Privacy Policy

Last updated: 2025-08-01

1) Who we are (Controller)

“Puncta” (“we”, “us”, “our”) is the controller for personal data processed in connection with our platform that connects **hosts** who offer experiences with **customers** who book them. If you use Puncta, your personal data is processed under the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (Dataskyddslagen).

  • Controller: Puncta AB (placeholder)
  • Registered seat: Malmö, Sweden
  • Support: support@puncta.com • +46 (0)70 123 45 67

2) Scope

This policy applies to our website, dashboards, booking flows, messaging between host and customer, payments, customer support and marketing communications.

3) Data we collect

  • Account data: name, email, password hash, role (host/customer), phone, preferred contact, profile fields (country, city, languages, skills, interests, bio), avatar image.
  • Booking data: selected experience & slot, number of guests, price, reservation status, messages exchanged for a reservation, favorites.
  • Payment data: handled by Stripe (see §5). We do not store full card numbers.
  • Device/usage data: IP address, browser/device info, log events, and basic analytics.
  • Support data: messages you send to us and related metadata.

5) Payments (Stripe)

Payments are processed by Stripe. Stripe acts as an independent controller for card data. We receive the payment status (paid/failed), amount, currency, limited billing details (e.g., email), and a receipt URL. We do not store card numbers or CVV.

6) Sharing & processors

  • Host ↔ Customer: When a booking is completed, we share necessary contact details between the host and the customer for that experience (name, email, phone if provided, and booking details), so the experience can be arranged.
  • Service providers (processors): hosting, storage, email delivery, analytics, and support tools, bound by data processing agreements and only acting on our instructions.
  • Legal & compliance: if required by law, or to protect rights and safety and to prevent fraud.

7) International transfers

If personal data is transferred outside the EU/EEA (for example by Stripe or certain cloud services), we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where relevant, supplementary measures. Copies of the SCCs can be requested via the contact details below.

8) Retention

  • Account: kept while your account is active; deleted or anonymized within 30 days after closure unless we must retain certain records.
  • Bookings & financial records: retained up to 7 years to comply with Swedish bookkeeping laws (Bokföringslagen).
  • Messages (host–customer): up to 3 years after the experience or account closure, whichever is later, unless you request earlier deletion where legally possible.
  • Logs & security events: typically 12 months.

9) Cookies & similar tech

We use necessary cookies for login/session security and service operation. With your consent, we may use additional cookies for analytics and improvements. You can manage consent in our cookie banner or via your browser settings. Blocking strictly necessary cookies may break core features.

10) Security

We employ reasonable technical and organizational measures such as HTTPS/TLS, access controls, hashing of passwords (bcrypt), CSRF protection, and audits. No system is 100% secure; we monitor and respond to incidents, including notifications when legally required.

11) Your rights under GDPR & Swedish law

  • Access to your personal data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten”) where applicable
  • Restriction of processing in certain cases
  • Portability of data you provided to us
  • Objection to processing based on legitimate interests or direct marketing
  • Withdraw consent at any time (does not affect past lawful processing)
  • Complain to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY): imy.se

To exercise your rights, contact us via the details in §14. We may need to verify your identity.

12) Children

Puncta is not intended for children under the age required by applicable law (generally 13–16 in the EU). We do not knowingly collect data from children under 13. If you believe a child has provided data, please contact us for deletion.

13) Changes to this policy

We may update this policy to reflect changes to our practices or legal requirements. The “Last updated” date shows the latest version. Significant changes will be announced on the website or by email where appropriate.

14) Contact & Data Protection Officer

For privacy questions, rights requests, or to obtain a copy of safeguards for international transfers, contact:

We aim to respond within 30 days (GDPR Art. 12(3)).