Privacy Policy

Last updated: January 30, 2026

This Privacy Policy explains how RentMyX ("we," "us," or the "Platform") collects, uses, stores, and shares your personal data when you use the RentMyX marketplace at rentmyx.app and all associated services (collectively, the "Service"). It also describes your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy should be read together with our Terms of Service and Cookie Policy. Capitalised terms not defined here have the meanings given in the Terms of Service.

1. Data Controller

The data controller for personal data processed through the Service is:

RentMyX

Email: hello@rentmyx.app

If you have any questions about this Privacy Policy or how we process your data, please contact us at the address above.

2. Personal Data We Collect

2.1 Data You Provide Directly

| Category | Examples |
| --- | --- |
| Account data | Email address, display name, profile picture, login method (email, Google, or X OAuth). |
| Creator listing data | Surface descriptions, pricing, availability, preferred currency. |
| Campaign content | Creative assets (images, text) submitted by Buyers, Proof of Delivery screenshots uploaded by Creators. |
| Messages | In-Contract messages exchanged between Buyers and Creators through the Platform. |
| Payment data | Billing country and currency. Credit card numbers and bank account details are collected and stored exclusively by our Payment Processor (Stripe) — we never see or store these. |
| Support & feedback | Messages you send us via email or in-app feedback, including any personal data you choose to include. |

2.2 Data from X (Twitter) OAuth

When you connect your X account via OAuth (required for Creators, optional for other users), we receive:

  • Public profile data: X user ID, handle, display name, bio, profile image URL, banner image URL, follower count, following count, post count.
  • Profile email address: The email associated with your X account, used as your contact email on the Platform if you do not already have one on file.
  • OAuth tokens: Access and refresh tokens needed to read profile data and, for active Campaigns, update profile Surfaces on your behalf.

We never collect or store your X password. All authentication is handled through X's OAuth 2.0 PKCE flow. You can revoke our access at any time through your X account settings.

2.3 Data from Google OAuth

When you sign in with Google, we receive your Google email address and basic profile information (name, profile picture) to create or identify your account. Your Google email address is used as your contact email on the Platform for transactional notifications and account communications. We do not request or receive access to your Google Drive, Gmail, Calendar, or any other Google services.

2.4 Automatically Collected Data

| Category | Details |
| --- | --- |
| Usage analytics | Pages visited, time on page, referral source. Collected via a privacy-focused, cookie-free analytics tool (see Section 8). |
| Server logs | IP address, browser type and version, operating system, request timestamps, HTTP status codes. Retained for security and diagnostics. |
| Authentication tokens | JSON Web Tokens (JWTs) stored in your browser's local storage to maintain your session. |

3. Legal Bases for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:

| Legal Basis | Processing Activity | GDPR Article |
| --- | --- | --- |
| Contract performance | Account creation and management; facilitating Contracts between Buyers and Creators; processing payments and Payouts via the Payment Processor; delivering transactional notifications (booking confirmations, Campaign updates, payout summaries); in-Contract messaging. | Art. 6(1)(b) |
| Legitimate interests | Fraud prevention and platform security; analytics to improve the Service; moderation and enforcement of our Terms; maintaining server logs for security and diagnostics; refreshing public X profile data for Creator listings. | Art. 6(1)(f) |
| Consent | Marketing communications (product updates, tips, promotions); optional cookies or tracking beyond strictly necessary functionality. | Art. 6(1)(a) |
| Legal obligation | Retention of financial transaction records for tax and accounting compliance; responding to lawful requests from public authorities. | Art. 6(1)(c) |

Where we rely on legitimate interests, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

4. How We Use Your Data

We process personal data for the following purposes:

  • Providing the Service: Creating and managing your account, authenticating logins, facilitating the Contract lifecycle (negotiation, payment, Campaign execution, completion, Payouts).
  • Payment processing: Transmitting necessary data to our Payment Processor to collect payments from Buyers, hold funds in Escrow, and execute weekly Payouts to Creators.
  • Communications: Sending transactional emails (booking invitations, Contract updates, Campaign reminders, payout confirmations, security alerts) and, where you consent, marketing communications.
  • Profile verification: Periodically refreshing public X profile data (follower counts, handle, display name, images) to keep Creator listings accurate.
  • Dispute resolution: Reviewing Contract history, messages, and Proof of Delivery when mediating disputes between Buyers and Creators during the Recourse Window.
  • Moderation & safety: Detecting and preventing fraud, enforcing our Terms (including prohibited content and conduct), protecting the integrity of the marketplace.
  • Service improvement: Analysing aggregate, anonymised usage patterns to improve features, performance, and user experience.
  • Legal compliance: Retaining records as required by tax, accounting, and other legal obligations.

