Privacy Policy
Last updated: April 2026
Who we are
Gusty ([legal name], NIF: [NIF]) operates the booking management platform at gustyapp.com.
Gusty acts as a data processor on behalf of the schools (data controllers) for student data. For school admin and platform usage data, Gusty acts as the data controller.
- Privacy contact: privacy@gustyapp.com
- General contact: hello@gustyapp.com
What data we collect and why
| Data | Who provides it | Purpose | Lawful basis |
|---|---|---|---|
| Name, email, phone | School admin (signup) | Account management, communication | Contract performance (Art. 6(1)(b)) |
| School business data (name, address, NIF) | Admin (setup) | Service provision, invoicing | Contract performance |
| Instructor name, bio, certifications, photo | Admin (setup) | Scheduling, mini site display | Legitimate interest (Art. 6(1)(f)) |
| Student name, email, phone | Student (booking) | Booking fulfillment, communication | Contract performance |
| Student skill level | Student (booking) | Lesson matching, weather safety | Contract performance |
| Student weight (optional) | Student (booking) | Equipment matching | Consent (Art. 6(1)(a)) |
| Payment data (card numbers) | Student (checkout) | Payment processing | Never touches Gusty servers |
| Usage data (pages visited, actions) | Automatic | Service improvement, debugging | Legitimate interest |
| Essential cookies | Automatic | Site functionality | Strictly necessary |
Note on student weight: This data is collected only when the student voluntarily provides it to help the school prepare appropriate equipment. It is treated as health-related data under GDPR Article 9. You may decline to provide it or request its deletion at any time.
Who we share data with
We share personal data only with the following sub-processors, each of which has a Data Processing Agreement in place:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU region |
| DigitalOcean | Application hosting | EU region |
| Stripe | Payment processing | EU-US Data Privacy Framework |
| Meta (WhatsApp Business API) | Booking notifications via WhatsApp | EU-US Data Privacy Framework |
| Resend | Email delivery | EU-US Data Privacy Framework |
| Sentry | Error tracking and monitoring | EU-US Data Privacy Framework |
International data transfers
For schools operating within the EU, your data stays within the European Union (Supabase EU region, DigitalOcean EU region).
US-based sub-processors (Stripe, Meta, Resend, Sentry) are covered by the EU-US Data Privacy Framework.
For schools outside the EU (e.g. Brazil, Indonesia), Standard Contractual Clauses (2021 SCCs, Commission Implementing Decision 2021/914) apply. Transfer Impact Assessments are conducted where required.
How long we keep data
- Active school:data is retained while the school's subscription is active.
- Cancelled school: data is retained for 90 days, then anonymized or deleted. Schools may request a data export during this period.
- Student booking data:retained while the school's account is active (the school is the data controller for student data).
- Invoicing data: retained for 10 years as required by Portuguese tax law.
- Audit logs: retained for 2 years.
Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access(Art. 15) — request a copy of your data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure(Art. 17) — request deletion (“right to be forgotten”)
- Right to restriction of processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object(Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent — for weight data and any marketing communications, at any time
To exercise any of these rights, email privacy@gustyapp.com. We will respond within one month. For complex requests, this may be extended to three months with notice.
Automated decision-making
Gusty uses automated processing for weather safety flagging: when forecast conditions exceed school-configured safety thresholds for a student's skill level, the booking is automatically flagged as “needs reschedule.”
This is a recommendation, not a binding decision. The school and student always have the final say. No fully automated decisions with legal effects are made on individuals.
Cookies
We use only essential cookies necessary for the service to function: session cookies, authentication tokens, and CSRF protection. No analytics, tracking, or third-party cookies are used.
As these are strictly necessary, no consent is required under Lei 41/2004, Article 5.
Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese data protection authority:
CNPD — Comissão Nacional de Proteção de Dados
Av. D. Carlos I, 134 - 1.º
1200-651 Lisboa, Portugal
Website: www.cnpd.pt
Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email and a notice on the website. The date of the last update is displayed at the top of this page.
We encourage you to review this policy periodically.