
Privacy Policy

Last updated: April 23, 2026

Effective date: April 28, 2026

This Privacy Policy describes how Malaya Technologies LLC ("Malaya," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the Furnished Unfurnished website, platform, and related services (the "Service"). Furnished Unfurnished is a mid-term rental lead-generation platform available to users in the United States. Hosts pay a subscription to list properties; rental transactions happen directly between hosts and tenants off-platform.

1. Who We Are

The Service is operated by Malaya Technologies LLC, a Wyoming limited liability company with its operating office at 2 N Central Ave STE 1800, Phoenix, AZ 85004, United States.

For the purposes of the EU/UK General Data Protection Regulation (GDPR), Malaya Technologies LLC is the data controller of the personal data described in this Policy. For the purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), Malaya Technologies LLC is the business.

You can reach our privacy team at privacy@furnishedunfurnished.com.

2. Information We Collect

We collect the following categories of personal information:

  • Identity and contact data. Full name, email address, phone number, and, for hosts, business name and mailing address.
  • Account credentials. Password hashes, authentication factors (such as one-time codes and TOTP secrets), and session tokens.
  • Payment information. Billing name, billing address, and card metadata (last four digits, brand, expiry). We do not store full card numbers. Payments are processed by Stripe, Inc. and card data is transmitted directly to Stripe's PCI-compliant environment.
  • Profile data. Display name, profile photo, cover image, biography, company affiliation, hometown, and public-facing contact preferences you choose to share.
  • Location data. Property addresses, city, state, ZIP code, and approximate geographic coordinates when you submit a listing. We intentionally fuzz exact coordinates before displaying them to the public.
  • User content. Listings, photos, descriptions, amenities, messages, housing requests, reviews, inquiries, and AI-assistant conversations.
  • Device and usage data. IP address, browser type, operating system, device identifiers, referring URLs, pages viewed, interaction events (clicks, impressions, shares), timestamps, and approximate location derived from your IP address.
  • Communications with us. Support tickets, email correspondence, and feedback you send us.
  • Cookies and similar technologies. As described in Section 6.

3. How We Use Your Information

We use personal information to:

  • Provide, operate, and maintain the Service, including creating and authenticating your account.
  • Process subscription payments and manage billing, renewals, refunds, and invoices.
  • Publish listings, deliver inquiries, and route messages between hosts and tenants.
  • Verify listings, verify user identity, and prevent fraud, spam, and abuse.
  • Send transactional emails and in-app notifications (for example, new messages, inquiries, receipts, account changes, and subscription reminders).
  • Send marketing emails where permitted by law. You can unsubscribe at any time using the link in any marketing message or in your account settings.
  • Measure product performance, analyze usage patterns, and improve features, safety, and reliability.
  • Respond to support requests and communicate with you about the Service.
  • Comply with legal obligations, enforce our Terms of Service, defend legal claims, and cooperate with lawful law enforcement requests.

No automated decision-making with legal or similarly significant effects. We do not use automated decision-making technology (including as defined by the California Privacy Protection Agency's Automated Decisionmaking Technology (ADMT) regulations effective in 2026) to make decisions that produce legal or similarly significant effects concerning you.

4. Legal Bases (if You Are in the EU/EEA or UK)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases to process your personal data under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)). To create your account, deliver the Service, process your subscription, and respond to your requests.
  • Legitimate interests (Art. 6(1)(f)). To secure the platform, prevent fraud, measure and improve the Service, and communicate with our users. We balance our interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)). For non-essential cookies, optional analytics, and marketing emails where consent is required. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)). To keep tax and accounting records and to respond to lawful government requests.

5. Who We Share Information With (Subprocessors)

We share personal information with service providers who process it on our behalf, under written contracts that restrict their use of the data. As of the date of this Policy, our subprocessors are:

