Privacy Policy

If you are in the EU/EEA, our lead supervisory authority is the Romanian DPA (see Section 12), but you may also contact the data protection authority in your own country.

• We act as a controller for host account and billing data, for technical data on our website, and for the aggregated guide-usage statistics shown to hosts as “Guest insights”.
• We act as a processor for personal data that a host enters into a guide (e.g. an emergency contact). In that case the host is the controller, and the relationship is governed by a Data Processing Agreement (DPA) available to customers on request.

Host responsibility: the host warrants that it has a lawful basis for any third-party personal data included in a guide and informs the relevant individuals where required.

a) From hosts (account holders)

• identity and contact data: name, email;
• account data: password (stored encrypted), settings, branding (cover colors and images);
• property data entered by the host: name, address, access instructions, Wi-Fi, contacts (which may include third-party personal data — see Section 2);
• proof of acceptance of legal documents: timestamps and document version at sign-up;
• billing data: name, address, payment history (handled via Stripe; we do not store card details).

b) From guests who open a guide

• aggregated usage statistics: sections opened, clicks, views (used for “Guest insights” and to operate the Service), without storing identifying guest data;
• technical data processed automatically for operation, security and performance: device type, OS, browser, language, IP address at a technical level, access logs generated by our infrastructure providers;
• cookies and similar technologies (see our Cookie Policy).

Guests do not create accounts and do not submit identifying data to view a guide.

To run the Service we work with the following providers, acting as processors (sub-processors):

• Supabase — authentication, database, file/image storage, transactional email for auth flows;
• Vercel Inc. — hosting, deployment, content delivery;
• Bunny.net — CDN for delivering the video instructions in guides;
• Stripe — payment and subscription processing (Henora Guest does not store card details);
• professional advisers and public authorities where legally required.

We do not use behavioural marketing, advertising, commercial profiling, retargeting, Meta Pixel or Google Analytics, and we do not sell data to third parties. Fonts are self-hosted, with no requests to Google’s servers.

Some of our infrastructure (e.g. hosting on Vercel) may process data on servers outside the European Economic Area, including in the United States. Such transfers rely on appropriate safeguards — the European Commission’s Standard Contractual Clauses and/or applicable adequacy mechanisms. A copy of the safeguards is available on request.

• account and property data: for the duration of the subscription and up to 60 days after the account is closed (during which the account may be reactivated), then deleted or anonymized;
• proof of acceptance of the Terms: for the duration of the contractual relationship and the period needed to defend legal rights;
• billing/subscription data (Stripe): as required by tax and accounting obligations;
• usage statistics and technical logs: for limited periods, per technical need and the Cookie Policy;
• data processed on behalf of hosts: per their instructions and the DPA.

After these periods, data is deleted or anonymized.

You have the rights of access, rectification, erasure, restriction, data portability, objection, and to withdraw consent (without affecting prior processing), as well as the right not to be subject to a solely automated decision producing significant effects.

Exercise them at support@henora.app; we usually respond within one month. Where we process data on behalf of a host, please address your request to that host directly.

We apply appropriate technical and organizational measures (encryption in transit, access control, backups, logging). In the event of a personal-data breach posing a risk to your rights, we notify the competent supervisory authority and, where required, affected individuals, in line with the GDPR.

Our website and guides use cookies and similar technologies; details are in our Cookie Policy.

The Service is intended for adult hosts and is not directed at children under 16. We do not knowingly collect data from minors.

You may lodge a complaint with your local data protection authority. Our lead authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — 28-30 G-ral. Gheorghe Magheru Blvd., Sector 1, 010336 Bucharest, Romania; anspdcp@dataprotection.ro; www.dataprotection.ro.

We may update this policy; the current version with its update date is published on our site. Questions: support@henora.app or the address in Section 1.