Data Controller: MasaOra Ltd, trading as AtlasOra
Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom
Registration: England & Wales, Company No. 16538946
Introduction
1.1 MasaOra Ltd (AtlasOra, we, us, or our) is committed to protecting and respecting your privacy. This Privacy Policy (Policy) explains how we collect, use, disclose, and safeguard your personal data when you use our Platform at www.atlasora.com (the Platform).
1.2 MasaOra Ltd is a private limited company incorporated in England and Wales under company number 16538946, with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX.
1.3 For the purposes of applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) as retained in domestic law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 (DPA 2018), and, where applicable to individuals in the European Economic Area, the EU General Data Protection Regulation (EU) 2016/679 (EU GDPR) (collectively, Data Protection Laws), MasaOra Ltd is the data controller of the personal data described in this Policy.
1.4 Our nominated data protection contact is Sam Dreier, who can be reached at sam@atlasora.com. If you have any questions, concerns, or requests relating to this Policy or your personal data, please contact Sam in the first instance.
1.5 This Policy should be read alongside our Terms of Service and Cookie Policy. Capitalised terms used but not defined in this Policy have the meanings given to them in our Terms of Service.
Personal Data We Collect
2.1 We collect different categories of personal data depending on whether you use the Platform as a Guest, as a Host, or as a general visitor. We do not collect any special category data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data).
2.2 Guest Data
2.2.1 When you register as a Guest or make a Booking, we collect the following personal data:
| Category | Data Collected | Source |
|---|---|---|
| Identity data | Full name | Provided by you at registration |
| Contact data | Email address | Provided by you at registration |
| Payment data | Payment card details (processed by Revolut; we do not store full card numbers) | Provided by you at checkout |
| Address data | Billing address associated with your payment card | Provided by you at checkout via payment card details |
| Technical data | IP address, browser type and version, device information, operating system, time zone setting, and platform usage data | Collected automatically when you use the Platform |
| Booking data | Booking dates, property selected, payment amounts and schedule, cancellation history, and communications with Hosts | Generated through your use of the Platform |
2.3 Host Data
2.3.1 When you register as a Host, we collect the following personal data:
| Category | Data Collected | Source |
|---|---|---|
| Identity data | Full name, date of birth, nationality, and identity documents (passport, national ID card, or equivalent) | Provided by you and verified via Sumsub KYC process |
| Contact data | Email address and phone number | Provided by you at registration |
| Financial data | Bank account details for payout purposes | Provided by you in your account settings |
| Regulatory data | Short-term rental licence number and supporting documentation, property ownership documents | Provided by you during onboarding |
| KYC verification data | Identity verification results, selfie images, document scans, and verification status | Collected and processed by Sumsub on our behalf |
| Listing data | Property descriptions, photographs, pricing, availability, house rules, cancellation policy, and payment schedule selections | Provided by you when creating Listings |
| Technical data | IP address, browser type and version, device information, operating system, time zone setting, and platform usage data | Collected automatically when you use the Platform |
2.4 All Users
2.4.1 In addition to the data described above, we collect the following from all Users:
- Communications data: the content of messages sent through the Platform, support enquiries, and any other correspondence with us.
- Review and rating data: reviews, ratings, and feedback submitted by you on the Platform.
- Cookie and tracking data: data collected through cookies and similar technologies, as described in Section 9 and our Cookie Policy.
- Marketing preferences: your preferences regarding marketing communications from us.
How We Use Your Personal Data
3.1 We process your personal data only where we have a lawful basis to do so. The table below sets out the purposes for which we process your data, the categories of data involved, and the lawful basis we rely upon.
| Purpose | Data Used | Lawful Basis | Details |
|---|---|---|---|
| To register your account and verify your identity | Identity, contact, KYC verification, regulatory data | Performance of contract | Necessary to create and manage your account and comply with our Terms of Service |
| To process Bookings and payments | Identity, contact, payment, address, booking data | Performance of contract | Necessary to facilitate Bookings and process payments as Merchant of Record |
| To remit payouts to Hosts | Identity, financial data, booking data | Performance of contract | Necessary to pay Hosts their share of Booking revenues |
| To verify Host licensing and legal compliance | Regulatory data, identity data | Legal obligation | Required to comply with Spanish tourism regulations and anti-money laundering obligations |
| To conduct KYC and anti-money laundering checks | Identity, KYC verification data | Legal obligation | Required under the Money Laundering Regulations 2017 and applicable EU AML directives |
| To communicate with you about Bookings and your account | Identity, contact, booking data, communications data | Performance of contract | Necessary to manage Bookings and respond to enquiries |
| To display and moderate reviews and ratings | Review and rating data, identity data | Legitimate interest | To maintain trust and transparency on the Platform |
| To send marketing communications | Identity, contact data, marketing preferences | Consent | We will only send marketing emails where you have opted in. You may withdraw consent at any time |
| To improve the Platform and analyse usage | Technical data, cookie data, booking data | Legitimate interest | To improve our services, fix bugs, and understand how the Platform is used |
| To prevent fraud and ensure security | Technical data, identity data, payment data | Legitimate interest | To protect Users and the Platform from fraud, abuse, and security threats |
| To comply with legal obligations and respond to legal requests | All categories as required | Legal obligation | To comply with court orders, tax obligations, regulatory requests, and applicable law |
| To resolve disputes and enforce our Terms | All categories as required | Legitimate interest | To establish, exercise, or defend legal claims |
3.2 Where we rely on legitimate interest as the lawful basis for processing, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these balancing tests by contacting us at sam@atlasora.com.
