Privacy Policy

Last updated: 6 June 2026

This Privacy Policy explains how Servu MT ("Servu", "we", "us", "our") collects, uses, stores and protects your personal data when you use the Servu platform at servumt.com — a marketplace based in Malta that connects customers with independent local service providers across categories such as beauty & personal care, home & lifestyle, professional & business, events & entertainment, tech & digital, health & wellness, education, automotive and logistics (the "Platform").

Servu is the data controller for the personal data described here. We handle your data in accordance with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act. Our payment partner (Stripe) acts as an independent controller for the payment and identity data it collects to process payments and payouts.

1. Information we collect

We collect the following categories of personal data:

  • Account & sign-in details — your name, email address, password, and the one-time email verification codes and trusted-device tokens used to sign you in securely. If you choose Sign in with Google, Google shares your basic profile information (name, email address and profile picture) with us to create or access your account; we do not receive your Google password.
  • Contact & identity profile — phone number and country dialing code, nationality, profile picture, preferred display currency, and (for providers) your headline, bio, languages, service area and base location.
  • Location & address data — service addresses you enter (street, locality, country). Address autocomplete suggestions are powered by a third-party mapping service (see "Where your data is stored").
  • Provider verification (KYC) data — for providers only: identity documents (ID front/back and a selfie), qualifications and certificates, your CV if you upload one, and, for non-EU applicants, residence-permit type and expiry plus an eligibility-to-work confirmation. Collected for vetting and legal compliance.
  • Payout & banking data — for providers: bank account holder name, IBAN and BIC/SWIFT. Identity and bank verification for payouts is performed by Stripe (Stripe Connect).
  • Booking & transaction data — the services you book or provide, dates, times, schedules, locations, amounts, escrow/payment status, payouts, withdrawals, disputes, refunds, and any reason you give when cancelling or declining a booking.
  • Payment data — your card details are entered directly with Stripe and are never stored on our servers. We receive limited information such as payment status and the card brand/last digits.
  • Communications & content — in-app chat messages and shared images, reviews and ratings, reports you submit about content, and messages you send to our support team through the in-app help and support feature.
  • Presence & activity — online/last-seen status and read receipts within chats, and your provider availability (working hours or "available now").
  • Technical & usage data — device, browser, IP address and how you interact with the Platform, collected to keep it secure and working.
  • Notifications — if you allow them, we deliver in-app/push and email notifications (for example booking updates), which you can unsubscribe from.

2. How we use your data

We use personal data to:

  • create and manage your account and authenticate sign-ins (including OTP codes);
  • operate the marketplace — match customers and providers, manage availability and schedules, take bookings, and process payments and payouts;
  • hold funds in escrow and release them to providers once a job is completed or auto-released;
  • verify provider identity and eligibility, and keep the marketplace safe and trusted;
  • send service messages (verification codes, booking requests/updates and receipts);
  • provide support, moderate reported content, and handle disputes and refunds;
  • enforce our Terms, including suspending or removing accounts that break the rules;
  • improve and secure the Platform and prevent fraud and abuse;
  • comply with legal obligations, including KYC/AML and DAC7 reporting where applicable.

3. Legal bases

We rely on the following GDPR legal bases:

  • Contract — to provide the Platform and the services you request.
  • Legal obligation — for tax, accounting, KYC/AML and DAC7 requirements.
  • Legitimate interests — to secure the Platform, prevent fraud, moderate content and improve our services, balanced against your rights.
  • Consent — for optional features such as push notifications; you can withdraw consent at any time.

4. Where your data is stored and who processes it

Your data is hosted by the infrastructure providers below, who act as our processors (or, for Stripe, as an independent controller for payment/identity data). Our primary database, authentication and file storage are hosted in the European Union (Ireland). Where a provider (such as Stripe or our email service) processes data outside the EEA, we rely on appropriate safeguards (see "International transfers").

  • Lovable Cloud (built on Supabase) — our database, authentication and file storage. This holds your account, profile, contact and nationality details, bookings, messages, reviews, and uploaded files. Passwords are stored only as salted hashes by the authentication service — we never store or have access to your plain-text password. Verification documents (ID, selfie, certificates, CV) are kept in a private storage bucket accessible only via short-lived signed links to authorised compliance staff.
  • Stripe — payments, payouts and provider identity/bank verification (Stripe Connect). Full card numbers and bank credentials are held by Stripe, not by us (Stripe is certified to the PCI-DSS standard). We only see limited status data.
  • Google (Sign in with Google) — if you choose to sign in with Google, Google authenticates you and shares your basic profile (name, email, profile picture) so we can create or access your account. Your use of Google sign-in is also subject to Google's own privacy policy.
  • Email delivery provider — to send transactional emails (sign-in codes, booking notifications). It processes your email address and the message content.
  • Mapping/geocoding provider — when you use address autocomplete, the text you type is sent to a third-party mapping service to return address suggestions.
  • Currency rates provider — we fetch exchange rates to display prices in your chosen currency. No personal data is sent for this.

We do not sell your personal data. If you would like the current list of sub-processors and their hosting regions, contact us at servumt@gmail.com.

5. How we share your data

We share personal data only as needed to run the Platform:

  • Between customers and providers — the information needed to fulfil a booking (for example, the booking details, the service address and the in-app chat).
  • With the processors listed above — acting on our instructions to operate the Platform.
  • Authorities — where required by law (for example, tax/DAC7 reporting or valid legal requests).

6. International transfers

Some providers (such as payment and infrastructure services) may process data outside the EU/EEA. Where they do, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses to protect your data.

7. How long we keep it

We keep personal data only as long as necessary for the purposes above — for as long as you have an account, and afterwards where needed to meet legal, tax, accounting or dispute-resolution obligations (for example, KYC/AML and DAC7 records, and transaction records, are kept for the periods required by law). Moderated/removed chat messages may be retained for a limited period for safety and dispute purposes.

8. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased where applicable;
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent at any time, without affecting prior processing.

You can delete your account at any time from Settings, which removes your profile and associated data (subject to records we must retain by law). To exercise any right, contact us at servumt@gmail.com. You also have the right to lodge a complaint with the Maltese Information and Data Protection Commissioner (IDPC) at idpc.org.mt.

9. Security

We use technical and organisational measures to protect your data, including encryption in transit (HTTPS), hashed passwords, row-level access controls on our database, private storage for verification documents with short-lived signed links, and handling card and bank data only through Stripe. No system is perfectly secure, but we work to protect your information and to respond promptly to any incident.

10. Cookies and similar technologies

We use a small number of cookies and similar technologies (such as local storage) that are necessary to sign you in, keep your session, and remember preferences like your theme and display currency. We do not use them to sell your data.

11. Children

The Platform is intended for adults (18+). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will remove it.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you. The "Last updated" date above shows when it last changed.

13. Contact us

For any privacy question or request, email us at servumt@gmail.com. You can also review our Terms & Conditions.