Last updated · 2026-05-04 · Pre-launch alpha (Rev. 1.0)

Privacy notice.

Conforme is regulatory infrastructure for short-term rental operators in the European Union. To do that we process operator account data, property data, guest-identification data, and — for Pro-tier customers — public listing data and operator-supplied financial data. This notice tells you exactly what, why, where, with whom, and for how long.

1. Who we are

Conforme is a product of [Entity name], registered in Portugal. Our primary contact for general queries is [email protected].

Privacy questions, GDPR rights requests, and data-protection correspondence should go to [email protected]. We are not required to appoint a Data Protection Officer under Article 37 GDPR, but we maintain a dedicated privacy mailbox so requests are not lost in a general inbox.

For the purposes of GDPR, Conforme acts as a data controller for operator account data and marketing data, and as a data processor on behalf of operators for the guest data we transmit to authorities under their legal obligation. A Data Processing Agreement is available on request — see section 12 of the terms of service.

2. What data we collect

Data is grouped by the flow that produces it, not by an abstract taxonomy. If you only ever use the free audit, we only ever hold the first row.

2.1 Free audit form

What: Listing URL, your email address, your language preference (en / es / pt).
How it’s stored: Persisted to the marketing_audit_requests table on our primary database.
What we do with it: We generate a one-shot compliance audit PDF and email it to you. If you tick the “keep me posted” box, we may follow up at most twice with related product updates — you can unsubscribe via the link in any email and we will permanently honour it.

2.2 Signup and account

What: Organisation name, owner email address, plan tier (Basic or Pro), expected property count, the country your operation is based in, and the Stripe customer + subscription IDs created when you start the trial.
What we don’t hold: We never see your card number, expiry, or CVV. Stripe holds that and gives us back an opaque customer ID.

2.3 Compliance data (Basic and Pro)

Properties: Address, type (apartment, villa, hostel, etc.), legal capacity, registration number(s) and their status (RNAL for Portugal, VUT / NRUA for Spain, CIN for Italy, Declaloc for France — whichever applies).
Operator identity for authority submissions: Owner / responsible-party name and identification document, where the local authority requires it for submissions (SIBA in Portugal; SES — the successor to Spanish “Registro de Viajeros” — in Spain).
Guest pre-arrival data: Where you have configured automated authority submissions, we collect the guest data each authority mandates — full name, document type, document number, document scan, date of birth, nationality, address, dates of stay, and (Spain) means and date of payment. This data is encrypted at rest with a per-tenant key, decrypted only for the duration of a submission, and subject to the retention rule in section 5.
Check-in events: Booking confirmation, check-in confirmation, authority submission status, parity-check results.

2.4 Operator Intel data (Pro tier only)

OTA listing snapshots: For listings you authorise us to monitor, we periodically fetch the public listing page (Airbnb, Booking, Vrbo) via our scraping provider and store: title, description, price, calendar availability, the registration number visible in the listing, and references (URLs) to the listing photos. We do not store or process guest data from listings — only the public-facing operator content.
Market benchmark data: Anonymised public comp-set data sourced from Inside Airbnb (free quarterly snapshots), our scraping providers, and our own crawl. Comp-set data is aggregated at city or sub-city level and is not customer-PII; we do not republish other operators’ pricing in identifiable form.
P&L entries: Per-property revenue (sourced from your channel-manager integration where you have one connected) and expense categories you log manually in the dashboard.
Guest info pages: The content you author for the guest-facing arrival pages we host on your behalf (house manuals, check-in instructions, Wi-Fi codes, multilingual notes).

2.5 Email and communications

Transactional and product email is sent via Resend. We retain delivery status (delivered, bounced, complained, unsubscribed) so that we can stop sending to addresses that have asked us to. Marketing emails are only sent with explicit consent and carry a one-click unsubscribe header per RFC 8058.

2.6 Telemetry

Standard server logs (request path, response code, duration), IP addresses (held only transiently for rate-limiting and fraud prevention), and Sentry error reports. Sentry is configured with data scrubbing on for known PII patterns — emails, identification numbers, IBANs, bearer tokens — and we run Conforme on the EU region of Sentry. We do not use third-party analytics: no Google Analytics, no Meta pixel, no LinkedIn Insight tag, ever.

