Skip to main content

Curba Privacy Policy

Effective date: May 9, 2026 Last updated: June 3, 2026

1. Who We Are

"Curba" is a trade name of 2814447 Alberta Inc., an Alberta corporation (the "Operator", "Curba", "we", "us"). The Operator provides a peer-to-peer rental marketplace at https://curba.app (the "Platform"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it.

Privacy Officer / Person in Charge of the Protection of Personal Information:

  • Name: Stanley Ekpunobi
  • Email: privacy@curba.app
  • Mailing address: 1034-1215 9th Ave SW, Calgary, AB T3C 0H9, Canada

Under Quebec Law 25 and PIPEDA, every organization must publicly identify an individual accountable for the protection of personal information. For small companies, this is by default the most senior officer of the company. Curba designates its founder as Privacy Officer until a dedicated officer is appointed.

Owner contact email: support@curba.app Phone: +1 825 256 5110

2. Information We Collect

2.1 Information you provide

  • Account info - first name, last name, email address, phone number, password
  • Profile info - profile photo, bio, location preferences
  • Identity verification - government-issued ID, selfie, date of birth, address (collected and verified by Stripe Identity on our behalf - Curba never stores the ID image or selfie)
  • Listing info (Hosts) - item descriptions, photos, pricing, pickup address, item value
  • Inquiry / booking info - dates, messages exchanged with the other party, pickup contact number, pickup instructions
  • Payment info - payment card and bank account details (collected and stored by Stripe; Curba never sees your full card or bank account number)
  • Support communications - messages you send to our support team

2.2 Information collected automatically

  • Device and log data - IP address, browser type, browser fingerprint, operating system, device identifiers, system logs
  • Usage data - pages viewed, features used, search queries, timestamps, time spent per page, navigation path
  • Location data - approximate location derived from IP, plus precise geolocation if you grant browser permission to find listings near you
  • Cookies, trackers, and similar technologies - see Section 8

2.3 Information from third parties

  • Stripe - verification results, payment status, payout status, connected account capabilities
  • Keycloak (our authentication provider) - sign-in events, account state
  • Google Maps / Places - when you enter an address, Google may share standardized address and coordinates with us
  • Cloudflare - bot/spam protection signals on contact forms (browser fingerprint, IP, trackers)
  • Public sources - limited information used for fraud prevention

3. How We Use Your Information

We use your personal information for the following purposes, each with the legal basis indicated:

PurposeLegal basis (PIPEDA / Law 25 / GDPR)
Create and manage your accountPerformance of contract
Process bookings, payments, and payoutsPerformance of contract
Verify your identity (Stripe Identity)Performance of contract; legitimate interest in fraud prevention; legal obligation (KYC/AML)
Match Hosts with Renters and display listingsPerformance of contract
Send transactional emails and notifications (booking confirmations, messages, payout updates)Performance of contract
Investigate fraud, abuse, or violations of our TermsLegitimate interest; legal obligation
Comply with legal obligations (tax reporting, court orders)Legal obligation
Improve and develop the PlatformLegitimate interest
Promote the Platform and individual listings, including through advertising on third-party channels such as social media (using listing content - photos, titles, descriptions)Legitimate interest (you may opt out - see Section 5)
Resolve disputes and process insurance / deposit claimsPerformance of contract
Traffic optimization and bot/spam protectionLegitimate interest

We do not use your personal information for automated decision-making with legal or similarly significant effects without disclosing it to you and giving you the right to a human review (Law 25 / GDPR requirement). Identity verification by Stripe is partly automated; you may request a human review of any rejection by contacting our Privacy Officer.

4. Information Shared Between Hosts and Renters

When a Host accepts a Renter's inquiry and the Renter pays, certain information is shared between them through the Platform:

  • Renter sees: Host's first name, profile photo, listing details, reviews, pickup address (after payment), and Host's pickup contact phone number
  • Host sees: Renter's first name, profile photo, reviews, pickup contact phone number, and the signed declaration (for Self-Declared listings)

When you receive another user's information, you become a separate controller of that information. You may use it only for the purpose of completing the rental and may not retain it after the rental ends except as required to operate your account or by law.

