Privacy Policy
How OXLY collects, uses, shares, and protects personal data.
Effective Date: 1 July 2026
Last Updated: 1 July 2026
This Privacy Policy (the “Policy”) explains how IN SPOT SLU, with registered office at Carretera d’Engolasters 27A 2-1, Andorra, tax / registration number L-919089-T (“OXLY,” “Company,” “we,” “us,” or “our”), collects, uses, discloses, stores, and otherwise processes personal data in connection with the OXLY platform (the “Platform”).
This Policy applies to personal data processed through:
- the website currently available at oxly.eu and related domains, including without limitation oxly.eu, oxly.eu, and future related domains or localized versions;
- any OXLY mobile application;
- related booking, messaging, profile, payment, support, verification, trust, and promotional features;
- communications with us by email, contact form, customer support, or other official channels.
This Policy should be read together with the Terms of Platform Use, Payments & Payout Terms, Provider Terms, Booking, Cancellation & Refund Policy, Cookie Policy, and other applicable Platform policies.
1. Who We Are
The controller of your personal data for the purposes described in this Policy is:
IN SPOT SLU
Carretera d’Engolasters 27A 2-1, Andorra
Tax / Registration No.: L-919089-T
Legal contact: a.samoylov@inspot.ad
Support contact: help@oxly.eu
Privacy contact: [insert dedicated privacy email if you want one]
Data Protection Officer (if appointed): [insert name / contact details]
If we appoint a Data Protection Officer or another dedicated privacy contact, we may update this Policy accordingly.
2. Scope of This Policy
This Policy applies to personal data relating to:
- visitors to the Platform;
- registered users;
- Customers;
- Providers;
- Employees authorized to manage Provider functions;
- business contacts;
- persons who communicate with us;
- persons whose data appears in content, messages, listings, or booking-related materials submitted through the Platform.
This Policy does not apply to processing carried out independently by third parties that are not under our control, including independent Providers acting as their own controllers for their own business operations, or third-party websites, apps, social networks, payment providers, or verification services that have their own privacy notices.
3. Categories of Personal Data We Collect
Depending on how you use the Platform, we may collect and process the following categories of personal data.
3.1 Data You Provide Directly
This may include:
- full name;
- email address;
- phone number;
- password or login credentials information;
- profile information;
- profile photo;
- social media links or identifiers;
- business name and business profile information;
- service category information;
- descriptions, portfolios, logos, before/after materials, and other uploaded content;
- booking details;
- messages sent through the Platform;
- support requests and related correspondence;
- marketing preferences;
- information you provide when participating in surveys, promotions, waitlists, or onboarding flows.
3.2 Provider and Business Verification Data
If you act as a Provider, or where verification is required, we may collect or receive:
- identity data;
- date of birth, where required;
- government-issued ID data;
- selfie or liveness-check data where required by the verification flow;
- business registration data;
- tax identifiers;
- bank or payout-related information;
- beneficial ownership or legal representative information;
- professional license or permit information;
- insurance information;
- other compliance or risk-review materials.
3.3 Booking and Transaction Data
If you request, manage, or provide services, we may process:
- booking dates and times;
- service type and category;
- customer and provider identifiers;
- booking status;
- rescheduling and cancellation data;
- refund and complaint data;
- service-related communications;
- pricing information;
- subscription and promotional purchase data;
- billing information;
- payment-related metadata received from payment providers.
3.4 Technical and Usage Data
When you use the Platform, we may automatically collect certain technical information, such as:
- IP address;
- device type;
- operating system;
- browser type;
- app version;
- language and locale settings;
- date and time of access;
- log data;
- cookies and similar technologies data;
- identifiers associated with sessions, devices, or analytics tools;
- crash reports, diagnostics, and performance data;
- approximate location inferred from IP or device settings where applicable.
3.5 Data From Third Parties
We may receive personal data from third parties, such as:
- payment providers;
- identity verification providers;
- login providers such as Google or Apple;
- analytics and hosting vendors;
- customer support tools;
- fraud-prevention, trust, and security providers;
- social platforms where you connect your account or provide public business information;
- other users who submit booking requests, reviews, complaints, or messages involving you.