  • Supabase, Inc. — managed Postgres database, authentication, and file storage for account data, listings, photos, and messages.
  • Stripe, Inc. — payment processing, subscription management, and storage of payment method details. Stripe is PCI-DSS Level 1 certified.
  • Resend (Resend, Inc.) — delivery of transactional emails such as receipts, notifications, and account alerts.
  • Mapbox, Inc. — map tiles, geocoding addresses to coordinates, and showing property locations on interactive maps.
  • OpenAI, L.L.C. — large-language-model inference that powers our VELA AI assistant. We send only the conversation and minimal context needed to respond. OpenAI does not train its models on data we send through the API.
  • Firecrawl (SideGuide Technologies Inc.) — URL scraping used only when a host explicitly asks VELA to import an external listing.
  • Vercel Inc. — web application hosting, edge functions, and content delivery.
  • PostHog Inc. — product analytics. PostHog only receives data if you consent to analytics cookies.
  • Functional Software, Inc. d/b/a Sentry — error monitoring and performance tracing to diagnose crashes and performance issues.
  • Cloudflare, Inc. — Turnstile bot-protection and CAPTCHA-style challenges on signup and other sensitive endpoints.
  • Upstash, Inc. — managed Redis used for rate limiting, including storage of request counters keyed by IP and user ID.

We also share personal information (a) with your consent, (b) when required by law or legal process, (c) to protect the rights, property, or safety of Malaya, our users, or others, and (d) in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Policy or notify you and give you a chance to opt out.

No sale or sharing for cross-context behavioral advertising. We do not "sell" personal information for money, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined in Cal. Civ. Code § 1798.140(ad) and § 1798.140(ah). If this ever changes in the future, we will update this Policy, provide advance notice, and honor applicable opt-out signals (including Global Privacy Control) before any such sale or sharing begins.

6. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies for three purposes:

  • Essential cookies. Required for the Service to work — for example, to keep you logged in, remember your role, and protect against cross-site request forgery. These are always on and cannot be turned off.
  • Functional cookies. Remember preferences such as sidebar collapse state or accessibility settings. We treat these as essential because they support basic usability.
  • Analytics cookies. Used by PostHog to measure how people use the Service. These load only after you consent via the cookie banner, and you can withdraw consent at any time.

You can clear cookies at any time through your browser settings. Clearing essential cookies will log you out.

7. Data Retention

We keep personal information only as long as needed for the purpose we collected it. Our standard retention periods are:

  • Account data — until you delete your account, plus up to 30 days for backup and recovery. After that, we anonymize or delete the record.
  • Subscription and billing records — for the period required by applicable law, typically seven (7) years under U.S. federal and state tax-records-retention guidelines (including IRS guidance).
  • Audit and security logs — 1 year.
  • Messages, inquiries, and reviews — retained for the life of the thread or listing so participants can refer back to the conversation. Deletion of your account anonymizes your identifying information on these records.
  • One-time passcodes — deleted automatically after expiry or after a single successful use, whichever comes first.
  • Server access logs — 90 days.
  • Marketing email suppression list — kept indefinitely so we don't email people who have unsubscribed.

We may retain data longer where a law, regulation, court order, or active legal claim requires it.

8. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct personal information that is inaccurate or incomplete.
  • Delete personal information, subject to the exceptions noted above.
  • Export a portable copy of your information in a machine-readable format.
  • Restrict or object to certain processing, including direct marketing.
  • Withdraw consent where we rely on consent to process your data.
  • Ask us not to make decisions about you based solely on automated processing.

You can exercise these rights from your account settings (for edits, notification preferences, deletion, and data export) or by emailing privacy@furnishedunfurnished.com. We will respond within 45 days. If we need more time, we will tell you why and how much longer we need.

We may need to verify your identity before acting on your request. We will not charge a fee unless your request is manifestly unfounded or excessive. You can authorize an agent to act for you by giving them signed permission; we will still verify the request directly with you.

9. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100–1798.199.100), gives you additional rights:

  • Right to know. You can request the categories and specific pieces of personal information we have collected, the sources, the business or commercial purpose, and the third parties we shared it with.
  • Right to delete. You can ask us to delete personal information we collected from you, subject to statutory exceptions.
  • Right to correct. You can ask us to correct inaccurate personal information.
  • Right to opt out of sale or sharing. You can direct us not to sell or share your personal information. We do not sell personal information and we do not share it for cross-context behavioral advertising, but you can still submit a request at Do Not Sell or Share My Personal Information.
  • Right to limit use of sensitive personal information. You can restrict our use of sensitive categories beyond what is necessary to provide the Service.
  • Right to non-discrimination. We will not deny you service, charge you a different price, or give you a lower-quality Service for exercising your rights.

