Privacy Policy

Last updated: 14 February 2026

1. Data Controller

  1. The data controller for your personal data is Next Orbit OÜ, trading as LocaYo ("LocaYo", "we", "us", or "our"), a private limited company (osaühing) registered in the Republic of Estonia, registry code [TO BE ADDED], registered address [TO BE ADDED UPON REGISTRATION].
  2. For data protection enquiries, contact our data protection contact at privacy@locayo.app or via our Help Centre contact form.
  3. We process personal data in accordance with:
    • EU/Estonia: General Data Protection Regulation (GDPR) 2016/679 as directly applicable in Estonia
    • EU/EEA: General Data Protection Regulation (GDPR) 2016/679
    • Poland: RODO (Polish implementation of GDPR) and related Polish data protection laws

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, phone number, password, profile photo
  • Profile information: bio, location, business details (for business accounts)
  • Listing information: descriptions, photos, pricing, availability
  • Communications: messages with other Users, support requests
  • Reviews: ratings and review content
  • Verification data: identity documents (if you choose to verify)
  • Payment information: payment details for premium features (Boosts) processed by our payment provider Stripe — we do not store full payment card details

2.2 Tax Compliance Information (Providers Only)

We are legally required to collect the following information from Providers under EU Council Directive 2021/514 (DAC7) as implemented in Estonian law.

  • Tax identification data: Tax Identification Number (TIN), including PESEL/NIP (Poland), Steuer-IdNr (Germany), Isikukood (Estonia), or equivalent in your country of tax residence
  • Date of birth (for individual Providers)
  • Tax residence: country or countries of tax residence
  • Full address: primary residential or business address
  • Entity type: whether you are an individual or a business entity
  • Business registration number (for business accounts, where applicable)
  • VAT identification number (where applicable)
  • Bank account details (if available to the Platform — see Section 3 for details)

2.3 Information We Collect Automatically

  • Device information: IP address, browser type, operating system, device identifiers
  • Usage information: pages viewed, features used, search queries, clicks
  • Location data: general location based on IP, precise location if you enable it
  • Cookies and similar technologies: see our Cookie Policy

2.4 Information from Third Parties

  • Social login providers: if you sign in with Google or Facebook, we receive your basic profile information
  • Payment processor: Stripe may provide us with transaction confirmations and limited account information for premium feature purchases
  • Other Users: reviews and reports about you

2.5 Transaction Data

  • Booking data: details of confirmed bookings including dates, duration, listed price, booking status, and number of transactions per Provider per quarter
  • Pickup/delivery addresses: When you complete a booking, addresses may be shared between Provider and Customer
  • Data minimisation: We recommend providing approximate location rather than exact home address
  • Automatic deletion: Address data from completed bookings is automatically anonymised after 30 days

3. How We Use Your Information

PurposeLegal BasisRetention
Platform operationContract (Art. 6(1)(b))Account lifetime + 3 years
Safety and securityLegitimate interests (Art. 6(1)(f))12 months
Customer supportContract (Art. 6(1)(b))Resolution + 2 years
Transaction addressesContract (Art. 6(1)(b))30 days post-booking
Tax reporting compliance (EU DAC7)Legal obligation (Art. 6(1)(c))5 years after last reportable period
Premium feature payments (VAT compliance)Legal obligation (Art. 6(1)(c))10 years (VAT OSS record-keeping)
AnalyticsLegitimate interests (Art. 6(1)(f))26 months (anonymised)
MarketingConsent (Art. 6(1)(a))Until opt-out
Other legal complianceLegal obligation (Art. 6(1)(c))As required by law

Note on tax compliance data: Processing of tax compliance data (TIN, date of birth, address, tax residence) is based on our legal obligation under EU DAC7 (Council Directive 2021/514) as implemented in Estonian law and does not require your consent. However, you will be informed before this data is collected and have the right to understand how it is used. The data will only be used for the purpose of fulfilling our tax reporting obligations and will not be used for marketing or other unrelated purposes.

4. Who We Share Your Data With

  1. Other Users: Information necessary for transactions (name, profile photo, contact details when booking confirmed).
  2. Service Providers (Sub-processors): We use the following third-party services to operate the Platform:
    • MongoDB Atlas (MongoDB, Inc.) — database hosting and storage
    • Cloudinary (Cloudinary Ltd.) — image hosting and processing
    • Render (Render Services, Inc.) — application hosting
    • Stripe (Stripe, Inc.) — payment processing for premium features
    • Google Analytics (Google LLC) — website analytics (with consent)
    • Socket.io / hosting provider — real-time messaging infrastructure

    Each sub-processor processes data only on our instructions and is bound by appropriate data processing agreements. A full, up-to-date list of sub-processors is available upon request.

