Last updated: May 29, 2026

Privacy Policy

Cerca ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information when you use the Cerca mobile application ("App").

1. Information We Collect

Account information. When you register, we collect your name, email address, and the role you select (customer, provider, or both).

Profile information. Providers may optionally provide a business name, bio, city and state, phone number, service listings, portfolio photos, and before/after transformation images.

Payment information. All payment data (card numbers, bank account details) is collected and stored directly by Stripe. Cerca does not store full payment card information on our servers. We store Stripe payment intent IDs and payout account identifiers to manage bookings and payouts.

Booking and messaging data. We store booking requests, booking status, scheduled dates, service names, amounts paid, and messages exchanged between Customers and Providers through the App. Message monitoring: Cerca monitors in-app conversations to detect fraud, harassment, and policy violations. By using the messaging feature, you acknowledge that messages may be reviewed by our team or automated systems. Messages are not end-to-end encrypted and should not be treated as private communications outside the scope of coordinating services.

Location data. We use the city and state you provide in your profile to match you with nearby services. We do not collect your precise GPS location in the background.

Device and usage data. We collect push notification device tokens to send you booking and message alerts. We may collect basic usage analytics (feature interactions, error logs) to improve the App.

User-submitted feedback. If you submit feedback through the App, we store the message and its category (suggestion, bug report, or other).

2. How We Use Your Information

• To create and manage your account
• To facilitate bookings between Customers and Providers
• To process deposits, final payments, and tips through Stripe
• To issue automatic refunds when a Provider cancels a paid booking
• To send push notifications for new bookings, booking status changes, and messages
• To display Provider profiles and reviews to Customers searching for services
• To generate referral tracking and promo code attribution
• To generate your annual "Cerca Wrapped" recap, a summary of your booking activity for the calendar year shown only to you inside the App
• To respond to support inquiries and investigate disputes
• To improve and maintain the App

3. Information Sharing

We do not sell your personal information. We share information only in the following circumstances:

We may also disclose information if required by law, to enforce our Terms of Service, or to protect the rights, property, or safety of Cerca, our users, or the public.

Publicly accessible Provider content. Provider profile information — including business name, bio, city, services, reviews, and portfolio photos. Is publicly accessible and not protected by the App's private data handling. Specifically:

• Provider profiles are visible to all App users and may be indexed by search engines via public profile URLs (app-cerca.com/p/[slug]).
• Portfolio photos uploaded by Providers are displayed on their public profile page, accessible to anyone on the internet without a Cerca account.
• When discovery sharing is enabled, portfolio photos may appear to all Cerca customers in the in-app discovery feed.
• A provider's profile photo may appear as a thumbnail image when a customer saves that provider to a personal collection and shares the collection link with others. The collection share page is publicly accessible via a URL (app-cerca.com/collection/[slug]).
• Providers can opt out of the in-app discovery feed and remove photos at any time from Portfolio settings in the App. Removing a photo from the App removes it from public display.

4. Data Retention

We retain your account information and booking history for as long as your account is active. If you delete your account through the App, we delete your profile, bookings, and messages within 30 days, except where retention is required by law or for dispute resolution. Specific retention periods by data category:

• Account and profile information. Retained for the life of the account; deleted within 30 days of account deletion.
• Booking records and transaction amounts. Retained for 3 years after the booking date for legal, tax, and dispute purposes, even after account deletion.
• Message content. Retained for the life of the account; deleted within 30 days of account deletion, except where a message is under active review for a safety or fraud investigation, in which case it may be retained for up to 3 years.
• Safety and dispute records. Retained for up to 3 years to support potential legal proceedings.
• Stripe payment identifiers. Stripe payment intent IDs and payout account identifiers are retained for up to 7 years as required for financial record-keeping and tax compliance.
• Anonymized analytics data. Aggregated, non-identifiable usage data may be retained indefinitely as it cannot be linked back to an individual.
• Push notification tokens. Deleted within 30 days of account deletion or when a device is deregistered.

5. Your Rights

You may access, correct, or delete your personal information at any time through the App's profile settings. To delete your account and all associated data, use the "Delete My Account" option in the Profile screen. For additional requests or questions, contact us at legal@app-cerca.com.

California residents (CCPA/CPRA). Under the California Consumer Privacy Act, California residents have the following rights:

• Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared.
• Right to delete. You may request deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction or comply with a legal obligation).
• Right to correct. You may request correction of inaccurate personal information we hold about you.
• Right to opt out of sale or sharing. Cerca does not sell or share your personal information for cross-context behavioral advertising as defined under CCPA. We do not sell personal data to third parties for monetary or other valuable consideration.
• Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

Categories of personal information collected include: identifiers (name, email, phone), commercial information (booking history, payment amounts), professional information (provider bio, services, portfolio), internet/network activity (usage analytics, push tokens), and message content (text messages exchanged between customers and providers through the in-app chat, which may be reviewed by Cerca as described in Section 1). We do not collect sensitive personal information beyond what is described in Section 1. To submit a verifiable consumer request, email legal@app-cerca.com with the subject line "California Privacy Request."

