Privacy policy

1. Identity of the platform provider

• Platform provider: FastCore Services Platform
• Name (controller): Norberto Ariel Fernandez Pereira y Alvarez
• Tax ID / VAT: 60129843T
• Address: C/Dodge 4, P.I. 7º B, 28041 Madrid, Spain
• Privacy contact: info@fcore.es

2. FastCore’s role in processing

When a user makes a booking through the widget embedded on a customer’s website, as a rule that customer acts as controller for the commercial and operational management of the booking, while FastCore acts as processor, providing the infrastructure, software, hosting, maintenance, technical support and technical operation of the tool.

However, FastCore may act as controller for certain processing necessary to ensure security, integrity, availability, technical traceability, auditing, support, fraud prevention, service monitoring and defence against claims or misuse of the platform.

This allocation of responsibilities is set out in the relevant service agreements and data processing agreements between FastCore and each customer.

3. Categories of data that may be processed

Depending on the customer’s configuration and use of the widget, FastCore may process the following categories of data:

• Identifying and contact data of the person making the booking, such as name, surname, email address and phone number.
• Booking-related data such as date, time, room or service booked, number of participants, notes, preferences and event details, as well as information about who made the booking, when and which options were selected, for managing and tracing bookings in the admin panel.
• Data relating to minors when the customer requests them for proper organisation of the event, such as the child’s name, age and date of birth.
• Administrative or financial data associated with the booking, such as payment status, amounts or payment method selected. For card payments, data are processed through the payment service provider Stripe, which acts as an independent controller from FastCore for payment processing purposes. FastCore does not store full card data.
• Technical and security data such as IP address, session identifiers, access logs, browser, device, error traces, timestamps of operations and audit logs.

4. Purposes of processing

FastCore may process personal data for the following purposes:

• To provide the SaaS booking platform to the customer and carry out the customer’s instructions regarding booking management, including registration and display of bookings in the customer’s admin panel.
• To manage automated operational communications on the customer’s behalf, such as booking confirmation emails, reminders and, where applicable, satisfaction surveys and communications related to the booking or similar services, provided the customer has enabled such features and has an appropriate legal basis.
• To ensure the correct technical operation of the widget, service continuity, platform availability and corrective and evolutionary maintenance.
• To manage technical support, incident resolution, technical supervision and operational assistance to the customer.
• To protect the platform and customers against unauthorised access, abuse, fraud, malicious use, security incidents or anomalous activity.
• To keep logs, technical traceability, auditing and system events necessary for security, compliance, diagnostics and operational improvement.
• To comply with legal, regulatory, tax, accounting or security obligations.

5. Legal bases

The legal bases for processing may include, as applicable:

• Performance of a contract or pre-contractual measures, in relation to providing the booking service to the customer and operating the widget, as well as managing operational communications and features activated by the customer that are necessary for proper performance of the contract.
• Compliance with legal obligations, when processing is necessary to meet obligations imposed by applicable law (e.g. tax, accounting, security or cooperation with authorities).
• Legitimate interest, for FastCore’s own processing related to security, logging, fraud prevention, monitoring, technical auditing, support and defence against claims, provided such interests are not overridden by the fundamental rights and freedoms of data subjects.

For processing based on legitimate interest, FastCore has carried out the corresponding assessment to ensure that its interests do not override the rights and freedoms of data subjects.

6. Processing of children’s data

The platform may process children’s data when necessary to organise the service requested by the customer, for example the child’s name, age or date of birth. FastCore recommends that customers apply data minimisation strictly and collect only data strictly necessary for the purpose of the event.

When FastCore processes children’s data on behalf of the customer, it does so as processor in accordance with the customer controller’s instructions, without reusing such data for its own incompatible purposes beyond providing the service.

In particular, FastCore does not use children’s data for its own marketing or to build its own commercial profiles, limiting processing to what is strictly necessary for technical delivery of the service and the purposes described in this policy.

7. Recipients, providers and subprocessors

Data may be accessible to technology providers that supply services to FastCore for cloud infrastructure, hosting, storage, backups, security, technical support, monitoring, transactional email or payment services, always on the basis of appropriate contracts and, where applicable, data processing agreements.

Among these providers is, by way of example, the payment service provider Stripe, which may process data necessary for payment management as controller in the field of electronic payments.

FastCore makes available to customers, upon request, an up-to-date list of subprocessors and relevant processing locations.

Data may also be disclosed to administrative, judicial or regulatory authorities when there is a legal obligation or a valid request.

8. International transfers

FastCore seeks to ensure that processing and storage of information take place within the European Economic Area (EEA). Currently, FastCore does not use providers that involve transfers to third countries outside the EEA. If providers outside the EEA become necessary in the future, appropriate safeguards under the GDPR will be adopted, including, where applicable, standard contractual clauses or other valid legal mechanisms.

9. Retention period

Data processed by FastCore on behalf of customers is retained for the duration of the service and in accordance with the customer’s instructions, unless there is a legal retention obligation or a need to block data for potential liability.

Logs and technical data processed by FastCore as controller are kept for as long as necessary for security, auditing, support, service continuity and regulatory compliance; as a general rule access logs are kept for a maximum of 24 months, unless security incidents require a longer period. Such data are then deleted, anonymised or blocked when no longer necessary.

10. Data subject rights

When FastCore acts as processor, requests regarding the content of a booking should preferably be addressed to the customer acting as controller. If FastCore receives a request directly for processing where it acts solely as processor, it will forward it to the customer controller where appropriate.

When FastCore acts as controller for its own technical processing, data subjects may exercise, where applicable, rights of access, rectification, erasure, objection, restriction and portability by writing to info@fcore.es.

Data subjects also have the right to lodge a complaint with the competent supervisory authority if they consider that processing does not comply with applicable law.

11. Security

FastCore applies appropriate technical and organisational measures proportionate to the risk, including, by way of example, encryption in transit, access controls, logical segregation, technical logs, privilege limitation, backups, security updates and incident response procedures.

12. Changes to this policy

FastCore may update this privacy policy to reflect legal, regulatory, technical or functional changes to the platform. The current version is the one published at any given time.