant of record handles the payment-level processing |
| Enable end-user bookings on your Reservly-hosted page | Contract performance, on the Business's instructions | Reservly is processor; the Business's lawful basis applies to the end user |
| Send transactional emails (booking confirmations, reminders, account notices) | Contract (Art. 6(1)(b)) | Transactional, not marketing |
| Send marketing emails (product updates, feature announcements) to Business owners | Legitimate interest (Art. 6(1)(f)), with opt-out | Strict opt-out at every send; no marketing emails to end users |
| Operate OAuth integrations (Google Calendar, Zoom, Stripe, etc.) | Consent (Art. 6(1)(a)) | You explicitly authorise each integration |
| Detect abuse, prevent fraud, secure the platform | Legitimate interest (Art. 6(1)(f)) | Balanced against your interests; scope limited to what's necessary |
| Error monitoring and debugging (Sentry) | Legitimate interest (Art. 6(1)(f)) | PII scrubbing before ingest; 90-day retention; EU-hosted |
| Usage analytics and tier-limit enforcement | Legitimate interest (Art. 6(1)(f)) | Aggregated where possible |
| Comply with legal obligations (tax, dispute defence, regulator requests) | Legal obligation (Art. 6(1)(c)) | 7-year booking-record retention driven by this basis |
| Respond to subject-access and other rights requests | Legal obligation (Art. 6(1)(c)) | |
| Send SMS reminders or marketing SMS to Customers (via Business's Twilio account) | Consent (Art. 6(1)(a)) | TCPA-compliant opt-in checkbox at booking; STOP honoured |
| AI-assisted translation of business content | Contract (Art. 6(1)(b)) + Legitimate interest (Art. 6(1)(f)) | Mistral AI (EU); no customer data sent; no model training |
| Marketing email to Canadian Business owners and their customers | Express or implied consent (CASL) | Express consent via booking form opt-in; implied consent for 2 years from booking or 6 months from non-purchase inquiry |
Under LGPD, we rely on the equivalent bases (execução de contrato, legítimo interesse, cumprimento de obrigação legal, consentimento). Under Brazil's Marco Civil da Internet (Lei 12.965/2014 Art. 7, VII), Reservly additionally requires explicit consent before using any personal data of Brazilian internet users for direct-marketing or advertising purposes — consistent with the LGPD consent basis described above. Our marketing opt-in checkbox satisfies this requirement. Under the CCPA/CPRA, we disclose collection and purposes as a "business" and act as a "service provider" when processing customer booking data for a Business.
6. How we use your data
6.1 Operate the service
To provide the Reservly platform — host your booking page, process bookings, send confirmations, sync calendars, facilitate payments, provide analytics and reporting.
6.2 Secure the service
To detect, prevent, and respond to abuse, fraud, and security incidents. Rate-limiting, audit logs, and error monitoring are part of this purpose.
6.3 Improve the service
To understand feature usage, prioritise bug fixes, and guide product decisions. We aggregate and anonymise where possible.
6.4 Special-category data and regulated-healthcare use
Reservly is not designed to meet sector-specific health-data requirements in any jurisdiction, and our Terms of Service and Acceptable Use Policy prohibit use by HIPAA-covered entities, GDPR Article 9 health-data controllers, Canadian PHIPA-regulated providers, LGPD sensitive-data controllers, Australian Privacy Act health-service providers, and similarly regulated healthcare providers. Non-medical wellness services (fitness, yoga, massage, aesthetic medspa, nutrition coaching, cash-only acupuncture) that are not regulated as healthcare under their local law are permitted; the Business remains responsible for compliance with anything local law does require of it.
6.5 What we commit not to do — and how "sell" differs from "share"
- We do not sell your personal data. Not now, not on any roadmap. "Sell" here means what CCPA/CPRA means: exchange of personal information for money or equivalent consideration. This is a permanent commitment.
- We do not share end-user booking data — the personal information a Business's customers submit through Reservly-hosted booking pages — with advertising platforms, analytics providers, or data brokers. Ad pixels (when active) live on the Reservly marketing site only.
- We do share marketing-site visitor data with advertising platforms (Meta, Google, and similar) when Reservly runs paid advertising campaigns, for measurement and retargeting — strictly consent-gated (opt-in in EU / UK / EEA / CH / CA, opt-out in the US) and disclosed in our Cookie Policy. "Share" is CCPA/CPRA's specific term for this; it is distinct from "sell." You can opt out at any time via the cookie banner, the Do Not Sell or Share My Personal Information page, or by sending the Global Privacy Control signal.
- We do not use your data to train general-purpose AI models. Not our models, not third-party models.
- We do not combine the data one Business's booking flow gives us with data we hold for another Business, except as needed to operate the shared platform (for example, abuse detection) or where both Businesses are customers of the same account.
7. Who we share your data with
Reservly shares personal data only in the ways listed below. The current list of sub-processors is published at reservly.io/legal/subprocessors and updated with at least 30 days' advance notice before changes take effect.
- Sub-processors. Third-party services we use to operate the platform — hosting (Vercel), database (Supabase), object storage (Cloudflare R2), email delivery (Resend), error monitoring (Sentry), subscription billing (Paddle), payment facilitation (Stripe, PayPal), calendar and meeting integrations (Google, Microsoft, Zoom), backup integrations (Google Drive, Microsoft OneDrive, Dropbox), rate limiting (Upstash), AI translation (Mistral AI — EU), and SMS facilitation (Telnyx, Infobip, and — when a Business brings its own Twilio account — Twilio). Each sub-processor is bound by a data-processing contract that is no less protective than this policy.
- Businesses. If you are an end user, your booking data is shared with the Business you booked with. That is the point of the booking.
- Independent controllers. Paddle, Stripe, PayPal, Google, Microsoft, Zoom, and Dropbox also act as independent controllers inside their own services. They have their own privacy policies. Stripe and PayPal are independent processors engaged by the Business (as merchant of record) — not Reservly sub-processors — for customer-payment flows.
- Legal requirements. We will disclose personal data if required by a valid legal process (subpoena, court order, warrant), to enforce our Terms of Service, to detect or prevent fraud, or to protect the rights, property, or safety of Reservly, our customers, or the public. We will push back on overly broad requests and will notify the affected Business where we are legally permitted to do so.
- Business transfers. If Reservly is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. Any successor will be bound by a privacy policy no less protective than this one.
We do not disclose personal data to any other third party.
8. International data transfers
Our primary database and application infrastructure are hosted in the United States (Supabase us-east-2, Vercel iad1). Our error monitoring (Sentry) is hosted in the European Union. If you are located outside the United States, your personal data will be transferred to — and processed in — the United States and other jurisdictions where our sub-processors operate.
