Privacy Policy — Fuego Social
← Back

Privacy Policy

Last updated: April 28, 2025 · Version 1.0

Summary: We use your name, email and payment details to operate the platform. We do not sell your data. You have the right to view, correct or delete everything we store. Questions: [email protected]

1. Data controller

The controller responsible for processing your personal data is Fuego Social, based in Luxembourg, Grand Duchy of Luxembourg ("we" or "the platform").

Contact: [email protected]

The processing of personal data is subject to Regulation (EU) 2016/679 (GDPR), Luxembourg data protection legislation and the ePrivacy Directive 2002/58/EC.

2. What data we collect

2.1 Data you provide to us

DataWhenRequired
Full nameRegistrationYes
Email addressRegistrationYes
Password (bcrypt hash)Email/password registrationYes
Phone numberRegistration / profileNo
Profile photoProfileNo
City and countryProfileNo
Payment information (tokenised)Booking / paymentTo pay
Identity dataHost verificationHosts only

2.2 Data we generate automatically

  • IP address and approximate location
  • Device type, browser and operating system (user-agent)
  • Pages visited, session duration and clicks (analytics)
  • Access logs, server errors and security logs
  • Date and time of transactions and bookings

2.3 Third-party data

  • Google OAuth: if you sign in with Google, we receive your name, email and public photo.
  • Stripe / MercadoPago: we receive payment identifiers (tokens). Your full card number never passes through our servers.

4. How we use your data

  • Operating the platform: managing accounts, processing bookings, payments and communication between hosts and guests.
  • Identity verification: confirming that hosts are who they say they are, for community safety.
  • Support and dispute resolution: responding to queries, mediating conflicts and processing refunds.
  • Security and anti-fraud: detecting suspicious activity and protecting accounts.
  • Transactional communications: booking confirmations, reminders and invoices (always linked to the service).
  • Marketing (consent only): news and offers. You can unsubscribe at any time.
  • Analytics and improvement: understanding how the platform is used to improve the experience.
  • DSA — content moderation: reviewing listings and profiles to ensure compliance with our rules and applicable law.

5. Third parties and international transfers

We share data only when necessary to operate the service:

ProviderPurposeCountrySafeguards (Art. 46 GDPR)
StripePayment processingUSA / EUStandard Contractual Clauses (SCCs)
MercadoPagoPayments in LATAMArgentina / BrazilSCCs
Google (OAuth, Analytics)Authentication, analyticsUSASCCs + EU-US Data Privacy Framework
Hosting provider (EU)InfrastructureEUGDPR direct

We do not sell your data or share it with advertisers.

An event's physical address is shared with the guest only after the booking is confirmed, in line with the service's purpose.

6. Retention period

CategoryPeriodReason
Active accountWhile the account existsActive service
Deleted account30 days (full technical deletion)Pending cancellations and disputes
Transaction records and invoices10 yearsTax obligation (Luxembourg)
Security and access logs12 monthsFraud detection
Messages between users2 years from the last messageDispute resolution
GDPR consent records5 yearsLegal obligation — accountability
Cookie consent records13 monthsePrivacy Directive

7. Your rights (GDPR)

Access (Art. 15)

Obtain confirmation and a copy of the personal data we process about you.

Rectification (Art. 16)

Correct inaccurate data or complete incomplete data.

Erasure (Art. 17)

Request the deletion of your data when it is no longer necessary ("right to be forgotten").

Portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON/CSV).

Restriction (Art. 18)

Request that we pause processing while a dispute is being resolved.

Objection (Art. 21)

Object to processing based on legitimate interest or to direct marketing.

How to exercise your rights

Send your request to [email protected] with the subject "GDPR Request — [type of right]". We respond within a maximum of 30 days (extendable to 60 days in complex cases, with notice).

You can also manage many rights directly from My Account → Privacy.

8. Cookies

We use our own and third-party cookies. For full details, see our Cookie Policy. You can manage your preferences at any time from the cookie banner or from the page footer.

9. Minors

Fuego Social is not directed at persons under 18 years of age. We do not intentionally collect data from minors. If we detect an account belonging to a minor, we will delete it immediately. Notifications: [email protected].

10. Security

We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR:

  • Password encryption with bcrypt (cost 12)
  • Encrypted transmission with TLS 1.3
  • Restricted access to personal data (principle of least privilege)
  • Continuous monitoring of access and anomalous activity
  • Encrypted backups with automatic rotation
  • Tokenisation of payment data (processed directly by Stripe/MercadoPago)

In the event of a security breach affecting your rights, we will notify you within 72 hours of becoming aware (Art. 34 GDPR).

11. Changes to this policy

We may update this policy to reflect changes in the service or in legislation. When changes are material, we will communicate them by email and/or via a notice on the platform with at least 30 days' notice. The "last updated" date in the header reflects the current version.

12. Contact and complaints

Privacy: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:

Commission Nationale pour la Protection des Données (CNPD)
https://cnpd.public.lu

If you reside in another EU country, you may also contact the data protection authority in your country of residence.