Security · Transparency

What we hold, where it lives, who can see it.

One page with everything: the infrastructure, the channels, the legal bases, your rights. What is written here is what we actually do — nothing more, nothing less.

Last updated · 11 May 2026

SlotPrenotami is a personal project run by an individual. It is not a company. It has no team. It has no investors. It is one operator who built a useful tool and opened it to the community. That also means responsibility for your data sits with a single person — which is why we have chosen to keep the perimeter of that data as tight as possible.

What we actually collect

The full list of what gets stored in the database when you subscribe:

The email address we should send notifications to.
Your name, if you choose to provide it (optional).
The consulate you want monitored.
The specific service (passport, ID card, citizenship, etc).
A free-text note that you write, if you want to explain the urgency of your case.
The date and time of your subscription.
A random token used for one-click unsubscribe from the email footer.

We do not ask for, receive, or store: Prenot@Mi credentials, phone number, tax ID, date of birth, address, identity documents, payment data. The attack surface is deliberately minimal: if someone breached the database tomorrow, they would obtain a list of email addresses associated with a consulate. Nothing more.

The infrastructure, one piece at a time

Every part of the system is a known commercial service under a formal data-processing agreement, hosted in European jurisdictions where possible.

Database

Supabase

Region · EU (Frankfurt)

Subscriptions, configuration, unsubscribe tokens. Encrypted at rest and in transit. Row-Level Security enabled: rows are readable only by the system, not by subscribers among themselves.

Transactional email

Gmail SMTP

Region · United States

Slot notifications are sent via Gmail's SMTP infrastructure using a dedicated service account. No marketing email, ever.

Hosting

Static hosting

Region · EU

The site you are reading consists only of static HTML pages served over HTTPS. No user-facing backend, no session cookies, no client-side login.

Analytics

Google Analytics

Region · United States

For aggregate visit counts only. No personal data is cross-referenced with the subscriber database. You can block it with any anti-tracking extension.

Transport

The entire site is served exclusively over HTTPS. Database requests use public keys limited to the single operation they need (insert a subscription, update status on unsubscribe). No public endpoint exists that allows reading the subscriber list without administrator credentials.

How we write to you, and why only this way

There is one communication channel: email. There is no live chat, no WhatsApp, no app, no phone number. Everything that reaches you from us comes from a single address, and everything you want to tell us goes through that address. This is not a technical limit — it is a choice. Keeping one channel means: one place to protect, one place to consult, one place to look if something gets lost.

The legal basis for processing

We operate under EU Regulation 2016/679 (GDPR) and, where applicable, the UK GDPR / Data Protection Act 2018 and the Australian Privacy Act 1988. The legal basis for processing is the explicit consent (Art. 6.1.a GDPR) you give by ticking the box at signup. You can withdraw that consent at any time, in which case your data is removed from the active database within 24 hours.

If something goes wrong

In the event of a personal data breach that may pose a risk to your rights, we will notify the relevant supervisory authority within the 72 hours required by Art. 33 GDPR. Where the breach poses a high risk, you will be informed directly and without undue delay (Art. 34). We will not use reassuring language to minimise: we will tell you what happened, when, and what we believe took place.

Your rights, in practice

Under the GDPR (EU Regulation 2016/679), you have the right to:

Access (Art. 15): know exactly what data we hold about you.
Rectification (Art. 16): correct inaccurate information.
Erasure (Art. 17): the right to be forgotten. Within 24 hours of request.
Restriction (Art. 18): pause processing while you dispute something.
Portability (Art. 20): receive your data in a readable format.
Objection (Art. 21): object to processing.
Complaint to the supervisory authority: file a complaint with your national data protection authority, at any time.

To exercise any of these rights, write to prenotami.monitor@gmail.com. We respond within 30 days — usually much sooner.

What we will never ask

Never your Prenot@Mi password. We do not need it and would not know where to keep it.
Never a payment via email or private message. When paid tiers go live, payment will happen only through the official link on the site, handled by Stripe. Emails asking you to pay via a "quick link" are not from us.
Never identity documents, passport scans, or tax IDs.
Never your card details on our database. When we activate payments, we will use Stripe: payment data never passes through our servers.
Never asking you to reply "URGENT" or click a suspicious link — if you receive something like that in our name, it is not ours.

Service emails and the spam folder

Slot-availability notifications are sent from prenotami.monitor@gmail.com. Email providers — especially Gmail, Outlook, and Yahoo — sometimes automatically filter messages containing words like "appointment", "slot available", or links to government portals. Result: our notification can land in Spam, Promotions, or Updates without you noticing, and by the time you find it the slot is already taken.

To prevent this, do two things right after signing up:

Add prenotami.monitor@gmail.com to your contacts, or to your email client's address book.
Search your inbox for the first email we sent you, open it, and mark it as "Not spam" / "Move to inbox". On Gmail you can also drag it from the "Promotions" tab to "Primary" — Gmail will learn.

If you have not received the first email within 24 hours of signing up, please check these folders before writing to us.

One last note

Security is not a page — it is a posture. This page is reviewed every time something in the technical stack changes, and the date at the top reflects that. If you have a question not covered here, write to us. There is no legal department, no "privacy team" — there is one person who answers.