4. How We Collect Personal Data
We collect personal data:
- directly from you when you create an account, complete a profile, make a booking, send a message, purchase a subscription, contact support, or otherwise interact with the Platform;
- automatically through cookies, logs, SDKs, device signals, and similar technologies;
- from third-party service providers that support authentication, payments, analytics, verification, fraud prevention, hosting, communication, or customer support;
- from other users where relevant to bookings, reviews, complaints, disputes, or moderation.
5. Purposes of Processing and Legal Bases
We process personal data only where we have an appropriate legal basis under applicable data protection law.
Depending on the context, we may process personal data for the following purposes.
5.1 To Provide the Platform and Manage Accounts
This includes:
- creating and maintaining user accounts;
- enabling login and authentication;
- displaying and managing profiles;
- enabling bookings, messaging, reviews, and account features;
- delivering subscriptions, promotion services, and other digital services.
Legal basis: performance of a contract or steps taken at your request before entering into a contract.
5.2 To Operate Bookings and User-to-User Features
This includes:
- creating, managing, confirming, rescheduling, and canceling bookings;
- enabling customer-provider communications;
- handling service-related workflows;
- processing complaints, disputes, and refund reviews.
Legal basis: performance of a contract; legitimate interests in operating and improving the Platform.
5.3 To Verify Users and Protect Trust & Safety
This includes:
- identity checks;
- provider verification;
- fraud prevention;
- security monitoring;
- policy enforcement;
- risk-based review of categories or accounts;
- handling abuse, prohibited services, and suspicious conduct.
Legal basis: legitimate interests in protecting users, the Platform, payment systems, and legal compliance; legal obligations where applicable.
5.4 To Process Payments, Billing, and Payouts
This includes:
- processing subscriptions and paid features;
- supporting payment and payout setup where enabled;
- working with payment providers;
- keeping financial records;
- handling reversals, chargebacks, disputes, and related support.
Legal basis: performance of a contract; legal obligations; legitimate interests in financial administration, fraud prevention, and payment security.
5.5 To Communicate With You
This includes:
- sending transactional emails, booking updates, account notices, and support responses;
- sending service messages related to security, legal updates, billing, moderation, or material product changes;
- responding to requests, complaints, and legal notices.
Legal basis: performance of a contract; legal obligations; legitimate interests in operating the service.
5.6 To Improve, Secure, and Develop the Platform
This includes:
- analytics and service improvement;
- debugging, troubleshooting, and performance monitoring;
- preventing misuse;
- product research, feature development, and internal reporting;
- maintaining logs and audit trails.
Legal basis: legitimate interests in maintaining, securing, and improving the Platform; consent where required for certain cookies or tracking tools.
5.7 To Comply With Legal and Regulatory Obligations
This includes:
- responding to lawful requests from authorities;
- complying with accounting, tax, sanctions, anti-fraud, or data-protection obligations;
- maintaining records;
- notifying security breaches where required by law.
Legal basis: legal obligation.
5.8 To Send Marketing or Promotional Communications
Where permitted by law, we may send you newsletters, promotional information, product announcements, or marketing messages.
Legal basis: your consent where required; otherwise our legitimate interests in marketing our services where lawful. You may opt out at any time.
6. Sensitive Data and High-Risk Categories
The Platform is not intended to require routine submission of special categories of personal data unless this is necessary for a particular lawful feature or category and appropriate safeguards are in place.
Users should not upload or share unnecessary sensitive personal data through listings, messages, or profile content. If a Provider, Customer, or other User submits sensitive data, they remain responsible for ensuring that they are entitled to do so and that the disclosure is lawful.
Where we must process sensitive or high-risk data in a lawful context, we will do so only on an appropriate legal basis and with appropriate safeguards.
7. Verification and Trust Signals
If the Platform displays a “verified” badge or similar trust signal, we may process personal data to support that feature, including identity verification, business verification, or document review.
A verification badge reflects only the limited scope of the relevant verification process. It does not mean that we guarantee legality, safety, professional competence, ongoing compliance, or suitability for a specific purpose.
8. Cookies and Similar Technologies
We use cookies, SDKs, local storage, and similar technologies for purposes such as:
- essential platform functionality;
- authentication and session management;
- security;
- preferences;
- analytics;
- performance;
- marketing, where applicable and lawful.
Further information should be provided in the Cookie Policy and, where required, in our cookie banner or consent management tools.
