Privacy Policy - Borosome

1. Introduction

Welcome to Borosome ("we," "us," or "our"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and protect your information when you use our rental marketplace platform ("Service"), including our mobile application and website.

Data Controller: Borosome is the data controller responsible for your personal data. You can reach us at [email protected].

2. Information We Collect

Personal Information

We collect the following personal information directly from you when you create an account and use our services:

Name and contact information (email address, phone number)
Profile photos and avatar images
Location information for item listings
Payment information (processed securely by our third-party payment provider)
Government-issued ID for identity verification purposes (see Section 5 for details)

Usage Information

We automatically collect certain information about how you use our services:

Items you view, search for, and list
Messages and communications with other users
Rental history and transaction details
Device information (device model, operating system, unique device identifiers)
App usage data and interaction analytics
Crash reports and performance diagnostics
IP address and approximate location derived from it

3. Device Permissions

Our app may request the following device permissions. Each permission is optional unless stated otherwise, and you can manage them in your device settings at any time:

Camera — To take photos of items you want to list for rent. Not required; you can upload photos from your library instead.
Photo Library — To select existing photos for item listings and your profile picture.
Location (Foreground Only) — To show nearby items and set accurate listing locations. We use approximate location by default. Precise location is only used when you explicitly set an item's pickup location. We do not collect location data in the background.
Push Notifications — To send you rental updates, messages from other users, and important account alerts. You can opt out at any time through your device settings or in-app notification preferences.

4. Tracking and Advertising

We do not sell your personal information. We do not use your data for third-party advertising. We do not track you across other companies' apps or websites.

We use Firebase Analytics (provided by Google) to collect anonymous, aggregated usage data to help us understand how people use the app and to improve our Service. This may involve the collection of device identifiers (such as Firebase Installation ID). This data is not used to personally identify you or serve targeted advertisements.

We use Sentry for crash reporting and error tracking. Sentry collects device information and error context to help us diagnose and fix technical issues.

Apple App Tracking Transparency (ATT): We do not track you across apps or websites owned by other companies for advertising purposes. As such, we do not trigger Apple's ATT permission prompt. If this changes in the future, we will request your explicit permission before any cross-app tracking occurs.

Do Not Track (DNT) Signals: Our Service currently does not respond to "Do Not Track" browser signals, as there is no industry-standard technology for honoring DNT. However, since we do not engage in cross-site tracking or targeted advertising, the practical effect is the same.

5. Government-Issued ID and Sensitive Data

To help prevent fraud and maintain trust within our marketplace, we may ask you to submit a government-issued photo ID (such as a driver's license or passport) for identity verification.

Purpose: Solely for verifying your identity. We do not use ID information for any other purpose.
Processing: Your ID is compared against your profile information to confirm your identity. We do not extract or store biometric data (such as facial geometry) from your ID.
Storage: Your ID image is encrypted and stored securely. It is retained only for as long as necessary to complete verification and for a limited period to handle disputes, after which it is permanently deleted.
Access: Access to ID data is strictly limited to authorized personnel involved in the verification process.
Consent: ID submission is voluntary but may be required to access certain features (e.g., listing high-value items). By submitting your ID, you provide explicit consent for us to process it for verification purposes.

6. How We Use Your Information

We use your information for the following purposes, along with the legal basis for each (where applicable under GDPR):

Provide and improve our Service — Legal basis: Contract performance, Legitimate interest
Facilitate rentals between users — Legal basis: Contract performance
Process payments and handle disputes — Legal basis: Contract performance, Legal obligation
Send important notifications about your rentals — Legal basis: Contract performance
Verify user identities and prevent fraud — Legal basis: Legitimate interest, Legal obligation
Provide customer support — Legal basis: Contract performance
Monitor and enforce compliance with our Terms of Service — Legal basis: Legitimate interest
Send marketing communications (only with your opt-in consent) — Legal basis: Consent
Comply with legal obligations — Legal basis: Legal obligation

7. Third-Party Services

We work with the following third-party service providers to operate our platform. Each provider is contractually obligated to protect your data with the same or equivalent level of protection as described in this policy:

Google Firebase / Google Cloud — Authentication, database, cloud storage, hosting, and analytics
Stripe — Payment processing and payout management
Twilio — Phone number verification via SMS
Sentry — Error tracking and crash reporting
Resend — Transactional email delivery

These providers only receive the minimum data necessary to perform their specific function and are prohibited from using your data for any other purpose. Each provider maintains their own privacy policy, which we encourage you to review.

