IDL HUB Ltd.

Privacy Policy

Last updated: May 2026  |  Version 1.3  |  UK GDPR Compliant

1. Introduction

Welcome to PrivateStay.club. IDL HUB Ltd. (“we”, “us”, or “our”), a company incorporated in England and Wales, is the owner and operator of the PrivateStay.club platform (the “Platform”). We are committed to protecting your personal data and to being transparent about how we use it.

This Privacy Policy explains:

  • what personal data we collect about you and why;
  • the legal basis on which we process it;
  • with whom we share it;
  • how long we keep it; and
  • the rights you have in relation to it.

This policy applies to all users of PrivateStay.club — guests, property owners, and administrators — and is written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

IDL HUB Ltd. is the data controller for the purposes of this policy. This means we determine the purposes and means of processing your personal data. Our contact details and registered address are set out in Section 14.

Please read this policy carefully. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. About Us

Company name: IDL HUB Ltd.
Platform: PrivateStay.club — invite-only private rental platform
Registered address: c/o Adroit, Unit 8, Dock Offices, Surrey Quays Road, London SE16 2XU, United Kingdom
Contact email: hello@profitabletalents.com
ICO registration: Please contact us for our current ICO registration reference.

3. Personal Data We Collect

3.1 Data You Provide Directly

When you register and use the Platform, you may provide:

  • Account registration: Full name, email address, password (hashed and stored securely by Supabase — we never see your plain-text password), preferred language, and the invite code used.
  • Phone number (optional): Collected only if you choose to provide it; used solely for booking confirmations.
  • Property owner data: Property descriptions, photos, display coordinates (city and country level), pricing, availability, and amenities.
  • Booking data: Guest name, email address, phone number, check-in and check-out dates, number of guests, and any booking message.
  • Messages: Content of inbox messages exchanged between guests, property owners, and administrators.
  • Email preferences: Whether you have opted out of broadcast messages from property owners.
  • Two-factor authentication (optional): If you choose to enable 2FA, a TOTP factor (authenticator app binding) is enrolled and stored within your Supabase authentication record. We never see or store the underlying secret — it is handled entirely by Supabase.
  • Private owner notes about guests (property owners only): If you are a property owner, you may write private notes about guests — either specific to a booking or shared across all bookings with that guest. These notes are visible only to you and are stored in association with your property. Guests do not have access to notes written about them.

3.2 Data We Collect Automatically

When you use the Platform, we automatically collect a limited amount of technical and usage data:

  • Platform analytics (aggregate): Property page views, follow requests, and booking counts. For anonymous visitors, events are linked to the property only and no personal identifier is stored beyond the hashed IP described below.
  • Visitor identity analytics (logged-in users — visible to Pro property owners): When a logged-in user visits a property page they follow, their platform user account is associated with that page view. Property owners on the Pro plan can see the name, last visit date, and number of visits of each logged-in follower who has viewed their property page. This information is visible only to the property owner and is not shared with other users.
  • IP address (hashed): Where an IP address is processed as part of analytics, it is immediately hashed using SHA-256 and truncated to 16 characters. The raw IP address is never stored.
  • HTTP referrer URL: The URL of the page that referred you to PrivateStay.club.
  • Server logs: Standard web server request logs collected by our hosting provider, Vercel.

3.3 What We Do Not Collect

We want to be explicit about what we do not collect:

  • No device fingerprinting data
  • No behavioural or advertising tracking data
  • No social login data (we use email and password only — no Google or Facebook OAuth)
  • No raw IP addresses
  • No location data beyond what you explicitly enter as a property owner
  • No special category data (health, biometric, financial account data, etc.)

4. How and Why We Use Your Personal Data

UK GDPR requires us to have a valid lawful basis for each purpose for which we process your personal data. The table below sets out our processing activities, the data involved, the lawful basis relied upon, and the applicable retention period.