We protect those transfers as follows:
- EU / EEA transfers. We rely on the 2021 European Commission Standard Contractual Clauses (Module 2, Controller to Processor) incorporated by reference in our Data Processing Agreement, and on the EU–US Data Privacy Framework for onward transfers to DPF-certified sub-processors where that certification is valid.
- UK transfers. We rely on the UK International Data Transfer Addendum (IDTA, version B1.0) to the EU Standard Contractual Clauses, and on the UK–US Data Bridge where the relevant sub-processor holds a valid UK–US Data Bridge certification. UK data subjects may request details of the specific transfer mechanism applicable to their data by contacting support@reservly.io with subject line "UK Privacy".
- Swiss transfers. We rely on the SCCs with the FDPIC-endorsed amendments, and on the Swiss-US Data Privacy Framework where applicable.
- Other jurisdictions. We rely on the transfer mechanism appropriate to the jurisdiction — typically the statutory safeguards listed in the applicable law, consent where contextually appropriate, or the local equivalent of Standard Contractual Clauses.
- Transfer Impact Assessment. We have conducted a Transfer Impact Assessment for each onward transfer to a sub-processor in a non-adequate country and will update it on material change.
For Brazilian residents specifically (LGPD Art. 33): When Reservly transfers personal data from Brazil to the United States (our current infrastructure), we rely on the following mechanism under LGPD Art. 33, II: contractual guarantees between Reservly and each sub-processor that impose data-protection obligations equivalent to those required under LGPD. These guarantees are documented in our sub-processor Data Processing Agreements and incorporated into the Reservly Data Processing Agreement. We also provide standard contractual clauses adapted to Brazilian law requirements where applicable. Reservly treats data from Brazilian residents with the protections described throughout this policy and in our DPA, in a manner consistent with LGPD requirements, regardless of the processing location. Brazilian residents may request a copy of the transfer safeguards in place by contacting support@reservly.io with subject line "LGPD Transfer Safeguards". Note: If Reservly migrates its primary database to EU infrastructure (as planned under RA-21), the EU protections would represent an equivalent-or-better standard under LGPD Art. 33.
EU Representative (GDPR Article 27). Reservly is in the process of appointing an EU Representative as required by GDPR Article 27. GDPR Article 27 applies to controllers established outside the EU/EEA who engage in systematic processing of EU personal data. The appointment is in progress; contact support@reservly.io with subject line "EU Privacy" in the interim. See § 19 for the representative contact block once appointed.
UK Representative (UK GDPR Article 27). Reservly is in the process of appointing a UK Representative under UK GDPR Article 27. Contact support@reservly.io with subject line "UK Privacy" in the interim. See § 19 for details.
For Quebec residents: Quebec is not a currently available Reservly market (see Geographic Availability). Quebec's exclusion from our service means that Quebec Law 25's Privacy Impact Assessment and cross-border transfer requirements are not currently triggered for Reservly's operations. If the Quebec exclusion is lifted in the future, this policy will be updated accordingly.
9. Your rights
Depending on where you live, you have rights under one or more of the privacy laws listed below. We honour these rights regardless of where you are located, to the extent technically possible.
9.1 Universal rights (apply everywhere)
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct information that is inaccurate.
- Deletion. Ask us to delete your personal data, subject to limitations we set out below.
- Portability. Request a structured, machine-readable export of your data.
- Withdraw consent. Where we rely on consent, withdraw it (without affecting the lawfulness of processing that already took place).
- Complain. Contact Reservly to raise a concern; we will respond promptly and can escalate to a supervisory authority at your request.
9.2 European Union and European Economic Area (EU GDPR)
In addition to the universal rights, EU/EEA residents have:
- The right to object to processing based on legitimate interests (Art. 21 EU GDPR).
- The right to restriction of processing (Art. 18 EU GDPR).
- The right not to be subject to solely-automated decision-making that produces legal or similarly significant effects (Art. 22 EU GDPR). Reservly does not engage in solely-automated decision-making of this kind.
- The right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 EU GDPR).
9.3 United Kingdom (UK GDPR + DPA 2018)
UK residents have the same rights as EU/EEA residents above under the UK GDPR, and may lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113. Web: ico.org.uk/make-a-complaint
Reservly's ICO registration reference is pending (registration in progress — see RA-27). UK residents may still exercise all rights and contact the ICO regardless of registration status.
9.4 Switzerland (nFADP)
Swiss residents may exercise the GDPR-aligned rights above and may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).
9.5 California (CCPA / CPRA)
If you are a California resident, you have, in addition to the universal rights:
- The right to know what categories of personal information we collect, sources, purposes, and categories of third parties we disclose to.
- The right to opt out of the sale or sharing of personal information. Reservly does not sell or share personal information, but the opt-out page is provided regardless: Do Not Sell or Share My Personal Information.
- The right to limit the use and disclosure of sensitive personal information. Reservly does not process sensitive PI for purposes beyond what is necessary to provide the service.
- The right to non-discrimination for exercising your rights — we will not deny service, charge different prices, or reduce service quality.
- Authorised agent. You may designate an authorised agent to make a request on your behalf. We may require the agent to submit a signed permission, and we may ask you directly to verify the request.
- Global Privacy Control (GPC). We honour the Global Privacy Control browser signal as an opt-out of any "sale" or "share" that might otherwise apply.
- Retention of requests. We keep a record of your rights requests and our responses for 24 months to demonstrate compliance.
To exercise your CCPA/CPRA rights, email support@reservly.io or visit our Do Not Sell or Share page.
Sensitive personal information (CCPA/CPRA). Reservly may process the following categories of sensitive personal information as defined by CCPA/CPRA: account log-in credentials (email + hashed password). We do not use this data for purposes other than providing the service. We do not "sell" or "share" sensitive personal information for cross-context behavioural advertising.
Annual disclosure metrics. As required by CCPA/CPRA, Reservly compiles and publishes annual metrics on the number of rights requests received, actioned, and denied within 12 months. Metrics are available at /legal/privacy#ccpa-metrics and updated no later than 90 days after the end of each calendar year. For the current operating year, metrics will be published once sufficient data is available.
9.6 Other US states
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Delaware, New Jersey, Montana, Iowa, Tennessee, Indiana, New Hampshire, Kentucky, Rhode Island, Minnesota, or Maryland, you have rights substantially similar to those set out above, under your state's applicable privacy law (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Florida FDBR, Delaware DPDPA, NJ DPA, Montana CDPA, Iowa ICDPA, Tennessee TIPA, Indiana CDPA, New Hampshire Privacy Act, Kentucky CDPA, Rhode Island DTPPA, Minnesota CDPA, Maryland Online Data Privacy Act).
