Privacy Policy

1. Who We Are and How to Contact Us

1.1 Data Controller Identity

The data controller responsible for your personal data is:

CU DPK (trading as Peekabl)
Registered in the Republic of Bulgaria
Registered address: Sofia, Bulgaria
Email: legal@peekabl.com
Data protection contact: legal@peekabl.com
Website: peekabl.com

1.2 Supervisory Authority

As a Bulgarian-registered entity, our lead supervisory authority for GDPR purposes is the Commission for Personal Data Protection of the Republic of Bulgaria (CPDP):

Commission for Personal Data Protection
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: cpdp.bg
Email: kzld@cpdp.bg

You have the right to lodge a complaint with the CPDP or with the supervisory authority in your country of residence at any time.

2. What Personal Data We Collect

We only collect personal data that is necessary for the purposes described in this Policy. The categories of data we collect depend on whether you are a user, a host, or simply a visitor to our website.

2.1 Data You Provide Directly

• Account registration data: name, email address, username, password (where required and stored in hashed form), date of birth (to verify age eligibility)
• Profile data: profile photo, bio, location (country or city level), language preferences
• Payment data: billing name, billing address, and payment method details — full card numbers are never stored by Peekabl and are handled exclusively by our payment processor (Stripe) under PCI DSS standards
• Communications: messages you send to Peekabl via support, email, or in-platform contact forms
• Reviews and ratings: content you post as reviews or ratings of hosts or experiences
• Chat messages: messages sent during live experience sessions
• Host application data (hosts only): identity verification documents, bank account details for payouts, experience descriptions, and profile content

2.2 Data Collected Automatically

• Device and technical data: IP address, device type, operating system, browser type and version, screen resolution
• Usage data: pages visited, features used, experiences viewed or joined, session duration, clicks, and navigation paths
• Log data: server logs including timestamps, errors, and access records
• Streaming session metadata: session start and end times, connection quality data, session identifiers — Peekabl does not record the content of live streams by default; any recording feature will be clearly disclosed and consent obtained separately
• Cookie and tracking data: as described in our Cookie Policy

2.3 Data We Receive From Third Parties

• Authentication providers: if you register or log in using Google or another supported third-party provider, we receive your name and email address from that provider
• Payment processor: transaction confirmation data, fraud signals, and payment status from Stripe
• Analytics providers: aggregated usage and behaviour data from analytics tools

2.4 Data We Do Not Collect

Peekabl does not collect:

• Biometric or facial recognition data
• Government-issued ID data from users (hosts may be asked for identity verification during onboarding — this is handled by a verified third-party identity provider and is not stored by Peekabl directly)
• Sensitive special category data under GDPR Article 9 (racial origin, health data, political opinions, etc.) unless you voluntarily provide this in free-text fields such as a bio or chat — in which case you control it and we process it on the basis of your explicit consent by voluntary submission

3. Why We Process Your Data — Lawful Basis

GDPR requires us to have a lawful basis for every type of data processing. This section explains exactly why we process each category of data and what legal basis we rely on. We do not process your data for any purpose not listed here.

3.1 To Provide the Platform and Perform Our Contract With You

Lawful basis: Contract (GDPR Article 6(1)(b))

We process the following data because it is necessary to deliver the service you signed up for:

• Account and profile data — to create and manage your account
• Payment data — to process purchases and manage subscriptions
• Usage data — to deliver experiences, track credits, and manage your account activity
• Host data — to onboard, verify, and pay hosts
• Session metadata — to connect users and hosts and ensure technical delivery of experiences

3.2 To Comply With Legal Obligations

Lawful basis: Legal obligation (GDPR Article 6(1)(c))

• Financial transaction records — required for tax and accounting compliance
• Identity verification data for hosts — required under applicable anti-money laundering regulations
• Data breach notifications — required under GDPR Article 33
• Responding to valid legal requests from courts or regulatory authorities

3.3 For Our Legitimate Interests

Lawful basis: Legitimate interests (GDPR Article 6(1)(f))

We rely on legitimate interests only where our interests are not overridden by your rights and freedoms. These purposes include:

• Platform security and fraud prevention — detecting, investigating, and preventing abuse, fraud, and security incidents
• Platform improvement — analysing aggregated usage data to improve features, performance, and user experience
• Trust and safety — investigating reports of conduct violations and enforcing our Community Guidelines
• Business communications — sending important operational notices about the Platform, your account, or changes to our policies
• Legal defence — maintaining records that may be needed to defend legal claims

3.4 With Your Consent

Lawful basis: Consent (GDPR Article 6(1)(a))

We rely on your consent for:

• Marketing communications — sending promotional emails, newsletters, or notifications about new features and experiences. You can withdraw consent at any time by clicking unsubscribe in any email or contacting us at legal@peekabl.com
• Non-essential cookies and analytics tracking — as described in our Cookie Policy. You can manage your preferences at any time via our cookie settings tool
• Any future recording features — if we introduce optional session recording, this will require separate explicit consent

4. How We Use Your Data — Specific Purposes

4.1 Account Management

We use your registration and profile data to create and maintain your account, authenticate your identity at login, enable account recovery, and communicate with you about your account.

