Livappy

1. Introduction

We are committed to protecting your privacy. This Privacy Policy explains how our platform collects, uses, and safeguards your personal data when you use our services. It outlines what personal data we process, the purposes and legal bases for processing, the recipients of your data, any transfers of data outside the EU, the periods for which data is retained, your rights under data protection law, and any profiling or automated decision-making that may occur.

By using our platform, you agree to the practices described in this Privacy Policy.

2. Personal Data We Process

We process various categories of personal data necessary for operating our platform. This includes:

Identification and contact information (such as your full name, email address, telephone number, and date of birth)
Account credentials (e.g. login email and password)
Profile details (like a profile photo or biography)
Information related to property listings you provide (such as the property's address and characteristics)
Location information (for example, the property location or your approximate location if you choose to share it)
Usage and analytics data (e.g. how you navigate our website, your clicks and page views, IP address, device and browser information, cookies data)
Any other information you voluntarily provide to us

If you register as or on behalf of a legal entity, we may also collect business information (e.g. company name, identification number, registered address) as well as personal details of the company's contact person.

3. Purposes of Processing

We use your personal data for the following purposes:

Account Registration and Management:

To register you as a user (host or guest) and maintain your account, including profile creation and authentication.

Identity Verification:

To verify your identity and eligibility (for example, confirming your age or performing Know-Your-Customer (KYC) checks via identity verification providers) in order to increase trust and comply with platform requirements.

Service Provision (Listings and Transactions):

To enable you to list properties or find and book properties, to facilitate rental or reservation agreements between hosts and guests, and to process transactions (including sending booking confirmations and processing payments).

Communication:

To communicate with you about your account, bookings, inquiries, or support requests – for instance, sending notifications, updates, and responding to your questions.

Marketing (with Consent):

To send you promotional materials or newsletters about our services or partner offers, only if you have given us your consent to receive marketing communications.

Personalization and Recommendations:

To personalize your experience on the platform, such as by recommending properties or showing content tailored to your preferences and past behavior.

Analytics and Improvement:

To analyze how users use our website and services (e.g. monitoring aggregate usage patterns and site traffic) in order to improve our platform's functionality, user experience, and offerings.

Security and Fraud Prevention:

To ensure the safety and integrity of our platform – for example, monitoring and detecting fraudulent activities, security incidents, or violations of our terms, and taking appropriate action.

Legal Compliance:

To fulfill our legal obligations and exercise our legal rights – for instance, keeping required records, complying with lawful requests by public authorities, or enforcing our Terms of Service.

4. Legal Basis for Processing

Our processing of personal data is based on various legal grounds under the General Data Protection Regulation (GDPR).

Performance of a contract: Primarily, we process most data in order to perform our contract with you – for example, data needed to provide our services, facilitate your bookings, or otherwise fulfill the agreements we have with you.

Consent: In certain cases, we rely on your consent – for instance, we will send you marketing emails or use optional cookies only if you have given consent.

Legitimate interests: In other situations, we process data on the basis of our legitimate interests (balanced against your rights and freedoms) – for example, using analytics to improve our services, ensuring security and fraud prevention, or sending direct marketing about similar services to existing customers (within permissible limits), which we consider necessary for the operation and improvement of our platform.

Legal obligations: Additionally, some processing may be necessary for us to comply with legal obligations – such as retaining transaction records for accounting/tax purposes or providing information to authorities if required by law.

We will inform you when the provision of certain personal data is mandatory (for example, we may require identity documents to verify hosts); if you choose not to provide such data, it may result in us being unable to provide the related service or feature.

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described above, unless a longer retention period is required or permitted by law.

In general, information associated with your account is kept for the duration of your account being active. If you delete your account or it is terminated, we will delete or irreversibly anonymize your personal data after a set period of time, except for any data we are required to keep longer to meet legal obligations or protect our legitimate interests.

For example, we may need to retain certain transaction records or communications for a number of years to comply with accounting laws or to resolve possible disputes.

We periodically review the personal data we hold and erase or anonymize any data that is no longer needed for the purposes for which it was collected. After the expiration of the applicable retention period, or upon your valid request for erasure, we will securely delete your personal data or anonymize it in our systems.