To exercise these rights, email support@reservly.io. If we deny a request, residents of states whose law grants an appeal right (including Texas) may appeal the denial by replying to our response with the word "appeal" in the subject line; we will respond to the appeal within the time the state law provides, typically 45–60 days.
We honour universal opt-out mechanisms (including Global Privacy Control) in each state that requires us to do so.
9.7 Canada (PIPEDA + provincial laws)
Canadian residents (except Quebec — see below) have, in addition to the universal rights:
- The right to challenge the accuracy and completeness of your personal information and have it corrected or annotated.
- The right to withdraw consent, subject to legal or contractual restrictions.
- The right to file a complaint with the Office of the Privacy Commissioner of Canada: priv.gc.ca.
Provincial privacy laws. In addition to federal PIPEDA, British Columbia and Alberta each have substantially similar provincial legislation (BC PIPA — Personal Information Protection Act, SBC 2003; Alberta PIPA — Personal Information Protection Act, SA 2003) that applies to the collection, use, and disclosure of personal information in those provinces. Reservly's practices under PIPEDA are consistent with both provincial PIPAs. Residents of BC and Alberta may also file complaints with their respective provincial commissioners (OIPC BC at oipc.bc.ca and OIPC Alberta at oipc.ab.ca).
CPPA (Bill C-27). Canada's proposed Consumer Privacy Protection Act (Bill C-27) is currently before Parliament and, if enacted, will replace PIPEDA with a modernised framework broadly aligned with GDPR principles. Reservly monitors Bill C-27's progress. When enacted, we will update this section and our DPA accordingly. Our current PIPEDA-compliant practices are designed to be largely compatible with C-27's requirements.
Privacy Impact Assessments. Reservly conducts internal Privacy Impact Assessments for new features that involve new categories of personal data or new processing activities, in accordance with PIPEDA's accountability principle. Canadian residents may request information about our PIA process by contacting support@reservly.io with subject line "Privacy Officer".
CASL (Canadian Anti-Spam Legislation). Marketing email to Canadian Customers and Business owners requires express or implied consent under CASL. Express consent is collected via the booking form opt-in checkbox. Implied consent is valid for:
- 2 years from the date of a booking or purchase transaction with Reservly; or
- 6 months from the date of a non-purchase business inquiry (contact form, request for estimate, or other communication that did not result in a transaction).
After the applicable implied-consent period, express consent is required. Reservly retains proof of consent (opt-in record, consent type, and booking/inquiry reference) for 3 years, to satisfy CASL's reverse-onus requirement (CRTC enforcement requires showing that consent existed at the time of sending). Canadian recipients may unsubscribe from marketing messages at any time via the unsubscribe link in any email or by emailing support@reservly.io with subject line "Unsubscribe".
Quebec. Quebec is not a currently available Reservly market. Reservly has excluded Quebec from its service because Quebec's Charter of the French Language (as amended by Bill 96) requires software interfaces and consumer contracts to be available in French, and Reservly's platform is currently English-only. Quebec-resident businesses and their customers cannot sign up for or use Reservly until French-language versions are available. Canadian residents in all provinces other than Quebec are fully eligible to use Reservly. See Geographic Availability for details.
9.8 Australia (Privacy Act 1988 + APPs)
Australian residents have the right to access and correct their personal information and the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au. We are subject to the Notifiable Data Breaches scheme and will notify the OAIC and affected individuals in accordance with that scheme when its threshold is met.
9.9 Brazil (LGPD)
Brazilian residents have the rights set out in LGPD Article 18, including confirmation, access, correction, anonymisation/blocking/elimination, data portability, information about third parties with whom Reservly shares data, and the right to revoke consent. Complaints may be lodged with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd. Reservly currently operates as a small-scale processing agent under ANPD Resolution CD/ANPD No. 2/2022 guidance; our Privacy Officer handles LGPD inquiries.
Language note: This policy is currently available in English only. A Portuguese-language version (Política de Privacidade) is in preparation. Brazilian residents who require a Portuguese-language version may contact support@reservly.io with subject line "Política de Privacidade" for a Portuguese translation of the relevant sections.
Encarregado (LGPD Art. 41). LGPD requires both controllers and processors to designate an encarregado de proteção de dados (data protection officer equivalent). Reservly qualifies for the simplified regime for small processing agents under ANPD Resolution CD/ANPD No. 2/2022, which provides a proportional compliance path for companies below the small-enterprise revenue threshold (Complementary Law 123/2006). Reservly's Privacy Officer (reached at support@reservly.io, subject line "Privacy Officer") fulfils the encarregado function. Reservly will appoint a formally designated encarregado if its processing scale or Brazilian-resident data volumes grow past the small-agent threshold.
9.10 South Africa (POPIA)
South African residents have the right to be notified of collection, the right to access and correct their personal information, the right to request deletion, the right to object to processing, and the right to withdraw consent at any time. Complaints may be lodged with the Information Regulator at inforegulator.org.za.
Reservly's Information Officer. Our Privacy Officer serves as Reservly's designated Information Officer for POPIA purposes and can be reached at support@reservly.io with subject line "Privacy Officer".
POPIA cross-border transfer. Reservly's primary database is located in the United States (Supabase, Ohio). This constitutes a transfer of personal data to a third country under POPIA section 72. The transfer is authorised on the basis of: (a) it is necessary for the performance of a contract between you and Reservly or the business whose booking page you used (POPIA s. 72(1)(b)); and (b) Reservly maintains appropriate contractual safeguards (EU Standard Contractual Clauses, incorporated into its Data Processing Agreement) with Supabase and other sub-processors for the protection of your personal data.
PAIA Manual. South African law (Promotion of Access to Information Act 2 of 2000, s. 51) requires private bodies to maintain a manual describing their information holdings and how to request access. Reservly's PAIA Manual is available on request by emailing support@reservly.io with subject line "PAIA Manual request". We are preparing a published version of the Manual and will link it here when available.
Direct marketing. Reservly collects consent for marketing email separately from booking consent, in accordance with POPIA section 69. You may withdraw your marketing consent at any time using the unsubscribe link in any marketing email.
9.11 Nigeria (NDPA 2023)
Nigerian residents have rights under the Nigeria Data Protection Act 2023, including: the right to be informed of data collection; the right to access your personal data; the right to rectification; the right to erasure; the right to restriction of processing; the right to data portability; the right to object to processing; and the right not to be subject to solely automated decision-making with legal effects. Reservly does not engage in solely automated decision-making of this kind.
Complaints may be directed to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Cross-border transfer. Your personal data is processed in the United States. Reservly maintains EU Standard Contractual Clauses (which the NDPC accepts as appropriate safeguards) with its sub-processors for data transferred outside Nigeria.
