Last updated: June 9, 2021
At BnB Holiday, we are committed to protecting and respecting your privacy. Please read this policy in order to familiarise yourself with why we collect personal data, the type of personal data we collect, and how we use this personal data.
2. Contact Information
3. What data we collect and for what purpose
We only process personal data to the extent necessary for providing a functional website, content and services. Appropriate security standards and procedures for collection, use and retention of your personal data are maintained, in order to prevent unauthorised access or disclosure.
Your personal data is available and accessible only by those who need the data to accomplish the intended processing purpose.
In the BnB Holiday system there are three groups of personal data:
“Visitor” refers to all visitors of the Website, including those acting as an Accommodation Provider or a Booker.
“Accommodation Provider” refers to the user of the logged in portion of the Website. This is the Accommodation Business that uses the Website in order to manage their property rental business. The Accommodation Provider may be a natural person using their personal data as business data.
“Booker” or “Guest” refers to the Accommodation Provider’s customers and potential customers.
When the website is visited, we collect data on access to our pages and save them as 'server log files'.
The data logged in these cases may be:
- IP address
- Date and time of access
- Browser type and version
- Operating system
- Application version
- Language settings
- Time zone settings
- Pages visited
- The website from which the user's system reached our website
- Websites accessed by the user's system via our website
This data is collected for statistical purposes and is used to improve the user experience on our website. We also use it to check server performance and guard our system against unlawful use. The legal basis for the collection of this data is Article 6(1)(f) of the GDPR.
Cookies are small pieces of data stored on the user's computer by the web browser while browsing a website. They contain a characteristic string that allows the browser to be uniquely identified when the website is reopened.
We use session cookies (cookies that only last until you close your browser), when technically necessary to simplify the use of the website for users. The data stored in these cookies may be:
- System settings
- Log in information
- Dates searched
In addition, we use persistent cookies from third parties, which have a longer lifespan and are not automatically deleted, for marketing purposes and to analyse Visitor traffic and behaviour. In such cases we ask for your consent, in accordance with Article 6(1)(a) of the GDPR. For more information see section 5. Providing your personal data to others.
Visitors can also report the Accommodation Providers website if they feel the content is scammy, inappropriate or unlawful. In this case the data we collect and save are:
- Message content
- IP address
- Date and time of sending
The processing of this data is necessary for the purpose of our legitimate interests, Article 6 (1)(f) of the GDPR. These interests may include using this data for optimising the website experience for our users, guarding our system against unlawful use, handling legal disputes, for regulatory investigations and compliance or to enforce the terms of service of BnB Holiday.
3.2 Accommodation Providers
Accommodation Providers are businesses that use the logged in part of our website to run their Accommodation business, manage their bookings and display their website online.
With respect to the Accommodation Providers data BnB Holiday has the role of Controller and Processor as defined by GDPR.
With respect to the Bookers data, it is the Accommodation Provider that has the role of Controller and is responsible for providing, correcting and deleting Bookers personal information on request. BnB Holiday act as a Processor of the Bookers' data on behalf of the Accommodation Provider as described in more detail in the Data Processor Agreement.
If you are an Accommodation Provider or a business partner concerned with the protection of your personal information, we recommend that you use a distinct, separate business address, business phone number, business bank account and business email rather than use personal data.
If you choose to provide personal information to us in response to a specific request for business contact details, you understand and agree that any personal information provided in this context shall be deemed to be your business contact data, and you consent to its use as business information. In this case, your data will not be protected by the GDPR.
Some of the data you register and publish on your website with BnB Holiday, may be classified as personal data (this is escpecially true of the employee data). By registering such data on our website:
- You confirm that you have the necessary rights and permissions to publish such data
- You give us the permission to publish the data on your behalf, for anyone, anywhere in the world to see, on your website with us and the whole BnB Holiday system, such as but not limited to our directories and other sites where potential Bookers can contact you.