2.7 Web analytics

We log every public-page request to conforme.info — the URL visited, your IP address, browser user-agent, referring URL, and timestamp — for traffic diagnostics, abuse mitigation, and to understand which pages are useful. The capture happens server-side in our own marketing app and is stored in our own EU-region database (Hetzner Falkenstein); no third-party analytics provider is involved. Raw IPs are retained for 90 days; aggregated daily totals (page, country, bot/human split, hit count) are kept indefinitely. Lawful basis: legitimate interest under GDPR Art. 6(1)(f). To request deletion of records associated with your IP, email [email protected] — we identify your records by hashing the IP you send us with the same salt used at capture, so the raw IP never leaves your client.

3. Third-party processors

The list below is exhaustive at the time of this revision. Any addition triggers an update to this notice and, where the change is material, an email to active customers 30 days in advance.

Processor	What it processes	Region	Why
Stripe Payments Europe Ltd.	Card data, billing address, subscription state.	IE (some processing US)	Subscription billing. Privacy · DPA
Resend	Transactional and product email content, delivery state.	US (sub-processor: AWS SES, eu-west-1)	Email delivery. Privacy · DPA
Cloudflare, Inc.	Request metadata for DNS, CDN, WAF, and DDoS mitigation.	US (EU edge nodes)	DNS, edge proxy, DDoS protection. Privacy · DPA
Hetzner Online GmbH	All operator and guest data at rest. Application servers, primary database, daily snapshots.	DE (Falkenstein)	Hosting. Privacy · DPA
Sentry (Functional Software, Inc.)	Error reports and stack traces with PII scrubbing on.	DE (Frankfurt — EU region)	Error monitoring. Privacy · DPA
ScrapingBee	Public OTA listing pages for the Pro-tier listing-health and market-intel features.	FR (Paris)	Public-page scraping. Privacy
Apify Technologies s.r.o.	Public OTA listing pages and host-profile pages for Pro-tier comp-set sourcing. Currently used at low volume.	CZ (Prague)	Comp-set sourcing. Privacy · DPA
Inside Airbnb	Public quarterly snapshot dataset of Airbnb listings used for market benchmarks (no operator-PII).	US (public dataset)	Market benchmark baseline. About
Migadu	Email inbox hosting for `[email protected]` and related staff inboxes.	CH (Switzerland)	Inbound email mailbox. Privacy

Currently disabled: Backblaze B2 (US) for off-site encrypted backups. The integration is wired but uploads are paused until our storage cap is raised; we will update this notice before re-enabling. Until then, backups live on Hetzner only (daily VM snapshots in Falkenstein plus hourly local Postgres dumps).

Removed since the previous revision: Postmark. The Postmark account was created during initial scaffolding but never verified for production sending; transactional email is now handled exclusively by Resend.

3.1 Authorities that receive compliance submissions

These are not “processors” in the GDPR sense — they are public bodies that act as independent controllers of the data we transmit to them on the operator’s behalf. We disclose them here as recipients:

Portugal — SEF / AIMA (Serviço de Estrangeiros e Fronteiras / Agência para a Integração, Migrações e Asilo) for the SIBA guest declaration; Turismo de Portugal for RNAL registration lifecycle events.
Spain — Ministerio del Interior via the SES platform (the successor to the legacy “Registro de Viajeros” / Hospederias) for guest declarations; the relevant autonomous-community tourism registry (e.g. RTC in Catalonia, REAT in Andalusia) for VUT registration; AEAT (Agencia Estatal de Administración Tributaria) where the transmission is required for tax purposes.

4. Lawful basis

Performance of a contract (Art. 6(1)(b)): Operator account data, billing data, property data, the act of submitting to authorities you have directed us to submit to, and the audit trail.
Compliance with a legal obligation (Art. 6(1)(c)): The actual content of the guest declarations we transmit on your behalf — the operator’s legal obligation under Spanish RD 933/2021 and Portuguese DL 9/2007 is the basis for processing.
Legitimate interests (Art. 6(1)(f)): Telemetry, error monitoring, fraud and abuse prevention, and the scraping of public listing pages that you authorise us to monitor on your behalf. Our interest in these processing activities is balanced against the rights of data subjects, and in each case the data is either non-personal (aggregated comps) or pseudonymised in flight (Sentry / logs).
Consent (Art. 6(1)(a)): Marketing follow-up after a free audit (the “keep me posted” checkbox), and any optional intel features you turn on in-app. Consent can be withdrawn at any time without affecting the lawfulness of past processing.