3.3 Where we rely on consent as the lawful basis for processing (such as for marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Who We Share Your Personal Data With
4.1 We do not sell your personal data to third parties. We do not share your personal data with third parties for their own marketing purposes.
4.2 We share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this Policy:
4.3 Between Users
4.3.1 When a Booking is confirmed, we share the Guest's name and contact details with the Host, and the Host's name, property address, and contact details with the Guest. This sharing is necessary for the performance of the accommodation contract between Guest and Host.
4.4 Third-Party Service Providers (Data Processors)
4.4.1 We use the following third-party service providers who process personal data on our behalf, under data processing agreements that comply with applicable Data Protection Laws:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Revolut | Payment processing (Merchant of Record infrastructure) | Payment card details, billing address, transaction data | United Kingdom / EEA |
| Sumsub | Identity verification and KYC checks for Hosts | Identity documents, selfie images, name, date of birth, nationality, verification results | EEA |
| Supabase | Cloud database hosting and backend infrastructure | All data stored on the Platform | EU region |
| Mapbox | Map display and geolocation services | IP address, location data (property coordinates), device data | United States (see Section 6) |
| Resend | Transactional email delivery | Email address, name, email content | United States (see Section 6) |
| Brevo | Marketing email communications | Email address, name, marketing preferences | European Union (France) |
| Tawk.to | Live chat customer support | Name, email address, chat messages, IP address | United States (see Section 6) |
4.5 Other Disclosures
4.5.1 We may also disclose your personal data where required by law, regulation, or legal process (such as a court order or subpoena), where necessary to protect the rights, property, or safety of MasaOra Ltd, our Users, or the public, to professional advisers such as lawyers, auditors, and insurers in connection with the provision of services to us, or in connection with a merger, acquisition, or sale of all or a portion of our business, in which case the acquiring entity will be bound by the terms of this Policy.
Data Retention
5.1 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account and identity data (Guest) | Duration of account plus 6 years after account closure | Limitation Act 1980: 6-year limitation period for contractual claims |
| Account and identity data (Host) | Duration of account plus 6 years after account closure | Limitation Act 1980 and AML record-keeping obligations (5 years post-relationship under MLR 2017) |
| KYC and identity verification documents | 5 years after the end of the business relationship | Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulation 40 |
| Payment and transaction data | 6 years from the date of the transaction | Limitation Act 1980; HMRC record-keeping requirements |
| Booking and communications data | 6 years from the date of the Booking | Limitation Act 1980: potential contractual and tortious claims |
| Reviews and ratings | Duration of account plus 2 years after account closure or review deletion | Legitimate interest in maintaining Platform integrity; shorter period as lower risk |
| Marketing consent records | Duration of consent plus 2 years after withdrawal | Evidence of consent under PECR and UK GDPR; ICO guidance on retention of consent records |
| Technical and cookie data | 13 months from collection | ICO guidance on cookie retention; industry standard |
| Customer support data | 3 years from resolution of the enquiry | Legitimate interest in maintaining service quality and resolving follow-up issues |
| Host regulatory documents | Duration of Listing plus 6 years after Listing removal | Regulatory compliance evidence; Limitation Act 1980 |
5.2 Where we are required by law to retain data for longer periods (for example, under tax or anti-money laundering legislation), we will do so in accordance with the applicable legal requirements.
5.3 At the end of the applicable retention period, we will securely delete or anonymise your personal data, unless further retention is required by law or is necessary for the establishment, exercise, or defence of legal claims.
International Transfers of Personal Data
6.1 We aim to keep personal data within the United Kingdom and the European Economic Area wherever possible. However, some of our third-party service providers are based in, or process data in, the United States. This includes Mapbox, Resend, and Tawk.to.
6.2 Where personal data is transferred outside the United Kingdom or the EEA to a country that has not been deemed to provide an adequate level of data protection, we ensure that appropriate safeguards are in place to protect your data, including:
- Standard Contractual Clauses (SCCs): We enter into the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Agreement / Addendum, as applicable) with service providers who process data outside the UK/EEA.
