Privacy Notice

Last updated: 2026

1. Who we are

Enomads ("we", "us", "our") is the data controller for personal data processed via enomads.eu and the Enomads mobile applications.

Controller: Enomads — Camil Predescu, sole trader, Bucharest, Romania.
Privacy contact: privacy@enomads.eu
General contact: hello@enomads.eu

2. Personal data we collect

  • Account data: name, email, password (hashed with bcrypt and checked against the Have I Been Pwned database), display name, avatar.
  • Profile data: home city, bio, account type (nomad/host).
  • Content you post: reviews, blog posts, comments, direct messages, location entries, photos.
  • Usage / telemetry: pages visited, features used, device type, browser, truncated IP address, referrer.
  • Payment data: handled directly by Paddle.com — we never see your card details. We only receive a transaction reference, currency and amount.
  • Support communications: messages you send us via email or in-app chat.

3. Why we use it & legal basis (GDPR Art. 6)

  • Provide the Service (account, content, messaging) — performance of the contract (Art. 6(1)(b)).
  • Process purchases & subscriptions via Paddle — performance of the contract and legal obligation for invoicing (Art. 6(1)(b) & (c)).
  • Security, abuse prevention, content moderation — legitimate interests (Art. 6(1)(f)).
  • Improve the product with aggregated usage data — legitimate interests.
  • Marketing & newsletters — only with your explicit consent (Art. 6(1)(a)), revocable at any time.
  • Tax & accounting records — legal obligation (Art. 6(1)(c)).

4. Sub-processors

We use the following sub-processors to deliver the Service. All have been contracted under GDPR-compliant Data Processing Agreements:

  • Supabase Inc. (USA / EU region) — database, authentication, file storage. Standard Contractual Clauses apply.
  • Cloudflare Inc. (USA / global) — CDN, DDoS protection, edge hosting.
  • Paddle.com Market Ltd. (UK) — Merchant of Record for payments, tax compliance, invoicing and chargeback handling.
  • Resend / Lovable Email — transactional email delivery (signup confirmation, password reset, notifications).
  • Google LLC — only if you sign in with Google (OAuth).
  • Firecrawl & Unsplash — image enrichment for venue listings (no personal data shared).

5. International transfers

Where data is transferred outside the UK/EEA (mainly to the USA), we rely on EU Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework. We do not use sub-processors that have been ruled inadequate by the European Commission.

6. Retention

  • Account data: kept while your account is active, plus 30 days after deletion (for fraud prevention).
  • Public content (reviews, blog posts): kept indefinitely unless you delete it; deletion is honoured within 30 days.
  • Direct messages: 24 months after last activity, then permanently deleted.
  • Payment / invoice data: 7 years (Romanian tax law).
  • Server / security logs: 90 days, then anonymised.

7. Your rights (GDPR Art. 15-22)

You have the right to:

  • Access a copy of your data.
  • Rectify inaccurate or incomplete data.
  • Erase your account and associated data ("right to be forgotten").
  • Restrict or object to certain processing (e.g. direct marketing).
  • Data portability — receive your data in a machine-readable format (JSON).
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with your supervisory authority — in Romania, the ANSPDCP.

To exercise any of these rights, email privacy@enomads.eu. We respond within 30 days.

8. Security measures

  • TLS 1.3 encryption in transit (HTTPS everywhere).
  • Passwords hashed (bcrypt) and screened against the Have I Been Pwned breach database at signup.
  • Row-Level Security on every database table — users can only access their own data.
  • Role-based access control for admin/moderator features.
  • Security audit logs retained for 90 days.
  • Periodic dependency & vulnerability scanning.

9. Cookies, tracking & analytics

We use strictly necessary cookies for authentication and session management. We do not use third-party advertising or marketing cookies.

We use Google Analytics 4 (GA4) to understand how visitors use our site. GA4 collects anonymized data including pages visited, time on site, browser type, and country. We have configured GA4 with IP anonymization and Google Consent Mode v2 — analytics cookies are denied by default and only set after you explicitly click "Accept" on our cookie banner. We do not share data with advertising platforms. You can opt out at any time by clicking "Decline" on the banner, clearing the enomads_cookie_consent entry in your browser storage, or installing the Google Analytics Opt-out Browser Add-on.

10. Children

Enomads is not directed at children under 16. We do not knowingly collect data from minors. If you believe a child has registered, contact us and we will delete the account.

11. Changes to this notice

We will post material changes here and notify registered users by email at least 14 days before they take effect.

12. Contact

Questions about your data? Email privacy@enomads.eu.