ຂ້າມໄປຫາເນື້ອຫາຫຼັກ

Privacy Policy

Last updated: 8 June 2026

Effective: 8 June 2026

1. Data Controller

  1. The data controller for your personal data is Next Orbit OÜ, trading as LocaYo ("LocaYo", "we", "us", or "our"), a private limited company (osaühing) registered in the Republic of Estonia, registry code 17501338, registered address: Sepapaja 6, 15551 Tallinn, Estonia.
  2. For data protection enquiries, contact our data protection contact at privacy@locayo.app or via our Help Centre contact form.
  3. We process personal data in accordance with:
    • EU/Estonia: General Data Protection Regulation (GDPR) 2016/679 as directly applicable in Estonia
    • EU/EEA: General Data Protection Regulation (GDPR) 2016/679
    • Poland: RODO (Polish implementation of GDPR) and related Polish data protection laws

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, phone number, password, profile photo
  • Profile information: bio, location, business details (for business accounts)
  • Listing information: descriptions, photos, pricing, availability
  • Communications: messages with other Users, support requests
  • Reviews: ratings and review content
  • Verification data: identity documents (if you choose to verify)
  • Payment information: payment details for premium features (Boosts) processed by our payment provider Stripe — we do not store full payment card details

2.2 Tax Compliance Information (Providers Only)

We are legally required to collect the following information from Providers under EU Council Directive 2021/514 (DAC7) as implemented in Estonian law.

  • Tax identification data: Tax Identification Number (TIN), including PESEL/NIP (Poland), Steuer-IdNr (Germany), Isikukood (Estonia), or equivalent in your country of tax residence
  • Date of birth (for individual Providers)
  • Tax residence: country or countries of tax residence
  • Full address: primary residential or business address
  • Entity type: whether you are an individual or a business entity
  • Business registration number (for business accounts, where applicable)
  • VAT identification number (where applicable)
  • Bank account details (if available to the Platform — see Section 3 for details)

2.3 Information We Collect Automatically

  • Device information: IP address, browser type, operating system, device identifiers
  • Usage information: pages viewed, features used, search queries, clicks
  • Location data: general location based on IP, precise location if you enable it
  • Cookies and similar technologies: see our Cookie Policy

2.4 Information from Third Parties

  • Social login providers: if you sign in with Google or Facebook, we receive your basic profile information
  • Payment processor: Stripe may provide us with transaction confirmations and limited account information for premium feature purchases
  • Other Users: reviews and reports about you

2.4a Photos, Avatars and Documents — Public vs. Private Media

Important: we distinguish between public media (visible to everyone online) and private media (accessible only by LocaYo administrators).

Public media — visible to everyone:

  • Your avatar (profile photo): visible on your public profile, next to your listings and reviews. By uploading an avatar you consent to it being publicly accessible. You can delete it in your account settings at any time.
  • Listing photos: visible to all users and search engine crawlers (Google, Bing). After a listing is deleted, photos are removed from our CDN within 24 hours.
  • Business logo and banner (business accounts): visible on the public business profile.

Private media — accessible only by LocaYo administration, signed links with expiry:

  • Address verification documents: utility bills, tenancy agreements — stored on CDN with authenticated access (signed URLs with 5-minute TTL). Deleted immediately after admin decision (approved / rejected).
  • Identity verification documents: ID scan, passport, selfie with document — same as above, signed URLs + deleted after decision.
  • Business documents: tax ID, company registration, insurance, professional licences — same as above. Retained during verification + as required by law (e.g. DAC7).
  • Partner agreement scans: for Referral Programme Partners — retained for the duration of the agreement + 5 years after termination (tax and accounting obligations).

All private media is encrypted in transit (HTTPS/TLS) and stored on Cloudinary infrastructure in "authenticated delivery" mode. The raw file URL alone is insufficient for access — LocaYo authorisation and a cryptographic signature with expiry are required.