4.2 Delivering Experiences

We use session metadata, usage data, and account data to match users with available experiences, facilitate connections between users and hosts, deliver the streaming infrastructure, process credits and payments, and provide post-session receipts and records.

4.3 Payments and Financial Processing

We share necessary billing data with Stripe to process your payments. We retain transaction records for accounting and legal compliance purposes. We do not use your payment data for any marketing or profiling purpose.

4.4 Safety, Trust, and Moderation

We use account data, usage data, and reported content to investigate complaints and reports of conduct violations, enforce our Community Guidelines and Terms & Conditions, detect and prevent fraud and abuse, and — where required by law — report illegal content to the relevant authorities.

Peekabl uses automated tools and, where necessary, human review to monitor chat messages and other user-generated content transmitted through the Platform. This monitoring is carried out for the purposes of safety, fraud prevention, illegal content detection, and enforcement of our Community Guidelines. We do not use chat content for commercial profiling or marketing purposes. Where we identify content that may be illegal — including content involving the exploitation of minors — we will take immediate action and report it to the relevant authorities.

Hosts who upload images or visual content to the Platform as part of their profile or experience listings have that content reviewed through an automated third-party moderation process to detect policy violations before publication. This is done to protect the safety and integrity of our community.

4.5 Platform Improvement and Analytics

We use aggregated and, where necessary, pseudonymised usage data to understand how users interact with the Platform, identify technical issues, and improve features and performance. Where we use analytics tools that involve personal data, this is disclosed in our Cookie Policy and appropriate safeguards are in place.

4.6 Marketing and Communications

With your consent, we may send you information about new experiences, hosts, features, and promotions. You can unsubscribe at any time. We do not sell your personal data to third parties for their marketing purposes and never have.

4.7 Video Viewing Data — VPPA Compliance

Peekabl is a video streaming platform. We are aware of and comply with the US Video Privacy Protection Act (VPPA). We do not knowingly disclose personally identifiable information about your video viewing activity — including which experiences you have joined or viewed — to any third party without your express written consent, except as required by law or as described in this Policy. Aggregated, non-identifying viewing statistics may be used internally for platform improvement purposes.

If we ever seek to share your specific video viewing data with a third party — including for analytics, advertising, or social sharing purposes — we will obtain your consent through a separate, standalone written consent form that is distinct from these Terms and from this Policy, as required by the VPPA. Consent for video data sharing will never be bundled into general terms acceptance. You may withdraw any such consent at any time by contacting legal@peekabl.com, and we will process that withdrawal within 30 days.

4.8 Future Use of Data for Personalisation

Peekabl does not currently use artificial intelligence or automated personalisation engines to make recommendations or decisions based on your personal data. However, we intend to introduce AI-powered experience recommendations in the future. Where we do so, we will use usage data, viewing history, and stated preferences to suggest experiences that may be relevant to you.

We are disclosing this intended future use now, in accordance with GDPR Article 13, so that you are aware of it at the time your data is collected. Before we activate any personalisation feature involving personal data, we will update this Policy and, where required by law, seek fresh consent. You will also be provided with a means to opt out of personalisation-based processing. Any future AI-based processing will not produce legally significant automated decisions about you without human review.

4.9 Location Data

Peekabl does not currently collect precise geolocation data from your device. We collect approximate location derived from your IP address for basic operational purposes such as currency display and applicable law determination. In future, we may request device-level location permissions to enhance features such as destination discovery. If and when we do so, we will ask for your explicit consent through your device's standard permission system, and this Policy will be updated to describe the specific purposes and lawful basis for that processing.

5. Who We Share Your Data With

Peekabl does not sell your personal data. We share data with third parties only where necessary to operate the Platform, comply with the law, or protect our legitimate interests.

5.1 Service Providers and Data Processors

We engage carefully selected third-party service providers who process data on our behalf and under our instruction. These providers are bound by Data Processing Agreements (DPAs) that require them to protect your data and use it only for the purposes we specify. Our current categories of processors include:

• Payment processing: Stripe — for processing all financial transactions
• Streaming infrastructure: GetStream — for delivering live video sessions and real-time chat functionality
• Cloud hosting and infrastructure: Microsoft Azure — for hosting the Platform and storing data securely
• Email communications (transactional and marketing): SendGrid (a Twilio service) — for sending automated user-facing emails including booking confirmations, receipts, and platform notifications
• Email communications (internal operations): Microsoft 365 — for internal business communications
• Analytics: Google Analytics — for aggregated platform usage analysis (configured with IP anonymisation; see our Cookie Policy for full details)
• Identity verification (hosts only): Stripe Identity — for host onboarding identity checks

5.2 Other Users and Hosts

Certain profile information is visible to other users and hosts on the Platform as part of normal Platform operation — for example, your display name and profile photo will be visible during a live session you join. You control what information you include in your public profile. Private information such as your email address, payment details, and account history are never shared with other users or hosts.

5.3 Legal and Regulatory Disclosure

We may disclose your personal data to law enforcement agencies, courts, regulators, or other public authorities where we are legally required to do so, or where disclosure is necessary to protect the safety of any person, prevent fraud, or defend Peekabl's legal rights.

5.4 Business Transfers

If Peekabl is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.5 What We Never Do

• We never sell your personal data to third parties
• We never share your video viewing history with advertisers or third-party marketing platforms
• We never use your data to build advertising profiles for third-party ad targeting

6. International Data Transfers

Peekabl is registered in Bulgaria and operates within the EU. Some of our third-party service providers are located outside the EU/EEA, including in the United States. Where personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place as required by GDPR Chapter V.

The safeguards we rely on include:

• Standard Contractual Clauses (SCCs) approved by the European Commission — used in our agreements with US-based service providers
• Adequacy decisions — where the European Commission has determined that a country offers an adequate level of data protection
• Binding Corporate Rules — where applicable for group transfers

You may request a copy of the relevant transfer safeguards we have in place by contacting legal@peekabl.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention approach by data category is:

7.1 Active Account Data

Data associated with your active account is retained for as long as your account remains open. You can close your account at any time as described in our Terms & Conditions.

7.2 Financial and Transaction Records

Transaction and payment records are retained for a minimum of 5 years from the date of the transaction in accordance with Bulgarian and EU financial record-keeping requirements.

7.3 Account Closure

When you close your account, we will delete or anonymise your personal data within 90 days, except where we are required by law to retain it longer (for example, financial records) or where we need it to defend a legal claim. Please note that due to the way secure backup systems operate, residual copies of your data may persist in encrypted backup storage for a limited additional period before they are purged in the normal cycle. These copies are not accessible to our operational systems and are handled with the same security standards as live data.

7.4 Moderation and Safety Records

Records relating to conduct violations, safety investigations, or legal disputes may be retained for up to 3 years after the matter is resolved, to enable us to identify repeat violations and respond to any related legal proceedings.

7.5 Marketing Data

If you have consented to marketing communications, we retain your contact details for this purpose until you withdraw consent. After withdrawal, we retain a suppression record to ensure we do not re-contact you.

7.6 Public Content After Account Closure

Certain content you have shared publicly on the Platform — such as reviews and ratings of hosts or experiences — may remain visible to other users after your account is closed. This is because such content forms part of the trust and transparency infrastructure of the Platform and may be relied upon by other users in making booking decisions. Where technically feasible, we will anonymise this content upon your request. If you wish to request removal or anonymisation of specific public content, contact legal@peekabl.com.

8. Your Rights as a Data Subject

Your rights are real and we take them seriously. This section explains each right you have and how to exercise it. We respond to all valid requests within 30 days (or 45 days for California residents under CCPA).

8.1 Rights Under GDPR (EU/EEA Users)

If you are located in the EU or EEA, you have the following rights under GDPR:

Right of Access (Article 15)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about how it is used. We will provide this free of charge within 30 days of a verified request.

Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay. You can update most of your profile data directly in your account settings.

Right to Erasure — Right to be Forgotten (Article 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where you object to processing based on legitimate interests. This right is subject to legal retention obligations — for example, we cannot delete financial records we are required by law to keep.

Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your data in certain circumstances — for example, where you contest the accuracy of the data while we verify it.

Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately. Where you object to other legitimate-interest processing, we will stop unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right to Lodge a Complaint
You have the right to lodge a complaint with the Bulgarian CPDP or the supervisory authority in your country of residence at any time. Contact details for the CPDP are in Section 1.2.

