REZZ.MY

Legal

Privacy Policy

We take your data seriously. Here is exactly what we collect, why, and how you can control it.

Last updated: 15 May 2026

01

Data Controller

The data controller responsible for your personal data under this policy is:

Name: Faysal Badaoui Mahdad

NIF: 53923695B

Address: Kitchen, Aarhus Universitet, Aarhus, Denmark

Phone: +34 631 310 473

Email: faysal@faezlabs.com

Rezz.my is a product of FaezLabs. When we refer to “we,” “us,” or “our,” we mean Faysal Badaoui Mahdad operating under the Rezz.my brand.

02

What Data We Collect

We collect the following categories of personal data depending on how you use the platform:

Account data (Hosts)

  • Email address and password (hashed, never stored in plaintext)
  • Display name and public booking page slug
  • Access policy settings (domain restrictions, secret codes)
  • Stripe Connect account identifiers (for payment processing)

Booking data (Guests)

  • Email address (used to verify access and send confirmations)
  • Requested booking date, time, and item
  • Booking status (pending, confirmed, rejected)
  • Payment reference (if the booking involves payment)

Technical data

  • IP address and browser user agent (for security and fraud prevention)
  • Authentication tokens managed by Supabase
  • Usage logs for debugging and uptime monitoring

We do not collect sensitive personal data (health, race, religion, political opinion, etc.). We do not use tracking pixels or sell data to third parties.

03

How We Use Your Data

We use your personal data solely to operate and improve the Rezz.my service:

  • To create and authenticate your account
  • To process and manage booking requests between hosts and guests
  • To verify guest access against a host's domain or code restrictions
  • To send booking confirmation and notification emails
  • To process payments via Stripe (where applicable)
  • To provide customer support when requested
  • To detect and prevent fraudulent or abusive activity
  • To improve platform performance and reliability

We do not use your data for advertising, profiling, or any purpose beyond operating this service.

05

How Long We Keep Your Data

We retain personal data only as long as necessary for the stated purposes:

Account data: Retained for the life of your account. Deleted within 30 days of account closure.

Booking records: Retained for 5 years to comply with applicable tax and financial record-keeping obligations.

Authentication logs: Retained for 90 days for security purposes, then automatically deleted.

Support correspondence: Retained for 2 years from the date of resolution.

06

Who We Share Your Data With

We do not sell or rent your personal data. We share data only with the following trusted sub-processors, strictly to operate the platform:

Supabase (USA)

Authentication and database hosting. Your account data and booking records are stored on Supabase infrastructure. Supabase is SOC 2 Type II certified.

View their privacy policy →

Stripe (USA)

Payment processing. When paid bookings are enabled, Stripe processes payment card data directly — we never store raw card numbers. Stripe is PCI DSS Level 1 certified.

View their privacy policy →

We may also disclose data to law enforcement or regulatory authorities if required by applicable law, or to protect the rights and safety of users of the platform.

07

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

Right of access: Request a copy of the personal data we hold about you.

Right to rectification: Request correction of inaccurate or incomplete data.

Right to erasure: Request deletion of your data where we have no legal obligation to retain it.

Right to restriction: Request that we limit how we process your data in certain circumstances.

Right to portability: Receive your data in a machine-readable format and transfer it to another service.

Right to object: Object to processing based on legitimate interests at any time.

Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at faysal@faezlabs.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority — in Denmark, this is Datatilsynet.

08

Cookies and Tracking

Rezz.my uses only strictly necessary cookies required to operate the service. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Session cookies

Set by Supabase to maintain your authenticated session. Deleted when you sign out or the session expires.

CSRF tokens

Short-lived tokens to protect form submissions from cross-site request forgery attacks.

We do not use Google Analytics, Meta Pixel, or any behavioural tracking tools.

09

Data Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include: encrypted data transmission (TLS), hashed password storage (bcrypt via Supabase Auth), access controls limiting data to authorised personnel only, and regular security reviews. While no system is 100% secure, we take reasonable and industry-standard steps to protect your information.

10

International Data Transfers

Our sub-processors (Supabase and Stripe) may process data in the United States. These transfers are conducted under appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection outside the EEA.

11

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you by email at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

12

Contact

For any privacy-related questions, requests, or concerns, contact us at:

Name: Faysal Badaoui Mahdad

NIF: 53923695B

Address: Kitchen, Aarhus Universitet, Aarhus, Denmark

Phone: +34 631 310 473

Email: faysal@faezlabs.com
