Privacy Policy

Last updated: 17 May 2026 · Effective: 17 May 2026

1. Overview

EBUNEX PRIVATE LIMITED (“RBApp”, “we”, “us”) operates the RBApp mobile application and rbapp.io website (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use the Service.

We comply with the EU General Data Protection Regulation (GDPR), Singapore’s Personal Data Protection Act (PDPA), the California Consumer Privacy Act (CCPA), and applicable Apple App Store and Google Play data-handling policies.

2. Data we collect

2.1 Information you provide

  • Account information: name, email address, phone number, country, date of birth.
  • Identity verification (KYC): government-issued ID, selfie / liveness scan, address proof (hosts only).
  • Profile content: profile photo, bio, language preferences, experiences offered (hosts only).
  • Payment information: processed by our PCI-DSS compliant partners (Stripe, HitPay). We do not store full card details on our servers.
  • Communications: messages exchanged in-app between traveler and host, support tickets, reviews.

2.2 Information collected automatically

  • Device information: device model, operating system, app version, language, time zone, IP address.
  • Usage data: screens visited, features used, search queries, crash logs.
  • Approximate location: derived from IP, used to surface nearby experiences. Precise GPS is requested only when you opt in for navigation to a meeting point.
  • Cookies / similar technologies: on rbapp.io for session management and anonymous analytics.

2.3 Information from third parties

  • Identity-verification providers (e.g. Onfido, Stripe Identity) when completing KYC.
  • Payment processors when confirming a transaction.
  • Social-login providers (Google, Apple) if you choose to sign in through them. Only the basic profile fields you authorize.

3. How we use your data

  • Provide, maintain, and improve the Service.
  • Verify identity and prevent fraud, money-laundering, and abuse.
  • Match travelers with relevant hosts and experiences.
  • Process bookings, payments, payouts, refunds, and chargebacks.
  • Send transactional emails / push notifications (booking confirmations, host messages, safety updates). You can disable non-essential notifications in settings.
  • Respond to support requests and resolve disputes.
  • Comply with legal obligations, court orders, and regulator requests.
  • Conduct anonymized analytics and product research.
We do not sell your personal data. We do not use your data to train third-party AI models. We do not run programmatic ad auctions on your profile.

4. Who we share data with

We share personal data only with the following categories:

  • Hosts and travelers: when you book, your host receives your name, profile photo, and message history for that booking. Hosts never see your email or phone.
  • Service providers: cloud hosting (Google Cloud, Firebase), identity verification, payments, analytics (privacy-preserving), customer support tooling. All providers are bound by written data-processing agreements.
  • Authorities: where required by law, valid legal process, or to protect the safety of users.
  • Acquirers: in connection with a merger, acquisition, or asset sale, subject to confidentiality and continuity of this Policy.

5. Storage, retention & security

Data is stored on Google Cloud and Firebase servers in Asia-Pacific and the United States, encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is restricted to authorized personnel under the principle of least privilege.

Retention:

  • Active account data is retained while your account is open.
  • After account deletion, personal data is removed within 30 days, except for transaction records retained for 5–7 years for tax and anti-money-laundering compliance.
  • KYC documents are retained for 5 years after relationship end, per FATF / MAS guidelines.
  • Anonymized analytics may be retained indefinitely.

6. Your rights

You may, at any time, exercise the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate data via in-app settings or by emailing us.
  • Erasure: request deletion of your account and data. See our Account Deletion page.
  • Portability: request your data in a machine-readable format.
  • Restriction / objection: ask us to stop using your data for a specific purpose.
  • Withdraw consent: withdraw consent for marketing communications at any time.
  • Complaint: lodge a complaint with your local data-protection authority (e.g. PDPC Singapore, ICO UK, your EU member-state DPA).

7. Children

RBApp is rated 17+ and not intended for users under 17. We do not knowingly collect data from anyone under 17. If we learn we have done so, we will delete the account promptly. Parents or guardians who believe a child has registered can email hello@ebunex.com.

8. International data transfers

Where personal data is transferred outside your country of residence, we rely on Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms recognized by the GDPR and PDPA.

9. Contact / Data Protection Officer

For any privacy question, request, or complaint, contact our DPO:

  • Email: hello@ebunex.com
  • Postal: EBUNEX PRIVATE LIMITED, 22 Sin Ming Ln, #06-76 Midview City, Singapore 573969

We respond to verified requests within 30 days.

10. Updates

We may update this Policy from time to time. Material changes will be announced in-app and via email at least 30 days before they take effect.