KAMPSTA AB ("KAMPSTA", "we", "our", "us") is the data controller for personal data processed through the KAMPSTA platform. We are registered in Sweden (registration number 559312-4871) at Djurgårdsvägen 12, 115 21 Stockholm.
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use KAMPSTA as a guest, host, or visitor. It applies to our website, mobile applications, and all related services.
| Category | What we collect | Why |
|---|---|---|
| Account data | Name, email, phone number, profile photo, password hash | Account creation and authentication |
| Identity verification | Government ID type and verification result (not the ID itself), biometric confirmation result | Trust and safety — verifying all users are who they say they are |
| Booking data | Booking history, dates, pitch, guest count, special requests, booking communications | Facilitating and managing bookings |
| Payment data | Last 4 digits of card, billing address, transaction history. Full card data processed by Stripe — not stored by KAMPSTA | Processing payments and payouts |
| Location data | Approximate location (city level) for search — only if you grant permission. Precise location only used for map features and never stored | Showing nearby campsites in search results |
| Usage data | Pages visited, search queries, features used, device type, browser, IP address | Platform improvement, fraud detection, performance monitoring |
| Communications | Messages sent through KAMPSTA's messaging system between guests and hosts | Facilitating stays, resolving disputes, safety |
| Reviews | Review text, star ratings, category scores | Platform integrity and helping users make informed decisions |
We use your data to operate the KAMPSTA platform — processing bookings, facilitating payments, verifying identities, enabling host-guest communication, and providing customer support.
We analyse usage patterns, account behaviour, and booking data to detect fraud, prevent abuse, and protect our community. This is in our legitimate interest and is essential for a trusted marketplace.
We use anonymised and aggregated data to understand how people use the platform, what's working, and what to build next. We never use individually identifiable data for product analytics without your consent.
We send transactional emails (booking confirmations, receipts, security alerts) which you cannot opt out of as they are essential to the service. We send marketing communications only with your explicit consent, which you can withdraw at any time.
When you make a booking, your name, profile photo, and verified status are shared with the host. Your full contact details and ID are never shared. When a guest books your listing, you receive their name, verified status, and the booking details — nothing more.
We work with trusted third-party providers who process data on our behalf under strict data processing agreements:
We may disclose data to law enforcement or regulators where required by Swedish or EU law, or where necessary to protect the safety of our users.
We use cookies and similar technologies to operate the platform, remember your preferences, and analyse usage. We categorise cookies as:
We do not use advertising or tracking cookies. You can manage your cookie preferences at any time from your account settings or the cookie banner when you first visit.
We keep your data for as long as your account is active and for a period afterwards as required by law or legitimate business need. Specific retention periods:
Under GDPR you have the following rights. You can exercise any of these by emailing [email protected] — we respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se if you believe we have processed your data unlawfully.
Your data is primarily stored and processed in the EU (AWS Stockholm). Where we transfer data outside the EU — for example, to Stripe or Sendgrid — we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses. A list of sub-processors and their locations is available on request.
KAMPSTA is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If we become aware that a child has created an account, we will delete it and all associated data immediately. If you believe a child has provided us with personal data, please contact [email protected].
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and display a notice on the platform at least 14 days before the changes take effect. Your continued use of KAMPSTA after that date constitutes acceptance of the updated policy.
Previous versions of this policy are available on request by emailing [email protected].
For any privacy-related questions, data requests, or concerns:
We aim to respond to all privacy requests within 5 business days and to resolve them within 30 days as required by GDPR.