Data Processing Agreement
Pursuant to Article 28 of the GDPR (EU 2016/679).
1. Parties and Definitions
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: Each individual hotel, bed & breakfast, or guesthouse ("Hotel"), which is a customer of Tribii and acts as the controller of personal data relating to guests and other individuals.
- Data Processor: Hoodbnb B.V., a limited liability company incorporated under the laws of the Netherlands, contact: contact [at] tribii [dot] com ("Tribii" or "Processor"), which processes personal data on behalf of and under the instructions of the Hotel.
While Tribii acts as a Data Processor for hotel-specific guest data as described in this DPA, Tribii also independently processes certain basic platform-level booking data as a Data Controller, as described in Section 2A below. Such independent controller processing is not subject to this DPA but is governed by Tribii's Privacy Policy.
1.2 Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data, such as collection, recording, storage, erasure, or use. |
| Data Subject | The individual to whom personal data relates. |
| GDPR | General Data Protection Regulation (EU 2016/679). |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. |
1.3 Scope
This DPA applies exclusively to the processing of guest personal data collected through Tribii's booking page and embedded booking widgets, with respect to Tribii's role as Data Processor. The Hotel retains full control as the Data Controller for this guest data. Tribii processes guest data solely on the documented instructions of the Hotel.
This DPA does not govern Tribii's independent processing of basic platform-level booking data, which is processed under Tribii's Privacy Policy. Data relating to the Hotel's own account (such as property name, owner contact details, payment methods, and configuration preferences) is controlled by Tribii and is not subject to this DPA.
2. Subject Matter, Duration, Nature, and Purpose of Processing
2.1 Subject Matter
Tribii processes guest personal data to provide booking management services, including the creation and management of booking pages, reservation tracking, and guest communication.
2.2 Duration
Processing occurs throughout the Hotel's subscription term and continues as necessary to fulfill booking-related obligations. Personal data shall be deleted or returned within 30 days of contract termination, unless applicable law requires longer retention.
2.3 Nature of Processing
- Collection of guest information through booking forms
- Storage of booking records and guest data
- Transmission of booking confirmations via email and SMS
- Retention for booking history and dispute resolution
- Use of aggregated, anonymised data for analytics and reporting
2.4 Purpose
Tribii processes guest data solely to fulfill the booking and property management services contracted by the Hotel. Processing is limited to purposes explicitly authorised by the Hotel and necessary to perform the contracted services.
2A. Tribii's Independent Controller Processing
2A.1 Dual Role Clarification
In addition to its role as Data Processor for hotel-specific guest data, Tribii independently collects and processes certain basic booking data at the platform level as an independent Data Controller.
2A.2 Scope of Independent Controller Processing
As an independent Data Controller, Tribii processes the following basic platform-level booking data:
- Guest name
- Email address
- Number of reservations
- Destinations visited
- Hotels booked
- Booking dates
2A.3 Legal Basis
Tribii processes this platform-level booking data on the following legal bases under GDPR Article 6:
- Contract Performance (Article 6(1)(b)): To provide and maintain the booking platform services and to facilitate guest reservations with hotels on the Tribii network.
- Legitimate Interests (Article 6(1)(f)): To operate and improve the Tribii platform, to prevent fraud and ensure security, and to provide personalized service recommendations.
2A.4 Governance and Privacy Notice
Tribii's processing of this independent controller data is governed by Tribii's Privacy Policy, not this DPA. Hotels acknowledge that Tribii processes this platform-level booking data as an independent Data Controller and that data subjects should refer to Tribii's Privacy Policy.
2A.5 Hotel Acknowledgment
By entering into this DPA, the Hotel acknowledges and accepts that Tribii processes certain basic platform-level booking data as an independent Data Controller under the terms described in this Section 2A.
3. Types of Personal Data and Categories of Data Subjects
3.1 Types of Personal Data
Tribii processes the following categories of guest personal data:
- Guest name
- Email address
- Telephone number
- Booking dates and duration
- Number of guests
- Special requests and preferences
No special categories of personal data (sensitive data under Article 9 GDPR) are processed.
3.2 Categories of Data Subjects
Tribii processes data of the following data subjects:
- Guests making reservations through the Hotel's booking page or widget
- Persons named as additional contacts for bookings
4. Obligations of the Processor
4.1 Processing on Instruction
Tribii shall process personal data only on documented instructions from the Hotel. These instructions are documented in the Tribii Terms of Service and this DPA. Tribii shall inform the Hotel if, in its opinion, an instruction infringes the GDPR or other data protection laws.
4.2 Confidentiality of Personnel
Tribii ensures that persons authorised to process personal data have committed to confidentiality or are under an appropriate legal obligation of confidentiality.
4.3 Security Measures (Article 32 GDPR)
Tribii implements and maintains appropriate technical and organisational security measures to protect personal data.
