Privacy Policy
Data Controller
Mirco Stege, Höllenberg 12, 21441 Garstedt
E-Mail: [email protected]
Overview of Data Processing
The following provides a simple overview of what happens to your personal data when you visit our website.
Types of Data Processed
- Contact information (name, email, phone)
- Usage data (pages visited, time spent)
- Technical data (IP address, browser type)
Purpose of Data Processing
- Responding to inquiries
- Processing bookings
- Improving our services
- Legal compliance
Legal Basis
We process your data based on:
- Your consent (Art. 6(1)(a) GDPR)
- Contract performance (Art. 6(1)(b) GDPR)
- Legal obligations (Art. 6(1)(c) GDPR)
- Legitimate interests (Art. 6(1)(f) GDPR)
Data Retention
We delete or anonymise personal data as soon as the processing purpose ends, at the latest according to the following periods:
- Host accounts: until account deletion, plus 90 days of backup retention
- Guest data (name, email, phone, address): anonymised 2 years after check-out
- Bookings and payments: 10 years per German tax law (§ 147 AO / § 257 HGB)
- Audit and security logs: 2 years
- Guest-guide access logs: check-out + 14 days
- Analytics events (Uptik, server-side, no device access): per provider DPA
- Email delivery logs (Resend): 30 days
Your Rights
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
Signed-in users can view (Art. 15), export (Art. 20) or delete (Art. 17) their data at any time under "Account → My Data". For all other requests, or for requests from guests, please contact us using the details in the Imprint — we respond within 30 days.
Sub-Processors
We rely on carefully selected sub-processors (Art. 28 GDPR) to deliver our services. DPAs are in place or being signed with each provider. The full register is published in our repository under docs/compliance/DPA-REGISTER.md.
- Railway (USA) — hosting and database; EU Standard Contractual Clauses
- Cloudflare (USA) — DNS, CDN, object storage (R2); EU SCC + DPF
- Stripe (Ireland) — card payments and Connect; EU-hosted
- PayPal (Luxembourg) — payments and marketplace; EU-hosted
- Resend (USA) — transactional email; EU SCC + DPF
- Google (Ireland) — Google OAuth login
- OpenAI (Ireland) — translations and chat assistance; EU-hosted
- Uptik (USA) — server-side, cookieless usage analytics (HTTP metadata only, no end-device access)
- OpenStreetMap Foundation (EU) — map tiles
Cookies
We set strictly necessary cookies only — for login (landlord_session), language preference (NEXT_LOCALE) and OAuth CSRF protection (google_oauth_state). No consent banner is required because we use no non-essential cookies, no tracking, and no third-party browser analytics. Server-side, cookieless usage analytics (Uptik) processes aggregated HTTP metadata under our legitimate interest (Art. 6(1)(f) GDPR).
Third-Party Services
This website may contain links to external booking platforms (Airbnb, Booking.com). These platforms have their own privacy policies.
Map Services (OpenStreetMap)
This website uses OpenStreetMap (OSM) to display maps. When loading a map, map tiles are fetched from servers operated by the OpenStreetMap Foundation (OSMF). Your IP address is transmitted to the OSMF in the process. This is based on our legitimate interest in displaying the location of our properties (Art. 6(1)(f) GDPR). For more information, see the OSMF privacy policy.
Changes to This Policy
We may update this privacy policy from time to time. The current version is always available on this page.
Last updated: April 2026 (SPL-94)