6. Data Recipients

In order to run our services, we may share your personal data with certain third parties and partners on a need-to-know basis. All such recipients are contractually obligated to handle your data securely and in compliance with privacy laws. The categories of recipients of personal data include:

Other Users (Transaction Counterparties):

When you engage in a booking or similar transaction on our platform, some of your personal information will be shared with the other party. For example, if you are a guest making a reservation, the host will receive your name, contact information, and booking details so they can fulfill the reservation; likewise, as a host, your relevant details (such as your first name, contact info, property address) will be shared with the guest. This exchange of information is necessary to carry out the contract between guests and hosts.

Service Providers:

We use trusted third-party service providers to help us operate the platform. This includes hosting and cloud infrastructure providers (for example, AWS – Amazon Web Services), analytics and performance tools (to analyze user behavior and improve our services), and email/SMS delivery services (to send verification codes, notifications, or newsletters). These providers process personal data on our behalf and according to our instructions.

Payment Processors and Financial Institutions:

If our platform involves payments (such as booking fees or payouts to hosts), personal data will be shared with payment processing companies or banking institutions to handle these transactions. For instance, when you make or receive a payment, relevant personal and transaction information is provided to our payment gateway or payment processor (and possibly the associated credit card network or bank) to process the payment and comply with anti-fraud checks.

Identity Verification (KYC) Services:

We may partner with specialized third-party providers to verify user identities as part of our trust and safety measures. If we require hosts or users to undergo KYC (Know Your Customer) verification, personal data such as your identification documents or biometric data (e.g. a selfie for identity match) will be securely transmitted to these verification service providers.

Business Partners and Affiliates:

In some cases, we might share data with business partners or affiliates who are assisting in delivering our services or providing additional features. For example, if we collaborate with a partner for additional insurance for rentals, we might share the necessary booking or personal details with that insurance partner. We will only share the data required for the specific service provided by the partner and pursuant to appropriate agreements.

Law Enforcement and Authorities:

If we are under a legal obligation to do so, we may disclose personal information to public authorities or law enforcement (for example, in response to a lawful request such as a court order or subpoena). We may also share information when necessary to enforce our Terms of Service or to protect the rights, property, or safety of our users, the public, or our company (this may include exchanging information with fraud prevention agencies or legal counsel).

Professional Advisors:

Where necessary, we may share data with our professional advisors such as lawyers, accountants, or auditors. This will only occur under strict confidentiality and only to the extent needed for consultation or compliance with our legal and financial obligations.

We ensure that all third-party recipients of data are bound by appropriate confidentiality and data protection obligations. If any service providers process personal data outside the European Economic Area, we implement safeguards as described in the next section.

7. International Data Transfers

We primarily store and process personal data within the European Union using AWS cloud infrastructure in EU regions. However, some of our service providers or partners may be located in countries outside the European Economic Area (EEA), or may use servers located outside the EEA (for example, a cloud service provider like AWS may host data in the United States).

In the event that personal data is transferred to a country outside the EEA, we will ensure that appropriate safeguards are in place to protect the data in accordance with Chapter V of the GDPR. Such safeguards may include:

Transferring data only to countries that the European Commission has officially deemed to have an adequate level of data protection
Implementing Standard Contractual Clauses (SCCs) approved by the European Commission (contractual commitments that legally oblige the recipient to protect your data)

In some cases, we may also rely on other permitted transfer mechanisms, such as binding corporate rules or specific consent from you, if applicable. We will take all necessary measures to ensure that your personal information remains protected to the standard required by EU law when it is transferred internationally.

8. Your Rights

As a user of our platform and a data subject, you have several rights regarding your personal data under applicable data protection laws (especially the GDPR). In summary, you are entitled to the following:

Right to be Informed:

You have the right to be informed about the collection and use of your personal data. This Privacy Policy, along with any just-in-time notices we provide, is intended to keep you informed about how and why your data is processed.

Right of Access:

You have the right to request access to your personal data that we hold. This means you can ask us to confirm whether we are processing your personal information and provide you with a copy of that data, as well as details about how we use it.

Right to Rectification:

If you believe that any personal data we have about you is inaccurate or incomplete, you have the right to request that we correct or update it. We will rectify inaccurate information without undue delay and complete any incomplete information as needed.

