Privacy policy

Last updated: April 2026

1. Introduction

This Privacy Policy explains how personal data is processed when using the Birsdy platform.

2. Data controller

The data controller is Birsdy (in formation).

For all enquiries, reach us at: info@birsdy.com

3. What data we process

3.1 Subscriber data (event organisers)

Upon registration and use of the platform, the following data is processed:

•first and last name of the contact person,

•company or business name,

•email address,

•phone number,

•billing address,

•user account data (username, password, subdomain),

•data related to the subscription and payments (e.g. selected plan, subscription status).

Payment card data is not processed or stored in the Birsdy system. Payment processing is carried out by an external payment service provider (Stripe Payments Europe Ltd.) in accordance with their terms and privacy policy.

3.2 Subscriber's customer data (event participants)

The platform enables subscribers to collect and process data about their customers. This data may vary depending on the subscriber's settings and typically includes:

•child's first and last name,

•child's age,

•number of participants,

•any health-related information (e.g. allergies – optional),

•parent's or guardian's first and last name,

•email address,

•phone number,

•address,

•additional messages or notes,

•other data defined by the subscriber in the booking form.

In relation to this data, Birsdy acts as a data processor, while the platform subscriber acts as the data controller for their customers' personal data.

3.3 Booking and event data

•booking data and selected services,

•booking status,

•payment status,

•assigned employees,

•notes and administrative records of the subscriber,

•other data entered by the subscriber in the system in the course of managing events and bookings.

3.4 Technical and usage data

•IP address,

•date and time of access,

•basic device and browser data,

•log files for ensuring security, system stability, detecting misuse and resolving errors,

•audit logs of user activities in the system for security and change-tracking purposes.

This data is not used for profiling individuals and is processed solely for technical and security purposes.

3.5 Subscriber's animator data

Where the subscriber uses the animator management module, the following data is processed:

•employee's first and last name,

•employee's email address,

•employee's assignments to individual bookings.

4. Purpose and legal basis of processing

We process personal data in accordance with the General Data Protection Regulation (GDPR) on the basis of appropriate legal grounds, primarily Article 6 GDPR, for the following purposes:

4.1 Performance of a contract (Article 6(1)(b) GDPR)

We process personal data for the purpose of providing and operating the Birsdy platform, in particular for:

•enabling use of the platform and access to user accounts,

•processing and managing bookings,

•organising and administering events,

•managing subscriptions, billing for services and issuing invoices,

•communicating with subscribers regarding use of the platform,

•providing technical support and resolving errors.

4.2 Legitimate interests of the provider (Article 6(1)(f) GDPR)

We may also process data on the basis of the provider's legitimate interests, where such interests do not override the rights and freedoms of individuals, for:

•ensuring secure and stable operation of the platform,

•preventing misuse, security incidents and unauthorised access,

•internal analytics and statistical analyses in anonymised or aggregated form,

•improving platform functionality and user experience,

•enforcing compliance with the Terms of Use and other legal claims,

•logging system activities (audit logs) to ensure security and traceability of changes in the system.

4.3 Compliance with legal obligations (Article 6(1)(c) GDPR)

Certain personal data is processed where necessary to fulfil legal obligations (e.g. accounting and tax obligations).

4.4 Special categories of personal data

Data about children's health conditions (e.g. allergies) is processed exclusively:

•on the basis of explicit consent from the parent or legal guardian,

•solely for the purpose of ensuring safe execution of the event,

•to the extent determined by the platform subscriber.

4.5 Direct marketing

The Birsdy platform does not use personal data of subscribers' customers for direct marketing.

Occasional notices about the operation, improvements or significant changes to the platform may be sent to subscribers in accordance with applicable law, and subscribers always have the option to unsubscribe.

5. Access to personal data and data sharing

Access to personal data is restricted and granted exclusively to those persons and entities that require the data for the lawful and uninterrupted operation of the Birsdy platform.

5.1 Platform provider

Personal data is processed by the Birsdy platform provider solely to the extent necessary for providing the platform, technical support, managing subscription relationships and ensuring system security. Access to data is limited to a small number of authorised persons bound by confidentiality obligations.

5.2 External service providers

The provider uses verified external service providers who act as data processors in accordance with Article 28 GDPR:

•Hosting and infrastructure: Supabase Inc. (EU region), Amazon Web Services (AWS) or comparable providers,

•Payment services: Stripe Payments Europe Ltd., Ireland,

•Email notifications: Amazon SES or comparable providers,

•File storage: Amazon Web Services – S3 or comparable providers,

•Performance monitoring: Sentry, PostHog or comparable providers.

Where transfers outside the EU/EEA occur, appropriate safeguards are ensured in accordance with the GDPR (e.g. standard contractual clauses).

The provider reserves the right to replace or add sub-processors where necessary for the operation or development of the platform. Subscribers will be notified of material changes in an appropriate manner.

5.3 Event organisers (platform subscribers)

When the Birsdy platform is used for booking events:

•the event organiser (platform subscriber) acts as the data controller for their customers' personal data,

•the Birsdy platform provider acts as the data processor.