When Accommodation Providers register and use the BnB Holiday system the following data may be collected:
- Email address
- Business name
- Phone number
- Business website URL
- Business address
- Website from which they registered
- Pages visited
- IP address
- Date and time of registering
- Data and time of access
- Credit card information
- Images uploaded to the website
- Host name
- Host languages
- Any information entered in 'About' fields
This data is collected in accordance with Article 6(1) letters (b) and (f) or the GDPR for the purpose of:
- Access and account administration: verification as part of the registration and log in process
- Communication: sending emails about bookings, reservation requests or messages from potential customers
- Marketing: emails with information about new features and services provided by us. You will always be able to opt out of marketing emails
- Statistical purposes: optimisation of our website and ensuring security of our system, in particular where there are concrete indications of unlawful use.
- Fraud detection and prevention: We process personal information in order to detect and safeguard our system against fraud or other illegal activities
- Payment processing: Your payment information is processed for the purpose of BnB Holiday collecting payment for our services. Your payment information will be processed directly by payment gateway Providers which are compliant with the Payment Card Industry security standard (PCI-DSS level 1).
When a Booker (Guest) makes a booking request or sends a message on the Accommodation Provider's website, run by BnB Holiday, we will collect data on behalf of the Accommodation Provider. This data is saved in the accomodation Provider's user profile, as well as sent in an email notification to the accomodation provider.
The Accommodation Provider acts as a Controller of the personal information provided by the Bookers and is responsible for providing, correcting and deleting Bookers personal information on request.BnB Holiday acts as a Processor of Bookers' personal data on behalf of the Accommodation Provider, as described in more detail in the Data Processor Agreement.
If a Booker asks for the data held on them in BnB Holiday, all that the Accommodation Provider needs to do is send them a copy of all the bookings, receipts and messages. This will contain all the data held in BnB Holiday.
If the Accommodation Provider needs to delete a Bookers data, all he or she needs to do to is to delete all of the bookings, receipts and messages registered on the Booker. This will delete all of the Booker's data held in the System.
The Booker's personal data may include:
- email address
- Phone number
- Travel information (check in, check out, number of people etc.)
- Message content
- IP address
- Date and time of sending
The processing of this data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, Article 6 (1)(b) of the GDPR.
The Booker's data is stored for as long as is needed for the Accommodation Provider to provide the accommodation booked and welcome the Bookers return business.
BnB Holiday does not handle payments for Accommodation and cannot be held liable for the security of any payment information that a Booker may have passed on to an Accommodation Provider.
5. Providing your personal data to others
The personal data that we collected from you is generally stored within a country of the European Union or the European Economic Area (“EU/EEA”) but may also, whenever necessary, be transferred to and processed in a country outside of the EU/EEA. Any such transfer of your personal data will be carried out in compliance with applicable laws and without undermining your statutory rights.
BnB Holiday has signed a data processing agreement with all sub-processors that process personal information on our behalf. In case these sub-processors are located in a third country not being pre-approved by European commission as a safe country for transfer of personal data (adequacy decision), we will use Standard Contractual Clauses to ensure a similar level of protection as granted within the EU/EEA or other lawful grounds for transfer.
5.1 Google Analytics
Google Analytics is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We use Google Analytics for aggregated, anonymised website traffic analysis. Such analysis is used for marketing and for website optimisation by looking at use patterns.
5.2 Google Ads
This website uses Google AdWords. AdWords is an online advertising program from Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, United States (“Google”).
We use Google Ads for marketing and conversion tracking, i.e. to gauge the efficiency of our marketing efforts.
5.3 Google Maps
This site uses the Google Maps map service via an API. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
If enabled by the Accommodation Provider this service is used to display the Accommodation location.
5.4 Facebook Pixel
Our website measures conversions using Visitor action pixels from Facebook, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”).
These allow the behaviour of site visitors to be tracked after they click on a Facebook ad to reach the Provider’s website. This allows an analysis of the effectiveness of Facebook advertisements for statistical and market research purposes and their future optimisation.
We use email distribution services provided by Twillio Sendgrid 889 Winslow St, Redwood City, CA 94063, United States.
This website uses the services of Twillio Sendgrid to send emails and email notifications to our registered users (Accommodation Providers) as well as messages sent from the websites of Accommodation Providers by their visitors and potential customers (Bookers).
We also use Sendgrid to send out newsletters.
We use Sendgrid to analyze our newsletter campaigns. When you open an email sent by Sendgrid, a file included in the email (called a web beacon) connects to Sendgrid’s servers in the United States. This allows us to determine if a newsletter message has been opened and which links you click on. In addition, technical information is collected (e.g. time of retrieval, IP address, browser type, and operating system). This information cannot be assigned to a specific recipient. It is used exclusively for the statistical analysis of our newsletter campaigns. The results of these analyses can be used to better tailor future newsletters to your interests.
If you do not want your usage of the newsletter to be analyzed by Sendgrid, you will have to unsubscribe from the newsletter. For this purpose, we provide a link in every newsletter we send.
Stripe is operated by Stripe Payments Europe, Limited, C/O A&L Goodbody, Ifsc, North Wall Quay Dublin 1., Dublin 1, Dublin, Ireland.
We use the Stripe payment services to process our invoicing.
6. Data deletion and storage duration
The data processed by BnB Holiday are deleted or restricted in their processing in compliance with the Articles 17 and 18 or the GDPR. The data are deleted as soon as they are no longer required for the purpose for which they were collected and the deletion does not conflict with any statutory storage requirements or legal obligations. If the data is still required for other legitimate purposes, the data will be restricted for processing, i. e. the data is blocked and not processed for other purposes.
When you close your account, BnB Holiday will delete your personal data. Since we keep backup of all databases for up to 90 days it might take up to 90 days before your personal data is completely removed from our system.
If there are particular reasons for deleting personal data earlier than this, you can contact BnB Holiday at: [email protected]. Fees might apply, in proportion with the time needed for our support staff to fulfill the request.
In Norway, where BnB Holiday is situated, all accounting data such as expenses, invoices and receipts must be stored for 5 years.
7. Your rights
If your personal data are processed by us (the "Controller"), you have the following principal rights under the general data protection regulation:
- The right to access your personal data
- The right to rectify your personal data
- The right to have your personal data deleted
- The right to restrict processing of your personal data
- The right to object to processing of your personal data
- The right to data portability
- The right to complain to the supervisory authority
- The right to withdraw consent
7.1 The right to access your personal data
You may request a confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data processed;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
- that you have the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- that you have the right to lodge a complaint with a supervisory authority;
- if personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
If personal data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
We are obliged to provide a copy of the personal data undergoing processing. For any further copies requested by you, the we may charge a reasonable fee based on administrative costs. If you make the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form.
The right to obtain a copy of the personal data concerning you may not adversely affect the rights and freedoms of others.
7.2 The right to rectify your personal data
If the personal data held by the Controller is incorrect or incomplete, you have the right to request completion or correction of your personal data. The Controller must make the correction without delay.
7.3 The right to have your personal data deleted
You may request to have your personal data deleted if one of the following applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- You withdraw the consent on which the processing is based, and where there is no other legal ground for the processing
- You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR
- Your personal data have been unlawfully processed
- Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject
- The personal data regarding you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR
Personal data disclosed to third parties
If the Controller has made your personal data public and is obliged to delete this data in accordance with Article 17 (1) of the GDPR, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that you have requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.
The right to deletion does not exist if the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) of the GDPR as well as Article 9(3) of the GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
7.4 The right to restrict processing of your personal data
You may request to restrict processing of your personal data if one of the following applies:
- If you contest the accuracy of your personal data, for a period enabling the Controller to verify the accuracy of the personal data
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
- The Controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims
- You have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate reasons of the Controller override your reasons
If processing of your personal data has been restricted, your data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing of your personal data has been restricted, you shall be informed by the Controller before the restriction of processing is lifted.
7.5 The right to object to processing of your personal data
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The Controller shall no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
If your personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
7.6 The right to data portability
You have the right to receive the personal data concerning you, which you have provided to a Controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another Controller without hindrance from the Controller you provided the data, provided that:
- The processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1); and
- the processing is done by automated means.
In exercising this right, you also have the right to have your personal data transmitted directly from one Controller to another, where technically feasible.
The rights and freedoms of others may not be adversely affected by your rights.
7.7 The right to complain to a regulator
Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of your personal data violates the GDPR.
The supervisory authority with which the complaint has been lodged shall inform you on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
7.8 The right to withdraw consent
You have the right to withdraw you consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.