8. Information Sharing

We share your information only when necessary:

With other users during rental transactions (name, profile photo, contact information)
With the third-party service providers listed above for platform operation
With law enforcement when legally required or to protect safety
In connection with a merger, acquisition, or sale of assets (you will be notified of any such change)

We never sell your personal information to third parties.

9. International Data Transfers

Our Service is operated from the United States. Our third-party service providers (including Google Firebase, Stripe, Twilio, Sentry, and Resend) also primarily process and store data in the United States.

If you are accessing our Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

When your data is transferred internationally, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA/UK
Contractual data protection obligations with all third-party providers
Encryption of data in transit and at rest

10. Data Security

We implement industry-standard security measures to protect your data:

Encryption of data in transit (TLS/HTTPS) and at rest
Secure cloud storage with regular backups
Restricted access to personal information on a need-to-know basis
Regular security audits and updates

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR)
Notify affected users without undue delay via email and/or in-app notification
Provide details about the nature of the breach, the data involved, and the steps we are taking to address it
Offer guidance on steps you can take to protect yourself

12. Data Retention

We retain your personal data for as long as your account is active and as needed to provide our services. Specifically:

Account data — Retained while your account is active. Upon account deletion, personal data is permanently removed within 30 days.
Transaction records — Retained for 7 years after the transaction date to comply with financial and tax regulations.
Messages — Retained while your account is active and deleted within 30 days of account deletion.
Government-issued ID — Deleted within 30 days after successful verification, unless required for an ongoing dispute.
Usage analytics — Aggregated and anonymized data may be retained indefinitely. Identifiable usage data is deleted within 90 days of account deletion.

13. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access — Request a copy of the personal information we hold about you
Correction — Update or correct inaccurate personal data
Deletion — Delete your account and all associated personal data (Settings > Delete Account in the app)
Data Portability — Receive your data in a structured, machine-readable format (JSON/CSV) by contacting support
Restrict Processing — Request that we limit how we use your data
Object to Processing — Object to processing based on legitimate interest
Withdraw Consent — Withdraw any previously given consent at any time
Opt Out of Marketing — Opt out of marketing communications via notification settings
File Complaints — Lodge a complaint with your local data protection authority

To exercise any of these rights, you can use the in-app settings or contact us at [email protected]. We will respond to your request within 30 days. If we need additional time (up to 60 additional days), we will inform you of the reason for the extension.

14. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete — You may request the deletion of your personal information, subject to certain legal exceptions.
Right to Correct — You may request that we correct inaccurate personal information.
Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising. As such, there is no need to opt out, but you may contact us if you have questions.
Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, a different quality of service, or any penalty for exercising your rights.

Categories of personal information collected in the preceding 12 months: Identifiers (name, email, phone number), commercial information (rental history, transaction details), internet or electronic network activity (usage data, device information), geolocation data (approximate location), and visual information (profile photos, item photos, government ID for verification).

To submit a verifiable consumer request, contact us at [email protected]. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf.

15. European Economic Area and UK Residents (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data.

Legal Basis for Processing

We process your personal data under the following legal bases:

Contract Performance — Processing necessary to provide the Service you have signed up for (account management, facilitating rentals, processing payments, sending transactional notifications).
Legitimate Interest — Processing necessary for our legitimate business interests, such as fraud prevention, platform security, service improvement, and analytics, balanced against your rights and freedoms.
Consent — Processing based on your explicit consent, such as marketing communications and government ID verification. You may withdraw consent at any time.
Legal Obligation — Processing necessary to comply with applicable laws, such as tax and financial record-keeping.

Your GDPR Rights

In addition to the rights listed in Section 13, EEA/UK residents have the right to:

Request information about international data transfers and the safeguards in place
Object to processing based on legitimate interest (we will stop processing unless we have compelling legitimate grounds)
Not be subject to automated decision-making. We do not make decisions that produce legal or similarly significant effects based solely on automated processing.

To exercise your rights or for questions about our GDPR compliance, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection supervisory authority.

16. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

17. Changes to This Policy

We may update this privacy policy periodically. We will notify you of significant changes through the app or by email at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes. If you disagree with the updated policy, you may delete your account before the changes take effect.

18. Governing Law

This privacy policy is governed by and construed in accordance with the laws of the State of New York, United States, without regard to conflict of law principles. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the state and federal courts located in New York, New York.

This does not affect your statutory rights under applicable local laws, including GDPR, UK GDPR, and CCPA/CPRA, which may provide you with additional or overriding rights.

19. Contact Us

If you have questions about this privacy policy, our data practices, or wish to exercise your rights, please contact us at:

Email: [email protected]

For GDPR-related inquiries, you may also contact our data protection team at the same email address. We aim to respond to all legitimate requests within 30 days.