Data Controller registration. Reservly will register with the NDPC as a Data Controller of Major Importance (DCMI) when its processing of Nigerian personal data exceeds the statutory threshold (2,000 data subjects per month or entry into a sensitive processing sector). Our Privacy Officer handles NDPA inquiries at support@reservly.io with subject line "Privacy Officer".
9.12 Kenya (Data Protection Act 2019)
Kenyan residents have rights under the Kenya Data Protection Act 2019, including: the right to be informed of data processing; the right of access; the right to rectification; the right to erasure; the right to restriction; the right to data portability; the right to object; and the right to withdraw consent. Reservly does not engage in solely automated decision-making with legal effects.
Complaints may be lodged with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
Cross-border transfer. Your personal data is processed in the United States. Reservly relies on EU Standard Contractual Clauses (which the ODPC accepts as appropriate safeguards) for transfers from Kenya to Reservly's US infrastructure.
ODPC registration. Reservly is in the process of registering with the ODPC as a data controller. Kenyan residents may exercise their rights by contacting support@reservly.io with subject line "Privacy Officer".
9.13 Ghana and Tanzania
Ghana (Data Protection Act, Act 843 of 2012). Ghanaian residents have the right to access, correct, and request deletion of their personal data, and the right to object to processing, under Ghana's Data Protection Act. Complaints may be lodged with the Data Protection Commission (DPC) at dataprotection.org.gh. Cross-border transfer: Reservly relies on EU Standard Contractual Clauses as appropriate safeguards for transfers from Ghana to Reservly's US infrastructure. Reservly will register with the DPC before processing Ghanaian personal data at scale.
Tanzania (Personal Data Protection Act 2022). Tanzanian residents have rights substantially equivalent to those in § 9.12 above. Complaints may be lodged with the Personal Data Protection Commission (PDPC). Cross-border transfer: EU Standard Contractual Clauses apply. Breach notification: Tanzania's PDPA requires notification within 48 hours — Reservly will meet this stricter timeline for Tanzanian data subjects in the event of a breach affecting their personal data, notwithstanding the general 72-hour standard in § 12 of this policy.
9.14 India (DPDP Act 2023)
Indian residents have the right to access, correction, erasure, and grievance redressal under the Digital Personal Data Protection Act, 2023. Grievances may be directed to our Privacy Officer; if our response is unsatisfactory, you may approach the Data Protection Board of India under the procedure established by DPDP Rules.
9.15 United Arab Emirates (PDPL)
UAE residents have rights substantially similar to GDPR under Federal Decree-Law No. 45 of 2021. Concerns may be raised with the UAE Data Office.
9.16 Singapore (PDPA)
Singapore residents have the right to access and correction, and may withdraw consent at any time. Complaints may be lodged with the Personal Data Protection Commission at pdpc.gov.sg. For Do Not Call obligations, marketing messages to Singapore numbers are filtered against the national Do Not Call Registry where applicable.
9.17 Japan (APPI)
Japanese residents may exercise the rights set out in the Act on Protection of Personal Information, including disclosure, correction, cessation of use, and cessation of third-party provision. Complaints may be directed to the Personal Information Protection Commission at ppc.go.jp.
9.18 Hong Kong (PDPO)
Hong Kong residents may exercise the rights set out in the Personal Data (Privacy) Ordinance, including access and correction. Complaints may be lodged with the Office of the Privacy Commissioner for Personal Data at pcpd.org.hk.
9.19 All other jurisdictions (global residents)
If you are located in a jurisdiction not specifically listed above, we will honour the universal rights in § 9.1 and any local rights that apply, to the extent technically possible. Email support@reservly.io to make a request.
For residents of Morocco, Egypt, Ethiopia, Rwanda, and other African Union member states, Reservly's practices align with the principles of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention). Country-specific rights disclosures will be added as Reservly expands its formal presence in those markets.
9.20 Argentina (Personal Data Protection Law 25.326)
Argentine residents have the following rights under Law 25.326 and its regulatory Decree 1558/2001:
- Acceso. The right to obtain from Reservly free of charge information about your personal data held in our files, after verification of your identity.
- Rectificación. The right to request correction of inaccurate, incomplete, or outdated data.
- Supresión. The right to request deletion of personal data when the data is no longer necessary or when consent is revoked — subject to lawful retention requirements.
- Confidencialidad. The right to request that data that cannot be deleted be blocked or rendered confidential.
Data controller registration. Argentina's Law 25.326 Art. 21 requires controllers of personal data files to register with the AAIP. If you are an Argentine business using Reservly to manage your customers' bookings, you (the business, as data controller of your customers' data) may have an obligation to register your customer database with the AAIP's National Register of Databases. Consult Argentine counsel or the AAIP directly at aaip.gob.ar.
Cross-border transfer (Argentina → Reservly). Reservly's infrastructure is currently in the United States. Argentina's Law 25.326 Art. 12 restricts international transfers to countries that do not provide an adequate level of protection, unless contractual guarantees are in place. Reservly relies on contractual safeguards — specifically, DPA-level obligations imposed on each sub-processor — to provide protection equivalent to that required under Argentine law.
EU Adequacy note. Argentina has an EU adequacy decision (2003), which means that EU personal data may flow to Argentina without additional GDPR safeguards. If you are an Argentine business with EU customers, your use of Reservly (a GDPR-compliant platform) for booking management supports a compliant data-flow chain. If Reservly's primary database migrates to EU infrastructure (as planned), the data-processing relationship between Reservly and Argentine businesses will benefit from the EU↔Argentina adequacy framework in both directions.
To exercise your rights or lodge a complaint: email support@reservly.io with subject line "Argentina Privacy" or contact the AAIP at aaip.gob.ar.
9.21 Colombia (Ley Estatutaria 1581/2012 + Decreto 1377/2013)
Colombian residents have the following rights under Ley 1581 and its regulatory Decree 1377/2013:
- Conocer. The right to know what personal data is held and how it is being processed.
- Actualizar y rectificar. The right to update and correct personal data.
- Prueba del consentimiento. The right to request proof of consent given for data processing.
- Ser informado. The right to be informed about changes to the data protection policy.
- Revocar. The right to revoke consent, where consent was the legal basis.
- Acceder. Free access to personal data and information about how it is processed.
- Quejarse. The right to file complaints with the SIC.
Registro Nacional de Bases de Datos (RNBD). Colombia requires data controllers to register their personal data databases with the SIC's RNBD. If you are a Colombian business using Reservly to manage customer bookings, you (as the data controller of your customers' data) may have a registration obligation. Information on registration is available at sic.gov.co.
Cross-border transfer. Reservly transfers Colombian personal data to the United States under contractual guarantees that impose data-protection obligations consistent with Colombian law requirements. See DPA.
To exercise your rights or lodge a complaint: email support@reservly.io with subject line "Colombia Privacy" or contact the SIC at sic.gov.co.
