Privacy Policy
Last Updated: April 8, 2026 · Version 1.1
1. Who We Are
Vale Park ("Vale", "we", "us") is a B2B smart parking management platform. We provide parking spot management, booking, and IoT gate access services to businesses ("Clients") and their customers ("End Users"). This privacy policy should be read alongside our Terms of Service.
Operator: Dev24, eenmanszaak (sole proprietorship)
KVK: 85182427
Address: Pepermuntstraat 12, 3544CC Utrecht, The Netherlands
Email: privacy@valepark.org
We have determined that a Data Protection Officer is not required under Article 37 GDPR based on our current processing activities. For all privacy matters, contact privacy@valepark.org.
When our Clients use our platform to manage parking for their customers, we act as a data processor on behalf of the Client (the data controller). When we manage the platform and process payments, we act as the data controller.
2. What Data We Collect
Registered User Accounts
Created by Client administrators:
- Email address, full name, phone number (optional)
- Password (bcrypt hashed, never stored in plaintext)
- Language preference, location (optional), notification preferences
Bookings
- Client name, email, phone (optional)
- License plate (optional), booking times and location
Guest Bookings (via widget)
Guest name, email, and phone are encrypted at rest (AES-256-GCM). We also collect the IP address, browser user agent, and a GDPR consent record.
Payment Data
We do not store card numbers or CVVs. All payment processing is handled by Stripe (PCI DSS Level 1). We store only Stripe Customer ID, Payment Intent ID, and transaction amounts.
Cookies
We use only strictly necessary authentication cookies (access token: 45 min, refresh token: 7 days or 180 days with "remember me"). No analytics or tracking cookies.
3. How We Use Your Data
We process data exclusively for: service delivery, transactional communications, security, legal compliance (Dutch tax law), and anonymized analytics.
We do not sell data, use it for advertising, or engage in automated decision-making (Article 22 GDPR).
4. Who We Share Data With
| Service | Purpose | Location |
|---|---|---|
| MongoDB Atlas | Database hosting | Configurable (EU available) |
| Stripe | Payments | EU/US (DPF certified) |
| Resend | Email delivery | United States |
| Railway | Application hosting | United States |
| Google Maps | Address autocomplete | US (DPF certified) |
For EU-to-US transfers, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses. A Transfer Impact Assessment has been conducted for each non-EU sub-processor.
5. Data Retention
| Data | Retention |
|---|---|
| User accounts | Until erasure request or 24 months of inactivity |
| Guest bookings | 365 days (automatic deletion) |
| Login attempts | 90 days |
| Financial records | 7 years (Dutch tax law, AWR) |
6. Your Rights
Registered Users
From your Profile > Data & Privacy section:
- Access (Art. 15) — Export all your data as JSON
- Erasure (Art. 17) — Anonymize your data (cancels active bookings, retains anonymized financial records for 7 years)
- Rectification (Art. 16) — Update your profile at any time
- Portability (Art. 20) — JSON export format
- Restrict/Object (Art. 18/21) — Email privacy@valepark.org
Guest Users
Request your data or erasure by providing your email and booking reference number through the widget or by contacting the Client directly.
Complaints
Our lead supervisory authority is the Autoriteit Persoonsgegevens (Dutch DPA). You may also complain to your local EU/EEA supervisory authority.
7. Security
We protect data with TLS encryption in transit, AES-256 encryption at rest (Atlas), AES-256-GCM application-level encryption for guest PII, bcrypt password hashing, role-based access control, rate limiting, webhook signature verification, and sanitized error responses in production.
8. Changes
Material changes affecting your rights will require renewed consent where applicable. We will provide notice via email or dashboard notification.
9. Contact
Email: privacy@valepark.org
Address: Pepermuntstraat 12, 3544CC Utrecht, The Netherlands
KVK: 85182427
We respond to data subject requests within 30 days (GDPR Article 12(3)).