Privacy Policy
This Privacy Policy explains how Dinosaur Mission Unipessoal Lda, trading as BoothyOps (“BoothyOps”, “we”, “us”), collects, uses, shares, and protects personal data when you use the BoothyOps monitoring service, web dashboard, progressive web app, and on-booth agent (together, the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and applicable Portuguese data-protection law.
1. Who we are (data controller)
The data controller responsible for your personal data is:
Dinosaur Mission Unipessoal Lda (trading as BoothyOps)
Tv. Chão do Poço 3C, 2640-012 Santo Isidoro, Portugal
Email: privacy@boothyops.com
Where you use the Service to monitor your own Booths, we act as the controller of the personal data relating to your Account and users. To the extent the Service processes personal data on your behalf as part of your business operations, we act as a processor and the data-protection terms in our agreement with you apply.
2. Data we collect
Account & profile data
- name, email address, and password or single sign-on identifier;
- company name and the role of users within your Account;
- contact and notification preferences, including quiet hours and channel routing.
Booth & monitoring data
- booth names, locations, operating hours, and partner/venue contact details and commission rates you enter;
- telemetry and status signals sent by the Agent, such as heartbeats, booth-software state, camera/payment-device and printer connectivity, prints remaining, error and event logs, and timestamps;
- technical details about the Booth PC needed for monitoring and updates, such as agent version, operating-system information, and a booth/device identifier.
Booth telemetry is operational data and is not intended to contain personal data of photo-booth guests. The Agent does not collect guests’ photos. You should not enter third parties’ personal data into free-text fields beyond what is necessary to manage your venues.
Billing data
- subscription plan, billing status, and invoices. Card and payment details are collected and processed directly by Stripe; we do not store full card numbers.
Notification & device data
- push-notification tokens/subscription identifiers and the platform of your device, used to deliver alerts to your phone or browser.
Usage & technical data
- log data such as IP address, browser type, pages viewed, actions taken, and diagnostic information, collected when you use the dashboard or PWA.
- support communications you send us.
3. How and why we use data
- to create and manage your Account and authenticate users;
- to provide the Service: ingest Booth telemetry, detect alert conditions, and deliver notifications by push, email, and SMS;
- to generate dashboards, event logs, and partner reports;
- to process payments, manage subscriptions, and prevent fraud;
- to provide customer support and respond to your requests;
- to maintain, secure, troubleshoot, and improve the Service, including the Agent’s self-update mechanism;
- to send service and administrative messages, and—where permitted—product updates;
- to comply with legal obligations and enforce our Terms.
4. Legal bases for processing
We rely on the following GDPR legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service and account management | Performance of a contract (Art. 6(1)(b)) |
| Billing and processing payments | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, and improving the Service | Legitimate interests (Art. 6(1)(f)) |
| Product marketing and non-essential cookies | Consent (Art. 6(1)(a)), where required |
| Meeting legal, tax, and accounting obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we balance them against your rights and freedoms. You may object to such processing as described below.
5. Sharing & sub-processors
We do not sell your personal data. We share it only with service providers (“sub-processors”) that help us operate the Service, under contracts that require them to protect it and use it only on our instructions. Our key sub-processors include:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, and file storage |
| Vercel | Web application hosting and delivery |
| Knock | Notification orchestration (email, SMS, push) |
| OneSignal | Web and mobile push-notification delivery |
| Stripe | Payment processing and subscription billing |
| Featurebase | Helpdesk, support, and feedback |
| PostHog | Product analytics and session replay (EU-hosted; cookieless; form inputs and on-screen text masked) |
We may also disclose personal data where required by law, to enforce our Terms, to protect the rights, safety, and property of BoothyOps or others, or in connection with a merger, acquisition, or sale of assets (with notice where required).
6. International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision, so that your data continues to receive an equivalent level of protection. You can request more information about these safeguards using the contact details below.
7. Data retention
- Account data is retained for as long as your Account is active and for a reasonable period afterwards.
- Booth telemetry and event logs are retained for the period needed to operate the Service and show recent history, after which they are deleted or aggregated.
- Billing records are retained as required by tax and accounting law (typically up to 10 years in Portugal).
- After Account closure, we delete or anonymise personal data within a reasonable period, except where we must keep it to meet legal obligations or resolve disputes.
8. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”) in certain circumstances;
- restrict or object to processing, including processing based on legitimate interests;
- data portability, where processing is based on consent or contract;
- withdraw consent at any time, without affecting prior processing;
- not be subject to solely automated decisions producing legal or similarly significant effects.
To exercise any of these rights, contact privacy@boothyops.com. We will respond within the timeframes required by law. We may need to verify your identity before acting on a request.
9. Cookies & similar technologies
We use cookies and similar technologies that are strictly necessary to run the Service (for example, to keep you signed in and to secure sessions). For product analytics and product improvement we use a privacy-preserving, cookielesstool (PostHog, EU-hosted) that stores its identifiers in your browser’s local storage rather than in cookies, and that masks form inputs and on-screen text in any session recordings. You can control non-essential cookies through your browser settings or any cookie controls we provide. Disabling strictly necessary cookies may prevent the Service from working.
10. Push notifications
If you enable push notifications, we (through Knock and OneSignal) store a device token to deliver alerts. You can turn push notifications off at any time in your device or browser settings, or by removing the installed app. Doing so will stop push delivery but you can still receive alerts via email or SMS if configured.
11. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, row-level data isolation, and least-privilege practices. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Please keep your credentials confidential and notify us promptly of any suspected breach of your Account.
12. Children
The Service is intended for business users and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you (for example, by email or an in-app notice) and update the “Last updated” date above. Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.
14. Contact & complaints
For any privacy question or to exercise your rights, contact us at privacy@boothyops.com or by post at Dinosaur Mission Unipessoal Lda, Tv. Chão do Poço 3C, 2640-012 Santo Isidoro, Portugal.
If you are in the EEA and believe we have not handled your personal data properly, you have the right to lodge a complaint with your local supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt. We would, however, appreciate the chance to address your concerns first.