CHAMELEON ACCESS

Privacy Policy

Last updated: March 2026

Applies to the Chameleon Access mobile application and website

1. Who We Are

Chameleon Access is a luxury concierge and lifestyle management service. References to “Chameleon Access”, “we”, “us” or “our” in this Privacy Policy refer to the company operating the Chameleon Access app and website at www.chameleonaccess.com.

We are the data controller of the personal information you provide to us. This means we determine how and why your data is processed. If you have any questions about this policy or your data, please contact us at:

  • Email: hello@chameleonaccess.com
  • Phone: +44 (0)20 8065 0029
  • Website: www.chameleonaccess.com

2. What Personal Data We Collect

When you use the Chameleon Access app or website, we may collect the following categories of personal data:

Account & Identity Information

  • Full name
  • Email address
  • Phone number
  • Password (stored in encrypted form)

Profile & Preference Information

  • Lifestyle preferences (e.g. transport style, dining preferences, travel habits)
  • Service preferences submitted through your profile
  • Any personal details you voluntarily provide to help us personalise your service

Request & Communication Data

  • Details of any requests you submit through the app, including travel, dining, accommodation, transport, or personal shopping requests
  • Messages exchanged between you and your Lifestyle Manager
  • Feedback and ratings you provide
  • Request history and status updates

Usage & Technical Data

  • App usage data, including pages visited and features used
  • Device type, operating system, and app version
  • IP address
  • Session timestamps

Payment Information

We do not store your full payment card details directly. Any payment processing is handled by authorised third-party payment processors in compliance with PCI DSS standards.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

Delivering Our Services

  • To fulfil and manage your service requests
  • To communicate with you about your requests in real time
  • To assign and coordinate your Lifestyle Manager
  • To provide personalised recommendations and a curated events feed

Account Management

  • To create and manage your app account
  • To authenticate your identity when you log in
  • To maintain your preferences and profile settings

Service Improvement

  • To understand how the app is used and improve its features
  • To monitor the quality and performance of our service
  • To address technical issues and bugs

Legal & Safety

  • To comply with applicable laws and regulations
  • To prevent fraud, abuse, or misuse of our services
  • To protect the rights and safety of our clients, staff, and third parties

4. Legal Basis for Processing (UK & EU Users)

We are required under the UK GDPR and EU GDPR to have a lawful basis for processing your personal data. We rely on the following:

  • Contract performance: to fulfil our obligations to you when you use our services
  • Legitimate interests: to improve our app, ensure security, and communicate with you about relevant events and updates
  • Legal obligation: to comply with applicable laws
  • Consent: where you have specifically opted in, for example to marketing communications

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

5. Third-Party Infrastructure & Sub-Processors

To deliver the Chameleon Access app, we use the following trusted third-party infrastructure providers who process data on our behalf. These providers are carefully selected and operate under strict data processing agreements.

Supabase (Database & Authentication)

We use Supabase, Inc. to host and manage our application database and user authentication. Supabase acts as a data processor on our behalf, processing data only in accordance with our instructions.

Key facts about Supabase:

  • Your data is stored in the region we specify and does not leave that region without prior notice
  • All data is encrypted at rest using AES-256 and encrypted in transit via TLS
  • Supabase is SOC 2 Type 2 compliant, audited annually by an independent third party
  • Supabase is GDPR compliant and a Data Processing Addendum (DPA) is in place

For more information, see Supabase's privacy policy at supabase.com/privacy.

Vercel (Application Hosting & Deployment)

We use Vercel, Inc. to host and serve the Chameleon Access application. Vercel acts as a data processor on our behalf.

Key facts about Vercel:

  • Vercel is SOC 2 Type 2 compliant and ISO 27001:2013 certified
  • Vercel is certified under the EU-US Data Privacy Framework, providing a valid transfer mechanism for personal data from the EU, UK, and Switzerland
  • Vercel supports GDPR compliance and a Data Processing Addendum is in place
  • Infrastructure is hosted on AWS, Microsoft Azure, and Google Cloud Platform, with data encrypted in transit and at rest

For more information, see Vercel's privacy policy at vercel.com/legal/privacy-policy.

Other Third Parties

We may also use third-party services for payment processing, analytics, and communication tools. We will update this policy if we introduce new sub-processors that materially affect how your data is handled. We do not sell your personal data to any third party, ever.

6. International Data Transfers

Our infrastructure providers (Supabase and Vercel) are US-based companies. Where data is transferred outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO
  • Transfers to providers certified under the EU-US Data Privacy Framework (such as Vercel)
  • Data Processing Addenda with all sub-processors

We take all reasonable steps to ensure your data is protected to the same standard regardless of where it is processed.

7. Data Retention

We retain your personal data for as long as necessary to deliver our services and meet our legal obligations. Specifically:

  • Account data: retained for the duration of your account, plus up to 2 years after account closure
  • Request and communication history: retained for the duration of your account
  • Usage and analytics data: typically retained for up to 2 years
  • Payment records: retained for up to 7 years as required by financial regulations

When we no longer have a legitimate need to retain your data, we will securely delete or anonymise it.

8. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right of access: to request a copy of the personal data we hold about you
  • Right to rectification: to request correction of inaccurate or incomplete data
  • Right to erasure: to request deletion of your personal data in certain circumstances
  • Right to restriction: to request that we limit how we use your data
  • Right to data portability: to receive your data in a commonly used, machine-readable format
  • Right to object: to object to processing based on legitimate interests
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at hello@chameleonaccess.com. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local data protection authority within the EU.

9. Cookies & Tracking

Our website and app may use cookies and similar tracking technologies to improve your experience and understand how our services are used. You can manage cookie preferences through your browser settings or via any cookie consent tool displayed on our website.

We do not use tracking technologies that follow you across unrelated third-party websites for advertising purposes.

10. Data Security

We take the security of your personal data seriously. Our security measures include:

  • Encryption of data at rest (AES-256) and in transit (TLS), provided through our infrastructure partners
  • Secure authentication and access controls within the app
  • Access to personal data is restricted to authorised team members on a need-to-know basis
  • Regular security reviews by our infrastructure providers

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. If you believe your data has been compromised, please contact us immediately at hello@chameleonaccess.com.

11. Children's Privacy

The Chameleon Access app is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately and we will take steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. When we make material changes, we will notify you via the app or by email. The date at the top of this document indicates when it was last revised.

We encourage you to review this policy periodically. Continued use of the Chameleon Access app after updates constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

  • Email: hello@chameleonaccess.com
  • Phone: +44 (0)20 8065 0029
  • Website: www.chameleonaccess.com