Privacy Policy

Last updated: May 22, 2026

This Privacy Policy explains how Samba collects, uses, and protects personal data. It applies to our website, our product, and everyone we interact with — operators using Samba, travelers booking through operators, and visitors to sambahq.com.

We are committed to GDPR and to handling your data with care. This page is written in plain English so you can actually read it.

1. Who's responsible

Samba SASU is responsible for this policy.

  • Legal name: Samba SASU
  • SIREN: 102317393
  • Registered office: 58 rue de Monceau, 75008 Paris, France
  • Privacy contact: privacy@sambahq.com

2. Two roles: controller and processor

Samba acts in two different roles depending on whose data we're talking about. This matters because it determines who decides how the data is used.

For operator data (your account, billing, usage of Samba), Samba is the data controller. We decide what we collect, why, and how long to keep it.

For traveler data (the personal data of travelers who book trips through Samba booking pages), the operator is the data controller and Samba is the data processor. The operator decides what to collect on their booking forms, why, and for how long. Samba processes that data on the operator's behalf to deliver the Service.

If you're a traveler and want to know how your data is used, contact the operator you booked with — they're the controller.

A Data Processing Agreement (DPA) governing our role as processor is available on request at privacy@sambahq.com.

3. What data we collect and why

From operators

When you sign up and use Samba, we process:

  • Account info: name, email, password (hashed), company name, role.
  • Billing info: payment details handled via Stripe, billing address, VAT number, invoices.
  • Usage data: how you use Samba — pages visited, features used, IP address, browser info, timestamps. Used for security, support, and product improvement.
  • Communications: chats, emails, and other messages you send us via Intercom or other channels for support, sales, or product questions.

Legal basis: performance of our contract with you (the Terms of Service), our legitimate interest in operating and improving Samba, and legal obligations (e.g., keeping accounting records).

From travelers (as processor on behalf of operators)

When travelers book through a Samba-powered booking page, the operator collects whatever they configure on their form. Typically this includes:

  • Name, email, phone number
  • Booking details (trip, dates, number of travelers, etc.)
  • Payment information (handled by Stripe — Samba never sees raw card numbers)
  • Anything else the operator chooses to collect (passport details, dietary requirements, emergency contacts, etc.)

We process this data only on the operator's instructions as their processor. We don't use traveler data for our own purposes.

Legal basis: the operator determines the legal basis. Typically performance of their contract with the traveler.

From website visitors

When you visit sambahq.com:

  • We use a small number of essential cookies that don't require consent.
  • With your consent (via our cookie banner), we use analytics tools to understand how the site is used. See section 6.
  • We may collect your email if you submit a contact form, book a call, or sign up to a research interview.

Legal basis: your consent (analytics, marketing) and legitimate interest (essential site operation, fraud prevention).

4. Who we share data with

We use a small number of trusted vendors to run Samba. Each one is bound by data protection terms. These are our subprocessors as of the date above:

| Vendor | What they do | Location |
|---|---|---|
| Laravel Cloud | Application and database hosting | EU |
| Vercel | Marketing website hosting | EU edge |
| Stripe | Payment processing (operator subscriptions and traveler payments) | Ireland and US |
| Intercom | Customer support chat, helpdesk, and email | US, transferred under the EU-US Data Privacy Framework |
| PostHog | Product and marketing analytics, including session replay (with consent) | EU |
| Google Analytics | Marketing analytics (with consent) | US, transferred under the EU-US Data Privacy Framework |
| Email delivery provider | Transactional email (account notifications, booking confirmations) | To be confirmed |

We'll update this list when it changes. If a change materially affects how your data is processed, we'll notify operators in advance.

We don't sell your personal data. We don't share it with advertisers or data brokers.

We may disclose data when legally required (e.g., to comply with a court order, a tax authority request, or a regulator).

5. International data transfers

Samba is based in France and we prefer EU hosting wherever possible. Some of our subprocessors are based in the US (notably Stripe and Google Analytics). When data is transferred outside the European Economic Area, we rely on:

  • The EU-US Data Privacy Framework for vendors certified under it, or
  • Standard Contractual Clauses with appropriate supplementary measures.

6. Cookies and analytics

We use cookies and similar technologies on our website. They fall into two categories:

Strictly necessary cookies (always on): These keep the site working — login, security, basic functionality. No consent required.

Analytics cookies (consent required): With your consent, we use PostHog (including session replay, which records anonymized interactions to help us understand UX issues) and Google Analytics 4 to measure how visitors use the site and improve our product and marketing.

You can accept, reject, or customize cookies via our cookie banner, and change your choices at any time from the same banner or by clearing your browser cookies.

7. How long we keep data

| Data | Retention |
|---|---|
| Operator account data | While your account is active, then up to 90 days after closure |
| Traveler data (as processor) | While operator's account is active; deleted within 90 days of operator account closure |
| Accounting records (invoices, payment records) | 10 years (required by French law, Code de Commerce Art. L123-22) |
| Marketing communications | Until you unsubscribe or 3 years of inactivity |
| Website analytics | Up to 14 months |
| Support communications (Intercom chats and emails) | Up to 3 years after last contact |

After these periods, data is either deleted or anonymized.

8. Your rights

You have rights over your personal data under GDPR:

  • Access: get a copy of the data we hold about you.
  • Rectification: correct data that's wrong.
  • Erasure: ask us to delete your data (with some legal exceptions, like accounting records).
  • Restriction: limit how we process your data.
  • Portability: receive your data in a portable format.
  • Objection: object to certain types of processing, including marketing and processing based on legitimate interest.
  • Withdraw consent: for anything based on consent, you can withdraw it at any time.
  • Lodge a complaint: with a supervisory authority. In France, that's the CNIL.

To exercise any of these rights, email privacy@sambahq.com. We'll respond within 30 days.

If you're a traveler: for data the operator collected through Samba, contact the operator directly — they're the controller. We'll help them respond if needed.

9. Security

We take security seriously. A summary of what we do is on our Security page.

In the event of a data breach affecting personal data, we will notify the relevant supervisory authority and, where required, affected individuals — in line with GDPR Article 33.

10. Children

Samba is not intended for children under 18. We don't knowingly collect data from minors. If an operator collects traveler data that includes minors (e.g., family bookings), they're responsible for the appropriate consents under applicable law.

11. Marketing communications

If you've signed up for marketing emails or are an operator who has consented to receive product updates and tips, we'll send you occasional emails. Every email includes an unsubscribe link, and you can opt out at any time.

12. Changes to this policy

We may update this policy from time to time. We'll post the new version with an updated "Last updated" date. For material changes, we'll notify operators directly by email or in-product.

13. Contact

Questions, requests, or concerns?