Privacy Policy

Account data — when you sign in through Google or Facebook, we receive your name, email address, profile picture and a unique provider identifier.

Activity data — listings you reveal host contacts for, host submissions you send us, demand requests you submit and reports you file. Each record includes timestamps and is associated with your account.

Content you submit — photos, descriptions and messages you send via our forms.

Technical data — IP address, browser user-agent, device information, approximate location derived from your IP, and standard server logs. We also use functional cookies (session, locale, consent) to operate the Platform.

We process personal data on the following bases:

• Performance of a contract (Art. 6(1)(b)) — to provide the Platform and fulfil contact-reveal, submission and demand-request functionality you request.

• Legitimate interests (Art. 6(1)(f)) — to prevent abuse and fraud, to secure the Platform, to keep anti-scraping and audit logs, and to measure usage at an aggregate level.

• Consent (Art. 6(1)(a)) — for optional communications and any cookies or pixels that are not strictly necessary.

• Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting and other laws applicable to us.

We use personal data to: create and manage your account; display listings and let you reveal host contact details; process host submissions and demand requests; handle listing reports; detect and prevent abuse, fraud and unauthorised access; respond to your questions; improve the Platform; and comply with our legal obligations.

We share personal data with the following categories of recipients, each acting as our processor or independent controller:

• Google LLC and Meta Platforms Ireland — OAuth authentication.

• Amazon Web Services EMEA SARL — hosting and image storage (EU regions).

• Cloudinary Ltd. — image processing and CDN.

• Mapbox Inc. — map tiles and geocoding.

• Vercel Inc. — web hosting in production.

• Our professional advisers (accountants, lawyers) where necessary.

We do not sell personal data. We do not share your email or contact details with hosts unless you choose to use a contact link that carries them (for example, if you email a host directly).

Some of our sub-processors are based outside the European Economic Area (for example, in the United States). When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses or, where applicable, adequacy decisions, to provide an equivalent level of protection.

We keep personal data for as long as your account is active and for a reasonable period afterwards. Typical retention: account and profile data — until you delete your account and then up to 30 days in backups; contact-reveal and activity logs — up to 24 months for security and anti-abuse purposes; host submissions and demand requests — up to 24 months after their last update; reports — up to 24 months after resolution; server logs — up to 90 days. We may retain data longer where required by law (for example, accounting records).

Under the GDPR you have the right to: access your personal data; rectify inaccurate data; request deletion ("right to be forgotten") subject to legal retention obligations; restrict or object to certain processing; port your data to another service; and withdraw consent at any time. To exercise any of these rights, contact us at hello@midterm.rent. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (cpdp.bg) or the supervisory authority in your country of residence.

We use a small number of cookies: a session cookie for authentication, a locale cookie to remember your language preference and, where required, a consent cookie to record your cookie choices. We do not use advertising cookies. You can clear cookies at any time through your browser settings.

We use industry-standard measures — encryption in transit (TLS), encryption of secrets at rest, access controls, image watermarking, and regular backups — to protect personal data. No system is perfectly secure; please choose a strong authentication method with your OAuth provider and contact us if you suspect unauthorised access to your account.

The Platform is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this Privacy Policy from time to time. The "Last updated" date above reflects the latest revision. For material changes we will take reasonable steps to notify you (for example, through a banner or email).