5. Data retention

Free audit requests: 90 days from submission. The PDF is generated, sent, and the row is deleted on a scheduled job thereafter. If you opted in to follow-up emails, the email address is moved to a separate marketing list with its own consent record.
Operator account data: Lifetime of the contract, plus 7 years thereafter for tax and statutory record-keeping (the longer of Portuguese and Spanish minimums).
Compliance submissions and the audit trail: 7 years — the statutory minimum imposed by the Spanish and Portuguese tax and tourism authorities. The cryptographic audit chain itself contains no PII; the underlying records do until retention expires.
Guest pre-arrival data (passport scans etc.): Encrypted scans are deleted from object storage as soon as the corresponding authority submission is acknowledged. The structured fields required by the audit trail (name, document number) live for the 7 years above.
Server logs and Sentry events: 30 days. After that, the underlying log lines and error reports are purged.
Backups: Hetzner VM snapshots: 30 days, rolling. Hourly local Postgres dumps: 7 days, rolling. Backblaze B2 off-site copies: deferred — see section 3.

If you ask us to delete your account via the in-dashboard “Cancel + Delete” flow, we delete operator account data and unencrypted property data immediately, retain only the data we are legally obliged to retain (audit trail, compliance submissions for 7 years), and confirm completion in writing.

6. International transfers

Conforme’s primary infrastructure is in the European Union (Hetzner Falkenstein, Sentry EU region, Resend’s AWS SES eu-west-1 sub-processor, Migadu in Switzerland which has an EU adequacy decision). The following transfers leave the EEA:

Stripe — some processing happens on Stripe’s US infrastructure. Covered by Stripe’s Standard Contractual Clauses and the EU–US Data Privacy Framework.
Resend (control plane) — Resend itself is US-incorporated; the actual email delivery sub-processor (AWS SES) we have configured is in eu-west-1. Covered by Resend’s SCCs.
Cloudflare — the company is US-based; edge nodes serving European traffic are in the EU. Covered by Cloudflare’s SCCs and the EU–US Data Privacy Framework.
Inside Airbnb — we ingest the public dataset they publish; no personal data of Conforme users is sent to them.

For each US transfer above we rely on the European Commission’s Standard Contractual Clauses (Module Two) and, where the recipient is certified, the EU–US Data Privacy Framework adequacy decision of 10 July 2023.

7. Your rights under GDPR

You have the right to access, rectify, erase, restrict, object to the processing of, and port your personal data. Specifically:

Access (Art. 15) — full export from the dashboard, plus a structured email summary on request.
Rectification (Art. 16) — edit in-app for everything; email [email protected] for anything you can’t reach in the UI.
Erasure / right to be forgotten (Art. 17) — one-click via the in-dashboard /billing → Cancel + Delete flow, or by emailing [email protected]. We delete encrypted PII columns and the underlying object-storage blobs inline; the request returns a hard error rather than a fake success if the deletion can’t be confirmed.
Restriction (Art. 18) and objection (Art. 21) — email [email protected].
Portability (Art. 20) — structured JSON or CSV export of everything we hold about you that originated from you. Requestable in the dashboard or by email.
Withdraw consent — one-click via the unsubscribe link in any marketing email, or by emailing us.

We respond to all rights requests within 30 days. If a request is unusually complex we may extend this by up to a further two months and will tell you so within the first 30 days, with reasons.

8. Complaints

If you believe our processing of your personal data infringes the GDPR, you can lodge a complaint with the supervisory authority in the EU member state of your habitual residence, your place of work, or where the alleged infringement took place.

Portugal — Comissão Nacional de Protecção de Dados (CNPD): cnpd.pt.
Spain — Agencia Española de Protección de Datos (AEPD): aepd.es.
Other EU member states — the European Data Protection Board maintains a directory at edpb.europa.eu.

We’d also welcome the chance to address any concerns directly first — [email protected].

9. Cookies and tracking

The marketing site uses no analytics cookies and no third-party trackers. The dashboard sets a single same-site session cookie carrying your authentication token and a CSRF token cookie. Both are essential for the service to work and are exempt from the ePrivacy Directive’s consent requirement under Article 5(3)’s “strictly necessary” carve-out.

We do not run Google Analytics, Meta Pixel, LinkedIn Insight, or any equivalent. If we ever add lightweight server-side or cookieless analytics (the Plausible model), we will update this notice first and the data stays in the EU.

10. Changes to this notice

We post changes here with an updated “last updated” date at the top. For material changes — new sub-processor in a new jurisdiction, change to retention periods, change to lawful basis — we email all active customers at least 30 days before the change takes effect.

Questions about anything on this page: [email protected].