Categories we collect. In the last 12 months we have collected the following statutory categories: identifiers; customer records; commercial information; internet or network activity; geolocation data; and inferences. The only sensitive personal information we collect, as defined by Cal. Civ. Code § 1798.140(ae), is (i) account log-in credentials (a username in combination with a password or other credential allowing access to your account) and (ii), when a host submits a listing, precise geolocation (property latitude and longitude). We do not collect other categories of sensitive personal information enumerated in § 1798.140(ae), such as government identifiers, genetic or biometric data, health information, or information about sexual orientation. We use sensitive personal information only to operate the Service, secure accounts, and as otherwise permitted by Cal. Civ. Code § 1798.121(a).

Global Privacy Control (GPC). We recognize the Global Privacy Control browser signal as a valid opt-out-of-sale-and-sharing request under Cal. Civ. Code § 1798.185(a)(20) and its implementing regulations. If your browser or extension sends a GPC signal while you visit our website, we will treat it as a request to opt out of sale and sharing for that browser and device and, where we can reasonably link the signal to a known account, for your account.

Definitions of "sale" and "share." The terms "sale" and "share" in this Section use the meanings given in Cal. Civ. Code § 1798.140(ad) and § 1798.140(ah), respectively.

Verified consumer requests. Submit a request by emailing privacy@furnishedunfurnished.com or through your account settings. We will match the information in your request against the information we hold. If there is no match, we will ask for more information so we can verify you are the person you say you are.

Financial incentives. We do not offer any financial incentive or price or service difference in exchange for personal information.

Shine the Light. California residents may ask for a list of third parties to which we disclosed personal information for their direct marketing purposes during the prior calendar year (Cal. Civ. Code § 1798.83). We do not disclose personal information to third parties for their direct marketing purposes.

10. EU/EEA and UK Residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights listed in Section 8 above, which correspond to Articles 15 through 22 of the GDPR: right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), and not being subject to a decision based solely on automated processing (Art. 22).

You also have the right to lodge a complaint with your national data protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).

International data transfers. Personal information is processed in the United States and in other countries where our subprocessors operate. When we transfer data out of the EEA, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), together with supplementary measures where needed (such as encryption in transit and at rest). For personal data transferred from the United Kingdom, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, as issued by the UK Information Commissioner's Office. For personal data transferred from Switzerland, we rely on the Swiss Federal Data Protection and Information Commissioner's adequacy framework together with the Standard Contractual Clauses as adapted for Swiss FADP compliance. Copies of the applicable clauses are available on request.

11. Children

The Service is intended for adults. You must be at least 18 years old to create an account, list a property, or send a housing request.

We do not knowingly collect personal information from children 13 years of age or younger, consistent with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506. If you believe a child 13 or younger has given us personal information, contact us at privacy@furnishedunfurnished.com and we will delete it promptly.

12. Security

We apply reasonable technical and organizational safeguards to protect personal information. These include encryption in transit (TLS) and at rest, role-based access controls, row-level security in our database, secret management, audit logging, automated backups, and vendor review.

No system is perfectly secure and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential, enabling two-factor authentication, and notifying us at privacy@furnishedunfurnished.com if you believe your account has been compromised.

If a security incident affects your personal information, we will notify affected users and, where required, regulators as and within the timeframes required by applicable data-breach-notification statutes. In the United States this includes the breach-notification laws of each state and territory whose residents are affected (for example, Cal. Civ. Code § 1798.82 and its counterparts in all fifty states, the District of Columbia, and the U.S. territories). For users in the EU/EEA and UK, we will notify the competent supervisory authority in accordance with Article 33 of the GDPR and the UK GDPR.

13. Changes to This Policy

We may update this Policy from time to time. The revised Policy will be posted on this page with a new "Last updated" date. If we make material changes, we will notify you by email or through an in-app notice at least 30 days before the changes take effect, where reasonably feasible.

Continuing to use the Service after the effective date of an update means you accept the updated Policy. If you do not agree with the update, you may close your account before it takes effect.

14. Contact Us

Questions about this Policy, or about how we handle your personal information:

Malaya Technologies LLC
Attn: Privacy
2 N Central Ave STE 1800
Phoenix, AZ 85004
United States

Privacy inquiries: privacy@furnishedunfurnished.com

General support: support@furnishedunfurnished.com