9.22 Mexico (LFPDPPP)
Mexican residents have the following ARCO rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares:
- Acceso. The right to obtain information about your personal data held by Reservly, the purposes for which it is processed, and the conditions of the processing.
- Rectificación. The right to correct inaccurate, incomplete, or outdated personal data.
- Cancelación. The right to request deletion of your personal data. Mexican law requires a "bloqueo" (blocking) period of 2 years before final deletion, during which the data is retained but not actively processed (except to comply with legal obligations or defend legal claims). This 2-year period differs from the immediate-deletion right in some other jurisdictions.
- Oposición. The right to object to specific processing activities, including receiving marketing communications.
Aviso de privacidad. Mexican law (LFPDPPP Arts. 15–16) requires a formal aviso de privacidad to be provided in Spanish at the point of data collection. Reservly is preparing a formal Spanish aviso de privacidad for Mexican data subjects. In the interim, this Privacy Policy constitutes the disclosure of your rights and our processing purposes. To receive a Spanish-language version, email support@reservly.io with subject line "Aviso de Privacidad".
Primary vs. secondary purposes. Under Mexican law, primary purposes (those necessary for the contractual relationship — operating your Reservly account, processing bookings, sending transactional emails) do not require separate consent but must be disclosed. Secondary purposes (product improvement, analytics, and marketing communications) require opt-in and you may opt out at any time without affecting the primary service.
To exercise your ARCO rights or lodge a complaint: email support@reservly.io with subject line "Mexico ARCO". You may also contact the INAI at inai.org.mx.
9.23 Chile (Ley 21.719 — Ley Marco de Datos Personales)
Chile's data protection framework is transitioning from the previous Ley 19.628 to the new Ley Marco de Datos Personales (Ley 21.719), which introduces comprehensive GDPR-style protections with full enforcement expected by December 2026. The Agencia de Protección de Datos Personales (ADPP) is the new data protection authority.
Chilean residents have the following rights under Ley 21.719:
- Acceso. The right to obtain confirmation of whether Reservly processes your personal data and, if so, a copy of that data.
- Rectificación. The right to correct inaccurate personal data.
- Supresión. The right to request deletion of personal data when no longer necessary or when consent is revoked.
- Portabilidad. The right to receive your personal data in a structured, commonly used, machine-readable format.
- Oposición. The right to object to processing for legitimate-interest purposes.
- Limitación. The right to restrict processing in certain circumstances.
Breach notification. Ley 21.719 requires notification of personal data breaches to the ADPP within 72 hours of becoming aware. This is consistent with Reservly's 72-hour breach notification commitment described in § 12 of this policy.
To exercise your rights or lodge a complaint: email support@reservly.io with subject line "Chile Privacy" or contact the ADPP at adpp.cl.
9.24 Peru (Ley 29733 de Protección de Datos Personales)
Peruvian residents have the following ARCO rights under Ley 29733 and its Regulation DS 003-2013-JUS:
- Acceso. The right to obtain comprehensive information about your personal data held by Reservly.
- Rectificación. The right to correct inaccurate or incomplete personal data.
- Cancelación. The right to request deletion of personal data when no longer necessary or when consent is revoked. Peruvian law requires the data to be blocked for a period before final deletion.
- Oposición. The right to object to processing activities.
Registro Nacional de Protección de Datos Personales. Peruvian law requires data controllers to register their personal data banks with the ANPDP. If you are a Peruvian business using Reservly to manage customer bookings, you (as the data controller of your customers' data) may have a registration obligation with the ANPDP. See gob.pe/anpdp.
To exercise your rights or lodge a complaint: email support@reservly.io with subject line "Peru Privacy" or contact the ANPDP via the Ministry of Justice website at minjus.gob.pe.
9.25 Uruguay (Ley 18.331 de Protección de Datos Personales e Información Pública)
Uruguayan residents have the following rights under Ley 18.331 and its regulatory Decree 414/009:
- Acceso. The right to obtain information about personal data held by Reservly and its processing.
- Rectificación. The right to correct inaccurate personal data.
- Supresión. The right to request deletion of personal data, subject to retention requirements.
- Actualización. The right to have outdated data updated.
EU Adequacy. Uruguay has a European Commission adequacy decision (2012), meaning that transfers of personal data from the European Union or EU-adequate countries to Uruguay are permitted without additional safeguards. If Reservly's primary database migrates to EU infrastructure (as planned — see § 8), the data-processing relationship between Reservly and Uruguayan Businesses will benefit fully from this adequacy framework.
Registro de bases de datos (URCDP). Uruguay's Law 18.331 requires databases containing personal data to be registered with the URCDP. If you are a Uruguayan business using Reservly, you (as the data controller of your customers' booking data) may have a registration obligation. See datospersonales.gub.uy.
To exercise your rights or lodge a complaint: email support@reservly.io with subject line "Uruguay Privacy" or contact the URCDP at datospersonales.gub.uy.
9.26 Ecuador (Ley Orgánica de Protección de Datos Personales — LOPDP, 2021)
Ecuadorian residents have the following rights under the LOPDP:
- Acceso. The right to obtain confirmation of whether Reservly processes your personal data and to receive a copy of that data.
- Rectificación. The right to correct inaccurate or incomplete personal data.
- Eliminación. The right to request deletion of personal data when the purpose of processing has ended or consent is revoked.
- Portabilidad. The right to receive your personal data in a structured, commonly used, machine-readable format.
- Oposición. The right to object to processing based on legitimate interest.
- Limitación. The right to restrict processing in specific circumstances.
To exercise your rights or lodge a complaint: email support@reservly.io with subject line "Ecuador Privacy" or contact the SIDPP at protecciondedatos.gob.ec.
10. How to exercise your rights
- Self-service. Business owners can export and delete their data from Settings → Account in the dashboard. End-user customers can cancel, reschedule, and request deletion from the booking-management link in their confirmation email.
- By email. support@reservly.io. To reach the Privacy Officer role directly, include subject line "Privacy Officer".
- Verification. We may ask you to confirm facts about your account or booking that only you are likely to know. We do not require proof of identification beyond what's necessary to prevent fraudulent requests.
- Turnaround. We aim to respond within 30 days and in any event within the time limit your jurisdiction's law requires (45 days for CCPA, 30 days for GDPR, longer for complex requests with notice).
- Authorised agents. You may authorise someone else to make a request for you. We will ask for their permission from you and may verify the request with you directly.
- No fee. Rights requests are free unless clearly unfounded or excessive (for example, repetitive identical requests), in which case we may charge a reasonable fee or decline.
10A. Communication preferences
10A.1 Email — types we send
Reservly sends email on behalf of Businesses to their Customers, and sends email on Reservly's own behalf to Business account holders.