The event organiser is responsible for the lawfulness of collecting and processing their customers' data and for ensuring appropriate legal bases (e.g. consent).

5.4 Public authorities and legal proceedings

Personal data may be disclosed to competent public authorities where necessary to comply with legal obligations, enforce legislation or protect the legal interests of the platform provider.

5.5 Data processing agreement

The processing of personal data between the Birsdy platform provider (as processor) and the platform subscriber (as controller) is governed by the Terms of Use and this Privacy Policy, which constitute the contractual arrangement for data processing within the meaning of Article 28 GDPR. At the subscriber's request, the provider and subscriber may also enter into a separate Data Processing Agreement (DPA).

6. Data retention

6.1 Platform subscriber data

Personal data of subscribers is retained for the duration of the subscription relationship and for up to 12 months after the subscription ends, for the purpose of enabling data export, resolving potential disputes and fulfilling legal obligations. Accounting and tax data is retained in accordance with applicable legislation. Invoices and related data are retained in accordance with applicable tax and accounting legislation.

6.2 Subscribers' customer data (parents, children)

Data is retained for the duration of the subscription relationship and for a maximum of 90 days after termination to enable data export. After this period, data is permanently deleted or anonymised, unless the law requires longer retention.

6.3 Statistical and analytical data

Anonymised statistical data that does not enable identification of individuals may be retained for longer periods for the purpose of analysing platform performance and making improvements.

Technical log files used to ensure security and stability of the system may be retained for a limited period (up to 90 days) required for detecting security incidents and resolving errors.

6.4 Withdrawal of consent

Where personal data is processed on the basis of consent, the individual has the right to withdraw their consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

7. Individual rights

Under the GDPR, individuals have the following rights:

•the right to access their personal data,

•the right to rectification of inaccurate or incomplete data,

•the right to erasure of personal data ("right to be forgotten"),

•the right to restriction of processing,

•the right to data portability,

•the right to object to processing,

•the right to withdraw consent.

Submit your request to: info@birsdy.com

The provider will respond to requests no later than one month from receipt.

If an individual believes that the processing of their personal data infringes applicable personal data protection legislation, they have the right to lodge a complaint with the competent supervisory authority (Information Commissioner of the Republic of Slovenia).

8. Transfer of personal data to third countries

Personal data may in certain cases be transferred outside the EU/EEA when using external service providers (infrastructure, email, payments, analytics).

Transfers are carried out only with appropriate safeguards in place in accordance with the GDPR:

•adequacy decisions of the European Commission, or

•standard contractual clauses (SCCs).

The Birsdy platform provider ensures that appropriate technical and organisational measures are in place for such transfers to protect personal data and that personal data is processed solely for the purposes set out in this Privacy Policy.

8.1 Individual rights in relation to transfers to third countries

Individuals have the right to request additional information regarding the transfer of their personal data outside the EU/EEA, in particular regarding:

•the countries to which personal data may be transferred,

•the legal bases and safeguard mechanisms used for such transfers (e.g. adequacy decisions, standard contractual clauses),

•a copy or summary of the applicable safeguards, where required under the GDPR.

Requests may be submitted to: info@birsdy.com

The provider will respond to requests in accordance with applicable law and within the statutory deadlines.

9. Security

The Birsdy platform provider applies appropriate technical and organisational measures to protect personal data, including in particular:

•restricted access to personal data,

•use of secure communication connections (HTTPS),

•monitoring of system operation and security incidents,

•regular updating and maintenance of the software infrastructure,

•logging of system activities to ensure system security.

User passwords are not stored in readable form but are protected with secure cryptographic hash functions.

Despite appropriate security measures, complete security of data transmission or storage on the internet cannot be guaranteed. In the event of a personal data breach, the provider will act in accordance with applicable law.

10. Changes to the privacy policy

The Birsdy platform provider reserves the right to occasionally amend or update this Privacy Policy. In the event of significant changes, users will be notified by email. The updated version takes effect on the date of publication on the platform website.

11. Cookies and similar technologies

The Birsdy platform uses cookies to ensure proper operation, improve user experience and provide basic usage analytics.

Types of cookies:

•Essential cookies – required for basic platform operation (e.g. logging into an account). No consent is required for these.

•Functional cookies – enable storage of user preferences and improve the user experience (e.g. language selection or other customisations).

•Analytical cookies – collect anonymous data about platform usage for the purpose of improving performance. These are only used with the user's consent.

We do not use advertising cookies. Cookie settings can be managed in your web browser settings.

12. Source of personal data

Personal data is generally collected directly from individuals or platform subscribers when using the Birsdy platform (e.g. upon registration or submission of a booking).

In certain cases, business contact details may also be obtained from publicly available sources (e.g. company websites or public business profiles) where necessary to establish business contact in relation to Birsdy platform services.

13. Contact

For all questions regarding privacy, please contact us at:

info@birsdy.com