List your rental today!Learn More
roomsHatch

Data Privacy & GDPR

Your data privacy rights and how roomsHatch complies with data protection regulations.

Last updated February 26, 2026

1. Our Commitment to Data Privacy

At roomsHatch, we are committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. This page outlines your rights and how we handle your data.

2. Data Controller

roomsHatch acts as the data controller for personal information collected through our platform. This means we determine the purposes and means of processing your personal data.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contractual necessity — To provide the services you've signed up for (account management, bookings, payments)
  • Legitimate interest — To improve our platform, prevent fraud, and ensure security
  • Consent — For marketing communications, analytics cookies, and non-essential data processing
  • Legal obligation — To comply with tax, accounting, and regulatory requirements

4. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar laws, you have the following rights:

Right of Access

You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.

Right to Rectification

You can request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it (e.g., financial records for tax purposes).

Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and transfer it to another service.

Right to Object

You can object to processing of your personal data for direct marketing purposes. We will stop processing immediately upon receiving your objection.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing before the withdrawal.

5. Your Rights Under CCPA

If you are a California resident, you additionally have the right to:

  • Know what personal information is being collected
  • Know whether your personal information is sold or disclosed and to whom
  • Opt out of the sale of your personal information (roomsHatch does not sell personal data)
  • Access your personal information
  • Request deletion of your personal information
  • Not be discriminated against for exercising your privacy rights

6. Data We Collect

We collect and process the following categories of personal data:

  • Identity data: Name, email, phone number, profile photo
  • Account data: Login credentials, preferences, role (seeker/host)
  • Listing data: Property details, photos, pricing (hosts only)
  • Transaction data: Booking history, payment records (processed by Stripe/PayPal)
  • Communication data: Messages exchanged through the platform
  • Technical data: IP address, browser type, device information, usage logs

7. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in our Privacy Policy:

  • Active accounts: Data is retained while your account is active
  • Deleted accounts: Data is erased within 30 days of account deletion, except where legal retention is required
  • Financial records: Retained for up to 7 years for tax and accounting compliance
  • Support tickets: Retained for 2 years after resolution

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR.

10. Exercising Your Rights

To exercise any of your data privacy rights, please contact our Data Protection Officer:

We will respond to all legitimate requests within 30 days. If your request is complex, we may extend this by an additional 60 days, and we will inform you of the extension.

11. Complaints

If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection supervisory authority.

12. Updates

This page may be updated periodically. We encourage you to review it regularly. Significant changes will be communicated by email or through a prominent notice on the platform.