This Privacy Policy explains how TheBareStay (“we”, “us”) collects, uses, and protects personal data when you use thebarestay.com. We act as data controller within the meaning of the EU General Data Protection Regulation (GDPR).
1. Data Controller
Lola Arrou-Vignod — Toulon, France.
Contact: thebarestay@gmail.com
2. Data We Collect
Account data
- Email address and display name
- Authentication credentials (managed by our backend provider)
- Account creation date and onboarding state
Contribution data
- Hotel stays you report (hotel, month, year)
- Items, brands, ratings, comments, and photos you submit
- Moderation flags you raise on other contributions
Technical data
- Authentication session cookie (strictly necessary)
- Basic request logs (IP, user-agent, timestamps) kept by our infrastructure providers for security purposes
We do not use advertising cookies, tracking pixels, or analytics cookies.
3. Why We Process Your Data (Legal Bases)
- Providing the Service (contract): account creation, sign-in, displaying your contributions.
- Legitimate interest: moderation, fraud prevention, service security and improvement.
- Legal obligation: responding to lawful requests from competent authorities.
4. Cookies
We use only strictly necessary cookies, primarily a session cookie required to keep you logged in. These cookies do not require consent under EU law.
5. Third Parties
We share limited data with the following providers, strictly to operate the Service:
- Supabase — database, authentication, and file storage. Hosts account data, contributions, and uploaded photos.
- Google Places API — hotel search and photo lookup. We send hotel names, cities, and Place IDs; we do not send personal data.
We do not sell your personal data and we do not share it with advertisers or data brokers.
6. International Transfers
Some processors may store data outside the European Economic Area. Where this is the case, transfers are protected by appropriate safeguards (such as the EU Standard Contractual Clauses).
7. Retention
- Account data: kept while your account exists, deleted within 30 days of account deletion.
- Contributions and photos: kept as long as they remain useful to the Service, even after account deletion they may persist in aggregated/anonymised form.
- Moderation logs: kept up to 2 years for abuse-prevention purposes.
8. Your Rights
Under the GDPR you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request erasure (“right to be forgotten”)
- Request restriction of processing or object to processing
- Request data portability
- Withdraw any consent you have given
- Lodge a complaint with a supervisory authority — in France, the CNIL (cnil.fr)
To exercise your rights, email thebarestay@gmail.com. We aim to respond within one month.
9. Security
We rely on industry-standard practices to protect your data, including encryption in transit (HTTPS), encrypted storage at our backend provider, and row-level security policies on our database. No system is 100% secure; we cannot guarantee absolute security.
10. Children
The Service is intended for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us so we can delete it.
11. Changes
We may update this Privacy Policy. Material changes will be announced on the Service. The “Last updated” date at the top of this page reflects the latest revision.