Article 1 — Data controller

The controller of personal data processing is:

Triptic SAS

Registered office: 57 rue Raspail, 92300 Levallois-Perret, France

SIRET: 889 274 510 00011

Represented by: Olivier BAILLEUX, President

DPO / Data Protection contact:  dpo@triptic.io

Article 2 — Data collected

Triptic collects the following categories of data, depending on the User's role and use of the Platform:

2.1 Identification data

• last name, first name, email address, telephone number;
• postal address;
• date of birth (optional);
• occupation (optional);
• employer (optional);
• profile picture (optional);
• username (@username);
• for professional Hosts and Organizations: company name, SIRET number, business address.

2.2 Connection and technical data

• IP address, connection logs;
• browser type, operating system, device used;
• connection dates and times.

2.3 Transaction data

• Booking history (dates, amounts, status);
• billing information related to Subscriptions;
• Stripe identifiers (Stripe Customer ID, Stripe Connected Account ID); Triptic does not store credit card numbers, which are processed exclusively by Stripe.

2.4 Content data

• published Listings (descriptions, photos, prices, calendars);
• messages exchanged via the internal messaging service;
• reviews, comments, travel stories;
• traveler personality quiz results (tags, archetype, scores).

2.5 Geolocation data

Triptic may collect approximate location data (city, region) based on the IP address. Precise geolocation is used only for displaying maps (Leaflet/OpenStreetMap) and for address geocoding (Nominatim). These services operate client-side or via anonymous requests and do not require specific consent.

Article 3 — Purposes and legal bases for processing

Personal data is processed for the following purposes:

3.1 Performance of the contract (article 6.1.b of the GDPR)

• user account management and authentication;
• connecting Hosts and Travelers;
• processing Bookings and payments;
• communication between Members via the messaging service;
• provision of SaaS rental management tools;
• generation of the traveler profile (Traveler Portrait).

3.2 Legal obligation (article 6.1.c of the GDPR)

• retention of billing data (accounting and tax obligations);
• retention of connection data (host obligation under the LCEN);
• response to judicial and administrative requests.

3.3 Legitimate interest (article 6.1.f of the GDPR)

• improvement of the Platform and audience analysis (via Umami, without personal data);
• fraud prevention and Platform security;
• technical support and dispute resolution;
• sending communications relating to the operation of the Service (Booking notifications, Terms updates, security alerts).

3.4 Consent (article 6.1.a of the GDPR)

• sending newsletters and marketing communications;
• placement of non-essential cookies where applicable;
• precise geolocation.

Consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent carried out before its withdrawal.

Article 4 — Data recipients

Personal data may be communicated to the following categories of recipients:

4.1 Technical data processors

• Stripe (Stripe Payments Europe, Ltd., Ireland): payment processing and fraud prevention;
• OVH SAS (France): hosting of the Platform and data;
• Brevo / Sendinblue (France): sending transactional emails and newsletters;
• OpenStreetMap Foundation (United Kingdom): map tiles and Nominatim geocoding (open data, anonymous requests).

Each data processor is bound by a data processing agreement (DPA) compliant with article 28 of the GDPR.

4.2 Other Members

Some data is visible to other Members in the course of operating the Platform: first name, profile picture, @username, public traveler profile, published reviews, Listings. Full contact details (email, telephone) are only shared in the case of a confirmed Booking, to the extent necessary for the performance of the rental contract.

4.3 Public authorities

Triptic may be required to communicate personal data to judicial, administrative or tax authorities in response to a legal request.

Article 5 — Transfers outside the EU

Data is hosted in France (OVH). The data processor Stripe may transfer data to countries located outside the European Economic Area (EEA), in particular the United States. Mapping services (OpenStreetMap, Nominatim) operate via anonymous requests without transferring personal data.

These transfers are governed by the safeguards provided for by the GDPR:

• adequacy decision of the European Commission (EU-US Data Privacy Framework for the United States, where applicable);
• standard contractual clauses (SCCs) adopted by the European Commission;
• additional technical measures (encryption, pseudonymization) where necessary.

Article 6 — Retention period

Personal data is retained for the following periods:

• Account data (identification, profile): for the entire duration of registration, then deleted within thirty (30) days following account closure, subject to legal archiving obligations.
• Billing data: ten (10) years from the end of the accounting year (accounting obligation).
• Connection data (logs, IP): one (1) year from the creation of the data (LCEN obligation).
• Messages exchanged: for the entire duration of the account, then anonymized or deleted upon closure.
• Booking data: five (5) years after the end of the stay (civil limitation period).
• Consent data (newsletter): three (3) years from the last contact or from the collection of consent.
• Subscription data after termination: six (6) months (reactivation period), then deleted or anonymized.

Article 7 — Rights of data subjects

In accordance with the GDPR (articles 15 to 22) and the French Data Protection Act, every User has the following rights:

• Right of access (art. 15): obtain confirmation that data concerning them is being processed and receive a copy of it.
• Right to rectification (art. 16): request the correction of inaccurate or incomplete data.
• Right to erasure (art. 17): request the deletion of their data, subject to legal retention obligations.
• Right to restriction of processing (art. 18): request the suspension of processing in the cases provided for by the GDPR.
• Right to portability (art. 20): receive their data in a structured, commonly used and machine-readable format, and transmit it to another data controller.
• Right to object (art. 21): object to the processing of their data based on legitimate interest or commercial prospecting.
• Right to withdraw consent: withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
• Post-mortem directives: set directives concerning the fate of their data after their death (specific French right, art. 85 of the Data Protection Act).

To exercise these rights, the User may submit their request:

• by email:  dpo@triptic.io;
• by post: Triptic SAS — DPO — 57 rue Raspail, 92300 Levallois-Perret, France.

Triptic undertakes to respond within one (1) month from receipt of the request, extendable by two (2) months in case of complexity.

In case of difficulty, the User may lodge a complaint with the French Data Protection Authority (CNIL): https://www.cnil.fr.

Article 8 — Data security

Triptic implements appropriate technical and organizational measures to ensure a level of security adapted to the risk, in accordance with article 32 of the GDPR, including in particular:

• encryption of communications in transit (HTTPS/TLS);
• encryption of sensitive data at rest;
• strict access control to servers and data;
• access monitoring and intrusion detection (fail2ban, audit logs);
• regular backups and business continuity plan;
• regular updates of systems and software dependencies.

In the event of a personal data breach presenting a risk to the rights and freedoms of data subjects, Triptic will notify the CNIL within seventy-two (72) hours and inform the data subjects as soon as possible, in accordance with articles 33 and 34 of the GDPR.

Article 9 — Minors

The Platform is not intended for persons under the age of eighteen (18). Triptic does not knowingly collect personal data from minors. If Triptic were to discover that it had collected data from a minor without the consent of their legal representative, such data would be deleted without delay.