2.5 Transaction Data

  • Booking data: details of confirmed bookings including dates, duration, listed price, booking status, and number of transactions per Provider per quarter
  • Pickup/delivery addresses: When you complete a booking, addresses may be shared between Provider and Customer
  • Data minimisation: We recommend providing approximate location rather than exact home address
  • Automatic deletion: Address data from completed bookings is automatically anonymised after 30 days

3. How We Use Your Information

PurposeLegal BasisRetention
Platform operationContract (Art. 6(1)(b))Account lifetime + 3 years
Safety and securityLegitimate interests (Art. 6(1)(f))12 months
Customer supportContract (Art. 6(1)(b))Resolution + 2 years
Transaction addressesContract (Art. 6(1)(b))30 days post-booking
Tax reporting compliance (EU DAC7)Legal obligation (Art. 6(1)(c))5 years after last reportable period
Premium feature payments (VAT compliance)Legal obligation (Art. 6(1)(c))10 years (VAT OSS record-keeping)
AnalyticsLegitimate interests (Art. 6(1)(f))26 months (anonymised)
MarketingConsent (Art. 6(1)(a))Until opt-out
Other legal complianceLegal obligation (Art. 6(1)(c))As required by law

Note on tax compliance data: Processing of tax compliance data (TIN, date of birth, address, tax residence) is based on our legal obligation under EU DAC7 (Council Directive 2021/514) as implemented in Estonian law and does not require your consent. However, you will be informed before this data is collected and have the right to understand how it is used. The data will only be used for the purpose of fulfilling our tax reporting obligations and will not be used for marketing or other unrelated purposes.

4. Who We Share Your Data With

  1. Other Users: information necessary to complete a transaction:
    • Rental / booking: name, profile photo and contact details shared with the other party once a booking is confirmed.
    • Job board (requests): when you post a request, its content (category, description, city, indicative budget) is visible to matching pros — without your contact details. Pros apply with an in-app message. Only when you choose a specific pro are phone numbers shared mutually (you see the pro's number, the pro sees yours) to enable direct contact. Until you choose, communication happens solely through in-app chat. Legal basis: Art. 6(1)(b) GDPR (steps taken at your request / performance of the service).
  2. Service Providers (Sub-processors): We use the following categories of third-party services to operate the Platform:
    • Application hosting (Hetzner Online GmbH, Germany) — server infrastructure in the EU
    • Database hosting (MongoDB, Inc., USA — data stored in the EU/Germany) — account and listing data storage
    • Image hosting (Cloudinary Ltd., Israel) — listing photos, avatars, verification documents
    • Payment processor (Stripe Payments Europe Ltd., Ireland) — payment processing for premium features
    • SMS verification (Twilio Inc., USA) — one-time code for phone number confirmation
    • Transactional email (Resend Inc., USA) — system emails (confirmation, password reset, notifications)
    • Social login & analytics (Google LLC, USA) — Google OAuth and Google Analytics (analytics only with consent)

    Each sub-processor processes data only on our instructions and is bound by appropriate data processing agreements. A full, up-to-date list of sub-processors (with technical details) is available upon request at privacy@locayo.app.

  3. Tax Authorities: We are legally required to share Provider information with:
    • Maksu- ja Tolliamet (Estonian Tax and Customs Board) — annual reports under EU DAC7 as implemented in Estonian law
    • EU member state tax authorities — Maksu- ja Tolliamet automatically exchanges reported information with the tax authorities of each Provider's country of tax residence under DAC7 provisions

    Information shared with tax authorities includes: Provider name, address, date of birth, TIN, total transaction value (based on listed prices), number of transactions, platform fees, and (for property rentals) property addresses and days rented. This sharing is based on our legal obligation under Art. 6(1)(c) GDPR.

  4. Legal and Regulatory: When otherwise required by law, court order, or to protect rights and safety.
  5. Business Transfers: In connection with merger, acquisition, or sale of assets.