9. Recipients and Categories of Third Parties
We may share personal data with the following categories of recipients where necessary:
- hosting and cloud infrastructure providers;
- analytics providers;
- customer support providers;
- authentication and login providers;
- communication and messaging tools;
- payment processors and payout providers;
- identity verification and fraud-prevention providers;
- legal, tax, accounting, or compliance advisers;
- regulators, courts, law-enforcement bodies, or other authorities where legally required;
- other users where necessary for bookings, messages, profiles, reviews, or dispute resolution;
- prospective acquirers, investors, or group entities in the context of a corporate transaction, subject to appropriate safeguards.
We do not sell personal data in the ordinary sense of transferring personal data to third parties for their own unrelated commercial use.
10. International Data Transfers
Because the Platform uses technical, payment, verification, support, and infrastructure partners, personal data may be processed in countries other than the country where you are located.
Where personal data is transferred internationally, we will seek to use an appropriate legal mechanism and suitable safeguards under applicable law, such as:
- adequacy decisions;
- contractual safeguards;
- processor obligations;
- other lawful transfer tools recognized by applicable law.
You may contact us for more information about the safeguards we rely on for relevant transfers.
11. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, including for:
- account administration;
- bookings and customer support;
- security and fraud prevention;
- legal, tax, accounting, and audit obligations;
- dispute handling and enforcement;
- backup and business continuity requirements.
Retention periods may vary depending on the type of data and the reason we hold it.
When personal data is no longer required, we may delete it, anonymize it, or retain it in blocked or restricted form where required for legal claims, recordkeeping, compliance, or defense of rights.
12. Data Security
We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, misuse, or destruction, taking into account the nature of the data and the risks involved. APDA and EDPB guidance both emphasize risk-based security measures and privacy by design/default.
No system can be guaranteed to be completely secure. You are also responsible for protecting your credentials, devices, and account access.
If we become aware of a personal data breach that triggers notification obligations under applicable law, we will act in accordance with those requirements. APDA states that reportable breaches must be notified to the authority without undue delay and, where applicable, within 72 hours, and affected individuals must also be informed where the risk is high.
13. Your Privacy Rights
Depending on applicable law, you may have the right to:
- access your personal data;
- correct inaccurate or incomplete data;
- request deletion of your data;
- object to certain processing;
- request restriction of processing;
- request portability of data;
- withdraw consent where processing is based on consent;
- lodge a complaint with the competent supervisory authority.
APDA states that these rights include access, rectification, objection, erasure, restriction, and portability, and that the controller should respond without delay and generally within one month, with a possible extension in more complex cases.
To exercise your rights, contact us at:
- help@oxly.eu
- a.samoylov@inspot.ad
- [insert privacy / DPO contact if you add one]
We may need to verify your identity before acting on certain requests.
14. Complaints to APDA
If you believe your personal data has been handled unlawfully, you may lodge a complaint with the Agència Andorrana de Protecció de Dades (APDA), the Andorran supervisory authority. APDA’s website states that it handles complaints, provides rights information, and is reachable at apda@apda.ad and (+376) 808 115, with its office at C/ Doctor Vilanova, 15-17 (planta -5), AD500 Andorra la Vella.
15. Marketing Choices
You may opt out of marketing emails by:
- clicking the unsubscribe link in the email, where available;
- changing your communication preferences in your account, where available;
- contacting us directly.
Even if you opt out of marketing, we may still send you non-promotional messages relating to your account, bookings, security, legal updates, billing, or support.
16. Children
The Platform is not intended to be used by persons who cannot lawfully enter into binding agreements under applicable law.
We do not knowingly collect personal data directly from children in a manner that is not authorized by law. If you believe that a child has provided personal data unlawfully through the Platform, please contact us so that we can review and take appropriate steps.
17. Changes to This Policy
We may update this Policy from time to time.
If we make material changes, we may notify users by:
- posting the updated Policy on the Platform;
- updating the Effective Date or Last Updated date;
- sending email or in-app notices where appropriate;
- using another reasonable means of communication.
Your continued use of the Platform after the effective date of an updated Policy means that the updated version will apply, to the extent permitted by law.
18. Contact Us
For privacy questions, requests, or complaints, contact:
IN SPOT SLU
Carretera d’Engolasters 27A 2-1, Andorra
Tax / Registration No.: L-919089-T
Legal contact: a.samoylov@inspot.ad
Support contact: help@oxly.eu
Privacy / DPO contact: privacy@oxly.eu