Privacy Policy

1. Overview

Destinali ("we", "us", "our") operates the website at destinali.com, a local business directory serving businesses worldwide. This Privacy Policy applies to all users of our website and services, including visitors, registered users, and business owners who list on our platform.

We are committed to protecting your personal data and processing it fairly and transparently in accordance with applicable data protection law.

For questions about this policy, contact our data team at hello@destinali.com.

2. Data we collect

2.1 Data you give us directly

• Account registration: First name, last name, email address, password (stored as a bcrypt hash; we never store your plain-text password), and optional phone number.
• Business listings: Business name, category, address, area, phone number, WhatsApp number, website URL, business email, social media links, business hours, year founded, team size, FAQs, and photographs.
• Contact forms: Name, email or phone, and the message content you submit through a listing's contact form or our general contact page.
• Verification documents: Where you choose to verify your listing, we may collect your business registration documentation. This is stored securely and used only for verification purposes.
• Payment information: When you subscribe to a paid plan, payment is processed by Stripe. We do not store card numbers or bank account details; Stripe handles all payment data. We receive a payment intent reference, the plan selected, and subscription status.
• Reviews: If you write a review on a listing, we store the review text, star rating, and your user ID.

2.2 Data we collect automatically

• Usage data: Pages visited, listings viewed, search queries made, buttons clicked (WhatsApp, Call, Website), and time spent on pages.
• Traffic source: The HTTP Referer header, which tells us how you arrived at a listing: whether from Google, a social platform, an AI tool, or another source.
• Device and browser data: Browser type, operating system, screen resolution, and IP address (used to detect approximate country for analytics).
• Cookies and local storage: Session tokens stored in an httpOnly cookie for authentication. Analytics preferences. See the Cookies section for details.

2.3 Data from third parties

• Stripe: Subscription status, plan type, and billing cycle information.
• Google Search Console: For business owners who connect GSC, we receive anonymised search query data for their listing URLs.

3. How we use your data

3.1 To operate the platform

• Create and manage your account
• Display business listings to visitors
• Process and verify listing claims
• Facilitate contact between visitors and business owners (via form submissions and WhatsApp/Call tracking)
• Manage subscriptions and payments
• Provide the business owner dashboard and analytics

3.2 To communicate with you

• Send transactional emails: account confirmation, password reset, listing approval or rejection, payment confirmation, new review notifications
• Send service updates directly related to your account or listing
• Respond to support requests and contact form submissions

3.3 To improve the service

• Analyse which categories, areas, and listing types are most used
• Understand traffic patterns including AI-referred traffic
• Identify and fix bugs
• Measure the effectiveness of SEO and content changes

3.4 Legal bases for processing

We process your data on the following legal bases:

• Contract performance: Processing needed to provide the directory service you signed up for.
• Legitimate interests: Analytics, fraud prevention, service improvement, and platform security, where these interests do not override your rights.
• Legal obligation: Retaining business records as required by applicable law.
• Consent: Marketing communications (where applicable) and optional integrations like Google Search Console. You may withdraw consent at any time.

4. Sharing with third parties

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We share data only in the following circumstances:

• Service providers: We share data with the processors listed in Section 5 solely to operate the platform.
• Business listing visibility: Information in your public business listing (name, address, phone, hours, description, photos) is visible to all visitors by design. This is the core purpose of the directory.
• Contact form submissions: When a visitor submits a contact form on your listing, their name, contact detail, and message are forwarded to your registered business email. The visitor's email is not shown on the public listing.
• Legal requirements: We may disclose data if required by applicable law, a court order, or to protect the safety of our users or the public.
• Business transfers: If Destinali is acquired or merged, your data may transfer to the acquiring entity under the same privacy protections.

5. Data processors

We use the following third-party services to operate the platform. Each processor only receives data necessary for their specific function.

Data transfers to processors are governed by contractual safeguards consistent with applicable data protection requirements.

6. Data retention

We retain your data only as long as necessary for the purposes described in this policy.

• Account data: Retained for the life of your account. If you delete your account, your personal data is deleted within 30 days, except where we have a legal obligation to retain it.
• Business listing data: Retained while the listing is active. If a listing is deleted, the data is removed within 30 days.
• Payment records: Retained for 7 years in accordance with applicable financial record-keeping requirements.
• Analytics events: Aggregated usage data is retained indefinitely. Raw event logs are retained for 2 years.
• Contact form submissions: Retained for 12 months then deleted.
• Verification documents: Retained for 1 year after verification decision, then securely deleted.

7. Your rights

Under applicable data protection law, you have the following rights regarding your personal data:

Right to access

You may request a copy of the personal data we hold about you at any time.

Right to rectification

You may update or correct your personal data at any time through your account settings or by contacting us.

Right to erasure ("right to be forgotten")

You may request deletion of your account and personal data. We will comply within 30 days, except where retention is required by law or for legitimate business purposes (e.g. payment records).

Right to data portability

You may request an export of your data in a structured, machine-readable format.

Right to object

You may object to processing based on our legitimate interests at any time. We will stop processing unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time by unsubscribing or contacting us. Withdrawal does not affect the lawfulness of prior processing.

How to exercise your rights

Send your request to hello@destinali.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

If you believe we have not handled your data appropriately, you may lodge a complaint with the data protection authority in your jurisdiction.

8. Cookies

We use the following cookies and browser storage:

Essential cookies (always active)

• destinali_session: httpOnly, Secure, SameSite=Lax. Stores your authentication JWT token. Required to keep you logged in. Expires after 30 days.

Analytics (no third-party trackers)

We track usage events (page views, listing clicks, WhatsApp clicks) using our own database, not Google Analytics, Facebook Pixel, or any third-party analytics service. No tracking cookies are set for analytics. Your browsing data stays on Destinali's servers.

No advertising cookies

We do not run advertisements. No advertising or retargeting cookies are set on destinali.com.

You may disable cookies in your browser settings. Disabling the session cookie will prevent you from staying logged in, but will not affect your ability to browse the directory as a visitor.

9. Children

Destinali is not intended for children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@destinali.com and we will delete the data promptly.

10. Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These measures include:

• Passwords stored as bcrypt hashes (12 rounds), never in plain text
• Authentication via httpOnly, Secure, SameSite cookies, not localStorage
• All data transmitted over HTTPS
• Database access restricted to application servers
• Payment card data never stored on our servers; handled entirely by Stripe
• Cloudflare signed uploads: media uploaded directly to Cloudflare without passing through our servers

No system is completely secure. If you believe your account has been compromised, change your password immediately and contact us at hello@destinali.com.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Continued use of Destinali after changes take effect constitutes acceptance of the revised policy.

12. Contact us

For privacy-related questions, data access requests, or complaints:

• Email: hello@destinali.com
• General contact: destinali.com/contact
• Address: Destinali, Delaware, United States

We aim to respond to all privacy requests within 30 days.