5. International Transfers

  1. Your data may be transferred outside the European Economic Area (EEA). We use the following safeguards:
    • EU/EEA: Application hosting (Hetzner, Germany), payment processing (Stripe Payments Europe, Ireland) and database hosting (MongoDB — data stored in Germany) process data within the EU/EEA, where GDPR applies directly.
    • Israel: Image hosting (Cloudinary Ltd.) takes place in Israel, which is covered by a European Commission adequacy decision — transfers rely on that basis.
    • United States: SMS verification (Twilio), transactional email (Resend) and social login & analytics (Google) may process data in the US. These transfers are protected by the EU-US Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. MongoDB, Inc. — as a US-based entity — may potentially access data stored in the EU; we also safeguard this with SCCs/DPF.
  2. Tax compliance data (TIN, address, date of birth) is shared with the Estonian Tax and Customs Board (Maksu- ja Tolliamet), which automatically exchanges this data with the tax authorities of the Provider's country of residence under DAC7 automatic exchange provisions. As Estonia is an EU member state, these transfers occur within the EU/EEA framework.
  3. You can request more information about international transfers and the safeguards in place by contacting privacy@locayo.app.

6. Your Rights

Under EU GDPR and RODO, you have the following rights:

  1. Right of access — Request a copy of your personal data.
  2. Right to rectification — Request correction of inaccurate data.
  3. Right to erasure — Request deletion of your data in certain circumstances.
  4. Right to restrict processing — Request we limit how we use your data.
  5. Right to data portability — Request your data in machine-readable format.
  6. Right to object — Object to processing based on legitimate interests or for direct marketing.
  7. Rights related to automated decision-making — Rights regarding automated decisions that significantly affect you.
  8. Right to withdraw consent — Withdraw consent at any time where we rely on it.

Important note on tax compliance data: Your rights to erasure and restriction may be limited in respect of tax compliance data (TIN, date of birth, address, tax residence) where we are required by law to retain and process this data for tax reporting purposes. In such cases, we will explain the specific legal basis and any limitations that apply.

To exercise your rights, contact us at privacy@locayo.app or through our Help Centre. We respond to requests within one month (or up to three months for complex cases, with notification).

Supervisory Authorities:

  • Estonia (lead supervisory authority): Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate) — aki.ee
  • Poland: Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl
  • Lithuania: Valstybinė duomenų apsaugos inspekcija (VDAI) — vdai.lrv.lt
  • Latvia: Datu valsts inspekcija (DVI) — dvi.gov.lv
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your local data protection authority

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Encryption at rest: All data stored in our database is encrypted at rest using industry-standard encryption provided by our cloud infrastructure
  • Field-level encryption: Highly sensitive data such as Tax Identification Numbers and bank account details are additionally encrypted at the application level using AES-256-GCM encryption before being stored in our database
  • Password hashing: Passwords are hashed using bcrypt and are never stored in plain text
  • Regular backups: Automated encrypted backups with secure storage
  • Access controls: Strict role-based access controls limiting who can access personal data, with enhanced restrictions on tax compliance data
  • Security monitoring: Continuous monitoring for unauthorised access and security incidents
  • Data minimisation: We collect only the data necessary for each purpose and delete it when no longer needed

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

8. Cookies

We use cookies and similar technologies. See our Cookie Policy for details.

9. Children's Privacy

  1. Our Platform requires users to be at least 16 years old (18 to be a Provider).
  2. We do not knowingly collect data from children under 16. If we learn we have, we will delete it promptly.

10. Changes to This Policy

  1. We may update this Privacy Policy to reflect changes in our practices or legal requirements.
  2. Material changes will be notified via email or prominent notice on the Platform at least 15 days before taking effect.
  3. The current version is always available on the Platform.

11. Contact Us

For privacy-related enquiries:

  • Data protection contact: privacy@locayo.app
  • Help Centre: locayo.app/help
  • General enquiries: hello@locayo.app

Related Documents

© 2026 LocaYo. All rights reserved.