Privacy policy

Last updated: 15/06/2026

Homeforswap, published by Echangersamaison SAS, places paramount importance on the protection of your personal data. This policy explains what data we collect, why, and how you can exercise your rights.

1. Data controller

Echangersamaison SAS, 4 rue Michel-Ange, 75016 Paris (France). SIREN 534 910 617. For any data-related question: support@echangersamaison.com.

2. Data collected

  • Registration data: last name, first name, email, password (encrypted), date of birth, gender, spoken language.
  • Profile data: photo, biography, phone (if verified), address.
  • Listing data: photos, description, location, amenities.
  • Usage data: connection IP address, login log (kept for up to 12 months).
  • Communications: messages exchanged between members (encrypted at rest).
  • Payment data: no banking data is stored. Payment is handled by our PCI-DSS-certified provider.

3. Processing purposes

  • Provide the home exchange service;
  • Enable members to connect;
  • Secure the platform (anti-fraud);
  • Improve the service (anonymised usage statistics);
  • Inform you (newsletter, notifications — opt-in).

4. Legal basis

  • Contract performance: data needed for the service;
  • Consent: newsletter, non-essential cookies, audience measurement (Google Analytics);
  • Legitimate interest: security, anti-fraud;
  • Legal obligation: retention of certain data for invoicing.

5. Recipients

Your data is never sold. It may be shared with:

  • Our technical sub-processors (hosting, email, SMS, payment, audience measurement) bound by GDPR contractual clauses;
  • Other members only at your initiative (messaging, public profile);
  • Competent authorities upon judicial request.

6. Sub-processors

  • Hosting: Amazon Web Services (Ireland region, EU) — covered by the AWS DPA and the EU Commission Standard Contractual Clauses.
  • Photo storage: Amazon S3 (Ireland, EU).
  • Transactional email: Brevo (Sendinblue SAS, France).
  • Verification SMS: Twilio Inc. (Ireland, EU).
  • Payment: Stripe Inc. — PCI-DSS Level 1 certified. No banking data passes through our servers.
  • Audience measurement: Google Analytics 4 (Google LLC, USA). Involves a data transfer outside the EU, framed by the Standard Contractual Clauses and the Data Privacy Framework. Subject to your prior consent via our cookie banner.

7. Retention period

  • Active account: duration of service use;
  • Deleted account: immediate anonymisation (exchanges are kept in anonymised history);
  • Login logs: 12 months;
  • Accounting data: 10 years (legal obligation);
  • Analytics cookies: 13 months maximum (CNIL recommendation).

8. Your rights

Under GDPR, you have the following rights:

We commit to responding to any request to exercise your rights within a maximum of one month, pursuant to Article 12 of the GDPR.

9. Security

We implement technical and organisational measures to protect your data: TLS encryption, Argon2id-hashed passwords, at-rest encryption of sensitive data, regular access audits, least-privilege principle for our staff.

10. Changes

This policy may evolve. You will be notified of any substantial change by email.