- Adequacy decisions: Where the UK Secretary of State or the European Commission has determined that a country provides an adequate level of data protection, we may rely on such adequacy decisions.
- Supplementary measures: Where required, we implement supplementary technical and organisational measures (such as encryption and access controls) to ensure that your data is adequately protected.
6.3 You may request a copy of the safeguards we have put in place by contacting us at sam@atlasora.com.
Your Rights Under Data Protection Laws
7.1 Under the UK GDPR, the DPA 2018, and (where applicable) the EU GDPR, you have the following rights in relation to your personal data:
7.2 To exercise any of these rights, please contact us at sam@atlasora.com. We will respond to your request within one (1) month of receipt. In complex or high-volume cases, we may extend this period by a further two (2) months, in which case we will inform you of the extension and the reasons for it within the initial one-month period.
7.3 We will not charge a fee for responding to your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request, providing reasons.
7.4 We may need to verify your identity before processing your request to protect your personal data from unauthorised access.
Automated Decision-Making
8.1 We do not currently use any automated decision-making or profiling that produces legal or similarly significant effects on you. If this changes in the future, we will update this Policy and, where required, seek your explicit consent.
Cookies and Similar Technologies
9.1 We use cookies and similar technologies on the Platform. Cookies are small text files placed on your device when you visit the Platform.
9.2 We use the following categories of cookies:
- Strictly necessary cookies: These are essential for the Platform to function and cannot be switched off. They are usually set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms.
- Analytics cookies: These allow us to count visits and traffic sources so we can measure and improve the performance of the Platform. They help us understand which pages are the most and least popular and how visitors move around the Platform.
- Marketing and advertising cookies: These may be set through the Platform by our advertising partners. They may be used to build a profile of your interests and show you relevant advertisements on other sites. They do not directly store personal data but are based on uniquely identifying your browser and device.
9.3 In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and, where applicable, the ePrivacy Directive, we will obtain your consent before placing any non-essential cookies on your device. You can manage your cookie preferences at any time through our cookie consent banner or your browser settings.
9.4 Further details about the specific cookies we use, their purpose, and their duration are set out in our Cookie Policy, available on the Platform.
9.5 We do not currently use tracking pixels from social media or advertising platforms (such as Meta Pixel, TikTok Pixel, or Google Ads tags). If this changes in the future, we will update this Policy and our Cookie Policy, and will obtain your consent before deploying such technologies.
Marketing Communications
10.1 We will only send you marketing communications by email where you have given your prior opt-in consent, in accordance with Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
10.2 You may withdraw your consent and opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, by updating your preferences in your account settings, or by contacting us at sam@atlasora.com.
10.3 Please note that even if you opt out of marketing communications, we will still send you transactional and service-related communications (such as Booking Confirmations, payment reminders, and account notifications), as these are necessary for the performance of our contract with you.
10.4 We use Brevo (formerly Sendinblue) to manage our marketing email communications. Your email address and name will be shared with Brevo solely for this purpose, under a data processing agreement.
Children's Privacy
11.1 The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at sam@atlasora.com and we will take steps to delete such data.
11.2 Beyond the age declaration in our Terms of Service, we do not currently employ specific age-verification mechanisms. If we become aware that a User is under 18, we will suspend their account and delete their personal data.
Data Security
12.1 We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments and monitoring
- Staff training on data protection
- Incident response procedures
12.2 Payment card data is processed by Revolut in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We do not store full payment card numbers on our systems.
12.3 While we take reasonable steps to protect your personal data, no system of data transmission or storage is completely secure. We cannot guarantee the absolute security of your data, and any transmission is at your own risk.
Third-Party Links and Services
13.1 The Platform may contain links to third-party websites, services, or applications that are not operated by us. This Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before providing your personal data to them.
Changes to This Privacy Policy
14.1 We may update this Policy from time to time to reflect changes in our processing activities, legal requirements, or best practice. Where we make material changes, we will notify you by email or by prominent notice on the Platform at least thirty (30) days before the changes take effect.
14.2 We encourage you to review this Policy periodically. The date of the most recent update is shown at the top and bottom of this document.
14.3 Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree to the revised Policy, you must cease using the Platform and close your account.
Complaints
15.1 If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to lodge a complaint with:
Information Commissioner's Office (ICO)
The UK's supervisory authority for data protection.
Website: www.ico.org.uk
Telephone: 0303 123 1113
Your local EU/EEA supervisory authority
If you are located in the EEA, you may also lodge a complaint with the data protection authority in your country of residence. A list of EEA supervisory authorities is available at edpb.europa.eu.
15.2 We would appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at sam@atlasora.com so we can try to resolve the matter directly.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
MasaOra Ltd
Trading as AtlasOra
128 City Road, London
EC1V 2NX, United Kingdom