5. Service Providers and Sharing

We share personal information with the following categories of recipients only as needed. Where the recipient processes data outside Canada, the country is noted.

Payment processing and identity verification

Stripe, Inc. and Stripe Payments Canada, Ltd. - Place of processing: United States and Canada. Personal data processed: email address, first name, last name, government-issued ID, selfie, date of birth, address, payment card details, bank account details, IP address, trackers, usage data. Used for: payment processing, identity verification, host payout, fraud prevention. Stripe Privacy Policy

Authentication

Keycloak (self-hosted by the Operator) - Place of processing: Germany (Contabo VPS). Personal data processed: email address, password (hashed), sign-in events. Used for: registration, authentication, session management.

Hosting infrastructure

Contabo GmbH - Place of processing: Germany. Personal data processed: all application data necessary to operate the Platform. Used for: hosting Curba's application servers and PostgreSQL database.

Traffic optimization and security

Cloudflare, Inc. - Place of processing: United States (and globally distributed edge nodes). Personal data processed: IP address, browser fingerprint, browser information, trackers, usage data. Used for: traffic optimization (CDN), DNS, and Turnstile bot/spam protection on contact forms. Cloudflare Privacy Policy

Maps and addresses

Google LLC (Maps and Places APIs) - Place of processing: United States. Personal data processed: addresses you enter, coordinates of listings. Used for: address standardization, listing maps, distance calculations.

Email delivery - outbound transactional

Resend - Place of processing: United States. Personal data processed: email address, name, contents of transactional emails. Used for: account, booking, payment, host-payout, and identity-verification email notifications. Resend Privacy Policy

Email mailboxes - Curba support inbox

Microsoft Corporation (Microsoft 365 / Exchange Online) - Place of processing: United States and Canada (Microsoft data residency for Canadian tenants). Personal data processed: email address, name, full content of inbound and outbound mailbox messages (e.g. support@curba.app, claims@curba.app, privacy@curba.app), attachments. Used for: receiving and responding to user support, claims, and privacy correspondence. Microsoft Privacy Statement · Microsoft 365 data subprocessor list

Analytics - traffic and acquisition

Google LLC (Google Analytics 4) - Place of processing: United States. Personal data processed: IP address (anonymized in aggregate), browser type, device identifiers, pages viewed, session identifiers, custom event properties (e.g. tier, total), user_id (Curba's internal identifier). Used for: traffic measurement, acquisition source attribution, funnel analysis. Curba has configured Data Redaction in GA4 to scrub sensitive query-string parameters (auth tokens, payment-intent secrets, email/phone patterns) before ingestion. Google Signals (cross-device tracking) is disabled, and Curba does not allow Google to use your data for ad personalization or to share it with other Google services for advertising purposes. Google Privacy Policy

Analytics - product behaviour and backend errors

PostHog Inc. - Place of processing: United States (US Cloud region). Personal data processed:

  • Frontend (product analytics): anonymous device identifier, page views, custom event properties (e.g. tier, depositAmount, legalExpanded), user_id once you sign in (Curba's internal identifier), email and username (for support troubleshooting; configurable by you in your account settings - contact support to remove).
  • Backend (error tracking): unhandled-exception events from Curba's backend services. Each event includes the exception type, message, and stack trace; the route pattern and HTTP method of the request that triggered it; an internal request identifier; the Curba user_id that made the request (or anonymous if unauthenticated); your email address; and your role tags (e.g. user, admin). Stack traces may incidentally include parameter values from the failing call - Curba does not deliberately log payment card numbers, passwords, or government-ID fields, but if such a value were to appear in an exception message it could be captured here.

Used for: funnel analysis, drop-off detection, feature-flag evaluation, session replay for UX debugging, and surfacing backend errors so we can fix them quickly. PostHog Privacy Policy

Advertising and social media promotion

Meta Platforms, Inc. (Facebook, Instagram) - Place of processing: United States. Personal data processed: listing content you upload (photos, titles, descriptions), which may incidentally include personal data such as your first name or images, and aggregate campaign-performance metrics. Used for: advertising and promoting the Platform and individual listings on social media. We do not provide Meta with your email, phone number, or other contact details for ad targeting, and we do not build advertising profiles about you. You may opt out of off-platform promotion of your listing content at any time by contacting support@curba.app; we will stop using it for that purpose going forward. Meta Privacy Policy

Other recipients

  • Customer support tooling - to respond to your messages
  • Law enforcement and courts - when legally required, in response to a valid request
  • Professional advisors - lawyers, accountants, insurers, under confidentiality

We do not sell your personal information.

6. International Transfers

Some of our service providers (notably Stripe, Cloudflare, Google, Resend, and Contabo) store or process personal information outside Canada - primarily in the United States and the European Union (Germany). Privacy laws in those jurisdictions may differ from Canadian law and may permit access by foreign authorities. Before transferring information outside Canada, Curba assesses whether the destination provides adequate protection and uses contractual safeguards (such as standard contractual clauses) where appropriate.

By using the Platform you acknowledge that your information may be processed outside Canada.

7. Data Retention

We keep your personal information only as long as necessary for the purposes described in this Policy, or as required by law.

DataTypical retention period
Account profileWhile your account is active, plus up to 24 months after closure
Booking, payment, and payout recordsAt least 7 years (Canadian tax and accounting requirements)
Identity verification documentsAs long as required by Stripe and applicable AML / KYC rules (typically 7 years)
Messages between Hosts and RentersUp to 36 months after a rental ends
System logs and analyticsUp to 12 months
Session and local storageCleared when the browser session ends (sessionStorage) or until you clear it (localStorage)

After the retention period, we delete or anonymize personal information. The right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

8. Cookies, Trackers, and Similar Technologies

We use cookies, trackers, browser storage, and similar technologies to:

  • Keep you signed in (Keycloak)
  • Process payments securely (Stripe)
  • Detect fraud and abusive behaviour (Cloudflare bot management; Cloudflare Turnstile on the Contact form)
  • Render maps and address autocomplete (Google Maps / Places)
  • Measure how the Platform is used so we can improve it (Google Analytics 4 and PostHog - see Section 5)
  • Hold short-lived state needed for the Platform to work (session and local storage in your browser)

We do not use third-party advertising or remarketing cookies on the Platform, and we do not sell your personal information. Separately, we may promote the Platform and individual listings through advertising on third-party channels such as social media, using listing content you upload (see Section 5) - this does not place advertising cookies on the Platform, and you may opt out of off-platform promotion of your listing content by contacting support@curba.app.

For the full list of cookies and trackers - including category, provider, purpose, and duration - and instructions for managing them, see our Cookie Policy, also published at https://curba.app/cookies.

You can disable cookies in your browser, but parts of the Platform may not function without them (in particular, you won't be able to sign in or complete a payment if strictly-necessary cookies are blocked).

9. Your Rights

You have the following rights with respect to your personal information:

  • Access - request a copy of the personal information we hold about you
  • Rectification - request correction of inaccurate or incomplete information
  • Withdrawal of consent - withdraw consent for processing based on consent; this may limit your ability to use parts of the Platform
  • Deletion / right to be forgotten - request deletion of your account and personal information, subject to retention obligations (see Section 7)
  • Restrict processing - ask us to limit how we process your data while we resolve a question or complaint
  • Object to processing - where processing is based on legitimate interest (rather than consent or contract)
  • Portability (Quebec residents under Law 25 and EU residents under GDPR) - receive your information in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible
  • Cessation of dissemination / de-indexing (Quebec residents under Law 25) - request that we stop disseminating your information or de-index it from search results in defined circumstances
  • Human review of automated decisions - request a human review of any decision made about you exclusively by automated means
  • Lodge a complaint - bring a claim before your competent data protection authority

To exercise any of these rights, contact our Privacy Officer at privacy@curba.app. We will respond within 30 days as required by Quebec Law 25 (and at the latest one month under GDPR; up to 60 days under PIPEDA in complex cases).

If you are not satisfied with our response, you have the right to file a complaint with:

  • Office of the Privacy Commissioner of Canada (OPC) - https://www.priv.gc.ca
  • Commission d'accès à l'information du Québec (CAI) - https://www.cai.gouv.qc.ca (Quebec residents)
  • Your local data protection authority in the EU/EEA, if applicable

10. Security

We use technical and organizational measures to protect personal information, including encryption in transit (HTTPS/TLS 1.2+), encryption at rest where applicable, role-based access controls, regular backups, and monitoring. No system is perfectly secure, and we cannot guarantee absolute security.

In the event of a privacy breach posing a real risk of significant harm, we will notify affected individuals and the appropriate regulator(s) as required by PIPEDA and Quebec Law 25.

11. Children

The Platform is not directed to anyone under 18, and we do not knowingly collect personal information from individuals under 18. If you believe we have collected information from a minor, please contact our Privacy Officer and we will delete it.

Your personal data may be used for legal purposes by Curba in court or in the stages leading up to possible legal action arising from improper use of the Platform. You should be aware that Curba may be required to disclose personal data upon request from public authorities.

13. Changes to This Policy

We may update this Policy from time to time. If we make material changes we will give notice on the Platform and, where required, by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent version. Where the changes affect processing performed on the basis of your consent, we will collect new consent where required.

14. Additional Information for EU/EEA and UK Users

This section supplements the rights above for individuals located in the European Union, European Economic Area, and the United Kingdom.

Curba may process personal data relating to you under one or more of the following legal bases:

  • Consent - you have given consent for one or more specific purposes
  • Contract - processing is necessary to perform our agreement with you, or to take pre-contractual steps at your request
  • Legal obligation - processing is required to comply with a law to which Curba is subject (e.g. tax records, KYC/AML)
  • Legitimate interests - processing is necessary for the legitimate interests pursued by Curba or a third party (e.g. fraud prevention, platform improvement), and these interests are not overridden by your fundamental rights

We will gladly clarify the specific legal basis that applies to a particular processing activity, and whether the provision of personal data is a statutory or contractual requirement.

How to exercise your GDPR rights

Send any request to privacy@curba.app. Requests are free of charge and we will respond within one month, providing you with the information required by law. We will pass on any rectification, erasure, or restriction of processing to each recipient (if any) to whom your data has been disclosed unless this proves impossible or involves disproportionate effort.

15. Definitions

The following terms have specific meanings throughout this policy.

  • Personal Data (or Data) - any information that directly, indirectly, or in connection with other information allows for the identification or identifiability of a natural person.
  • Usage Data - information collected automatically through the Platform or third-party services it uses, such as IP addresses, URIs requested, request methods, response sizes, status codes, country of origin, browser and operating system features, time spent on pages, navigation paths, and other device or environment parameters.
  • User - the individual using the Platform who, unless otherwise specified, coincides with the Data Subject.
  • Data Subject - the natural person to whom the Personal Data refers.
  • Data Processor (or Processor) - the natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the Controller, as described in this policy.
  • Data Controller (or Owner / Operator) - the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of the Platform. The Data Controller, unless otherwise specified, is 2814447 Alberta Inc., the Alberta corporation operating under the trade name "Curba".
  • Service - the rental marketplace service provided by Curba as described in our Terms of Service and on the Platform.
  • European Union (or EU) - unless otherwise specified, all current member states of the European Union and the European Economic Area.
  • Cookie - a Tracker consisting of a small set of data stored in your browser.
  • Tracker - any technology (cookies, unique identifiers, web beacons, embedded scripts, e-tags, fingerprinting) that enables the tracking of Users, for example by accessing or storing information on the User's device.

16. Contact

For privacy questions, complaints, or to exercise your rights, contact:

  • Email: privacy@curba.app
  • General support: support@curba.app
  • Phone: +1 825 256 5110
  • Mail: Privacy Officer, 2814447 Alberta Inc. (operating as Curba), 1034-1215 9th Ave SW, Calgary, AB T3C 0H9, Canada

Generated portions of this document were originally produced via the iubenda Privacy and Cookie Policy Generator and adapted by Curba to reflect Canadian (PIPEDA, Quebec Law 25) and EU (GDPR) requirements alongside Curba's actual operating model.