Transactional email (sent on behalf of a Business to its Customers; no opt-in required; cannot be suppressed by a general marketing unsubscribe because they are functionally part of the booking contract):
- Booking confirmation
- Booking reminder
- Booking cancellation notice
- Reschedule confirmation
- Refund or payment notification
Non-transactional email (sent on behalf of a Business; opt-out respected; suppressed for any Customer who has unsubscribed):
- Post-visit follow-ups
- Promotional messages (if the Business enables them)
- Marketing emails where the Customer has opted in at booking time
Platform email (sent by Reservly to Business account holders; opt-out available from Settings → Notifications):
- Product updates, feature announcements
- Billing and subscription notices (transactional — cannot be opted out)
- Security alerts (transactional — cannot be opted out)
10A.2 Email — how we send it
All email is sent via Resend (a sub-processor listed at reservly.io/legal/subprocessors), using Reservly's verified sending domain reservly.io. Resend receives the recipient email address, the email subject and body, and delivery event data (sent, delivered, bounced, complained). Open tracking and click tracking are not currently active on Reservly's Resend domain configuration. If we activate either, we will update this section at least 30 days before activation.
10A.3 Email — consent and unsubscribe
Transactional email does not require marketing consent because it is functionally part of the booking agreement.
Marketing email requires explicit opt-in. Opt-in is collected at booking time via a clearly labelled, pre-unchecked checkbox on the Business's booking form. A Customer can opt out at any time:
- Unsubscribe link — every non-transactional email contains a one-click unsubscribe link and a List-Unsubscribe / List-Unsubscribe-Post header (RFC 8058 compliant).
- Reply — replying UNSUBSCRIBE to any email requires the Business to honour the request promptly under our Acceptable Use Policy.
- Contacting Reservly — if the Business is unresponsive, email support@reservly.io and we will suppress the address directly.
Opt-out is effective on the next scheduled send. Unsubscribing from marketing email does not affect transactional email.
GDPR / ePrivacy (EU/UK): Marketing email to EU and UK Customers requires a positive opt-in checkbox that is not pre-ticked. Transactional email is sent on the basis of contract performance (GDPR Art. 6(1)(b)). UK PECR business-to-business communications: The UK Privacy and Electronic Communications Regulations (PECR) provide a soft opt-in for marketing to business email addresses (e.g., a business's own email address at its domain), where the sender has an existing customer relationship and is marketing similar products or services. Reservly's own marketing emails to Business subscribers may rely on this soft opt-in where applicable, subject to Business subscribers' right to opt out at any time.
CASL (Canada): Marketing email to Canadian Customers and Business owners requires express or implied consent. Express consent is collected via the booking form opt-in. Implied consent timelines: 2 years from a booking/purchase, or 6 months from a non-purchase inquiry. After the applicable window, express consent is required. Reservly retains consent records for 3 years (CASL reverse-onus requirement).
10A.4 SMS — Reservly's model
Reservly provides an optional SMS feature (a paid add-on) that allows Businesses to send booking-related text messages to their Customers. Reservly is not the SMS sender. Each Business connects its own Twilio account. SMS messages flow through the Business's Twilio account, under the Business's registered phone number, at the Business's cost. Reservly acts as the facilitator.
What Reservly stores: Twilio account SID and auth token (encrypted at rest in Supabase Vault), the sending phone number, and a log of SMS send events (timestamp, delivery status) for the Business's dashboard.
What Reservly does not store: the full text of individual SMS messages (only the template type), recipient phone numbers in plaintext (only delivery event metadata), or message content beyond template variables.
10A.5 SMS — consent and opt-out
For US recipients (TCPA): No automated SMS message may be sent without prior express written consent. The SMS opt-in checkbox on the Reservly booking form satisfies the written-consent requirement. Every SMS must include opt-out instructions. A recipient who replies STOP, UNSUBSCRIBE, CANCEL, END, or QUIT must receive a single confirmation and then no further messages. SMS opt-in consent must not be a mandatory condition of booking — it must remain a separate, optional checkbox.
For EU/UK recipients (GDPR/ePrivacy/PECR): Explicit prior consent is required for marketing SMS. Transactional reminders sent with the Customer's booking consent fall within the contractual basis combined with the ePrivacy existing-customer-relationship exception, provided they are limited to booking subject matter.
For Canadian recipients (CASL): Express consent is required for marketing SMS. The booking opt-in checkbox satisfies this. Implied consent lasts 2 years from the booking date or 6 months from a non-purchase inquiry.
For Singapore recipients: Reservly's SMS pipeline filters against the Singapore Do Not Call Registry where technically feasible.
10A.6 Consent records
Reservly retains proof of consent (opt-in checkbox value, consent timestamp, and booking reference) for the lifetime of the booking record plus 2 years (TCPA/GDPR), and for 3 years for Canadian residents (CASL reverse-onus requirement), in order to demonstrate compliance under applicable laws. This retention is in addition to the general booking-record retention described in § 11.
11. Data retention
We retain personal data only for as long as we need it for the purposes set out in this policy or as required by law. Our operational retention schedule:
| Data category | Retention |
|---|---|
| Active Business account data | For the life of your subscription, plus 90 days after termination |
| Closed Business accounts | Soft-deleted for 30 days (recoverable on request), then permanently deleted |
| Booking records | 7 years, for tax and dispute-defence purposes |
| Email send logs (delivery events, bounces, complaints) | 12 months |
| Sentry error traces | 90 days (PII scrubbed at ingest) |
| Rights-request records (CCPA/CPRA) | 24 months |
| Server access logs | 30 days |
| Encrypted backups | Rolling 30-day window, point-in-time recovery 7 days |
Where applicable law requires a longer retention, we comply with that law. Where your deletion right applies and we can comply without disturbing a legal obligation, we delete within 30 days of your request.
12. Security and breach notification
We maintain technical and organisational measures appropriate to the risk, summarised in § 5 of our Data Processing Agreement and including: encryption in transit (TLS 1.2+) and at rest (AES-256), per-tenant PostgreSQL row-level security, Supabase Vault for integration tokens, Sentry error monitoring with PII scrubbing, 30-day encrypted backups, documented incident-response playbooks, and continuous CI gates (TypeScript strict mode, build, lint, and Playwright tests).
If a personal-data breach affects your personal data and poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority without undue delay, and in any event within 72 hours of becoming aware, to the extent EU GDPR Article 33 or an equivalent law requires.
- Notify affected individuals without undue delay when the breach is likely to result in a high risk (EU GDPR Article 34 and equivalent).
- Notify affected Businesses (where Reservly is processor) so they can meet their own notification obligations to their customers.
- Notify state Attorneys General and other regulators where US state breach-notification laws require, including the Wyoming Data Breach Notification Act (W.S. § 40-12-501 et seq.) for Wyoming-resident personal identifying information.
