1. Who We Are
This Privacy Policy (“Policy”) explains how Bluelly LLC, Identification Code: 405751315, registered and operating in accordance with the legislation of Georgia (“Bluelly”, “we”, “us”, “our”) — collects, uses, stores, protects, and discloses your personal data when you use Bluelly’s website (“Site”) and mobile application (“App”), collectively referred to as the “Platform”.
Bluelly operates as a digital intermediary platform connecting users for short-term and long-term accommodation bookings, Experiences (tours, hikes, culinary activities, excursions), and group travel formation based on an exclusive compatibility algorithm.
We act as the Data Controller for the personal data collected through the Platform under the Law of Georgia “On Personal Data Protection” and, where applicable, the EU General Data Protection Regulation (GDPR).
2. Legal Framework
This Policy is designed to comply with:
- The Law of Georgia “On Personal Data Protection”;
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR);
- The California Consumer Privacy Act (CCPA), to the extent that it applies to users residing in the United States;
- Official developer policy guidelines mandated by Apple App Store (Guideline 5.1 — Data Privacy) and Google Play Store.
3. Categories of Personal Data We Collect
We collect and process the following categories of data depending on how you interact with the Platform:
3.1. Information You Provide Directly to Us
- Account Information: First name, last name, personal identification number, date of birth, gender, nationality, email address, telephone number, and profile picture.
- Identity Verification (KYC/AML Data): Copies of state-issued identity cards, passports, driver’s licenses, and biometric facial data (selfies) processed for identity verification.
- Listing and Service Data (For Hosts and Organizers): Property addresses, ownership deeds, business registration numbers, tax identifiers, certificates, licenses, and media files (photos/videos) of properties or activity sites.
- Special Category Data (Group Travel Assessment): Results of psychological evaluations, personality traits, communication styles, lifestyle preferences, and travel habits. This data is processed exclusively upon your explicit and voluntary consent for the group travel feature.
3.2. Data Collected Automatically (Technical & Usage Data)
- Device and Connection Technical Details: IP address, unique device identifiers (UDID, IMEI), MAC address, operating system, browser type, mobile carrier, and internet service provider.
- Usage and In-App Interactions: Search parameters, booking histories, listings viewed, session durations, clickstream analytics, and user communications within the Platform’s messaging framework.
- Location Data: Precise or approximate geographical coordinates derived from your mobile device’s GPS, Wi-Fi, or cellular network signals. This tracking occurs only if you grant explicit permission within your device settings.
3.3. Financial and Transaction Data
- Payment Credentials: Credit/debit card types, card expiration dates, bank account details, and transaction logs. Crucial Note: Raw payment card credentials (PAN, CVV) are processed and encrypted directly by our licensed payment gateways (e.g., Bank of Georgia, TBC Bank) under strict PCI-DSS regulations and are never stored on Bluelly’s servers.
4. Legal Bases for Data Processing
Under applicable frameworks, we process your personal records only under the following lawful titles:
- Contractual Performance: To activate profiles, manage reservations, process financial payouts, and deliver requested marketplace services.
- Legitimate Corporate Interests: To optimize interface stability, execute system upgrades, counter fraudulent behaviors, secure property boundaries, and enforce our Terms and Conditions.
- Statutory Obligations: To fulfill financial accounting, anti-money laundering (AML), tax reporting, and counter-terrorist financing obligations under Georgian and international law.
- Explicit User Consent: For analyzing individual psychological matrices for algorithmic group matching, utilizing real-time GPS tracking, and delivering customized commercial marketing materials.
5. Algorithmic Profiling and Artificial Intelligence (AI)
5.1. The Group Travel Service evaluates psychological test responses using an automated algorithmic engine to assess compatibility scores.
5.2. No Discriminatory Elements: The AI model is strictly prohibited from evaluating or categorizing sensitive identifiers, including religious beliefs, political orientations, racial backgrounds, sexual preferences, or medical backgrounds.
5.3. Human Intervention Rights: In compliance with the EU Artificial Intelligence Act (AI Act) and GDPR Article 22, users have the right to challenge automated matching decisions and request a manual human review of their assessment profiles.
6. Data Retention Protocols
6.1. Personal data is preserved only as long as necessary to satisfy the specific operational purposes for which it was gathered or to fulfill statutory obligations.
6.2. Operational Profiles: General account files are kept active for the entire duration of the user’s subscription lifecycle.
6.3. Statutory Financial Records: Transaction files, billing logs, and tax identities are securely archived for the minimum mandatory periods prescribed by the Tax Code of Georgia.
6.4. Identity Verification Assets: Biometric images and raw passport scans utilized during identity authentication (KYC) are permanently erased from active servers within 30 days following successful identity confirmation.
7. Authorized Data Disclosures and International Transfers
We do not sell your personal information. Your records are shared with external entities strictly under the following scenarios:
- Transactional Counterparties: Limited data points (first name, phone number, nationality) are revealed to a Host or Organizer only after a reservation is officially finalized and paid for.
- Integrated Vendor Systems: Data is shared with automated third-party validation engines (e.g., Identomat for KYC), cloud hosts (e.g., AWS), and payment gateways.
- Legal Enforcement Mandates: Data is disclosed to judicial authorities, tax investigators, or police forces upon the presentation of valid, legally binding subpoenas or official state orders.
- International Cross-Border Routines: Where data transfers cross national borders (e.g., to EU cloud infrastructures), Bluelly enforces strict Standard Contractual Clauses (SCCs) to guarantee equivalent protection levels.
8. User Privacy Rights
You maintain absolute legal command over your personal records. Depending on your jurisdiction (GDPR/CCPA/Georgian Law), you possess the right to:
- Access and Portability: Request full copies of all personal data held within our systems.
- Correction and Rectification: Demand immediate correction of inaccurate or outdated information.
- Erasure (“Right to be Forgotten”): Request the complete deletion of your account and personal history, subject to statutory retention limits.
- Consent Withdrawal: Revoke authorization for marketing distributions, tracking, or AI evaluations at any time.
- Restriction of Processing: Limit how your data is handled during active legal disputes or verification periods.
9. Account Deletion and Retention Adjustments
9.1. In strict compliance with Apple App Store Connect and Google Play Developer Console requirements, the App provides a direct, accessible mechanism for account deletion.
9.2. Users can initiate immediate deletion by navigating to: Settings → Account Profile → Delete Account.
9.3. Upon confirming deletion, all non-statutory data points are purged instantly. Data required by tax or AML laws will be isolated in an encrypted archive until the statutory retention period expires.
10. Digital Tracking and Cookies
10.1. We utilize tracking cookies, web beacons, and mobile SDKs to retain authentication states, preserve currency preferences, and analyze traffic patterns.
10.2. Users can manage or entirely block cookie functions through their browser or mobile device operating system settings.
11. Data Security Architecture
11.1. We enforce enterprise-grade administrative, technical, and physical safeguards to defend files against unauthorized breaches, alterations, or destructions.
11.2. Active data pathways are shielded using Secure Socket Layer (SSL) and Transport Layer Security (TLS) cryptographic encryption frameworks.
12. Protection of Minors
Our marketplace services are strictly restricted to individuals who are at least 18 years of age. We do not knowingly collect personal data from children. If we discover that a minor has registered an account, the profile will be terminated immediately.
13. State-Specific Disclosures (CCPA — USA)
For residents of California, USA, the California Consumer Privacy Act (CCPA) grants specific additional privileges:
- The right to know what personal categories are gathered and whether they are disclosed;
- The right to opt-out of data commercialization (Bluelly does not sell user data);
- The right to non-discrimination for exercising your privacy rights.
14. Third-Party Links and Integrations
The Platform may contain links to third-party digital portals or embedded plugins. Bluelly holds zero liability or oversight regarding the standalone tracking habits or data frameworks utilized by external operators. We strongly recommend reviewing their respective privacy terms independently.
15. Policy Modifications and Update Notifications
15.1. We reserve the right to revise this Privacy Policy to reflect changing legal requirements or platform updates.
15.2. If material changes are made, we will notify you at least 30 days in advance via in-app push alerts or registered emails, updating the “Last Updated” marker at the top of the document.
16. Contact Information and Data Protection Officer (DPO)
For any questions regarding your data, privacy rights, or to submit a formal request to our Data Protection Officer, contact us at:
- Corporate Entity: Bluelly LLC (Identification Code: 405751315)
- Email Address: privacy@bluelly.app
- Registered Address: Tbilisi, Georgia