⚠️ TEMPLATE — operator replaces with hand-authored final copy before launch (SETUP-5)
1. Introduction
YallaChalet ("the service", "we", "us") is an Arabic-first directory of chalet rentals in Jordan. This document describes what data we collect when you browse the directory, contact a chalet owner, or claim a listing as an owner. We have written this policy to be honest about what crosses the wire and what does not, in plain language a renter or owner can read in five minutes.
This is a starter template. Final copy will be reviewed by counsel before public launch.
2. Data we collect
We collect only what we need to operate the directory and to give chalet owners aggregate statistics about how their listings perform.
- yc_sid session cookie — a randomly generated identifier set as an HttpOnly, Secure, SameSite=Lax cookie with a 14-day lifetime. We use it to count distinct sessions per chalet listing for the owner-facing analytics dashboard. It contains no name, no email, no phone number, and no advertising profile. The cookie is functional under PECR and does not require consent.
- Google Analytics 4 — page-level traffic metrics (page views, referrer, approximate region, device class). GA loads ONLY after you accept the cookie banner. Until you accept, no Google Analytics scripts run and no Google cookies are set.
- Server logs — your IP address, user agent, requested URL, and response status are written to short-lived application logs for security and abuse-prevention purposes. We never publish these logs and we never join them to your yc_sid.
- Owner contact details — if you claim a listing as a chalet owner, we store your phone number (in E.164 format and in hashed form for fraud-detection lookups) and the WhatsApp OTP code we sent you (hashed, never in plain text, deleted after verification).
3. Data we do NOT collect
- We do not assign you any advertising identifier.
- We do not sell, rent, or share data with third-party advertisers, data brokers, or marketing networks.
- We do not use yc_sid to track you across sites we do not own. The cookie is SameSite=Lax and is read only by yallachalet.com.
- We do not store your raw OTP code, your raw phone number unmasked, or any biometric data.
4. Third parties
The directory runs on a small number of third-party services. Each is listed below with the reason we use it.
- Google Analytics — page-level analytics, loaded only after consent. Subject to Google's own privacy policy.
- Replit Postgres — managed Postgres database that holds chalet listings, owner records, and aggregate event counts. Hosted by Replit Inc.
- Replit App Storage — image hosting for chalet photos. Hosted by Replit Inc.
- Twilio — WhatsApp Business API used to deliver one-time-password messages during owner verification. The phone number is the only field passed to Twilio.
- MapTiler — map tile delivery for the chalet location map. Subject to MapTiler's own privacy policy.
5. Your rights
Under applicable Jordanian and EU/UK data-protection law, you may:
- Access — request a copy of the data we hold about you.
- Correct — request correction of any inaccurate data.
- Delete — request deletion of your data (account closure, erasure of cookies on this device, removal of an owner record).
- Withdraw consent — withdraw GA consent at any time via the cookie banner; existing GA cookies are then cleared.
- Object — object to processing on legitimate-interest grounds.
To exercise any of these rights, contact us at the email below. We respond within 30 days.
6. Retention
- yc_sid cookie — 14 days from the last visit, then automatically deleted by your browser.
- Server logs — 30 days, then rotated out.
- Owner records — for the lifetime of the claimed listing, plus 12 months after last activity.
- Aggregate event counts — indefinite (these are non-identifying counters keyed by chalet, not by user).
These retention periods are starting defaults and will be revised before public launch.
7. Contact
For privacy questions, data-subject requests, or complaints:
- Email: privacy@yallachalet.example (placeholder — replace before launch)
- Postal: legal-entity-name, address-line-1, Amman, Jordan (placeholder)
If we cannot resolve your concern, you may also contact your local data-protection authority.
8. Changes
We update this policy when our data handling changes, when a new third party joins the stack, or when the law changes. Each version is dated at the top of the page (lastUpdated). Material changes will be announced via a banner on the homepage for at least 14 days before the new version takes effect.