This Privacy Policy describes how SPARTAN LABS LLP ("ZenHost", "we") collects, processes and retains personal data of users of its short-term rental management service. It is drawn up in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (United Kingdom), as well as Regulation (EU) 2016/679 (the "EU GDPR") for data subjects established in the European Economic Area (art. 3 GDPR — extraterritorial application).
1. Data controller
The data controller, within the meaning of article 4(7) of the UK GDPR and the EU GDPR, is SPARTAN LABS LLP, a Limited Liability Partnership (LLP) registered with Companies House under number OC457265, with registered office at 24-26 Arcadia Avenue, Fin009/8659, London N3 2JU, United Kingdom.
For any question relating to the protection of your data, you may contact our privacy officer at support@zenhost.com. A Data Protection Officer (DPO) will be appointed where the thresholds of article 37 of the UK GDPR / EU GDPR are reached; their contact details will be published on this page where applicable.
SPARTAN LABS LLP undertakes to respond to requests relating to the processing of your personal data within the timeframes set out in article 12(3) of the GDPR / UK GDPR (one month, extendable by two months).
2. Scope
This Policy applies to all processing activities carried out (i) through the consultation of the public site at https://app.zenhost.com, (ii) through the subscription to and use of the ZenHost service by our professional customers (property owners, agencies, property-management companies), and (iii) during commercial interactions with prospects who have filled in a demo request form or joined our waitlist.
Guest data hosted by our customers is processed by SPARTAN LABS LLP as a processor (within the meaning of article 28 of the UK GDPR / EU GDPR) under the Data Processing Agreement (DPA) entered into with each customer.
3. Data collected
We collect only the categories of data strictly necessary for the purposes pursued:
- Account data: email address, first name, last name, authentication credentials, language and time zone, interface preferences.
- Business data: legal name, company number, address, role, phone number.
- Billing data: information necessary for issuing invoices and collecting payment. Bank data (card number, security code) is processed directly by our provider Stripe and never stored on our servers.
- Service data: listings, calendars, messages exchanged with guests, check-in documents, content you upload into your workspace.
- Technical data: IP addresses, session identifiers, activity logs, browser and operating-system information, collected for security and diagnostic purposes.
- Commercial data: contact details provided during a demo request or waitlist signup, and history of exchanges.
4. Purposes of processing
Each processing activity is based on an explicit legal basis in accordance with article 6 of the UK GDPR / EU GDPR:
| Purpose | Data involved | Legal basis |
|---|---|---|
| Service provision and contract performance | Account, business and service data | Performance of contract — art. 6(1)(b) |
| Billing and accounting | Billing data, payment history | Legal obligation — art. 6(1)(c) (Companies Act 2006 s.388) |
| Service security and fraud prevention | Activity logs, IP addresses, technical identifiers | Legitimate interest — art. 6(1)(f) |
| Commercial prospecting and waitlist management | Commercial data, business contact details | Consent — art. 6(1)(a) / B2B legitimate interest (PECR 2003) |
| Compliance with legal obligations | Billing data, history of reports | Legal obligation — art. 6(1)(c) |
| Handling rights requests and disputes | All data necessary for the request | Legal obligation and legitimate interest — art. 6(1)(c) and (f) |
5. Recipients and subprocessors
Data is processed by authorised personnel of SPARTAN LABS LLP. It may be disclosed to processors within the meaning of article 28 of the UK GDPR / EU GDPR, acting exclusively on instruction and under contracts imposing an equivalent level of protection:
- Infrastructure & service: Supabase (database — Canada, AWS Montreal), Vercel (application hosting — EU/US), Cloudflare Turnstile (anti-bot captcha on public forms).
- Payments: Stripe (independent controller for card data).
- Communications: Resend (transactional email — EU).
No data is sold or transferred to third parties for commercial purposes. The full up-to-date list is published in the Legal Notice.
