Privacy Policy

Rafter

Effective Date: 16 March 2026

1. Introduction

Rafter Holdings Ltd ("Rafter", "we", "us", or "our") operates the experiencerafter.com website, the Rafter Marketplace, and the Rafter Kit white-label booking platform (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Services.

We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection legislation.

2. Data Controller

The data controller responsible for your personal data is Rafter Holdings Ltd. If you have any questions about this Privacy Policy or our data practices, you can contact us at hello@experiencerafter.com

3. Personal Data We Collect

3.1 Information You Provide to Us

  • Account information: name, email address, phone number, and password when you create a Rafter account.
  • Booking information: travel dates, guest details, payment information, and special requests when you make a reservation through the Marketplace or a Rafter Kit site.
  • Communication data: messages, enquiries, and feedback you send to us or to partner agencies through the platform.
  • Agency partner information: business name, contact details, bank account details (via Stripe Connect), property portfolio information, and PMS credentials.
  • Waitlist and marketing sign-ups: email address and any preferences you provide.

3.2 Information Collected Automatically

  • Device and browser information: IP address, browser type, operating system, device identifiers, and screen resolution.
  • Usage data: pages visited, search queries, click patterns, session duration, and referring URLs.
  • Location data: approximate geographic location derived from your IP address.
  • Cookies and similar technologies: as described in our Cookie Policy.

3.3 Information from Third Parties

  • Property management system (PMS) data synced from partner agencies (property details, availability, pricing).
  • Payment processing data from Stripe (transaction status, payout information).
  • Analytics providers (aggregated usage statistics).

4. Lawful Basis for Processing

We process your personal data under the following lawful bases:

  • Contract performance: to provide our Services, process bookings, facilitate payments, and manage your account.
  • Legitimate interests: to improve our Services, conduct analytics, prevent fraud, and communicate relevant updates. Our legitimate interests do not override your fundamental rights and freedoms.
  • Consent: where you have opted in to receive marketing communications, join our waitlist, or where we use non-essential cookies.
  • Legal obligation: to comply with applicable laws, regulations, and legal processes.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • Providing and operating the Rafter Marketplace and Rafter Kit services.
  • Processing and managing property bookings and payments.
  • Communicating with you regarding bookings, account matters, and customer support.
  • Sending marketing communications (where you have consented).
  • Personalising your experience and providing tailored property recommendations.
  • Analysing usage patterns to improve the platform and develop new features.
  • Preventing fraud, enforcing our Terms of Service, and ensuring platform security.
  • Complying with legal obligations and resolving disputes.

6. How We Share Your Personal Data

We do not sell your personal data. We may share your data with the following categories of recipients:

  • Agency partners: When you make a booking, we share necessary guest details with the relevant holiday rental agency to fulfil your reservation.
  • Payment processors: Stripe processes payments on behalf of our agency partners via Stripe Connect. Stripe's privacy policy governs their handling of payment data.
  • Hosting and infrastructure providers: Vercel (hosting), Supabase (database), and other service providers who process data on our behalf under data processing agreements.
  • Email service providers: Resend and Google Workspace for transactional and operational communications.
  • Analytics providers: To understand platform usage in aggregate.
  • Legal and regulatory authorities: Where required by law or to protect our legal rights.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

7. International Data Transfers

Your personal data may be transferred to, and processed in, countries outside the UK and the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognised transfer mechanisms.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Specific retention periods include:

  • Account data: retained for the duration of your account and for up to 2 years after account closure.
  • Booking records: retained for up to 7 years for tax, legal, and accounting purposes.
  • Marketing data: retained until you withdraw consent or unsubscribe.
  • Server logs and analytics: retained for up to 12 months.

9. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data in certain circumstances.
  • Right to restriction: Request that we restrict the processing of your data.
  • Right to data portability: Request a machine-readable copy of data you provided to us.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, such as the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us at hello@experiencerafter.com

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Services, analyse traffic, and personalise your experience. Essential cookies are necessary for the platform to function and do not require consent. Non-essential cookies (analytics, marketing) are only placed with your prior consent.

You can manage your cookie preferences at any time via our cookie banner or your browser settings. For more details, please refer to our Cookie Policy.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS/SSL), access controls, regular security reviews, and secure infrastructure provided by reputable cloud providers. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

12. Children's Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that data promptly.

13. Third-Party Links

Our Services may contain links to third-party websites, including those of our agency partners. We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing any personal data.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Effective Date" at the top of this policy indicates when it was last revised.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Email: hello@experiencerafter.com
Website: https://experiencerafter.com