Privacy Policy

Last updated: January 2026

At InhabitMe we are committed to protecting your privacy. This policy explains what data we collect, how we use it and what rights you have, in compliance with the EU General Data Protection Regulation (GDPR).

1. Data controller

InhabitMe is the controller of your personal data. Contact us at privacy@inhabitme.com for any privacy-related questions.

2. Data we collect

We collect the following data depending on how you use the platform:

  • Account data: name, email and profile photo provided on registration (via Clerk).
  • Property data: title, description, images, location and features of listings published by hosts.
  • Booking data: messages, stay dates and preferences provided when requesting a booking.
  • Payment data: securely processed by Stripe. InhabitMe does not store card numbers or bank details.
  • Usage data: pages visited, searches and performance metrics, collected anonymously.

3. Purpose and legal basis

We process your data for the following purposes:

  • Service delivery (legal basis: contract): managing your account, processing bookings and facilitating communication between hosts and guests.
  • Payments (legal basis: contract): processing platform fee payments.
  • Service communications (legal basis: legitimate interest): notifying you about bookings, enquiries and platform updates.
  • Product improvement (legal basis: legitimate interest): analysing aggregated, anonymised usage to improve the experience.
  • Legal compliance (legal basis: legal obligation): retaining records as required by applicable law.

4. Data sharing

InhabitMe does not sell or transfer your personal data to third parties for commercial purposes. We only share data in the following cases:

  • Service providers: Clerk (auth), Stripe (payments), Supabase (database), Cloudinary (image storage) and Resend (email) — all acting as processors under data protection agreements.
  • Between users: when a booking is confirmed, hosts and guests receive each other's contact details to coordinate the stay.
  • Legal obligation: when required by competent authorities under applicable law.

5. Data retention

We retain your data for as long as necessary to fulfil the stated purposes. As a general rule: account data is deleted within 30 days of account closure; transaction records are kept for 5 years for tax obligations; booking messages are kept for 2 years.

6. Your rights (GDPR)

As a European user you have the following rights, which you can exercise by writing to privacy@inhabitme.com:

  • Access: request a copy of all data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data when it is no longer necessary.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection and restriction: object to processing based on legitimate interest or ask us to restrict it.
  • Withdrawal of consent: where processing is based on consent, you may withdraw it at any time.

7. Security

We apply appropriate technical and organisational measures: in-transit encryption (HTTPS/TLS), access controls, secure authentication and incident monitoring. No system is 100% secure; in the event of a breach affecting your rights, we will notify you within the timeframes required by GDPR.

Questions about your privacy?

You can exercise your rights or resolve any queries by writing to our privacy team. We respond within 30 days.

Email: privacy@inhabitme.com