  3. Tax Authorities: We are legally required to share Provider information with:
    • Maksu- ja Tolliamet (Estonian Tax and Customs Board) â€" annual reports under EU DAC7 as implemented in Estonian law
    • EU member state tax authorities â€" Maksu- ja Tolliamet automatically exchanges reported information with the tax authorities of each Provider's country of tax residence under DAC7 provisions

    Information shared with tax authorities includes: Provider name, address, date of birth, TIN, total transaction value (based on listed prices), number of transactions, platform fees, and (for property rentals) property addresses and days rented. This sharing is based on our legal obligation under Art. 6(1)(c) GDPR.

  4. Legal and Regulatory: When otherwise required by law, court order, or to protect rights and safety.
  5. Business Transfers: In connection with merger, acquisition, or sale of assets.

5. International Transfers

  1. Your data may be transferred outside the UK/EEA. We use the following safeguards:
    • United States: MongoDB Atlas, Cloudinary, Render, Stripe, and Google Analytics may process data in the US. These transfers are protected by the EU-US Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Secretary of State.
    • EU/EEA: Where possible, we configure services to process data within the EU/EEA (e.g., MongoDB Atlas EU region). Transfers between the UK and EU/EEA are covered by adequacy decisions.
  2. Tax compliance data (TIN, address, date of birth) is shared with the Estonian Tax and Customs Board (Maksu- ja Tolliamet), which automatically exchanges this data with the tax authorities of the Provider's country of residence under DAC7 automatic exchange provisions. As Estonia is an EU member state, these transfers occur within the EU/EEA framework.
  3. You can request more information about international transfers and the safeguards in place by contacting privacy@locayo.app.

6. Your Rights

Under EU GDPR and RODO, you have the following rights:

  1. Right of access — Request a copy of your personal data.
  2. Right to rectification — Request correction of inaccurate data.
  3. Right to erasure — Request deletion of your data in certain circumstances.
  4. Right to restrict processing — Request we limit how we use your data.
  5. Right to data portability — Request your data in machine-readable format.
  6. Right to object — Object to processing based on legitimate interests or for direct marketing.
  7. Rights related to automated decision-making — Rights regarding automated decisions that significantly affect you.
  8. Right to withdraw consent — Withdraw consent at any time where we rely on it.

Important note on tax compliance data: Your rights to erasure and restriction may be limited in respect of tax compliance data (TIN, date of birth, address, tax residence) where we are required by law to retain and process this data for tax reporting purposes. In such cases, we will explain the specific legal basis and any limitations that apply.

To exercise your rights, contact us at privacy@locayo.app or through our Help Centre. We respond to requests within one month (or up to three months for complex cases, with notification).

Supervisory Authorities:

  • Estonia (lead supervisory authority): Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate) — aki.ee
  • Poland: Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl
  • Lithuania: Valstybinė duomenų apsaugos inspekcija (VDAI) — vdai.lrv.lt
  • Latvia: Datu valsts inspekcija (DVI) — dvi.gov.lv
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your local data protection authority

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Encryption at rest: All data stored in our database is encrypted at rest using industry-standard encryption provided by our cloud infrastructure
  • Field-level encryption: Highly sensitive data such as Tax Identification Numbers and bank account details are additionally encrypted at the application level using AES-256-GCM encryption before being stored in our database
  • Password hashing: Passwords are hashed using bcrypt and are never stored in plain text
  • Regular backups: Automated encrypted backups with secure storage
  • Access controls: Strict role-based access controls limiting who can access personal data, with enhanced restrictions on tax compliance data
  • Security monitoring: Continuous monitoring for unauthorised access and security incidents
  • Data minimisation: We collect only the data necessary for each purpose and delete it when no longer needed

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

8. Cookies

We use cookies and similar technologies. See our Cookie Policy for details.

9. Children's Privacy

  1. Our Platform requires users to be at least 16 years old (18 to be a Provider).
  2. We do not knowingly collect data from children under 16. If we learn we have, we will delete it promptly.

10. Changes to This Policy

  1. We may update this Privacy Policy to reflect changes in our practices or legal requirements.
  2. Material changes will be notified via email or prominent notice on the Platform at least 15 days before taking effect.
  3. The current version is always available on the Platform.

11. Contact Us

For privacy-related enquiries:

Related Documents

© 2026 LocaYo. All rights reserved.