1. Who We Are

Lodgaro (“we”, “our”, or “us”) is a vacation rental management platform that helps property owners create their own branded booking websites, manage reservations, and accept direct guest payments. This privacy policy explains how we collect, use, and protect your personal information when you use our services at lodgaro.com.

Data Controller: Lodgaro, Brussels, Belgium
Privacy inquiries: privacy@lodgaro.com

2. Information We Collect

Account Information

• Name and email address
• Phone number (if you verify via SMS)
• Password (hashed — never stored in plain text)
• Profile information you choose to provide
• Google account information (if you register via Google OAuth)

Property & Booking Information

• Property details, descriptions, and photos you upload
• Pricing, seasonal rates, and availability settings
• Booking records including guest name, email, check-in/out dates, and amounts paid
• iCal calendar feeds you connect for availability sync

Payment & Payout Information

• Billing address and subscription plan
• Payment card details are processed securely by Stripe and are never stored on our servers
• Bank account or payout details you provide for receiving payouts

Technical & Usage Information

• IP address and browser/device type
• Pages visited and features used
• Error logs and performance data
• Cookies and similar technologies (see Section 6)

3. How We Use Your Information

• Create and manage your account and subscription
• Generate and host your branded booking website
• Process bookings, payments, and payouts
• Send transactional emails (booking confirmations, invoices, security alerts)
• Sync calendars and manage availability
• Provision and manage custom domains you connect
• Respond to support requests
• Detect and prevent fraud or abuse
• Comply with legal obligations
• Send newsletters if you opted in (you can unsubscribe at any time)

4. Legal Basis for Processing (GDPR)

• Contract: Processing necessary to provide the service you signed up for (account, bookings, payments)
• Consent: Newsletter subscription, optional analytics
• Legitimate Interest: Fraud prevention, security, service improvements
• Legal Obligation: Tax records, compliance with applicable Belgian and EU law

5. Data Sharing

We never sell your personal data. We share data only when necessary:

• Stripe: For payment processing and subscription management
• Amazon Web Services (AWS): For cloud hosting, database storage, and authentication (servers located in the EU — eu-west-1, Ireland)
• Amazon SES: For transactional email delivery
• Your guests: Booking details are shared with guests as needed to fulfill a reservation
• Legal authorities: When required by law, court order, or to protect our rights

6. Cookies

• Essential: Authentication session tokens, CSRF protection — required for the platform to function
• Analytics: Usage statistics to improve the platform (only with your consent)

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from logging in.

7. Your Rights (GDPR)

As an EU resident, you have the right to:

• Access: Receive a copy of all personal data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data (“right to be forgotten”)
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Restrict how we process your data in certain circumstances
• Object: Object to processing based on legitimate interest
• Withdraw Consent: Withdraw any previously given consent at any time

To exercise these rights, email us at privacy@lodgaro.com. We will respond within 30 days.

8. Data Security

We implement industry-standard security measures: TLS encryption in transit, AES-256 encryption at rest, secure authentication via AWS Cognito, least-privilege access controls, and regular security reviews. No method of transmission over the Internet is 100% secure — if you believe your account has been compromised, contact us immediately at privacy@lodgaro.com.

9. Data Retention

We retain your account data for as long as your account is active. Upon account deletion, personal data is removed within 30 days. Booking records and financial data are retained for 7 years to comply with Belgian tax and accounting obligations. Anonymous analytics data may be retained indefinitely.

10. International Transfers

Your data is primarily processed within the European Economic Area (EEA). Our AWS infrastructure is hosted in Ireland (eu-west-1). Where data is transferred outside the EEA (e.g., Stripe's US operations), appropriate safeguards are in place under Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Children's Privacy

Our services are intended for adults aged 18 and over. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected data from a minor, we will delete it promptly.

12. Changes to This Policy

We may update this policy periodically. For material changes, we will notify you by email and display a prominent notice in the platform at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact & Complaints

• Email: privacy@lodgaro.com
• Address: Brussels, Belgium

You have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) at dataprotectionauthority.be.