Privacy Policy — Reebooot

Last updated: 1 May 2026 Effective date: 1 May 2026

1. Who We Are

Reebooot ("we", "us", "our") is operated by Asad Ijaz, trading as Reebooot, based in Torres Vedras, Portugal.

We operate the platform available at reebooot.com — a curated marketplace connecting immersive week-long bootcamp trainers, coliving venues, and participants.

Data Controller: Asad Ijaz / Reebooot Torres Vedras, Portugal Email: asadij@gmail.com

2. What Data We Collect

2.1 Data You Provide Directly

All users (participants, trainers, venue owners):

Full name
Email address
Password (stored encrypted — we never see it)
Profile photo
Bio and tagline
Phone number
LinkedIn, website, and social profile URLs

Participants additionally:

Areas of interest
Booking and payment information
Application motivation text
Bootcamp attendance history

Trainers additionally:

Years of experience
Areas of expertise
Training curriculum and bootcamp descriptions
Bank/payment details (when Stripe is integrated)

Venue owners additionally:

Venue name, address, and location
Venue capacity and amenities
Venue images and descriptions
Weekly hosting costs
WhatsApp contact number
Languages spoken

2.2 Data We Collect Automatically

When you use our platform we automatically collect:

IP address and approximate location
Browser type and version
Device type and operating system
Pages visited and time spent
Referral source (how you found us)
Cookie data (see Section 8)

2.3 Data From Third Parties

Supabase (our database provider): authentication data
Stripe (payment processor, when integrated): payment confirmation data — we do not store your card details
Resend (email provider): email delivery status

3. Why We Process Your Data (Legal Basis)

Under GDPR Article 6, we process your data on the following legal bases:

| Purpose | Legal Basis | |---|---| | Creating and managing your account | Contract (Art. 6(1)(b)) | | Processing bookings and payments | Contract (Art. 6(1)(b)) | | Sending booking confirmations and reminders | Contract (Art. 6(1)(b)) | | Platform security and fraud prevention | Legitimate interests (Art. 6(1)(f)) | | Improving our platform and services | Legitimate interests (Art. 6(1)(f)) | | Sending marketing emails | Consent (Art. 6(1)(a)) | | Cookie analytics | Consent (Art. 6(1)(a)) | | Legal compliance | Legal obligation (Art. 6(1)(c)) |

4. How We Use Your Data

We use your data to:

Operate the platform — create accounts, process applications and bookings, manage schedules
Facilitate bootcamp delivery — share relevant participant details with trainers and venue owners for confirmed bootcamps
Send transactional emails — booking confirmations, payment confirmations, application status updates, reminders
Enable trainer and venue profiles — display public profile information to help participants make informed decisions
Process payments — handle booking fees and revenue sharing (via Stripe when integrated)
Improve our services — analyse usage patterns to improve the platform
Ensure safety — detect and prevent fraud, abuse, and security incidents
Comply with legal obligations — respond to lawful requests from Portuguese and EU authorities

5. Who We Share Your Data With

We share your data only where necessary:

5.1 Within the Platform

Trainers see confirmed participant names, emails, and phone numbers for bootcamps they are running
Venue owners see confirmed participant names, emails, and phone numbers for bootcamps hosted at their venue
Participants can view trainer public profiles and (if confirmed booking) venue owner contact details

5.2 Third-Party Service Providers

| Provider | Purpose | Location | |---|---|---| | Supabase | Database and authentication | EU (Ireland) | | Vercel | Platform hosting | EU servers available | | Resend | Transactional email delivery | USA (SCCs apply) | | Stripe | Payment processing (future) | EU |

All third-party providers are bound by data processing agreements and GDPR-compliant data handling requirements.

5.3 Legal Requirements

We may disclose your data to Portuguese authorities (CNPD), EU regulators, or law enforcement where required by law or to protect our legal rights.

We never sell your personal data to third parties.

6. Data Retention

We retain your data for as long as your account is active. Specifically:

| Data Type | Retention Period | |---|---| | Account data | Until account deletion + 30 days | | Booking records | 7 years (Portuguese tax law requirement) | | Payment records | 7 years (legal obligation) | | Application data | 2 years after application | | Browse history | 90 days | | Email logs | 1 year | | Security logs | 2 years |

When you delete your account we anonymise or delete your personal data within 30 days, except where we are legally required to retain it.

7. Your Rights Under GDPR

As a data subject in the EU you have the following rights:

Right of access (Art. 15): Request a copy of all personal data we hold about you.

Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.

Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.

Right to restrict processing (Art. 18): Ask us to limit how we use your data in certain circumstances.

Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.

Right to object (Art. 21): Object to processing based on legitimate interests, including for direct marketing.

Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent (e.g. marketing emails).

Right to lodge a complaint: You have the right to complain to the Portuguese data protection authority:

CNPD — Comissão Nacional de Proteção de Dados Rua de São Bento, 148-3°, 1200-821 Lisboa www.cnpd.pt | geral@cnpd.pt

To exercise any of these rights, contact us at: asadij@gmail.com

We will respond within 30 days. We may need to verify your identity before processing your request.

8. Cookies

We use cookies and similar technologies. Please see our Cookie Policy for full details.

In summary:

Essential cookies: Required for the platform to function. No consent needed.
Analytics cookies: Help us understand how the platform is used. Require consent.
Preference cookies: Remember your settings. Require consent.

You can manage your cookie preferences at any time via the cookie settings link in our footer.

9. International Data Transfers

Some of our service providers (including Resend) are based outside the EU/EEA. Where we transfer data internationally we ensure appropriate safeguards are in place including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable

10. Children's Privacy

Reebooot is not intended for persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption in transit (HTTPS/TLS)
Encrypted password storage (never stored in plain text)
Row-level security on our database
Access controls limiting who can see your data
Regular security reviews

No system is completely secure. If you discover a security vulnerability please report it responsibly to asadij@gmail.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Email to your registered address
A prominent notice on the platform

Your continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions, requests, or concerns:

Asad Ijaz / Reebooot Torres Vedras, Portugal Email: asadij@gmail.com

We aim to respond to all enquiries within 5 business days.

This Privacy Policy is governed by Portuguese law and EU Regulation 2016/679 (GDPR).