Privacy Policy

We collect the following categories of personal data:

• Account information: Your name, email address, and password (stored securely via Supabase Auth).
• Profile data: Travel style, preferred destinations, country of residence, and bio — provided voluntarily during onboarding.
• Social profiles: Instagram handle, YouTube channel, TikTok, Twitter/X, and personal website URLs — if you choose to provide them to improve AI pitch generation.
• Usage data: Hotel views, pitches sent, pitch statuses, points earned, and other in-app activity to personalise your experience.
• Payment information: Billing details are collected and stored entirely by Stripe. We never see or store your full card number. We receive a Stripe Customer ID and subscription status from Stripe.
• Referral data: Your unique referral code and a record of who you referred, to attribute contest entries and rewards.
• Device and technical data: IP address, browser type, and device identifiers, collected automatically by Supabase for authentication and security purposes.

We use the data we collect to:

• Provide the service: Create and manage your account, authenticate you, and give you access to hotel drops and pitch tools.
• Personalise your experience: Use your travel style and preferred destinations to surface relevant hotel opportunities.
• Generate AI pitches: Use your name, social profiles, and preferences as context for the Gemini AI model to craft personalised hotel pitches. Your data is sent to Google Gemini solely for this purpose.
• Process payments: Pass necessary billing information to Stripe to handle subscription payments.
• Run contests: Track contest entries and select and notify winners.
• Send communications: Send transactional emails (e.g., email confirmation, pitch updates) and, with your consent, marketing emails about new features and offers.
• Improve the platform: Analyse aggregate usage patterns to identify bugs, improve UX, and develop new features. We do not sell individual-level data to third parties.
• Comply with legal obligations: Retain records as required by applicable law.

We use the following third-party services to operate GlamVillas. Each provider is subject to their own privacy policy.

• Supabase— authentication, database storage, and real-time features. Data is stored in Supabase’s cloud infrastructure. See supabase.com/privacy.
• Stripe — payment processing and subscription management. Stripe is PCI-DSS compliant. See stripe.com/privacy.
• Google / Gemini AI — AI-powered pitch generation. Your profile data is sent to Gemini to generate personalised pitches. See policies.google.com/privacy.
• Vercel — hosting and edge network for the GlamVillas web application. See vercel.com/legal/privacy-policy.

We do not sell, rent, or trade your personal information to any third parties for their marketing purposes.

We retain your personal data for as long as your account is active, or as needed to provide you the service. If you request account deletion, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law (e.g., for tax or fraud prevention purposes).

Aggregated, anonymised analytics data may be retained indefinitely as it cannot be used to identify you.

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local laws:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”): Request deletion of your personal data, subject to certain legal exceptions.
• Right to data portability: Receive your personal data in a structured, machine-readable format (e.g., JSON or CSV) and transfer it to another service.
• Right to restrict processing: Ask us to pause processing your data in certain circumstances.
• Right to object: Object to processing based on our legitimate interests, including direct marketing.
• Rights related to automated decision-making: You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at privacy@glamvillas.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

GlamVillas uses a minimal cookie footprint. We only set cookies that are strictly necessary for the service to function:

• Supabase authentication cookies: Used to maintain your logged-in session. These are session cookies that expire when your browser is closed, or after a set period of inactivity. They are strictly necessary and cannot be opted out of while using the service.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics.

We take reasonable technical and organisational measures to protect your personal data, including:

• HTTPS encryption for all data in transit
• Row-Level Security (RLS) in Supabase to ensure users can only access their own data
• Passwords are never stored in plaintext — authentication is handled by Supabase Auth with bcrypt hashing
• Stripe handles all payment card data under PCI-DSS standards

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

GlamVillas is not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Your data may be transferred to and processed in countries outside your own. Supabase, Stripe, and Google may store or process data in the United States and other countries. Where required, we rely on standard contractual clauses or other approved mechanisms to ensure adequate protection of your data.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notification at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects when the policy was last revised.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: