BookingByOffer

Privacy Policy

Last updated: June 2026

BookingByOffer is committed to protecting your personal data. This Privacy Policy informs you pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR) about how we collect, process and protect your personal data when you use our platform (bookingbyoffer.com), and about your rights in relation to that data.

1. Data Controller

BookingByOffer GmbH Weyertal 4 50937 Cologne, Germany Represented by: William Fischer (Managing Director) Email: info@bookingbyoffer.com Phone: +49 170 4070175 Website: www.bookingbyoffer.com

2. Categories of Personal Data Processed

We process the following categories of personal data: 2.1 Registration and Account Data Full name, email address, password (stored exclusively in hashed form, never in plaintext), platform role (guest or host), registration date. 2.2 Profile Data Profile photo, phone number, address, personal bio, preferred display language and currency. 2.3 Host Verification Data (KYC — Know Your Customer) For hosts wishing to receive payouts, we process: full legal name, date of birth, nationality, business type (individual or company), tax identification number (optional), company name and registration number (companies only). Full IBAN is transmitted exclusively to Stripe and processed there — we store only the last 4 digits for display purposes. 2.4 Booking and Negotiation Data Accommodation requested, travel dates, guest count, price offers and counter-offers submitted, negotiation history, booking status, cancellation details (timestamp, actor, reason, refund amount), cancellation policy applicable at the time of booking. 2.5 Payment Data Stripe Customer ID (guests), Stripe Connect Account ID (hosts), payment intent reference, payment status, payout status, platform fee (12%) and host payout amount (88%). Full payment instrument details (card numbers, full IBAN) are processed exclusively by Stripe and are never stored on our servers. 2.6 Communication Data Messages exchanged between users through the platform's messaging system, and system-generated notifications (booking confirmations, offer reminders, cancellation notices). 2.7 Review and Feedback Data Accommodation and host reviews by guests (star rating, comments), guest reviews by hosts, negotiation scores (response speed, fairness). 2.8 Technical Usage Data IP address (in Vercel and Supabase server logs), browser type and version, operating system, session token for authentication, timestamps and nature of platform activity.

3. Purposes of Processing

We process your personal data for the following purposes: - Providing, operating and improving the platform and its features - Registering, authenticating and managing user accounts - Facilitating and processing bookings between guests and hosts - Processing payments, refunds and payouts via Stripe - Verifying host identity (KYC) as required by Stripe and anti-money-laundering regulations - Sending transactional emails (booking confirmations, offer notifications, cancellations, reminders) via Resend - Enabling communication between guests and hosts - Displaying and managing user reviews and profiles - Fraud prevention, platform security and abuse protection - Fulfilling legal obligations (in particular tax record-keeping and anti-money-laundering requirements) - Establishing, exercising or defending legal claims

4. Legal Bases for Processing

Processing of your personal data is based on the following legal grounds: Art. 6(1)(b) GDPR — Contract Performance Processing necessary for the initiation or performance of a usage contract with you: registration, account management, booking processing, payment processing, booking-related communications, cancellation handling. Art. 6(1)(a) GDPR — Consent Processing based on your explicit consent: optional email notifications (adjustable in profile settings), processing and public display of a profile photo. You may withdraw consent at any time with effect for the future, without affecting the lawfulness of prior processing. Art. 6(1)(c) GDPR — Legal Obligation Processing required to comply with legal requirements: tax record-keeping obligations (10-year retention), identity verification requirements under anti-money-laundering legislation, and other statutory reporting obligations. Art. 6(1)(f) GDPR — Legitimate Interests Processing based on our overriding legitimate interests: fraud prevention and platform security, system logging for error-fixing and stability, establishing and defending legal claims. We have carefully assessed that your interests, fundamental rights and freedoms do not override these interests.

5. Third-Party Service Providers and Data Processing Agreements

We use the following carefully selected third-party service providers. Data processing agreements (DPAs) pursuant to Art. 28 GDPR are in place with all providers: Supabase Inc. (San Francisco, CA, USA) Function: Database service, user authentication, file storage (profile photos, accommodation images) Data processed: All user data listed in Section 2 (except full payment instrument details) Storage location: EU region (Frankfurt, Germany) — data does not leave the EU in normal operation Legal basis for international transfer: EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR Privacy policy: supabase.com/privacy Stripe, Inc. (San Francisco, CA, USA) / Stripe Payments Europe Limited (Dublin, Ireland) Function: Payment processing for guests, Stripe Connect Custom for host payouts, identity verification (KYC) Data processed: Card data, IBAN, KYC documents, transaction data, Stripe customer profile Security certification: PCI-DSS Level 1 (highest level for payment service providers) Legal basis: Stripe Payments Europe Ltd. is EU-based; SCCs apply for US transfers Privacy policy: stripe.com/privacy Resend Inc. (San Francisco, CA, USA) Function: Transactional email delivery Data processed: Recipient email addresses, notification content Legal basis for international transfer: EU Standard Contractual Clauses (SCCs) Privacy policy: resend.com/legal/privacy-policy Vercel Inc. (San Francisco, CA, USA) Function: Web application hosting, Content Delivery Network (CDN), serverless functions Data processed: Server logs, IP addresses, request metadata Legal basis for international transfer: EU Standard Contractual Clauses (SCCs) Privacy policy: vercel.com/legal/privacy-policy Your personal data is never shared with third parties for advertising, marketing or their own purposes.

6. International Data Transfers

All third-party providers listed in Section 5 are headquartered in the USA. Since the USA does not ensure a level of data protection equivalent to the EU, we rely on appropriate safeguards under Art. 46 GDPR — specifically EU Standard Contractual Clauses pursuant to European Commission Implementing Decision (EU) 2021/914. Stripe Payments Europe Limited, as Stripe's Irish subsidiary, is responsible for European data processing; the EU GDPR applies directly. Upon request, we will provide you with copies of the applicable Standard Contractual Clauses. Please contact info@bookingbyoffer.com.

7. Retention Periods and Deletion

We store personal data only as long as necessary for the respective processing purpose or as required by law: Account data (name, email, profile): Until full deletion of the user account on explicit request Booking and payment data: 10 years from the end of the relevant financial year (statutory tax retention obligation); booking overview (excluding full payment data) until account closure KYC data (host verification): For the duration of the active business relationship and thereafter at least 5 years under anti-money-laundering legislation; Stripe may apply longer retention periods Communication data (messages): Until deletion of the respective user account Review data: Until deletion of the reviewing or reviewed user account Technical server logs (IP addresses, request logs): Automatically after 30 days After statutory or contractual retention periods expire, data is routinely and securely deleted. Deletion may exceptionally be deferred where data is still needed to establish, exercise or defend legal claims.

8. Cookies and Tracking

We use only technically necessary cookies without which the platform cannot function: Authentication Cookie (Supabase Auth Session): This cookie stores your encrypted session token and allows the platform to recognise you as logged in across pages. It is automatically deleted when you log out or when the session expires. Without this cookie, logging in is not possible. We do not use: - Tracking cookies or web beacons - Analytics tools (no Google Analytics, no Matomo or similar products) - Marketing or retargeting cookies - Social media plugins with tracking functionality - Behavioural profiling or personalised advertising Consent to cookies is therefore not required for the cookies we use, as they fall under the technical necessity exemption.

9. Your Rights

You have the following rights with respect to your personal data: Right of Access (Art. 15 GDPR): You may request confirmation of whether we process personal data about you and, if so, access to that data. This includes information about processing purposes, data categories, recipients, planned retention periods and the origin of the data. Right to Rectification (Art. 16 GDPR): You may request immediate correction of inaccurate or completion of incomplete personal data. Right to Erasure — "Right to be Forgotten" (Art. 17 GDPR): You may request deletion of your personal data where there is no legal retention obligation. For accounts with outstanding bookings or ongoing disputes, deletion may be deferred until final resolution. Right to Restriction of Processing (Art. 18 GDPR): You may request restriction of processing where you contest accuracy, processing is unlawful, or you require the data to establish legal claims. Right to Data Portability (Art. 20 GDPR): You have the right to receive data you have provided to us in a structured, commonly used, machine-readable format (e.g. JSON or CSV) and to transmit it to another controller. Right to Object (Art. 21 GDPR): You may object to processing of your personal data where we rely on legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. Right to Withdraw Consent: Consents (e.g. for email notifications) may be withdrawn at any time with effect for the future — via platform settings or by email to info@bookingbyoffer.com. Withdrawal does not affect the lawfulness of prior processing. Contact us for all data protection requests: info@bookingbyoffer.com. We typically respond within 30 days.

10. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data infringes the GDPR, you have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority — in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The supervisory authority responsible for BookingByOffer is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) Kavalleriestraße 2-4, 40213 Düsseldorf, Germany Phone: +49 211 38424-0 Email: poststelle@ldi.nrw.de Website: www.ldi.nrw.de This right does not affect your right to contact us first and resolve matters directly without supervisory involvement.

11. Data Security

We implement technical and organisational security measures to protect your personal data against loss, destruction, manipulation and unauthorised access: - All data transmitted via HTTPS/TLS encryption - Password hashing using modern cryptographic methods (no plaintext passwords) - Row Level Security (RLS) in the database — each user can only access their own data - Authentication-based access controls on all API endpoints - No storage of full payment data on our servers (exclusively Stripe) - Regular review and updating of our security measures Despite all precautions, absolute security of data transmission over the internet cannot be guaranteed.

12. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in the legal framework or our services. The current version is always available at bookingbyoffer.com/datenschutz. The date of the most recent update is shown at the top of this policy. For material changes that significantly affect your rights or the nature of processing, we will notify registered users by email at least 30 days before the changes take effect. We recommend reading this Privacy Policy regularly.