Privacy Policy
Last updated: February 24, 2026
1. Information We Collect
SpareHolidays collects several categories of information to provide and improve our marketplace services. Personal information includes your name, email address, profile avatar, and any additional details you provide during account registration through Clerk. When you complete identity verification via Stripe Identity, we may process government-issued identification documents and biometric data as required for verification purposes.
Financial information, including payment card details and bank account information, is collected and processed directly by our payment processor, Stripe. SpareHolidays does not directly store your full payment card numbers or sensitive financial credentials on our servers. We do retain transaction records, including amounts, dates, listing details, and payout information necessary for accounting, tax reporting, and dispute resolution.
We also collect content you upload to the Platform, such as listing photos, booking screenshots, and transfer proof documents, which may be analyzed by our automated verification systems. Usage data is automatically collected when you interact with the Platform, including IP addresses, browser type, device information, pages visited, and interaction patterns. This data helps us improve our services, detect fraud, and ensure platform security.
2. How We Use Your Information
We use your personal information to create and manage your account, facilitate transactions between buyers and sellers, process escrow payments, and communicate with you about your transactions and account status. Transaction-related communications include purchase confirmations, transfer status updates, dispute notifications, and payout confirmations.
Your uploaded content, including booking screenshots and transfer proof, is processed by our automated verification system to assess authenticity, detect potential fraud, and verify transfer completion. Automated analysis generates confidence scores and flags that assist our human review team in making final determinations. We do not use automated analysis for purposes unrelated to transaction verification and platform integrity.
We use usage data and analytics to improve Platform performance, personalize your experience, identify and address technical issues, and prevent fraudulent or unauthorized activity. We may also use aggregated, anonymized data for research and analytical purposes. With your consent, we may send you marketing communications about new features, promotions, or relevant travel deals; you may opt out of marketing communications at any time.
3. Third-Party Service Providers
SpareHolidays integrates with the following third-party service providers who process data on our behalf or as independent controllers: Clerk provides authentication and account management services, processing your email, password credentials, social login tokens, and session data. Stripe processes all financial transactions, escrow holds, payouts, and identity verification, operating as an independent data controller for payment data under its own privacy policy.
Pusher provides real-time notification delivery, processing anonymized user identifiers and notification content. Uploadthing handles secure file uploads, including listing images and transfer proof screenshots. Google Tag Manager facilitates analytics tracking to help us understand how users interact with the Platform; data collected through GTM is governed by Google's privacy policies.
Anthropic provides AI analysis capabilities through its Claude API, which we use for listing moderation, booking verification, and transfer proof analysis. Uploaded content sent to Anthropic for analysis is processed in accordance with Anthropic's data usage policies and is not used to train AI models. We require all third-party providers to maintain appropriate security measures and process personal data only as instructed by us and in compliance with applicable data protection laws.
5. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you are entitled to the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation: the right of access to your personal data; the right to rectification of inaccurate or incomplete data; the right to erasure ("right to be forgotten") under certain circumstances; the right to restrict processing of your data; the right to data portability in a structured, commonly used, machine-readable format; and the right to object to processing based on legitimate interests or for direct marketing purposes.
You also have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on you. While our AI systems assist in transaction verification and dispute analysis, final decisions with material impact on your account or transactions are reviewed by human administrators.
To exercise any of these rights, please contact our Data Protection team at [email protected]. We will respond to your request within thirty (30) days, as required by law. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. Our designated Data Protection contact can be reached at [email protected].
6. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. You have the right to know what personal information we collect, use, disclose, and sell or share; the right to delete personal information we have collected from you, subject to certain exceptions; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of your personal information.
SpareHolidays does not sell your personal information to third parties in exchange for monetary consideration. We may share certain data with third-party service providers as described in Section 3, which may constitute "sharing" under the CCPA. You may opt out of such sharing by adjusting your cookie preferences or contacting us directly.
You have the right to non-discrimination for exercising your CCPA rights. We will not deny you services, charge you different prices, provide a different quality of service, or retaliate against you for exercising any of your rights. To submit a CCPA request, please contact us at [email protected] or use the privacy request form available in your account settings. We will verify your identity before processing your request and respond within forty-five (45) days.
7. Data Retention
We retain your personal information for as long as your account remains active and as necessary to provide our services. Account profile data, including your name, email, and avatar, is retained until you delete your account or request erasure. Transaction records, including payment details, transfer documentation, dispute history, and tax-related information (such as VAT amounts, tax rates, jurisdiction data, and invoice records), are retained for a minimum of seven (7) years following the transaction date to comply with tax, accounting, and regulatory requirements under EU and Italian law.
Uploaded content, such as listing images and transfer proof screenshots, is retained for the duration of the transaction lifecycle plus an additional twelve (12) months to support potential dispute resolution. AI analysis results and verification scores are retained for twenty-four (24) months from the date of analysis for quality assurance and fraud prevention purposes.
Upon account deletion, we will remove or anonymize your personal data within thirty (30) days, except for data that we are legally required to retain, including tax records which must be preserved for the legally mandated retention period. Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytical and research purposes.
8. Data Security
SpareHolidays implements industry-standard technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Data at rest is encrypted using AES-256 encryption.
Financial data is processed exclusively by Stripe, which maintains PCI DSS Level 1 compliance, the highest level of certification available in the payment card industry. SpareHolidays's systems are never exposed to raw credit card data. Access to personal data within our organization is restricted to authorized personnel on a need-to-know basis, and all access is logged and audited.
While we take every reasonable precaution to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but commit to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable notification requirements under GDPR, CCPA, and other applicable laws.
9. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the following information:
Email: [email protected]
Data Protection Officer (DPO): [email protected]
For Data Protection inquiries and to exercise your GDPR or CCPA rights, you may also contact our Data Protection team directly at [email protected].
We aim to respond to all privacy-related inquiries within thirty (30) days of receipt. For complex requests or where extensions are permitted by law, we will inform you of any delay and the reasons for it.
If you are located in the EU and are unsatisfied with our handling of your privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority. For users in Germany, the competent authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn, Germany (www.bfdi.bund.de). Users in other EU member states may contact their respective national data protection authority.