Right to Erasure:

You have the right to request deletion of your personal data in certain circumstances – for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis to continue processing. This is sometimes called the "right to be forgotten." We will honor valid erasure requests and delete your data, provided we are not legally required or otherwise permitted to retain it.

Right to Restrict Processing:

You have the right to ask us to restrict (temporarily halt) the processing of your personal data in certain cases – for instance, if you contest the accuracy of the data or object to our processing, until we address your concern. While processing is restricted, we can store your data but not use it (except for certain exempt purposes like legal claims).

Right to Data Portability:

You have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another controller. Where technically feasible, you can also request that we transfer the data directly to another provider. This right applies when the processing is based on your consent or on a contract and carried out by automated means.

Right to Object:

You have the right to object to certain types of processing of your personal data. Notably, you can object at any time to the processing of your data for direct marketing purposes – if you object, we will stop using your data for marketing. You can also object when we base processing on legitimate interests, and your particular situation gives rise to an objection (unless we demonstrate compelling legitimate grounds for the processing that override your interests or rights).

Right not to be Subject to Automated Decisions:

You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects on you or similarly significantly affects you. This means that, if we ever were to make a purely algorithmic decision about you with significant impact (for example, an automated refusal of a service without human involvement), you can request that a human review the decision, or that we provide an explanation, and you may contest the decision.

Right to Withdraw Consent:

Where we rely on your consent to process personal data (for example, for sending marketing communications or using certain cookies), you have the right to withdraw your consent at any time.

How to Exercise Your Rights:

To exercise any of your rights, you can contact us using the details below. For security reasons, we may need to verify your identity before fulfilling certain requests. We will respond to your request without undue delay and in any event within one month of receiving it (with the possibility of an extension by two further months in certain complex cases, of which we will inform you). Exercising your rights is free of charge. If we cannot fulfill your request (for example, if an exemption applies), we will explain the reasons to you.

9. Profiling and Automated Decision-Making

Our platform uses certain automated processes to enhance your experience and to maintain trust and safety; some of these processes may constitute profiling under the GDPR. For example:

We may use algorithms to score or rate hosts (e.g. automatically calculating a host's rating based on guest reviews, responsiveness, and reliability)
We provide personalized property recommendations to users based on search history, saved properties, location, and other preferences
We might use automated systems to sort or prioritize search results for guests
We use automated systems to detect fraudulent activity or violations of our terms

Important: While these processes involve automated analysis of personal data, no purely automated decisions are made that would have legal or similarly significant effects on you without human intervention. Any automated fraud or risk flags are reviewed by our team before taking action such as suspending an account, so there is human oversight.

If you believe an automated process has significantly negatively affected you, you can contact us to have the decision reviewed by a human. We are transparent about these profiling activities, and if you have any questions or concerns about how we use algorithms in our platform, you can reach out to us and we will provide further information.

10. Withdrawal of Consent

Where we rely on your consent to process personal data (for example, for sending marketing communications or using certain cookies), you have the right to withdraw your consent at any time.

Withdrawing consent will not affect the lawfulness of any processing we conducted based on consent before its withdrawal, but once consent is withdrawn, we will cease the specific processing that was based on consent.

There are no negative consequences for withdrawing consent, but some services or features may not be available after consent is withdrawn.

11. Contact Information

The data controller responsible for your personal data is:

Livappy OÜ

Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141

Email: info@livappy.com

If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, you can contact us using the above details.

As of now, Livappy OÜ has not appointed a Data Protection Officer (DPO). If you wish to exercise your data protection rights or have questions about how we handle personal data, please email us at info@livappy.com.

Contact email: info@livappy.com

Effective date: September 10, 2025

Operator: Livappy OÜ (registrikood 17298558)
Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141, Estonia
Registered with Tartu County Court Registry Department, commercial register card no. 1.

Google Workspace (Google Ireland Limited) acts as one of our trusted service providers. We use Google Workspace for email, calendar, and document management. As part of this processing, personal data such as email addresses and communications may be handled by Google Ireland Limited within the EU. Where data is transferred outside the EEA, Google ensures protection using Standard Contractual Clauses (SCCs). For more details, see Google's Privacy Policy: https://policies.google.com/privacy.