- Notify affected individuals and the Personal Data Protection Commission (Tanzania) within 48 hours if the breach affects personal data of Tanzanian data subjects — Tanzania's PDPA imposes a 48-hour notification window, which is stricter than the 72-hour standard applied in all other jurisdictions.
For Brazilian residents (Resolution CD/ANPD No. 1/2021): Security incidents affecting Brazilian residents' personal data must be reported to the ANPD and affected individuals within 2 working days of Reservly becoming aware of the incident, when there is relevant risk of damage to data subjects. This is a shorter window than the GDPR 72-hour requirement above. Where the same incident involves both EU/UK and Brazilian data subjects, we will comply with whichever deadline is shorter — meaning all affected parties will be notified within 2 working days in that scenario.
For Canadian residents: In addition to the general federal breach notification obligations under PIPEDA (Report a Breach of Security Safeguards Regulations), Reservly will notify the applicable provincial regulator (as required by regulation) and affected individuals when a breach creates a real risk of significant harm. Timelines: CAI (Quebec-applicable) within 72 hours; OPC (Office of the Privacy Commissioner, other Canadian provinces) as soon as feasible following the PIPEDA reasonable-risk assessment.
Security researchers: please report vulnerabilities through our Responsible Disclosure policy.
13. Children's privacy
Reservly is not directed at children, and our Terms of Service require Business account holders to be at least 18 years old. We do not knowingly collect personal data from children. If you believe a child under 13 has provided us with personal data, email support@reservly.io with the subject line "Children's data" and we will delete it promptly.
14. Our compliance roadmap
Reservly is a small, independent company. Several compliance commitments below become more concrete as we grow:
- EU Representative (GDPR Article 27). Reservly is in the process of appointing an EU Representative. GDPR Article 27 applies to any controller not established in the EU/EEA who engages in systematic processing of EU personal data — this applies to Reservly from its first EU subscription. We will publish the representative's name and contact details in § 19 when the appointment is complete.
- UK Representative (UK GDPR Article 27). Same timeline — appointment in progress, to be published in § 19.
- Data Protection Officer (EU GDPR Article 37). Reservly will appoint a DPO if we add processing that systematically monitors data subjects at scale, or if our processing of special-category data crosses Article 37(1) thresholds.
- Swiss Representative (nFADP Article 14). We will appoint a Swiss representative if thresholds under the nFADP are triggered by our Swiss-resident data subject volume.
- SOC 2 Type II attestation. We are pursuing SOC 2 Type II attestation. We will publish availability on our Security page when the first report issues.
- Professional accessibility audit. We commission regular accessibility reviews and continuous internal testing; see our Accessibility Statement for details.
- EU AI Act Article 50 (effective 2 August 2026). When the planned Reservly Assistant feature interacts directly with customers on booking pages, we will implement clear AI identity disclosure at the start of every session. This is required under Article 50(1) (deployers must inform users they are interacting with an AI system) and is our practice regardless of legal obligation.
- African DPA registrations. Reservly will register with the following national data-protection authorities as it expands active marketing in those markets: ODPC (Kenya — before formal Kenya market launch), NDPC (Nigeria — when processing exceeds the DCMI threshold of 2,000 data subjects/month), DPC (Ghana — on Ghana market launch), and PDPC (Tanzania — before formal Tanzania market launch). Registration status per market will be noted when completed.
- Malabo Convention. Reservly's practices are designed to align with the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, in force June 2023). As AU member states adopt implementing legislation, Reservly will expand the per-country sections of this policy accordingly.
- Morocco and Egypt. Reservly will add dedicated coverage for Moroccan (Law 09-08 and successor law) and Egyptian (Personal Data Protection Law 151/2020) data subjects when: (a) the AI translation feature enables French- and Arabic-language privacy notices, and (b) Reservly formally engages the CNDP (Morocco) and PDPC (Egypt) registration/licensing processes.
- French-language translation. Reservly is evaluating French-language translations of its platform and legal pages as part of a planned Quebec market entry programme. Until available, Quebec residents are excluded from the service. French translations would also serve Moroccan and Rwandan markets.
15. Tracking technologies and cookies
15.1 What we use and why
Reservly uses cookies, browser localStorage, and — for multi-step booking flows — sessionStorage to operate the platform. The complete inventory with cookie names, durations, and purposes is published in our separate Cookie Policy. The summary:
| Technology | Category | Purpose |
|---|---|---|
| sb-[ref]-auth-token (cookie) | Strictly Necessary | Authentication session management |
| reservly-csrf (cookie) | Strictly Necessary | CSRF protection on form submissions |
| reservly_lang, reservly_currency (cookie + localStorage) | Functional | Language and currency preferences |
| reservly_ref (cookie) | Functional | Referral-source attribution (30 days) |
| reservly_cookie_consent (cookie) | Functional | Stores your consent choice (12 months) |
| Stripe cookies (__stripe_mid, __stripe_sid) | Third-party Functional | Payment fraud prevention — only loaded when a Business has Stripe enabled |
| PayPal cookies (ts, ts_c, x-pp-s) | Third-party Functional | Payment fraud prevention — only loaded when a Business has PayPal enabled |
| Paddle cookies (paddlejs, paddle_session) | Third-party Functional | Subscription billing — only in the dashboard |
Reservly does not use advertising, marketing, or cross-site behavioural-tracking cookies today. When we activate analytics or advertising cookies in the future, we will update this policy and the Cookie Policy with at least 30 days' advance notice and will require consent (opt-in in the EU/UK/EEA/CH/CA; opt-out in the US) before setting them.
15.2 Consent model
- EU, EEA, UK, Switzerland, and Canada: opt-in consent is required before any non-essential cookies or localStorage entries are written. You will see a modal on your first visit. Your choice is recorded in reservly_cookie_consent for 12 months. You can change your choice at any time from the Cookie Policy page or the footer "Cookie preferences" link.
- United States and other regions: functional cookies are active by default (as US state privacy laws permit), and you can opt out at any time using the opt-out banner, the Do Not Sell or Share My Personal Information page, or the Global Privacy Control signal.
- Global Privacy Control (GPC): if your browser sends the GPC signal, we honour it automatically as an opt-out — you will not see the cookie banner.
15.3 Legal basis for cookies
Strictly necessary cookies are processed on the basis of legitimate interests (EU GDPR Art. 6(1)(f)) and contract performance (Art. 6(1)(b)). They are exempt from the consent requirement under the ePrivacy Directive. Functional cookies and localStorage entries are processed on the basis of consent (EU GDPR Art. 6(1)(a)) for EU/UK/EEA/CH/CA visitors and on the basis of legitimate interests (Art. 6(1)(f)) for US visitors, subject to your opt-out right.