Technical Measures
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest
- Secure authentication mechanisms (password hashing, multi-factor authentication options)
- Regular security audits and vulnerability assessments
- Access logging and monitoring
- Secure backup and disaster recovery procedures
Organisational Measures
- Documented data protection policies and procedures
- Employee data protection and security training
- Restricted access to personal data on a need-to-know basis
- Data protection impact assessments where required
- Incident response and breach notification procedures
4.4 Sub-processors
Tribii shall not engage sub-processors without prior written authorisation from the Hotel. The Hotel may object to the engagement of any sub-processor within 15 days of notification.
This list may be updated from time to time. Tribii shall notify the Hotel of any material changes to sub-processors and provide the Hotel with the opportunity to object.
4.5 Data Subject Rights Assistance
Tribii shall assist the Hotel in fulfilling data subject rights requests under Articles 15-22 GDPR, including the right of access, rectification, erasure, restriction of processing, and data portability.
4.6 Data Protection Impact Assessment and Prior Consultation Support
Tribii shall provide the Hotel with reasonable assistance in fulfilling its obligations under Articles 35 and 36 GDPR, including conducting Data Protection Impact Assessments (DPIAs) and prior consultation with supervisory authorities where required.
4.7 Deletion or Return of Data
Upon termination or expiry of the Service Agreement, Tribii shall, at the Hotel's choice, delete all personal data within 30 days or securely return it to the Hotel, unless applicable law requires Tribii to retain the data. Tribii shall confirm deletion or return in writing.
4.8 Audit Rights and Compliance Demonstration
Tribii shall make available to the Hotel, upon reasonable request, all information necessary to demonstrate compliance with this DPA and GDPR. This includes allowing the Hotel or its representatives to conduct audits, inspections, or assessments of Tribii's security measures and data handling practices.
5. Obligations of the Controller (Hotel)
5.1 Lawful Basis for Processing
The Hotel is responsible for ensuring that processing of guest personal data is lawful and has a proper legal basis under GDPR.
5.2 Transparency Obligations
The Hotel is responsible for providing transparent information to guests in privacy notices, including information about Tribii's role as processor.
5.3 Legal Instructions
The Hotel shall ensure that any instructions given to Tribii are lawful and comply with applicable data protection laws.
5.4 Data Quality and Purpose Limitation
The Hotel is responsible for ensuring that personal data collected is accurate, necessary, and limited to the stated purposes.
6. Sub-Processor Notification and Authorization
Tribii shall maintain a current list of sub-processors and shall notify the Hotel in advance of any changes. The Hotel shall have 15 days to object to the addition of a new sub-processor on reasonable grounds. Sub-processors shall be subject to data protection obligations equivalent to those in this DPA.
7. International Data Transfers
Tribii primarily stores personal data in EU-based infrastructure. To the extent that any personal data is transferred outside the EU/EEA, Tribii shall implement appropriate safeguards in accordance with Chapter V GDPR, such as European Commission adequacy decisions or Standard Contractual Clauses (SCCs).
8. Data Breach Notification
In the event of a Data Breach affecting personal data processed under this DPA, Tribii shall:
- Notify the Hotel without undue delay and, where feasible, within 72 hours of discovering the breach
- Provide details of the breach, including the nature, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed
- Cooperate fully with the Hotel in any investigation, notification to supervisory authorities, or notification to affected data subjects
- Preserve all evidence and documentation related to the breach for at least 12 months
The Hotel remains responsible for determining whether to notify supervisory authorities and affected data subjects in accordance with Articles 33 and 34 GDPR.
9. Liability and Indemnification
9.1 Processor Liability
Each party's liability for data protection violations is governed by the Tribii Terms of Service. Tribii shall indemnify the Hotel against claims, fines, and damages arising from Tribii's breach of this DPA or GDPR, excluding claims arising from the Hotel's own instructions or actions.
9.2 Hotel Responsibility
The Hotel shall be responsible for and indemnify Tribii against claims arising from the Hotel's unlawful instructions, failure to obtain valid consent, failure to fulfill transparency obligations, and claims related to the accuracy of personal data collected by the Hotel.
10. Term and Termination
This DPA enters into force on the date of the Hotel's subscription to Tribii's Service and continues for the duration of the Service Agreement. Upon termination, Tribii shall delete or return all personal data as described in Section 4.7.
11. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws applicable to the Tribii Terms of Service. Any disputes arising from or related to this DPA shall be resolved in accordance with the dispute resolution mechanisms set forth in the Tribii Terms of Service.
12. General Provisions
12.1 Entire Agreement
This DPA, together with the Tribii Terms of Service, constitutes the entire agreement between the parties regarding the processing of personal data.
12.2 Amendment
Tribii may amend this DPA to comply with changes in applicable law or to implement reasonable security improvements. Amendments shall be notified to the Hotel at least 30 days in advance.
12.3 Conflict of Terms
In the event of any conflict between the provisions of this DPA and the Tribii Terms of Service, the stricter data protection requirements shall apply.
12.4 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.5 No Third-Party Beneficiaries
This DPA is for the benefit of the parties and their successors and permitted assigns and is not intended to create any rights in any third party.