5. Data Sharing & Sub-Processors

5.1 Other Users

The Platform is a two-sided marketplace. Certain data is shared between users to facilitate Contracts:

  • Creator listings are publicly visible on the marketplace and include your X handle, display name, profile image, follower count, Surface descriptions, and pricing.
  • Buyer identity is shared with Creators as a display name and username when a booking is created. We do not share your email address with the other party.
  • In-Contract messages are visible to both parties in the Contract and to Platform moderators if a dispute arises.

5.2 Sub-Processors

We use the following third-party sub-processors to operate the Service. All sub-processors are bound by data processing agreements and process data only on our instructions.

| Provider | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| Stripe | Payment processing, Escrow, Payouts | Payment card details, bank account details, billing country, transaction amounts, payout amounts | EU / US |
| Brevo | Transactional & marketing email delivery | Email address, display name, email content | EU |
| Amazon Web Services (AWS) | Cloud hosting, file storage (S3), database infrastructure | All data processed by the Service (stored encrypted at rest) | EU (eu-central-1) |
| Simple Analytics | Privacy-focused website analytics | Anonymised page views, referral sources — no personal data, no cookies | EU |
| X (Twitter) API | OAuth authentication, profile data refresh | OAuth tokens, public profile data | US |
| Google OAuth | Authentication | Email address, basic profile (name, picture) | EU / US |

We may update this list when we add or change sub-processors. Material changes will be communicated via email or in-app notification.

5.3 Legal Disclosures

We may disclose personal data if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation or lawful request from a public authority.
  • Protect the rights, property, or safety of RentMyX, our users, or the public.
  • Detect, prevent, or address fraud, security incidents, or technical issues.
  • Enforce our Terms of Service.

5.4 Business Transfers

If we are involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you by email and/or prominent notice on the Service before any such transfer and before your data becomes subject to a different privacy policy.

6. International Data Transfers

Our primary infrastructure is hosted exclusively within the European Union (AWS eu-central-1). Email delivery (Brevo) and website analytics (Simple Analytics) are also EU-based.

Certain sub-processors may transfer data outside the EU/EEA:

  • Stripe: Processes payment data in the EU and US. Transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission and Stripe's Data Processing Agreement.
  • X (Twitter) API: OAuth tokens and public profile data are processed by X Corp. in the US. This data is inherently public on X's platform and the transfer is necessary for the performance of the contract (Art. 49(1)(b) GDPR).
  • Google OAuth: Authentication data is processed by Google in the EU and US under Google's GDPR-compliant Data Processing Terms.

We do not transfer personal data to countries outside the EU/EEA except through the sub-processors listed above and only with appropriate safeguards in place.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Account data | While account is active + 30 days grace period after deletion request | Contract performance; allow cancellation of deletion |
| Financial transaction records | 7 years after the transaction | Tax and accounting obligations (Austrian Federal Fiscal Code §132; EU VAT Directive) |
| Contract & Campaign data | Duration of Contract + 3 years | Dispute resolution, legal claims (statute of limitations) |
| In-Contract messages | Duration of Contract + 3 years | Dispute evidence, moderation audit trail |
| Proof of Delivery media | Duration of Contract + 1 year | Campaign verification and dispute evidence |
| X OAuth tokens | While X account is linked; deleted immediately on unlink or account deletion | Contract performance (profile data refresh) |
| Server logs | 90 days | Security, abuse prevention, diagnostics |
| Support & feedback | 3 years after the inquiry is resolved | Service improvement, legal compliance |
| Marketing consent records | 3 years after consent is withdrawn | Proof of consent (ePrivacy compliance) |

When an account is deleted (see Section 11), personal data is anonymised or deleted. Transaction records required by law are retained in a pseudonymised form (with personal identifiers removed) for the remainder of the applicable retention period.

