Privacy policy
Last updated: 5 May 2026. This privacy policy informs you in accordance with Art. 13 and 14 GDPR how we process personal data on apartmentsite.at and within our commercial activities.
1. Controller
Studio Apps Sp. z o.o.
ul. Warszawska 40, lok. 2A, 40-008 Katowice, Poland
KRS 0001226501
Authorised representative: Małgorzata Izabela Dzięgała, President of the Management Board
Privacy contact: privacy@apartmentsite.at
General contact: info@apartmentsite.at
We have not appointed a data protection officer because the legal requirements (Art. 37 GDPR) are not met. For all privacy matters please contact the email above.
2. Data processed when visiting the website
On every page request technical data (server logs) is processed automatically: IP address, date and time, requested URL, referrer URL, user agent. Purpose: serving the site, security, error analysis. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation). Retention: 14 days at our hosting provider (Vercel).
3. Data processed via the lead form
When you complete the form on apartmentsite.at we process: first and last name, email, optional phone and company name, listing links, language preference, optional message. We additionally store technical metadata (IP, user agent, UTM parameters, referrer) and the timestamp and version of the three separate consents (data processing, media licence, marketing — the last optional).
- Purposes: handling your inquiry; preparing a non-binding website draft ("demo"); pre-contractual steps and contract conclusion if applicable; spam/abuse protection; proof of consent (Art. 7(1) GDPR).
- Legal bases: Art. 6(1)(b) GDPR (pre-contractual steps); Art. 6(1) (a) GDPR (consent for content data and the licence to use your listing materials); Art. 6(1)(f) GDPR (security metadata); Art. 6(1)(c) GDPR (statutory record-keeping).
- Demo: hosted on a non-public, non-indexed test URL. If no order is placed within 14 days of delivery we delete the demo entirely.
- Retention: inquiries without contract — 12 months from last contact; with contract — statutory retention periods (5 yrs PL / 7 yrs AT).
4. Data processed for B2B marketing (cold email)
We proactively contact short-term apartment hosts in the DACH region because our service has a direct functional connection to their business. We describe this processing transparently here.
4.1 Categories of data
- First and last name (where publicly known)
- Business email address
- Company or brand name
- Public profile URL (Airbnb host profile, Booking profile, own website)
- Number and city of offered apartments
- Profile language
- Interaction data (open, click, reply)
4.2 Sources (Art. 14 GDPR)
- insideairbnb.com (public datasets on short-term rentals)
- Google Maps API (public business listings)
- publicly available host websites
- public business directories (e.g. WKO Firmen A-Z for Austria)
We do not collect data from protected areas, behind login or with methods that bypass platform security measures. We process only data that the host has published as a business operation.
4.3 Legal basis
Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in direct marketing of our service, which has a direct functional connection to your business as a host (Recital 47 GDPR explicitly recognises direct marketing as a legitimate interest). We have prepared a written legitimate interest assessment and present it on request to the competent supervisory authority. We additionally observe § 174 TKG 2021 (Austria) and § 7 UWG (Germany): max one sequence per recipient, immediate and permanent stop after any objection.
4.4 Recipients
- Resend Inc. (USA) — email delivery; EU SCCs.
- Supabase Inc. (data in EU region) — contact database; EU SCCs for the US parent.
- Vercel Inc. (USA) — hosting the web application; EU SCCs.
4.5 Retention
- Contacts without interaction: 24 months from collection.
- Contacts with interaction: 36 months from last interaction.
- Suppression list (after objection): unlimited, solely to ensure no further emails are sent (Art. 17(3)(b) GDPR — compliance with a legal obligation).
4.6 Your right to object (opt-out)
You may object to processing for marketing purposes at any time without giving reasons (Art. 21(2) GDPR): use the "Unsubscribe" link in every email (one-click, RFC 8058) or write to privacy@apartmentsite.at. After objection you receive no further marketing emails; your address remains on the suppression list for that protective purpose.
5. Data processed as processor (hosting for customer websites)
Where we receive booking inquiries from customers' website visitors as part of the hosting we provide, we process those data as a processor within the meaning of Art. 28 GDPR. The respective customer is the controller. The obligations are set out in the data processing agreement at apartmentsite.at/en/dpa.
6. Cookies and analytics
We use cookies sparingly. Three categories:
- Strictly necessary cookies — for session, CSRF and language preference. Legal basis: § 165(3) TKG 2021 (AT) / § 25(2) TTDSG (DE) — no consent required.
- Own analytics (Pulse) — our self-built privacy-friendly analytics tool that records page views and interactions in aggregated form. No advertising cookies, no third-party trackers. Legal basis: Art. 6(1)(a) GDPR with § 165(3) TKG 2021 — only after your consent through the cookie banner. You can withdraw your consent at any time via the "Cookie settings" link in the footer.
- Advertising / tracking cookies — we use none.
Details about individual cookies are in our cookie statement.
7. Processors and recipients
- Vercel Inc. (USA) — website hosting; EU SCCs.
- Supabase Inc. (EU region) — database, auth, storage; EU SCCs.
- Resend Inc. (USA) — transactional and marketing emails; EU SCCs.
- Cloudflare Inc. (USA, EU edges) — DNS, CDN, DDoS protection; EU SCCs.
8. International data transfers
Transfers to the USA are based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and supplementary technical and organisational measures. Resend and Vercel are certified under the EU-US Data Privacy Framework (Adequacy Decision 2023/1795).
9. Retention overview
| Data category | Retention |
|---|---|
| Server logs | 14 days |
| Lead form (no contract) | 12 months from last contact |
| Lead form (contract) | statutory (5 yrs PL / 7 yrs AT) |
| Demo | 14 days after delivery |
| Cold-mail contacts (no interaction) | 24 months |
| Cold-mail contacts (with interaction) | 36 months |
| Suppression list | unlimited (protective purpose) |
| Booking inquiries (hosting) | per customer instruction, max 36 months |
| Contract correspondence | 6 years after end of contract |
| Accounting records | 5 yrs PL / 7 yrs AT |
10. Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection — particularly to direct marketing (Art. 21), and withdrawal of consent with effect for the future (Art. 7(3)). Requests: privacy@apartmentsite.at. We respond within the statutory one-month deadline (Art. 12(3)).
You may also lodge a complaint with a supervisory authority — in particular the one competent for you (Austria: Datenschutzbehörde, Vienna; Germany: your federal state DPA; Poland — our authority: UODO, Warsaw).
11. Obligation to provide
Provision is neither legally nor contractually required. Without the data marked as mandatory and the corresponding consents we cannot process your inquiry or prepare a demo.
12. Automated decisions / profiling
We do not engage in solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR.
13. Security measures
We implement appropriate technical and organisational measures (TOMs): TLS in transit, encrypted database connections, row-level security, regular backups, access control, audit logs, secure password storage and regular security updates.
14. Changes to this privacy policy
We may update this privacy policy to reflect legal or service changes. The current version is at apartmentsite.at/en/datenschutz. For material changes we will additionally notify you by email if you have provided one.