Processing Activity | Personal Data Used | Lawful Basis | Retention Period
Creating and managing your account | Full name, email, password (hashed), preferred language, phone (optional), invite code | Contract (Art. 6(1)(b)) | Duration of account + 7 years
Authenticating your login session | Session token (via Supabase HTTP-only cookie) | Strictly necessary / Contract (Art. 6(1)(b)) | Session duration only
Processing and managing bookings | Guest name, email, phone, check-in/out dates, number of guests, booking message | Contract (Art. 6(1)(b)) | 7 years (financial record-keeping)
Processing subscription payments | Stripe customer ID and subscription ID; email passed to Stripe. Card data never stored by us. | Contract (Art. 6(1)(b)) | 7 years (financial record-keeping)
Displaying property listings and maps | Property descriptions, photos, display coordinates, city/country, pricing, amenities | Contract (Art. 6(1)(b)) | Until property is removed or account deleted
Translating property descriptions | Property text content only (no personal data) — processed by DeepL | Contract / Legitimate interests (Art. 6(1)(f)) | Not retained by DeepL beyond the request
Sending transactional emails | Name, email address, message content — processed by Resend | Contract (Art. 6(1)(b)) | Standard email log retention by Resend
In-platform messaging between guests and owners | Message content, sender/recipient identifiers | Contract (Art. 6(1)(b)) | Duration of account + 7 years
Broadcast messages from property owners (opt-out available) | Email address; opt-out preference | Legitimate interests (Art. 6(1)(f)) — users may opt out at any time | Until opt-out or account deletion
Platform analytics (aggregate) | Hashed & truncated IP (SHA-256, 16 chars — raw IP never stored); HTTP referrer URL; event type; property ID | Legitimate interests (Art. 6(1)(f)) | Retained for 12 months; no raw personal data stored
Visitor identity analytics — showing property owners which of their followers have visited (Pro plan only) | Platform user account ID and display name of logged-in followers who visit a property page | Legitimate interests (Art. 6(1)(f)) — enabling property owners to identify genuine interest from people they have personally invited | Retained for 12 months from the date of the page view event
Managing two-factor authentication (2FA) enrollment | TOTP factor binding stored in Supabase auth — we never hold the underlying secret | Contract (Art. 6(1)(b)) | Duration of account or until 2FA is disabled
Preventing fraud and maintaining platform security | Login activity, session data | Legitimate interests (Art. 6(1)(f)) | Rolling 90 days
Storing private owner notes about guests | Note content written by a property owner; guest identifier | Legitimate interests (Art. 6(1)(f)) — enabling owners to manage their rental business effectively | Until the note is deleted by the owner, or until the property or owner account is deleted
Complying with legal obligations | As required by applicable law | Legal obligation (Art. 6(1)(c)) | As required by law

A note on legitimate interests: Where we rely on legitimate interests (Art. 6(1)(f) UK GDPR), we have carried out a balancing test and concluded that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 11.

5. Who We Share Your Personal Data With

5.1 Data Processors

We use a carefully selected number of third-party service providers (“data processors”) who process personal data on our behalf and under our instructions. They may not use your data for their own purposes.

Processor | Location | Purpose | Data Shared | Transfer Safeguard
Supabase | US | Database hosting, user authentication, Row Level Security | All user account and platform data | UK IDTA / SCCs
Stripe | US | Subscription payment processing | Email address and user ID only — card data handled entirely by Stripe | UK IDTA / SCCs
Resend | US | Transactional email delivery | Name, email address, message content | UK IDTA / SCCs
Mapbox | US | Interactive property maps | Display coordinates only (not full property address) | UK IDTA / SCCs
DeepL | DE | Property description translation | Property text content only (no personal data) | UK GDPR equivalent (EU)
Vercel | US | Website hosting and CDN | Standard web server request logs | UK IDTA / SCCs

We have data processing agreements in place with each of our processors, as required by Art. 28 UK GDPR.

5.2 No Advertising or Data Broker Sharing

We do not sell, rent, or share your personal data with advertising networks, data brokers, or any third party for their own marketing purposes.

5.3 Legal Disclosures

We may disclose your personal data to third parties where required by law, court order, or regulation — for example, to law enforcement, HMRC, or a court. We will notify you of any such disclosure where we are legally permitted to do so.

5.4 Business Transfers

If IDL HUB Ltd. is involved in a merger, acquisition, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or use of your personal data.

6. International Data Transfers

Several of our data processors are based in the United States. When we transfer your personal data outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V. Specifically, we use:

  • UK International Data Transfer Agreements (IDTA): The UK-approved mechanism for transfers to countries not deemed adequate by the UK.
  • UK Addendum to EU Standard Contractual Clauses (SCCs): Where the IDTA has been adapted for use with EU SCCs.
  • EU adequacy framework (DeepL): DeepL is based in Germany, within the EEA, which is recognised as providing an adequate level of protection equivalent to UK GDPR.

You may request a copy of the relevant transfer safeguard documents by contacting us at hello@profitabletalents.com.

