Privacy Policy
This Privacy Policy is a draft. Not final until legal review (PLAN 4.12.f) is complete.
Last updated: 2026-05-23
This policy is an Art.13 direct-collection notice. Slim does not collect personal data indirectly from third parties (Art.14 not applicable).
1. Data Controller (Art.13 §1(a))
The data controller for this service is identified below.
- Name: Kim Wonmin
- Enterprise number: 1037.548.919
- VAT number: BE 1037.548.919
- Contact email: kim.wonmin91@gmail.com
DPO (Art.13 §1(b))
This service is not required to designate a DPO under GDPR Art.37 (sole trader, no high-risk processing).
2. Processing Purposes and Legal Basis (Art.13 §1(c))
PA-01 Comparison Request Processing
- Purpose: Calculate and provide telecom plan comparison results based on user input (postal code, household type, current provider, usage).
- Legal basis: GDPR Art.6(1)(b) — performance of the comparison service contract.
- Data collected: Postal code (PC4), household type, current provider ID, per-category usage. No IP or device information collected.
PA-02 Permanent Storage of Comparison Results
- Purpose: Provide a permanent link (/r/[shortId]) so comparison results can be retrieved at any time.
- Legal basis: GDPR Art.6(1)(b) — service performance.
PA-03 Affiliate Click Attribution
- Purpose: Record that a user navigated to an affiliate provider's site after giving consent, and settle commission.
- Legal basis: Art.6(1)(a) consent (click record) + Art.6(1)(c) legal obligation (Belgian accounting retention).
PA-04 Security Logging
- Purpose: Detect security incidents and monitor system anomalies.
- Legal basis: Art.6(1)(f) legitimate interests — service security operations.
PA-05 Follow-up Email
- Purpose: Send one follow-up email 7 days after an affiliate click (beta conversion measurement).
- Legal basis: Art.6(1)(a) explicit consent (separate checkbox, pre-checked=false).
3. Legitimate Interests (Art.13 §1(d))
PA-04 Security Logging: Detecting fraud and malicious access constitutes a legitimate interest in service security. Balance with data subject interests: data collected is minimised and proportionate to the security purpose.
4. Recipients and Third Parties (Art.13 §1(e))
PA-01/PA-02 comparison data is not transferred externally. Third-party data processors are listed below.
- Sentry — error monitoring (security log). Sentry Inc. (US, SCCs applied).
- PostHog — product analytics (security log). EU region option used.
- Neon — database hosting. EU-Central-1 (Frankfurt). Neon DPA in place.
- Vercel — service hosting. EU edge deployment (FRA1).
- Resend — follow-up email sending (PA-05). EU region used.
Affiliate redirects: Users navigate directly to provider sites via browser. Slim does not transmit personal data to providers (not a GDPR third-party transfer).
5. International Transfers (Art.13 §1(f))
Neon, Resend, and PostHog use EU regions. Sentry is a US entity; transfers are governed by SCCs (Standard Contractual Clauses). Transfer adequacy details will be confirmed by external audit (pre-beta).
6. Retention Periods (Art.13 §2(a))
- Comparison request PII (postal code, household type, usage): 90 days. Thereafter generalised or set to NULL.
- Comparison results: retained permanently (permanent link SLA). PII-derived fields within results: NULL after 90 days.
- Affiliate click FKs: SET NULL after 90 days. Settlement fields: Belgian accounting obligation (7–10 years).
- Email address: NULL immediately after successful sending. Meta columns: deleted after 90 days.
7. Data Subject Rights (Art.13 §2(b))
Data subjects may exercise the following rights by contacting the controller at the email address below.
- Right of access (Art.15)
- Right to rectification (Art.16)
- Right to erasure (Art.17)
- Right to restriction of processing (Art.18)
- Right to object (Art.21)
- Right to data portability (Art.20)
- Right to withdraw consent (Art.7(3)) — affiliate consent, follow-up email consent, and analytics cookie consent can each be withdrawn separately.
8. Withdrawal of Consent (Art.13 §2(c))
Processing based on Art.6(1)(a) consent (PA-03/PA-05/analytics cookies) may be withdrawn at any time. Withdrawal methods: affiliate consent — contact operator email; follow-up email — 1-click unsubscribe in the email; analytics cookies — Cookie settings below.
9. Right to Lodge a Complaint (Art.13 §2(d))
Data subjects may lodge a complaint with the following supervisory authorities.
- Belgium: Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA) — www.autoriteprotectiondonnees.be
- Netherlands: Autoriteit Persoonsgegevens (AP) — www.autoriteitpersoonsgegevens.nl
- Luxembourg: Commission nationale pour la protection des données (CNPD) — www.cnpd.public.lu
10. Nature of Data Provision Obligation (Art.13 §2(e))
Comparison request inputs (postal code, household type, usage) are necessary for service performance (Art.6(1)(b)). If not provided, comparison results cannot be calculated.
11. Automated Decision-Making (Art.13 §2(f))
Slim's comparison engine performs only arithmetic savings calculations. There is no automated individual decision-making or profiling within the meaning of GDPR Art.22. Comparison rankings are not based on profiling of personal characteristics, but are the arithmetic result of comparing provider tariff data against input assumptions.
12. Contact
For privacy inquiries and rights requests, please contact us at the email address below.