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | PostgreSQL database, authentication and object storage | Canada and United States | Standard Contractual Clauses (UK IDTA / EU SCCs) |
| Vercel | Application hosting, content delivery and serverless runtime | Multiple regions | Standard Contractual Clauses (UK IDTA / EU SCCs) |
| Stripe | Payment processing and subscription management | Multiple regions | Standard Contractual Clauses (UK IDTA / EU SCCs) |
| Resend | Transactional email delivery (confirmations, notifications) | Multiple regions | Standard Contractual Clauses (UK IDTA / EU SCCs) |
| Cloudflare Turnstile | Bot protection on public forms (Turnstile captcha) | Global (captcha validation) | Standard Contractual Clauses |
6. Transfers outside the UK and EU
Some of our subprocessors may be established outside the United Kingdom and the European Economic Area (notably in Canada and the United States). In such cases, transfers are governed by:
- the European Commission's adequacy decision of 20 December 2001 (Decision 2002/2/EC) for transfers to Canada (applicable to Canadian organisations subject to PIPEDA);
- the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914 of 4 June 2021) for transfers to third countries without an adequacy decision;
- the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs published by the ICO for users established in the United Kingdom;
- where applicable, certification under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) and its UK Extension.
A copy of the applicable safeguards can be obtained upon written request to support@zenhost.com.
7. Retention periods
Data is retained only for the duration strictly necessary for the purposes for which it is processed:
- Account and service data: for the entire duration of the contractual relationship, then intermediate archiving for 6 years for evidentiary purposes under the Limitation Act 1980.
- Billing data: 6 years from the close of the accounting year (Companies Act 2006, s.388).
- B2B prospecting data: 3 years from the last contact initiated by the prospect.
- Connection logs: 12 months maximum from their recording.
- Data related to rights requests: 1 year after closing the request, or 6 years in the event of a dispute.
8. Your rights
In accordance with articles 15 to 22 of the UK GDPR and EU GDPR, you have the following rights over your personal data:
- Right of access (art. 15): obtain confirmation that your data is being processed and receive a copy of it.
- Right to rectification (art. 16): have inaccurate or incomplete data corrected.
- Right to erasure (art. 17): request the deletion of your data in the cases provided for.
- Right to restriction (art. 18): temporarily suspend the processing of your data.
- Right to portability (art. 20): receive your data in a structured, commonly used and machine-readable format.
- Right to object (art. 21): object to processing based on legitimate interest or to commercial prospecting.
- Right to withdraw consent at any time (art. 7(3)), without such withdrawal affecting the lawfulness of prior processing.
- Post-mortem rights (art. 85 of the French Data Protection Act, for French residents): give directions as to the fate of your data after your death.
9. Data security
In accordance with article 32 of the UK GDPR / EU GDPR, we implement appropriate technical and organisational measures: environment segregation, strong authentication for staff, access management following the principle of least privilege, logging of administrator access, regular security reviews and a backup plan. Encryption in transit (TLS) and at rest is provided at infrastructure level by our hosting sub-processors.
In the event of a personal data breach presenting a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (article 33 of the UK GDPR / EU GDPR) and, where applicable, inform you individually in accordance with article 34.
10. Minors
The ZenHost service is intended exclusively for adult professional users. We do not knowingly collect data concerning minors (minimum age of consent: 13 years under the UK GDPR; 15 years in France under the French Data Protection Act). If you believe a minor has provided us with data, please contact us at support@zenhost.com so that we can delete it.
12. Changes
Unilateral modification. This Privacy Policy may be amended at any time at SPARTAN LABS LLP's sole discretion, in particular to reflect changes in the service, its subprocessors, processing purposes, applicable regulations or supervisory-authority guidance.
Effect on publication. Changes take effect against data subjects upon publication on this page, without any prior individual notice. The "Last updated" date shown at the top of this page determines the applicable version. It is your responsibility to check this page regularly to remain aware of the Policy in force.
Mandatory carve-out. Where a mandatory provision of the GDPR / UK GDPR, the Data Protection Act 2018 or any other applicable law requires a notification period or enhanced information for certain changes (in particular a substantial change of purpose or legal basis for an ongoing processing — art. 13(3) GDPR), such provision shall prevail over this clause and SPARTAN LABS LLP shall comply with it for the relevant change only.
13. Contact us
For any question or concern regarding the processing of your personal data, write to support@zenhost.com — we commit to responding within the deadline set by article 12(3) of the UK GDPR / EU GDPR.
In accordance with article 77 of the UK GDPR / EU GDPR, you also have the right to lodge a complaint with a competent supervisory authority if you believe your rights are not being respected.