7. How Long We Keep Your Personal Data

We do not retain personal data for longer than is necessary. Our general approach is:

  • Account data: Retained for the duration of your account. If you request deletion, all associated data (profile, properties, bookings, messages, and any private notes you have written about guests) is removed via cascading database deletion. Private notes written about a guest by a property owner are also deleted when that owner deletes their property or account.
  • Booking and payment records: Retained for 7 years from the date of the transaction, in accordance with HMRC financial record-keeping requirements.
  • General personal data: Where no specific retention period applies, we retain personal data for up to 7 years after it is no longer needed for its primary purpose, in order to establish, bring, or defend legal claims.
  • Session cookies: Deleted at the end of your session or on logout.
  • Hashed analytics data: Retained in aggregated form only — no raw personal data is retained.

Exceptions to the above apply where: the law requires a longer or shorter retention period; you exercise your right to erasure (where applicable); or you request retention for legal proceedings.

8. Cookies

We use a minimal number of cookies. We do not use advertising, tracking, or analytics cookies. Full details of the cookies we set, their purpose, duration, and your consent choices are set out in our separate Cookies Policy, available at privatestay.club.

9. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • Row Level Security (RLS) on all database tables, enforced by Supabase PostgreSQL
  • HTTP-only session cookies, preventing client-side script access
  • Email and password authentication only — no third-party OAuth
  • Optional TOTP-based two-factor authentication (2FA) via authenticator app (Google Authenticator, Authy, 1Password, etc.), manageable from your account Security settings
  • SHA-256 hashing of IP addresses — raw IPs are never stored
  • Encryption of data in transit via TLS
  • Access controls limiting data access to authorised personnel only

However, no method of transmission over the internet is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. If you believe your account has been compromised, please contact us immediately at hello@profitabletalents.com.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and will inform you without undue delay where required.

10. Children's Privacy

PrivateStay.club is an invite-only platform intended for adults. We do not knowingly collect personal data from anyone under the age of 18. Access to the Platform requires an invite code, which serves as a practical gatekeeping mechanism.

If we become aware that we have inadvertently collected personal data from a person under 18, we will delete it promptly. If you believe a minor has provided us with their data, please contact us at hello@profitabletalents.com.

11. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month of receipt (or within two months for complex requests, with notice given). To exercise any of these rights, please contact us at hello@profitabletalents.com. We may ask you to verify your identity before processing your request.

Your Right | What This Means
Right of Access | You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
Right to Rectification | If any information we hold about you is inaccurate or incomplete, you may ask us to correct it. You can update many details directly within your account profile.
Right to Erasure (‘Right to be Forgotten’) | You may ask us to delete your personal data. We will do so unless we are required to keep it (e.g. for legal or financial compliance). You can delete your account directly from your account page (Subscription & Billing → Delete account). Deletion is immediate and permanent — it cascades and removes all associated profiles, properties, bookings, and messages. If you are unable to use the self-serve option, contact us at hello@profitabletalents.com and we will process your request promptly. Note: if you are a guest, property owners may hold private notes about you within their own accounts. Those notes are deleted automatically when the property owner deletes their property or account. You may also contact us to request their deletion and we will process your request promptly.
Right to Restrict Processing | You may ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy, or while we investigate an objection.
Right to Object | Where we rely on legitimate interests as our lawful basis, you may object to that processing. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Data Portability | Where processing is based on consent or contract, you may request your data in a structured, machine-readable format (e.g. CSV). Please note: we do not yet have a self-serve data export feature. Contact us and we will fulfil your request manually.
Right to Withdraw Consent | Where processing is based on your consent (e.g. functional cookies, broadcast message opt-in), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Rights Relating to Automated Decision-Making | We do not make decisions about you using solely automated means that produce legal or similarly significant effects. You may contact us if you believe this position has changed.
Right to Lodge a Complaint | If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113. Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

12. Automated Decision-Making and Profiling

We do not make decisions about you using solely automated processing that produce legal or similarly significant effects. We do not build behavioural profiles of our users for automated decision-making. We will update this Privacy Policy and inform you if this position changes.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time — for example, if we introduce new features, change our processors, or if there are changes in applicable law. We will notify you of significant changes by:

  • updating the “Last updated” date at the top of this document;
  • posting a notice on the Platform; and/or
  • sending you an email notification where the change is material.

Changes will take effect 7 days after the date of notification, or from the date we post the updated policy, whichever is earlier. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or to how we handle your personal data, please contact us:

Company: IDL HUB Ltd.
Platform: PrivateStay.club
Email: hello@profitabletalents.com
Registered address: c/o Adroit, Unit 8, Dock Offices, Surrey Quays Road, London SE16 2XU, United Kingdom

If you are unhappy with our response, you have the right to escalate your complaint to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

© IDL HUB Ltd.  |  PrivateStay.club  |  This document is governed by UK law.