European Economic Area & UK residents (GDPR/UK GDPR). If you are located in the EEA or UK, you have the following rights under applicable data protection law:

• Right of access. You may request a copy of the personal data we hold about you.
• Right to rectification. You may request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"). You may request deletion of your personal data where there is no compelling reason for its continued processing.
• Right to restrict processing. You may request that we limit how we use your data in certain circumstances.
• Right to data portability. You may request your personal data in a structured, machine-readable format.
• Right to object. You may object to processing based on our legitimate interests.
• Right to lodge a complaint. You have the right to lodge a complaint with your local data protection authority.

Our legal bases for processing personal data are: (a) contract performance. To create your account, process bookings, and facilitate payments; (b) legitimate interests. Specifically, improving platform safety, preventing fraud, detecting and investigating policy violations, and sending service-related notifications that users would reasonably expect; and (c) consent. Where you have explicitly provided it, such as agreeing to identity verification. To exercise any of these rights, contact legal@app-cerca.com.

International data transfers. Cerca's infrastructure is hosted in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your personal data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission with our data processors (including Supabase and Stripe) as the lawful transfer mechanism for these transfers. By using the App, you acknowledge that your data will be processed in the United States in accordance with this Privacy Policy.

6. Push Notifications

We send push notifications for booking requests, booking status updates, new messages, and payment requests. You can disable push notifications at any time in your device's system settings. Disabling notifications does not affect your ability to use the App, but you may miss time-sensitive alerts.

7. Children's Privacy

Cerca is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from a minor, we will delete it promptly.

8. Security

We use industry-standard security measures including encrypted connections (HTTPS/TLS), row-level security policies on our database, and Stripe's PCI-compliant infrastructure for payment data. No method of transmission or storage is 100% secure; use the App at your own risk.

9. Identity Verification (Cerca Verified)

Providers may optionally participate in the Cerca Verified program, which confirms their real identity through a government ID check. This section explains how identity data is handled.

What we collect. When a provider initiates identity verification, Stripe Identity (a service operated by Stripe, Inc.) collects a photo of a government-issued ID document and a selfie photograph directly from the provider. Cerca does not receive, view, or store the ID document or selfie.

Who processes it. Identity documents and biometric data (facial geometry derived from the selfie) are processed solely by Stripe Identity. Stripe's privacy policy at stripe.com/privacy governs how this data is collected, retained, and deleted. Cerca receives only the verification result (approved or not approved).

What Cerca stores. Cerca stores a record of the verification outcome (verified or not), the Stripe verification session ID for audit purposes, and the date the verification was completed. We do not store any biometric data.

Purpose. Identity verification data is used only to confirm that a provider is a real person. It is not used for credit checks, background checks, advertising, or any other purpose.

Biometric data. Facial recognition and biometric comparison is performed exclusively by Stripe. Cerca does not use, access, or retain biometric identifiers or biometric information. Providers in states with biometric privacy laws (such as Illinois, Texas, and Washington) should review Stripe's biometric data practices at stripe.com/privacy.

Consent. Identity verification is entirely optional. Providers must explicitly consent to the collection and processing of their identity data by agreeing to the Cerca Verified terms before initiating the process.

Deletion. To request deletion of your Cerca Verified record, contact legal@app-cerca.com. For deletion of identity documents processed by Stripe, contact Stripe directly per their privacy policy.

10. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users as required by applicable law. Under GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach where feasible, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Under applicable US state laws, we will provide notice within the timeframes required by the laws of each affected user's state. Breach notifications will be sent to the email address associated with your account.

11. Cookies and Website Tracking

This section applies to the Cerca website at app-cerca.com in addition to the App.

Essential cookies. We use cookies that are strictly necessary for the website to function. For example, remembering your language preference (English or Spanish) and your cookie consent choice. These cookies do not require your consent as they are required for the site to operate.

Analytics cookies. We may use analytics tools on the website to understand how visitors navigate and use the site. These tools may set cookies or use similar tracking technologies. We ask for your consent before loading non-essential cookies, via the cookie banner displayed on your first visit.

Managing cookies. You can withdraw cookie consent at any time by clearing your browser cookies and revisiting the site, at which point the consent banner will reappear. You can also disable cookies in your browser settings, though this may affect website functionality.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the App or email. Continued use of the App after changes are posted constitutes your acceptance of the updated policy.

Contact

Privacy or legal questions? legal@app-cerca.com.

General support? support@app-cerca.com.

Billing questions? billing@app-cerca.com.