Full details are in our separate Cookie Policy.
16. Payment data
Reservly is a software platform, not a payment processor. Payment data Reservly handles is limited:
- For Reservly's own subscriptions. Paddle is our merchant of record and handles your payment data end-to-end. Reservly stores only a Paddle subscription identifier and the last four digits of your payment method for display.
- For payments your Customers make to your Business. When a Business uses Reservly to collect payments from its Customers through Stripe or PayPal, the Business is the merchant of record through its own Stripe or PayPal account. Card data flows directly from the Customer to Stripe or PayPal and never touches Reservly. We store only a payment-intent or order identifier and the last four digits for display.
We are at PCI-DSS SAQ-A scope for cardholder-data security purposes because we do not handle cardholder data directly.
16A. AI processing
16A.1 AI features overview
Reservly uses an AI translation service to help businesses translate their service names, descriptions, and policies into multiple languages. Future features may include an AI assistant for customer booking queries. This section describes how personal data is handled in connection with these features.
16A.2 What data is sent to the AI provider
The AI translation feature sends business-authored content to the AI provider. This content is written by business owners and may incidentally include personal data if the owner has included personal information (such as staff names or contact details) in their service descriptions. Reservly recommends that business owners avoid including personal data in service description fields. Customer personal data — names, email addresses, phone numbers, booking details — is never sent to AI providers as part of the translation feature.
16A.3 AI provider and data location
Current provider: Mistral AI (Mistral AI SARL, 15 rue des Halles, 75001 Paris, France — EU entity).
Data processed for AI translation is hosted in the European Union. Because Mistral AI is an EU-based entity and stores data in the EU by default, no international data transfer takes place for this processing.
16A.4 Legal basis for AI processing
The legal basis for processing business-authored content via the AI translation service is Article 6(1)(b) EU GDPR (performance of a contract — specifically, Reservly's service contract with the business to provide the multi-language booking platform) and Article 6(1)(f) EU GDPR (legitimate interests — enabling business owners to reach customers in their preferred language).
16A.5 No training on customer or business data
Mistral AI does not use data submitted through the paid API to train its models. Reservly does not sell, license, or otherwise share any data with AI providers for model training purposes. The commitment in § 6.5 that "we do not use your data to train general-purpose AI models" applies here.
16A.6 EU AI Act
Reservly's current AI use (translation) does not trigger Article 50 transparency obligations because the AI interaction is with the business owner (not a customer) and the output is a draft translation shown in a preview before saving. When the planned Reservly Assistant feature (future roadmap) is introduced, customers will be clearly informed at the start of every interaction that they are interacting with an AI system, as required by EU AI Act Article 50 (applicable from 2 August 2026) and as Reservly's practice regardless of legal obligation. See our separate AI Features page for the full AI disclosure.
17. Accessibility
Reservly is committed to WCAG 2.1 Level AA accessibility for reservly.io and for Reservly-hosted booking pages. If you encounter an accessibility barrier, email support@reservly.io with the subject line "Accessibility". See our separate Accessibility Statement for commitments, known limitations, and our feedback SLA.
18. Automated decision-making and profiling
We do not use personal data for solely-automated decision-making that produces legal or similarly significant effects (EU GDPR Article 22). If that changes, we will update this policy and notify affected individuals before relying on such processing.
19. EU and UK representatives
EU Representative (GDPR Article 27). Reservly is in the process of appointing an EU Representative as required by GDPR Article 27 for controllers established outside the EU/EEA who systematically process EU personal data. Appointment is in progress; contact Reservly's Privacy Officer directly in the interim:
Interim EU/EEA contact:
Privacy Officer: Stjepan Luburic, Founder, Reservly LLC
Email: support@reservly.io (subject line: "EU Privacy")
Mailing address: Reservly LLC, c/o Northwestern Registered Agent Services, 30 N Gould St Ste R, Sheridan, WY 82801, United States
This interim arrangement will be replaced with a named EU representative contact block when the appointment is complete.
UK Representative (UK GDPR Article 27). Reservly is also in the process of appointing a UK Representative under UK GDPR Article 27. Until the appointment is complete, UK data subjects may contact:
Interim UK contact:
Privacy Officer: Stjepan Luburic, Founder, Reservly LLC
Email: support@reservly.io (subject line: "UK Privacy")
Mailing address: Reservly LLC, c/o Northwestern Registered Agent Services, 30 N Gould St Ste R, Sheridan, WY 82801, United States
ICO (UK). UK data subjects may also contact the Information Commissioner's Office directly:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
ico.org.uk
ico.org.uk/make-a-complaint
20. Changes to this policy
We may update this policy as Reservly changes or as the law changes. We will:
- Update the Last updated date at the top.
- Notify registered Business account holders by email at least 30 days before material changes take effect, unless the law requires a shorter period (for example, to address a security-critical issue).
- Keep an archive of prior versions available on request at support@reservly.io.
Your continued use of Reservly after a change takes effect indicates your acceptance of the updated policy. If you disagree with a change, you may cancel your subscription and request deletion of your data under § 10.
21. Contact us
Reservly
c/o Northwestern Registered Agent Services
30 N Gould St Ste R
Sheridan, WY 82801
United States
Email: support@reservly.io
Privacy Officer: Stjepan Luburic, Founder, Reservly LLC — support@reservly.io (subject line "Privacy Officer"). This designation satisfies named Privacy/Information Officer requirements under PIPEDA (Canada), POPIA (South Africa), and other applicable laws.
Security disclosures: security@reservly.io
Do Not Sell or Share: see Do Not Sell or Share My Personal Information
EU Privacy inquiries: support@reservly.io (subject line "EU Privacy")
UK Privacy inquiries: support@reservly.io (subject line "UK Privacy")
21.1 Google API Services — Limited Use disclosure
Reservly's use of information received from Google APIs — including Google Calendar, Google Drive, Google Meet, and Gmail OAuth scopes — adheres to the Google API Services User Data Policy, including the Limited Use requirements. In compliance with those requirements, Reservly:
- Uses Google user data only to provide and improve the specific integration feature the user authorised (calendar sync, drive backup, or meeting creation).
- Does not use Google user data to serve advertisements or for any other commercial purpose.
- Does not allow humans to read Google user data except where necessary to provide the service, for security purposes, or as required by law.
- Does not transfer Google user data to third parties except as necessary to provide the service or as required by law.
- Does not use Google user data for any purpose that violates the Google API Services User Data Policy.
This Privacy Policy works together with our Terms of Service, Data Processing Agreement, Sub-Processor List, Cookie Policy, Acceptable Use Policy, Accessibility Statement, and Refund Policy. Each of those documents, where relevant, is incorporated into this Privacy Policy by reference for the subject matter it covers.