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following additional rights:

• Right to Know: you can request details of the personal information we collect, use, disclose, and sell (we do not sell personal information)
• Right to Delete: you can request deletion of personal information we hold about you, subject to certain exceptions
• Right to Correct: you can request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing: Peekabl does not sell or share personal information for cross-context behavioural advertising
• Right to Limit Use of Sensitive Personal Information: you can limit our use of sensitive personal information to what is necessary for the service
• Right of Non-Discrimination: we will not discriminate against you for exercising any of these rights

To exercise California rights, contact us at legal@peekabl.com. We will respond within 45 days of a verified request, as required by California law.

8.3 Rights for Other US State Residents

Residents of Virginia, Colorado, Connecticut, Texas, and other states with applicable privacy laws have similar rights to those described in section 8.2. We honour these rights regardless of whether we have reached the technical threshold for mandatory compliance in your state. Contact legal@peekabl.com to exercise these rights.

8.4 How to Submit a Request

To exercise any of your rights, please contact us at legal@peekabl.com with the subject line: Data Rights Request. Please include your name, email address associated with your account, and a description of the right you wish to exercise. We may need to verify your identity before processing your request. We will never charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.

9. Cookies and Tracking Technologies

Peekabl uses cookies and similar tracking technologies to operate the Platform, remember your preferences, analyse usage, and — with your consent — support marketing activities. Our full Cookie Policy sets out in detail what cookies we use, why, and how you can manage your preferences.

9.1 Categories of Cookies We Use

• Essential cookies: required for the Platform to function — for example, session cookies that keep you logged in. These cannot be disabled.
• Functional cookies: remember your preferences such as language and display settings.
• Analytics cookies: help us understand how the Platform is used. We only deploy these with your consent.
• Marketing cookies: used to deliver relevant communications. We only deploy these with your explicit consent.

9.2 Managing Your Cookie Preferences

When you first visit the Platform, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can update your preferences at any time via the cookie settings tool in the Platform footer. Note that disabling certain cookies may affect Platform functionality.

10. Data Security

Peekabl takes the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or disclosure. These measures include:

• Encryption of data in transit using TLS and at rest using industry-standard encryption
• Access controls ensuring that only authorised personnel can access personal data, on a need-to-know basis
• Regular security assessments and penetration testing of our infrastructure
• Vendor due diligence — all third-party processors are assessed for security and privacy practices before engagement
• Incident response procedures — we have a documented process for identifying, containing, and reporting data breaches

10.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Bulgarian CPDP within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay, as required by GDPR Article 34.

10.2 Your Role in Security

You also play a role in keeping your data secure. Please use a strong, unique password for your Peekabl account, do not share your login credentials, and notify us immediately at legal@peekabl.com if you suspect any unauthorised access to your account.

11. Children's Privacy

Peekabl is not directed at children under the age of 18, and we do not knowingly collect personal data from anyone under 18. Our Terms & Conditions require all users to confirm they are at least 18 years of age at registration.

If we become aware that we have collected personal data from a user under 18 without verified parental consent, we will delete that data promptly. If you believe a minor has created an account on Peekabl, please notify us at legal@peekabl.com and we will investigate and take appropriate action.

12. Third-Party Links and Services

The Platform may contain links to third-party websites, services, or content. This Privacy Policy applies only to Peekabl's own processing of your data. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policy of any third-party service you access through or alongside the Platform.

13. Automated Decision-Making and Profiling

Peekabl may in future use AI-driven personalisation to recommend experiences to users based on their preferences and activity on the Platform. This processing involves automated analysis of your usage data and stated preferences.

This personalisation does not constitute automated decision-making that produces legal or similarly significant effects in the sense of GDPR Article 22. It is a recommendation tool only — you are never required to follow recommendations and we never make binding decisions about you using solely automated means.

If we introduce any automated decision-making that does produce significant effects — for example, automated account suspension decisions — we will update this Policy and ensure you have the right to human review, as required by GDPR Article 22.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or the Platform. When we make material changes, we will:

• Post the updated Policy on the Platform with a revised effective date
• Notify you by email or in-Platform notification at least 30 days before the change takes effect where the change materially affects your rights

We encourage you to review this Policy periodically. Continued use of the Platform after a revised Policy takes effect constitutes your acceptance of the updated terms, except where applicable law requires us to obtain fresh consent.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your personal data, please contact us:

Peekabl (CU DPK)
Data Protection Contact: legal@peekabl.com
General Support: support@peekabl.com
Website: peekabl.com
Registered address: Sofia, Bulgaria

We aim to respond to all privacy-related enquiries within 5 business days and to all formal data rights requests within 30 days (45 days for California residents).

If you are not satisfied with our response, you have the right to escalate your complaint to the Bulgarian Commission for Personal Data Protection (cpdp.bg) or the supervisory authority in your country of residence.