Privacy Policy

1. Data Controller

For any questions relating to the processing of your personal data, or to exercise any of your rights under this Policy, please contact us at info@recal.co.

2. What Personal Data We Collect

2.1 Account registration (mandatory)

When you create a Recal account, we collect the following information:

• Email address
• Password (stored in encrypted form via AWS Cognito — we never store passwords in plain text)
• First name
• Last name
• Country
• Account type (standard account or staff account)
• Subscription tier selected (Starter, Host, Manager, or Business)

2.2 Optional profile information

After registration, users may optionally provide additional profile information:

• Username and user tag
• Phone number
• Profile picture and banner image
• Company name and account company name
• Short bio and full bio
• Website URL
• Social media profiles (Instagram, Facebook, LinkedIn)
• Address information (street, city, ZIP code)
• Date of birth
• Preferences (language, timezone, date format, base currency, notification settings, profile visibility settings)

2.3 Property and operational data

When using the platform, users input and manage operational data relating to their properties and business, including property details, booking information, contact lists, task records, notes, documents, and files. This data belongs to the user. Recal processes it solely to provide the platform services.

2.4 Technical and usage data

We automatically collect certain technical data when you use the platform, including:

• IP address and device/browser information for authentication and security purposes;
• Platform usage data (pages visited, features used, session duration) via PostHog analytics, subject to your cookie consent;
• Platform usage analytics via Vercel Analytics, subject to your cookie consent;
• Performance telemetry via Vercel Speed Insights, collected as strictly necessary for platform reliability and performance monitoring;
• Error and crash reports via Sentry, collected as strictly necessary for platform stability (no personally identifiable information is included);
• Payment transaction data processed by Stripe (we do not store card numbers — all payment data is handled directly by Stripe);
• Property location data (latitude/longitude) sent to WeatherAPI for weather forecast display;
• Push notification subscription data, if you choose to enable browser notifications.

3. Purposes and Legal Basis for Processing

We process your personal data for the following purposes, each with its specific legal basis:

3.1 Provision of the platform service

Legal basis: Performance of a contract (Article 6(1)(b) GDPR). We process your registration data and operational data to create and manage your account, authenticate your identity, provide you with access to the platform features included in your subscription tier, and communicate with you about your account and the service.

3.2 Billing and payment processing

Legal basis: Performance of a contract (Article 6(1)(b) GDPR). We use your billing information and subscription data to process subscription payments via Stripe, manage subscription upgrades and cancellations, and issue any applicable invoices or receipts.

3.3 Platform security, stability, and fraud prevention

Legal basis: Legitimate interests (Article 6(1)(f) GDPR). We process technical data to protect the security and integrity of the platform, detect and prevent unauthorised access, fraud, and abuse, and maintain the reliability of the service for all users. This includes error tracking via Sentry and performance monitoring via Vercel Speed Insights, both of which operate without collecting personally identifiable information and are classified as strictly necessary for service integrity.

3.4 Platform analytics and improvement

Legal basis: Consent (Article 6(1)(a) GDPR). Subject to your explicit consent via our cookie banner, we use PostHog and Vercel Analytics to analyse how users interact with the platform in order to identify issues, improve usability, and develop new features. You may withdraw this consent at any time by adjusting your cookie preferences.

3.5 Legal compliance

Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR). We may process and retain certain data as required by applicable Spanish and European law, including tax and accounting obligations.

4. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy:

• Account data and operational data (properties, bookings, contacts, files, etc.) are retained for the duration of your active account. Upon account deletion, all account data and operational data are deleted immediately from our systems, including from our authentication provider (AWS Cognito) and database.
• If you wish to retain a copy of your data before deleting your account, you may request a data export by contacting info@recal.co.
• Billing and payment records are retained by Stripe in accordance with Spanish fiscal obligations (Ley General Tributaria). Upon account deletion, any active Stripe subscription is cancelled at the end of the current billing period. Transaction history is retained by Stripe per its own data retention policies.
• Analytics data (PostHog) is retained for up to 12 months.
• Error tracking data (Sentry) is retained for the duration of the session and then deleted automatically.

5. Data Sharing and Third-Party Processors

Recal does not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with the following categories of service providers, strictly as necessary to operate the platform. Unless otherwise noted below, all third-party processors are bound by GDPR-compliant Data Processing Agreements (DPAs) — either incorporated automatically into their service terms, or formally accepted by Recal:

All third-party processors have been selected with due regard for their data protection practices. A current list of processors and their DPA status is maintained internally and is available to users upon written request to info@recal.co.

6. International Data Transfers

Some of our third-party processors (including AWS, Stripe, and Mapbox) may process data outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries recognised as providing an adequate level of data protection. Details of applicable transfer mechanisms for specific processors are available on request.

7. Your Rights

As a data subject under the GDPR, you have the following rights regarding your personal data:

• Right of access: you may request a copy of the personal data we hold about you.
• Right to rectification: you may request correction of inaccurate or incomplete data.
• Right to erasure: you may request deletion of your personal data, subject to legal retention obligations.
• Right to restriction of processing: you may request that we limit how we use your data in certain circumstances.
• Right to data portability: you may request your data in a structured, commonly used, machine-readable format. To request a data export, please contact info@recal.co.
• Right to object: you may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at info@recal.co. We will respond within 30 days of receiving your request. You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Espanola de Proteccion de Datos — www.aepd.es).

8. Data Security

Recal implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• All data transmissions are encrypted in transit using TLS/HTTPS;
• User passwords are managed through AWS Cognito and are never stored in plain text;
• Access tokens are stored as HttpOnly cookies, inaccessible to client-side scripts;
• File storage is maintained in a private AWS S3 bucket with no public access;
• Access to user data within Recal is restricted by role-based permissions.

While we take all reasonable steps to protect your data, no system is entirely immune to security risks. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by the GDPR.

9. Children's Privacy

The Recal platform is intended for professional use by adults. By creating an account and accepting our Terms of Use, you represent that you are at least 18 years of age. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify users via email or a prominent notice within the platform, and update the ‘Last updated’ date at the top of this document. Continued use of Recal after any update constitutes acceptance of the revised Policy.

11. Contact

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact: