Privacy Policy

Last updated: June 2026

1. Who we are

MR ELEPHANT operates the smart beach-box rental platform available at mr-elephant.company. References to "we", "us" and "our" mean MR ELEPHANT. The venue (hotel, lido or beach club) where you rent the box is the data controller for the rental contract; we act as the technology processor on their behalf.

2. What data we collect

• Account: email, optional name, optional phone number.
• Rentals: which box you rented, when, how much you paid and the payment method. Your 4-digit PIN is stored hashed — even our staff cannot read it.
• Payments: processed by Stripe; we never see or store your card number.
• Technical: language preference, browser type, basic logs needed to keep the service running and to investigate fraud.

3. Why we use your data

• To open the lock and run the rental you paid for (contract).
• To send you the receipt and operational emails (contract + legitimate interest).
• To meet VAT and accounting obligations of the venue (legal obligation).
• To prevent fraud and abuse of the service (legitimate interest).

4. Who we share data with

The venue you rented from receives the rental record (without your PIN). Stripe processes the payment. The lock manufacturer (TTLock) receives the device-id, the temporary passcode and its validity window. We never sell your data to advertisers.

5. How long we keep it

Account data: until you delete your account. Rental + payment records: for the period required by the venue's local tax law (usually 7–10 years in the EU), in anonymised form after you delete your account.

6. Your rights

You can access, correct, export or delete your account at any time from the in-app Settings screen. You can unsubscribe from any operational email via the link in its footer. You may also lodge a complaint with your national data-protection authority.

7. Contact

Email privacy@mr-elephant.company for any privacy-related request.