8. Cookies & Analytics

8.1 Cookies

We use a minimal set of cookies and browser storage:

| Name / Type | Purpose | Duration | Category |
| --- | --- | --- | --- |
| JWT (localStorage) | Authentication session | Until expiry or logout | Strictly necessary |
| User mode (localStorage) | Remember buyer/creator mode preference | Persistent | Strictly necessary |
| Session dismissals (sessionStorage) | Remember dismissed prompts within a session | Browser session | Strictly necessary |

We do not use advertising cookies, third-party tracking cookies, or fingerprinting techniques. For more detail, see our Cookie Policy.

8.2 Website Analytics

We use Simple Analytics, a privacy-focused analytics service that does not use cookies, does not collect personal data, and does not track users across websites. Simple Analytics is EU-hosted and processes only anonymised page view data (page URL, referral source, country derived from anonymised IP). No consent is required because no personal data is processed.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you, together with information about how it is processed.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data. You can update most account data directly through your account settings.
  • Right to erasure (Art. 17): Request deletion of your personal data. You can initiate account deletion through Settings (see Section 11). Certain data may be retained where we have a legal obligation or legitimate interest (e.g., financial records).
  • Right to restriction (Art. 18): Request that we limit the processing of your data in certain circumstances, for example while we verify the accuracy of your data or assess an objection.
  • Right to data portability (Art. 20): Request a copy of the personal data you provided to us in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
  • Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. If you are in Austria, the competent authority is the Austrian Data Protection Authority (Datenschutzbehörde, dsb.gv.at). A list of EEA supervisory authorities is available at edpb.europa.eu.

How to exercise your rights: Contact us at hello@rentmyx.app with your request. We will verify your identity and respond within thirty (30) days. In complex cases, we may extend this by an additional sixty (60) days with notice. Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • Encryption at rest: Database and file storage are encrypted at rest using AES-256 via AWS.
  • Passwordless authentication: We do not store passwords. Authentication uses OAuth (X, Google) or one-time codes (magic links and OTPs), which are cryptographically hashed (SHA-256) before storage.
  • Access controls: Internal access to personal data is restricted to authorised personnel on a need-to-know basis.
  • Payment security: Credit card and bank account details are processed exclusively by our PCI DSS-compliant Payment Processor (Stripe). We never see or store these details.
  • Token security: OAuth tokens are stored encrypted. Magic link tokens and OTP codes expire after fifteen (15) minutes and are single-use.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours and notify affected users without undue delay, as required by GDPR Art. 33 and 34.

11. Account Deletion & Data Anonymisation

You may request deletion of your account at any time through your account Settings. The process works as follows (see also Section 4.5 of the Terms of Service):

  • Deletion request: You initiate a deletion request through Settings. We send a confirmation email.
  • Active Contract check: Deletion is blocked if you have active Contracts or pending Payouts. These must be completed or resolved first.
  • 30-day grace period: After confirmation, a thirty (30) day grace period begins. During this period, you can cancel the deletion by logging in.
  • Permanent deletion: After thirty (30) days without cancellation, your account is permanently deleted.

What happens to your data on deletion:

  • Personal identifiers (email, display name, profile image, X handle) are removed or anonymised.
  • Linked OAuth tokens (X, Google) are deleted immediately.
  • Contract and transaction records are pseudonymised (personal identifiers replaced with anonymous IDs) and retained for the legally required retention periods (see Section 7).
  • Messages within completed Contracts are retained in pseudonymised form for the dispute resolution retention period.
  • Campaign media (Proof of Delivery screenshots, creative assets) are deleted.
  • The Payment Processor (Stripe) retains payment data according to its own retention policy and applicable financial regulations.

12. Children's Privacy

The Service is not directed at and may not be used by individuals under eighteen (18) years of age. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 18, we will take steps to delete that data as promptly as possible. If you believe a child has provided us with personal data, please contact us at hello@rentmyx.app.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you within the meaning of GDPR Art. 22. Platform features such as Campaign auto-completion (triggered by the expiry of the 24-hour Recourse Window) are based on objective time-based rules, not profiling.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, sub-processors, or applicable law. When we make material changes, we will:

  • Post the revised policy on this page with an updated "Last updated" date.
  • Notify you by email or in-app notification at least fourteen (14) days before the changes take effect.

Your continued use of the Service after the effective date constitutes acknowledgement of the updated policy. If a change materially affects processing based on your consent, we will seek renewed consent where required.

15. Contact

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or want to raise a concern about how we process your data, please contact us:

We aim to respond to all data protection inquiries within thirty (30) days.