yumpara
Log in

Privacy Policy

Last updated: 2026-04-26

1. Who we are

The data controller for personal data processing pursuant to the EU Regulation 2016/679 ("GDPR") and the UK GDPR is yumpara. For any request you can write to us at [email protected].

2. Data collected

We only collect the data necessary to provide you with the service:

  • Account: username, email, password (stored only as a bcrypt hash).
  • Profile: optional avatar, city, approximate neighbourhood/area (within about 300 m of the actual point, randomised for privacy).
  • Listings: title, description, photos, category, individual listing location (also randomised).
  • Messages: content exchanged between users, stored on our systems.
  • Reviews and reports: ratings, comments and reports you submit.
  • Technical logs: IP address, user agent, date/time and pages visited, retained for security and anti-fraud purposes.
  • Payments (only if you subscribe to a Premium plan): processed exclusively by Stripe; we do NOT store card numbers.

3. Purpose of processing

We process your data for the following purposes and legal bases (Art. 6 GDPR):

  • Service provision (account creation, listing publication, messaging) — basis: performance of a contract (Art. 6.1.b).
  • Security, anti-fraud, moderation, access logs — basis: legitimate interest (Art. 6.1.f).
  • Legal obligations (e.g. responses to authorities) — basis: legal obligation (Art. 6.1.c).
  • Aggregate usage statistics via analytics cookies — basis: consent (Art. 6.1.a), revocable at any time.
  • Premium payments via Stripe — basis: performance of a contract (Art. 6.1.b).

4. Data retention

  • Active accounts: until deletion is requested by the user.
  • Deleted accounts: removed within 30 days; we only retain anonymised registration logs for legal obligations (maximum 2 years).
  • Rented listings: visible for 10 days, then archived and permanently deleted within 90 days.
  • Messages: retained for the duration of the conversation; deleted on user request or upon account closure.
  • Technical logs: maximum 12 months.

5. Data recipients and transfers

We share personal data exclusively with providers that help us operate the service, acting as data processors:

  • Hosting and infrastructure: servers located in the EEA.
  • Stripe (Stripe Payments Europe Ltd, Ireland) for Premium payments — only if you subscribe. Privacy: stripe.com/privacy.
  • Google Analytics (Google Ireland Ltd) — only if you accepted analytics cookies. Anonymised IP. Privacy: policies.google.com/privacy.
  • Nominatim/Photon (OpenStreetMap): external APIs used only to suggest neighbourhood names while typing — we do not send account data, only the partial string typed and the city's approximate location.

Any transfers outside the EEA (e.g. analytics backups to the USA by Google) take place under the Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46 GDPR.

6. Your rights

At any time you can exercise the following rights (Art. 15-22 GDPR and UK GDPR):

  • access your data and obtain a copy;
  • rectify inaccurate data;
  • delete your account and related data ("right to be forgotten");
  • restrict or object to processing;
  • data portability in a structured format;
  • withdraw consent to analytics cookies (see the cookie section below);
  • lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or, for the United Kingdom, with the Information Commissioner's Office (ico.org.uk).

You can delete your account directly from your Profile Settings. For other requests, write to us at [email protected]: we will reply within 30 days as required by the GDPR.

Account deletion

You can delete your Yumpara account and all associated data at any time, directly from the app or the website.

How to delete your account

  1. Open the Yumpara app or log in to yumpara.com with your credentials.
  2. Go to Profile → Settings.
  3. Scroll to the bottom of the page and click "Delete account".
  4. Confirm by entering your password. The account is deleted immediately.

What gets deleted

Deletion permanently removes:

  • Account, email, password, public profile
  • All your listings with their photos
  • All conversations and messages you sent
  • All reviews you received and wrote
  • Saved searches, favorites and wishlist
  • Avatar, profile photo and profile data

Lost access to your account (forgotten password, unreachable email)? Email [email protected] from the email address registered to your account. We will respond within 30 days with deletion confirmation.

Deletion is irreversible: deleted data cannot be recovered. Any backups containing your data are rotated and overwritten within 90 days.

7. Minors

yumpara is not intended for users under 16 (14 in Italy pursuant to Legislative Decree 101/2018). If we become aware of a minor's account, we will promptly remove it.

8. Security

Passwords are stored encrypted with bcrypt; the site runs entirely on HTTPS; sessions use HttpOnly and SameSite=Lax cookies. We implement rate limiting and monitoring of anomalous access.

9. Changes to this policy

We reserve the right to update this policy. Significant changes will be communicated with a notice on the site; the date of the latest update is shown at the top of the page.

Cookie Policy

This section supplements the policy above and describes the use of cookies and similar technologies pursuant to Directive 2002/58/EC ("ePrivacy") and the Italian Data Protection Authority Guidelines of 10 June 2021.

What cookies are

Cookies are small text files that the site saves in your browser to remember information (e.g. the login session, the selected language). Some are essential for operation, others are optional and require your consent.

Cookies used

Name Type Purpose Duration Consent
yumpara_session Technical Login session. Session Not required
XSRF-TOKEN Technical CSRF protection (security). Session Not required
yumpara_city Technical Stores the selected city. 1 year Not required
yp_ui_lang Technical Interface language. 1 year Not required
yp_cookie_consent Technical Stores your choice on this banner. 1 year Not required
_ga, _ga_* Analytical (third party — Google) Aggregate usage statistics. Anonymised IP. Up to 2 years Required
__stripe_mid, __stripe_sid Technical (third party — Stripe) Payment anti-fraud. Loaded ONLY during Premium checkout. 1 year / 30 min Not required (service requested by the user)

Your choices

When you arrive on the site we show you a banner with two options: Accept (also enables analytics cookies) or Reject (only strictly necessary technical cookies). You can change your mind at any time from the panel below. Your choice is stored in the yp_cookie_consent cookie.

Current status: No choice made

Disable cookies in your browser

Alternatively you can configure your browser to block or delete cookies. Note that disabling technical cookies will prevent the site from working correctly.