Privacy Policy

Last updated: May 9, 2026 — Compliant with GDPR (EU 2016/679), CCPA, UK-GDPR, LGPD

1. Data controller

2. Data we collect

We collect only data strictly necessary to provide our services:

We do NOT collect credit card data, official identification numbers, health data, political data or any special category under Art. 9 GDPR.

3. Legal basis

• Contract performance (Art. 6.1.b GDPR): to manage your account and listings.
• Legitimate interest (Art. 6.1.f GDPR): fraud prevention, security, service improvement.
• Consent (Art. 6.1.a GDPR): optional cookies and marketing communications.
• Legal obligation (Art. 6.1.c GDPR): tax/accounting record retention when applicable.

4. Retention periods

• Account data: while account is active + 3 years after closure.
• Published listings: while active + 6 months after withdrawal.
• Messages between users: 2 years.
• Cookie consent logs: maximum 1,000 entries (FIFO).
• Access logs (IP, browser): 12 months.

5. Sharing with third parties

We do NOT sell, rent or transfer your data to third parties for commercial purposes.

We may share limited data only with:

• Processors providing services (hosting, transactional email), all with GDPR contracts.
• Other marketplace users: when you contact a seller, they see your email and name to reply.
• Authorities when legally required.

6. International transfers

Our main servers are in the European Union (Germany). If we ever use services outside the EEA (e.g. AI APIs in the US), we ensure the provider guarantees EU Commission standard contractual clauses or is certified under the EU-U.S. Data Privacy Framework.

7. Your rights (GDPR)

• Access (Art. 15): know what data we hold about you.
• Rectification (Art. 16): correct inaccurate data.
• Erasure / “right to be forgotten” (Art. 17): delete your data.
• Restriction (Art. 18): temporarily suspend certain uses.
• Portability (Art. 20): receive your data in structured format (JSON/CSV).
• Objection (Art. 21): object to legitimate interest processing.
• Withdraw consent at any time (no retroactive effect).
• No automated decisions (Art. 22) — we do not apply automated decisions with legal effects on you.

How to exercise your rights

Email info@timeshare.deals with subject “GDPR rights exercise” indicating which right you wish to exercise and attaching a copy of your ID for identification. We respond within 30 days.

8. California residents (CCPA/CPRA)

You have the right to:

• Know what personal information is collected, used, shared or sold.
• Delete personal information held about you.
• Opt out of the sale of personal information (“Do Not Sell My Personal Information”).
• Non-discrimination for exercising your privacy rights.

Exercise these rights at info@timeshare.deals.

9. Other jurisdictions

• Brazil (LGPD): similar rights via ANPD.
• UK (UK-GDPR): similar rights via ICO.
• Switzerland (FADP): similar rights via FDPIC.
• Quebec (Law 25): similar rights.

10. Supervisory authority

If you believe your data is not being processed in accordance with regulations, you can file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.

11. Security

We apply technical and organizational measures: HTTPS encryption, bcrypt-hashed passwords, HTTP-only tokens, access auditing, daily backups, ISO 27001 certified datacenter.

12. Minors

The service is intended for users 18 and over. We do not knowingly collect data from minors. If you detect a minor has provided us data, contact us for immediate deletion.

13. Changes to this policy

This policy may be updated. We will notify you by email if changes substantially affect your rights.

14. Related documents

• Legal Notice
• Cookie Policy