Privacy Policy
Last updated: 2026-02-27
2.1 Introduction and Scope
[COMPANY NAME] ("we," "us," "our") is committed to protecting the privacy and personal data of all individuals who interact with the UGC Travel SaaS Platform ("Platform"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to it.
This Policy applies to:
- Registered users and subscribers of the Platform;
- Visitors to ugc-platform.com;
- Individuals whose email addresses are displayed to Platform users (establishment contacts).
Data Controller. [COMPANY NAME], [ADDRESS], privacy@ugc-platform.com, is the data controller for personal data processed through the Platform, within the meaning of the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
2.2 Data We Collect
2.2.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, company name | Account creation and authentication (via Clerk) |
| Payment data | Billing address, last 4 digits of card (tokenized) | Subscription management (processed by Stripe — we never store raw card data) |
| Profile data | Professional role, social media handles, portfolio links | Service personalization |
| Communications | Support messages, feedback submissions | Customer support |
| Email content | Templates and messages composed on the Platform | Delivering the email prospection service |
2.2.2 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, clicks, session duration | Service improvement and analytics |
| Device/technical data | IP address, browser type, OS, screen resolution | Security, fraud prevention, compatibility |
| Log data | Server logs, error reports, timestamps | Debugging and security monitoring |
| Cookie data | Session identifiers, preference cookies, analytics identifiers | See Cookie Policy |
2.2.3 Data from Third Parties
| Source | Data type | Purpose |
|---|---|---|
| Clerk | OAuth tokens, SSO data | Authentication |
| Bright Data | Publicly available business data (establishment names, addresses, phone numbers) | Core search feature |
| Hunter.io | Publicly inferred business email addresses | Email enrichment feature |
| | Public hotel/establishment data via Google OAuth-linked searches | Search functionality |
| Stripe | Payment status, subscription events | Billing management |
We do not knowingly collect personal data from individuals under 18 years of age.
2.3 How and Why We Use Your Data (Legal Bases)
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account creation and authentication | Account data | Contract (Art. 6(1)(b)) |
| Delivering the Platform's features | Usage data, email content, search queries | Contract (Art. 6(1)(b)) |
| Processing payments | Payment data | Contract (Art. 6(1)(b)) |
| Customer support | Communications data | Contract / Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Technical data, log data | Legitimate interest (Art. 6(1)(f)) |
| Platform improvement and analytics | Usage data, technical data | Legitimate interest (Art. 6(1)(f)) |
| Sending service communications (transactional) | Email address | Contract (Art. 6(1)(b)) |
| Sending marketing communications | Email address | Consent (Art. 6(1)(a)) |
| Legal compliance | All relevant data | Legal obligation (Art. 6(1)(c)) |
2.4 Establishment Contact Data
The Platform displays publicly available contact information about hospitality establishments (names, addresses, phone numbers, business email addresses) retrieved from third-party data providers.
This data is processed as business contact information. Where individual employees' email addresses are retrieved, we rely on the legitimate interest of professional B2B prospection (GDPR Recital 47 and applicable national guidance on B2B marketing), provided:
- The data was made publicly available by the individual or their employer;
- The prospection is relevant to the individual's professional role;
- The individual is provided with a clear opt-out mechanism in every communication.
Users of the Platform are independently responsible for ensuring that their use of establishment contact data complies with applicable data protection and anti-spam laws in the recipient's jurisdiction.
2.5 Data Sharing and Disclosure
We do not sell your personal data to third parties.
We share personal data only in the following circumstances:
- Service providers (data processors): Third-party providers acting on our documented instructions, including Clerk (authentication), Stripe (payments), Inngest (background job processing), Bright Data (data sourcing), Hunter.io (email enrichment), and hosting providers. All processors are bound by data processing agreements.
- Legal requirements: Where required by law, court order, or regulatory authority; or where necessary to protect the rights, property, or safety of the Company, its users, or the public.
- Business transfers: In connection with a merger, acquisition, financing, or sale of all or a portion of the Company's assets, provided the acquiring party commits to uphold the protections in this Policy.
- With your consent: For any other purpose with your explicit prior consent.
2.6 International Data Transfers
Some of our service providers (including Stripe, Clerk, Bright Data, and Hunter.io) operate outside the European Economic Area (EEA). Where personal data is transferred to countries not recognized by the European Commission as providing an adequate level of protection, we implement appropriate safeguards in accordance with GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
- Binding Corporate Rules (BCRs) where applicable.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@ugc-platform.com.
2.7 Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
| Data type | Retention period |
|---|---|
| Account data | Duration of account + 3 years after closure |
| Payment records | 10 years (French tax/accounting law) |
| Email campaign logs | 3 years |
| Support communications | 3 years |
| Server logs and security logs | 12 months |
| Analytics data (aggregated) | 25 months (CNIL recommendation) |
When a retention period expires, data is securely deleted or anonymized.
2.8 Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Access controls and role-based permissions;
- Regular security reviews and penetration testing;
- Incident response procedures aligned with GDPR 72-hour notification requirements.
No transmission over the internet is 100% secure. While we use industry-standard safeguards, we cannot guarantee absolute security.
2.9 Your Rights
Depending on your location, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15 GDPR) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16 GDPR) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17 GDPR) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18 GDPR) | Request that we restrict processing in certain circumstances |
| Portability (Art. 20 GDPR) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21 GDPR) | Object to processing based on legitimate interest, including direct marketing |
| Withdraw consent (Art. 7(3) GDPR) | Withdraw consent at any time where processing is consent-based |
| Lodge a complaint | File a complaint with a supervisory authority (France: CNIL — www.cnil.fr) |
CCPA rights (California residents). California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete, the right to opt out of sale (we do not sell data), and the right to non-discrimination. To exercise these rights, contact us at privacy@ugc-platform.com.
To exercise your rights, submit a request to privacy@ugc-platform.com. We will respond within thirty (30) days (extendable by sixty (60) additional days with notice for complex requests). We may need to verify your identity before processing your request.
2.10 Data Protection Officer
If you have questions about our data protection practices or wish to contact our data protection officer, please reach us at privacy@ugc-platform.com.
2.11 Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes at least thirty (30) days in advance by email or in-app notification. The "Last updated" date at the top of this Policy reflects the most recent revision.
2.12 Contact
For all privacy-related inquiries: privacy@ugc-platform.com — [COMPANY NAME], [ADDRESS].