Privacy Policy — CoFloor

Table of Contents

Data Controller
Data We Collect
Purposes and Legal Bases
Data Retention
Third-Party Sharing
International Transfers
AI Assistant Aria
Minors
Your Rights
Changes to This Policy
Contact

1 Data Controller

Controller Details

Riccardo Peter Corti
Lecco, Italy
Email: info@cofloor.it
Website: https://cofloor.it

The Data Controller determines the purposes and means of processing the personal data of users who access CoFloor's website and services.

2 Data We Collect

Data you provide directly

Identity data: first name and last name
Contact data: email address
Accommodation data: property name, address, type, number of rooms, house rules, guest information
AI Aria conversations: messages, requests, and generated content

Data collected automatically

Usage data: IP address, browser type, operating system, pages visited, session duration
Interaction data: features used, access frequency, interaction events
Technical session data: Supabase authentication tokens (session cookies)
Cookies: see our Cookie Policy for full details

Payment data

Payment card details (card number, IBAN, etc.) are never stored on CoFloor servers. All payment processing is handled exclusively by Stripe, Inc., certified PCI DSS Level 1. CoFloor only receives confirmation of the transaction outcome.

3 Purposes and Legal Bases

Purpose	Legal Basis	GDPR Article
Providing the CoFloor service (account management, AI Aria)	Performance of a contract	Art. 6(1)(b)
Payment processing via Stripe	Performance of a contract	Art. 6(1)(b)
Tax and accounting obligations	Legal obligation	Art. 6(1)(c)
Statistical usage analysis (Google Analytics, Hotjar)	Consent	Art. 6(1)(a)
Platform security and fraud prevention	Legitimate interest	Art. 6(1)(f)
Service communications and updates	Legitimate interest	Art. 6(1)(f)

Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

4 Data Retention

Data Category	Retention Period
Account data (name, email)	Duration of contractual relationship + 2 years after closure
Accommodation/property data	Duration of contractual relationship + 1 year
AI Aria conversations	12 months from each session
Payment records (Stripe)	10 years (Italian tax obligations)
Navigation and security logs	90 days
Analytics data (Google Analytics)	14 months (default GA4 configuration)
Session recordings (Hotjar)	365 days

At the end of the retention period, data is permanently deleted or irreversibly anonymised.

5 Third-Party Sharing

CoFloor does not sell or share your personal data with third parties for marketing purposes. Data is shared only with the following parties, to the strictly necessary extent:

Party	Role	Purpose	Location
Supabase, Inc.	Data processor	Database, authentication, storage	USA (EU servers)
Stripe, Inc.	Data processor	Payment processing	USA
Google LLC (Analytics)	Data processor	Traffic analytics	USA
Hotjar Ltd.	Data processor	Behavioural analytics, heatmaps	Malta (EU)
Competent authorities	Independent controller	Legal obligations, authority orders	Italy / EU

A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been entered into with all data processors.

6 International Transfers

Some of our service providers (Google, Stripe, Supabase) are based in the United States. Data transfers are carried out in compliance with Arts. 45–49 GDPR, relying on:

Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU)
EU-US Data Privacy Framework (for certified providers)

You may request a copy of the transfer mechanisms in place by writing to info@cofloor.it.

7 AI Assistant Aria

CoFloor integrates an artificial intelligence assistant called Aria, designed to help hosts manage guest communication and create property content.

How Aria conversations are processed

Conversations with Aria may contain property-related data (name, address, rules, guest messages). This data is used solely to generate in-session responses and improve the service. It is not used to train third-party AI models without explicit consent.

Aria messages are retained for 12 months from the session date, after which they are deleted. You may request early deletion at any time by writing to info@cofloor.it.

8 Minors

CoFloor's service is intended exclusively for individuals aged 18 or over. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, please contact us at info@cofloor.it and we will promptly delete it.

9 Your Rights

As a data subject, you have the following rights under Arts. 15–22 GDPR:

Access (Art. 15) Obtain confirmation of processing and a copy of your data.

Rectification (Art. 16) Correct inaccurate or incomplete data.

Erasure (Art. 17) Request deletion of your data ("right to be forgotten").

Restriction (Art. 18) Restrict processing in specific cases provided by law.

Portability (Art. 20) Receive your data in a structured, machine-readable format.

Objection (Art. 21) Object to processing based on legitimate interest.

Withdraw consent Withdraw consent at any time without affecting prior processing.

Lodge a complaint (Art. 77) File a complaint with the Italian or your local supervisory authority.

To exercise your rights, write to info@cofloor.it with subject line "GDPR Rights Request". We will respond within 30 days of receipt.

You may also file a complaint with the Italian Data Protection Authority (Garante Privacy):
Piazza Venezia 11, 00187 Rome, Italy — www.garanteprivacy.it

10 Changes to This Policy

CoFloor reserves the right to update this Privacy Policy at any time. Material changes will be communicated by email to the registered address or via a prominent notice on the platform, with at least 14 days' advance notice. The date of the last update is always shown at the top of this page.

11 Contact

Data Controller

Riccardo Peter Corti
Lecco, Italy
Email: info@cofloor.it
Website: https://cofloor.it

For any questions about how we process your personal data, please don't hesitate to get in touch.