Allure — Privacy Policy

Last updated: April 30, 2026

Allure (the operators of allurexp.com) ("we", "us", "our") provides a mobile and web service that connects guests with partner venues and hosts. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have over it.

This policy is written to satisfy the EU General Data Protection Regulation (GDPR 2016/679), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA). If you have questions, contact our Data Protection Officer at contact@allurexp.com.

1. Who is the data controller?

The data controller for personal information collected through the Allure app, website (allurexp.com) and related services is the operator of allurexp.com. A formal corporate entity is in the process of registration and this section will be updated with the registered company name and address as soon as registration is complete. In the meantime, you can reach the operator at contact@allurexp.com.

2. Information we collect

2.1 Information you give us

  • Account data: full name, email address, phone number (optional), password (stored hashed, never in plaintext), date of birth (for age-rating where required).
  • Profile data: profile photo, preferred role (guest / host / venue owner), language.
  • Venue / host onboarding data: business name, business address, contact details, social media handles, venue photos, Airbnb listing URLs, bank-transfer details (IBAN) for payouts.
  • Content you create: messages sent inside the in-app chat, reviews, tip amounts, staff invitations.

2.2 Information collected automatically

  • Transaction data: payment amounts, discount applied, staff tip, venue identifier, timestamp, payment status. Card details are handled by our payment processor and never stored on Allure servers.
  • QR / pass data: when you scan an Allure QR pass, we record a transaction reference, venue ID, and the time of the scan.
  • Approximate location: when you grant location permission, we use it only to show nearby partner venues on the map. We do not continuously track your location in the background.
  • Device & log data: device type, operating system, app version, IP address, crash logs, page views, session duration.
  • Cookies and local storage: session tokens, preferences, and PWA installation identifiers. See Section 9.

3. Why we use your data (legal bases)

  • To provide the service — account creation, authentication, scanning passes, processing payments, delivering messages, calculating host earnings and venue payouts. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • To comply with the law — tax, accounting, anti-money-laundering, fraud prevention. Legal basis: legal obligation (Art. 6(1)(c)).
  • To improve the service — aggregated, non-personally-identifiable analytics. Legal basis: legitimate interest (Art. 6(1)(f)).
  • To send you transactional emails — receipts, account verification, early-access approval, password reset. Legal basis: performance of a contract.
  • To send you marketing emails — only with your prior opt-in consent (Art. 6(1)(a)). You can withdraw consent at any time from Settings → Privacy.

4. Who we share your data with

We share your personal data only with the following categories of recipients, and only to the extent necessary:

  • Payment processor — Viva Wallet (Viva Payments S.A., Greece): card tokenisation, payment authorisation, settlement. Viva Wallet is a separate data controller under PSD2. See Viva Wallet privacy policy.
  • Transactional email provider — Resend (Resend, Inc., USA): delivery of account and transaction emails. See Resend privacy policy.
  • Voice / video infrastructure — Twilio (Twilio Inc., USA): TURN servers for in-app calls. See Twilio privacy policy.
  • Cloud database hosting — MongoDB Atlas (MongoDB, Inc.) in EU-based data centres.
  • Application hosting — Emergent Labs for preview and deployment infrastructure.
  • Authorities: where required by law, court order, or to prevent fraud.

We do not sell or rent your personal data to advertisers or data brokers.

5. International data transfers

Some processors (Resend, Twilio) are located in the United States. Transfers are protected by the EU Standard Contractual Clauses (2021/914) and, where available, the EU–US Data Privacy Framework.

6. How long we keep your data

  • Account data — while your account is active, plus 6 months after deletion request.
  • Financial and tax records — 10 years (statutory retention in the EU).
  • Messages inside in-app chat — up to 24 months.
  • Crash logs and session logs — 90 days.
  • Marketing opt-in records — until you unsubscribe + 24 months.

7. Your rights

Under GDPR and similar laws you have the right to:

  • Access the personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data (“right to be forgotten”) — subject to legal retention obligations.
  • Ask us to restrict or object to processing.
  • Receive your data in a portable, machine-readable format (data portability).
  • Withdraw consent you previously gave, at any time.
  • Lodge a complaint with your national supervisory authority (in the UK — the Information Commissioner’s Office; in Greece — the Hellenic DPA).

To exercise any of these rights, email contact@allurexp.com. We respond within 30 days.

8. Security

We use industry-standard security measures: TLS 1.2+ in transit, encryption at rest, bcrypt-hashed passwords, JWT access tokens, role-based access controls, and audit logs. Despite all reasonable precautions, no system is 100% secure; if we detect a breach likely to result in a risk to your rights, we will notify you and the relevant authority within 72 hours as required by GDPR Art. 33–34.

9. Cookies and local storage

The Allure app stores a session token, your preferred role, and some UX preferences in your device’s local storage. These are strictly necessary for the service to function and therefore do not require consent under the ePrivacy Directive. We do not use third-party advertising cookies.

10. Children

Allure is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a child has provided us with data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced in the app and by email at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

12. Contact

Allure (the operators of allurexp.com)
Email: contact@allurexp.com
See also our Terms of Service.

Allure