Last updated:
This policy explains how Heispot collects, uses and protects your personal data. If you have any questions, contact us.
Heispot B.V. ("Heispot", "we", "us" or "our"), registered in the Netherlands, is the data controller for personal data processed through the heispot.com platform.
We are committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and Dutch privacy law (UAVG).
If you have any questions about this policy, please contact us at hello@heispot.com.
We collect the following categories of personal data:
Account data — name, email address, password (hashed), profile photo and account preferences, collected when you register.
Profile data — job title, location, phone number, languages spoken and a short biography, provided voluntarily by hosts to complete their public profile.
Booking and transaction data — dates, venue details, messages exchanged between guests and hosts, and payment-related information (payment is processed by Stripe; we do not store full card numbers).
Usage data — pages visited, search queries, filters used, IP address, browser type and device information, collected automatically via cookies and server logs.
Communications — emails or messages you send to our support team.
Reviews — ratings and written reviews you submit for hosts or venues.
We process your personal data on the following legal bases under Article 6 GDPR:
Contract (Art. 6(1)(b)) — to create and manage your account, process bookings and handle payments.
Legitimate interests (Art. 6(1)(f)) — to improve the Platform, prevent fraud, ensure security and send you service-related communications. We have assessed that these interests are not overridden by your rights.
Legal obligation (Art. 6(1)(c)) — to comply with tax, financial reporting and other applicable legal requirements.
Consent (Art. 6(1)(a)) — for marketing emails and non-essential cookies, where we ask for your permission. You can withdraw consent at any time.
We use your personal data to:
- Create and manage your account and verify your identity;
- Facilitate bookings and communications between guests and hosts;
- Process payments and send transaction confirmations;
- Provide customer support and respond to enquiries;
- Send transactional emails (booking confirmations, reminders, account alerts);
- Send marketing emails about new venues, promotions or platform updates (with your consent);
- Improve, personalise and develop the Platform;
- Detect and prevent fraud, abuse or misuse;
- Comply with legal and regulatory obligations.
We do not sell your personal data to third parties.
We retain your personal data for as long as your account is active or as needed to provide our services.
If you delete your account, we will erase or anonymise your personal data within 30 days, except where we are required by law to retain certain records (e.g. financial transaction records, which we keep for 7 years under Dutch tax law).
Anonymised or aggregated data that cannot identify you may be retained indefinitely for analytics purposes.
Under GDPR, you have the following rights regarding your personal data:
Right of access — you can request a copy of the personal data we hold about you.
Right to rectification — you can ask us to correct inaccurate or incomplete data.
Right to erasure — you can request that we delete your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction — you can ask us to limit how we process your data in certain circumstances.
Right to data portability — you can request your data in a structured, commonly used machine-readable format.
Right to object — you can object to processing based on legitimate interests, including for direct marketing.
Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email us at hello@heispot.com. We will respond within one month. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse. These include:
- HTTPS encryption for all data in transit;
- Hashed storage of passwords (never stored in plain text);
- Row-level security on our database (Supabase RLS);
- Restricted access to production data on a need-to-know basis;
- Regular security reviews.
Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at hello@heispot.com.
The Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or by displaying a notice on the Platform.
The date of the most recent revision is shown at the top of this page. We encourage you to review this policy periodically.
For any questions, requests or complaints about this Privacy Policy or our data practices, please contact our privacy team:
Heispot B.V.
1e Pijnackerstraat 38c
3036 GJ Rotterdam
The Netherlands
Email: hello@heispot.com
You may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
This Privacy Policy was last updated on 1 April 2026. For previous versions or any questions, email hello@heispot.com.
Also see our Terms & Conditions.