// PRIVACY POLICY

Privacy Policy

Last updated: 25 April 2026

1. Who we are

Spitly ("we", "our", "Spitly") is a technology platform connecting property owners with prospective tenants for mid-term furnished rentals in Athens and Piraeus, Greece. This policy explains how we collect and use your personal data.

Data controller: Spitly · Contact: privacy@spitly.gr · Website: https://spitly.gr

2. What data we collect

When you sign up or use Spitly, we collect:

  • Identity data: full name, email address, phone number (optional)
  • Profile data: role (tenant/owner), preferred language, profile photo
  • Property data (owners only): address, description, photos, pricing, availability
  • Usage data: pages you visit, actions you take on the platform, device type, IP address
  • Communications: messages sent through our in-platform messaging system

We do NOT collect: government ID numbers, bank account details (payments go through third-party providers), health data, political opinions, religious beliefs.

3. Why we collect it (legal basis)

  • Performance of contract (Art. 6(1)(b) GDPR): to provide the service you signed up for — listing properties, searching, messaging
  • Legitimate interest (Art. 6(1)(f) GDPR): to prevent fraud, moderate content, improve our service, send essential service emails
  • Consent (Art. 6(1)(a) GDPR): for marketing emails, analytics cookies, and any optional features

4. Who we share it with

We only share your data with:

  • Other Spitly users as necessary for the service (e.g. your listing's public fields are visible to searchers)
  • Service providers we use to operate Spitly: Supabase (database hosting in Frankfurt, Germany), Vercel (web hosting), Resend (email delivery)
  • Legal authorities when legally required

We do not sell your data to third parties. Ever.

5. International transfers

Your data is stored in the European Union (primarily Germany). We do not transfer data outside the EEA without appropriate safeguards.

6. How long we keep it

  • Account data: while your account is active, plus 30 days after deletion
  • Property listings: while active; archived after deactivation
  • Messages: 12 months from last activity
  • Server logs (IP, device): 90 days
  • Financial records: 10 years (legal requirement)

7. Your rights

Under GDPR you have the right to:

  • Access your data (we will provide a copy)
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability (export your data in machine-readable format)
  • Withdraw consent at any time
  • Complain to the Hellenic Data Protection Authority (HDPA — www.dpa.gr)

To exercise these rights, email privacy@spitly.gr. We will respond within 30 days.

8. Cookies

We use:

  • Essential cookies: required for the site to function (login session, language preference). No consent needed.
  • Analytics cookies: to understand how users use Spitly. Only set with your explicit consent via the cookie banner.

9. Security

We protect your data with:

  • HTTPS encryption on all connections
  • Passwords hashed with industry-standard algorithms (never stored in plain text)
  • Access controls on our database
  • Regular security reviews

In case of a data breach affecting your rights, we will notify you and the HDPA within 72 hours as required by law.

10. Children

Spitly is intended for users aged 18 and over. We do not knowingly collect data from users under 15 without parental consent.

11. Changes to this policy

We may update this policy. If changes are significant, we will email you and give you 30 days' notice before they take effect.

12. Contact

For any privacy-related questions: privacy@spitly.gr

Terms of Service →