Privacy Policy

Effective date: April 14, 2026

EN

This Privacy Policy explains how Lapas ("Platform", "we", "our", "us") collects, uses, and stores personal data when you use:

  • public business pages (business cards)
  • booking pages
  • business dashboard

The Platform is available at lapas.tech and its subdomains (including dashboard.lapas.tech, booking.lapas.tech, card.lapas.tech).

We operate from Lithuania (European Union) and process data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).


1. Data Controller

Maksim Možeiko (individual activity) Individual activity certificate No. 1457771 Address: Zarasai, Lithuania Email: privacy@lapas.tech


2. What data we collect

2.1 Business accounts (dashboard)

  • email address
  • password (stored securely as a hashed value)

2.2 Business profile data

  • business name and description
  • address and map link
  • contact details (phone, email, social links)
  • language, timezone, currency
  • images (such as logo or service photos)
  • public page URL (slug)

2.3 Booking data (customers)

  • name
  • email address
  • phone number (optional)
  • booking notes or answers
  • appointment details (time, selected service, status)

2.4 Feedback and communication

  • message content
  • account or business reference (if applicable)

2.5 Technical and security data

We process limited technical data (such as IP address) to:

  • prevent abuse
  • apply rate limiting
  • protect the Platform

This data is not used for tracking or analytics.


3. Why we use your data

We use personal data to:

  • provide booking and business profile functionality
  • authenticate users and manage accounts
  • process and manage bookings
  • send booking-related communications
  • provide support
  • ensure Platform security and prevent abuse

Legal basis for processing:

  • performance of a contract
  • legitimate interests (security and platform operation)
  • legal obligations (where required)
  • consent (where explicitly provided, if applicable)

4. Where your data is stored

Your data may be stored using trusted service providers:

  • Database (PostgreSQL via Neon) — accounts, bookings, business data
  • Cloudflare R2 — images (logos, service images)
  • Resend — email delivery (booking notifications)

Some providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards (e.g. standard contractual clauses).


5. Cookies and local storage

We use cookies for essential functionality and user preferences. In the business dashboard only, our authentication library also uses a small amount of browser local storage to keep your session synchronized across tabs (see Local storage below).

Essential cookies

These cookies are strictly necessary for the operation of the Platform and cannot be disabled.

CookiePurposeDuration
__Secure-next-auth.session-tokenMaintains your authenticated session across lapas.tech subdomains (required for login and API access)30 days
__Host-next-auth.csrf-tokenCSRF protection for the sign-in processSession
__Secure-next-auth.callback-urlStores the redirect URL used after authenticationSession

Preference cookies

These cookies improve your experience but are not used for tracking.

CookiePurposeDuration
lapas-languageStores your selected interface language1 year
lapas-sidebar-stateStores dashboard sidebar layout preference1 year

Local storage (dashboard only)

When you sign in to the Lapas dashboard, our authentication library (NextAuth) writes a short technical message to your browser's local storage under the key nextauth.message. It is used only to keep your session state synchronized across open browser tabs — for example, so that signing out in one tab also signs you out in others.

Storage keyPurposeData storedDuration
nextauth.messageSynchronizes sign-in, sign-out, and session updates across browser tabsTechnical event type and timestamp only — no password, personal data, or session tokenOverwritten on each sign-in/sign-out/session-update event; not used as long-term storage

This is strictly necessary for providing the authentication service you requested and is treated the same way as our session cookies. It is only present while using the business dashboard; our public business pages and booking pages do not use browser local storage.

Additional notes

  • Cookies may be shared across lapas.tech subdomains to enable authentication between services
  • We do not use analytics, advertising, or tracking cookies, and local storage is not used for tracking

6. Data sharing

We do not sell your data. We only share data with service providers necessary to operate the Platform:

  • database hosting
  • email delivery
  • file storage

7. Data retention

We retain data only as long as necessary:

  • accounts — until deleted by the user
  • bookings — retained for up to 3 years or as required by legal obligations
  • feedback — retained for support purposes
  • uploaded content — until removed by the business

8. Your rights (EU/EEA)

You have the right to:

  • access your data
  • correct inaccurate data
  • request deletion
  • restrict processing
  • request data portability
  • object to processing

To exercise your rights, contact: privacy@lapas.tech

You also have the right to lodge a complaint with a supervisory authority.


9. Security

We apply reasonable technical and organizational measures, including:

  • password hashing
  • access control
  • secure booking management

10. Changes

We may update this Privacy Policy from time to time. The latest version will always be available on this page.