1. Parties and Definitions
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: Each individual hotel, bed & breakfast, or guesthouse ("Hotel"), which is a customer of Tribii and acts as the controller of personal data relating to guests and other individuals.
- Data Processor: Hoodbnb B.V., trading as "Tribii", a limited liability company incorporated under the laws of the Netherlands (KVK number 73124680), contact: contact [at] tribii [dot] com ("Tribii" or "Processor"), which processes personal data on behalf of and under the instructions of the Hotel.
While Tribii acts as a Data Processor for hotel-specific guest data as described in this DPA, Tribii also independently processes certain basic platform-level booking data as a Data Controller, as described in Section 2A below. Such independent controller processing is not subject to this DPA but is governed by Tribii's Privacy Policy.
1.2 Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data, such as collection, recording, storage, erasure, or use. |
| Data Subject | The individual to whom personal data relates. |
| GDPR | General Data Protection Regulation (EU 2016/679). |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. |
1.3 Scope
This DPA applies to the processing of guest personal data collected through any Tribii ingestion channel where Tribii acts as Data Processor, including but not limited to: (a) Tribii-hosted booking pages; (b) embedded booking widgets on hotel websites; (c) third-party reservation sources and distribution channels the Hotel has connected to the Tribii platform; (d) authorised integrations enabled by the Hotel; and (e) guest records entered into the Tribii platform by Hotel staff.
This DPA does not govern Tribii's independent processing of basic platform-level booking data, which is processed under Tribii's Privacy Policy. Data relating to the Hotel's own account (such as property name, owner contact details, payment methods, and configuration preferences) is controlled by Tribii and is not subject to this DPA.
2. Subject Matter, Duration, Nature, and Purpose of Processing
2.1 Subject Matter
Tribii processes guest personal data to provide booking management services, including the creation and management of booking pages, reservation tracking, and guest communication.
2.2 Duration
Processing occurs throughout the Hotel's subscription term and continues as necessary to fulfill booking-related obligations. Personal data shall be deleted or returned within 30 days of contract termination, subject to the limitations in Section 4.7. Statutory traveler-registration records and the associated signature images are retained for the period required by applicable guest-registration law (approximately three years under Spain's Royal Decree 933/2021 / SES.HOSPEDAJES) even after other data is deleted.
2.3 Nature of Processing
- Collection of guest information through booking forms and integrated reservation channels
- Storage of booking records and guest data
- Transmission of booking confirmations via email and other communication channels
- Retention for booking history and dispute resolution
- Generating and retaining statutory traveler-registration records from guest self check-in, and (in a future release) transmitting them to the competent authorities, where the Hotel enables Self Check-in
- Use of aggregated, anonymised data for analytics and reporting, including the derivation of aggregated, non-identifying figures used for market benchmarking and to answer hoteliers' natural-language analytics questions via the Hotel AI Assistant
- Sending abandonment-recovery emails to visitors who began but did not complete a booking, where the Hotel enables the corresponding Booster feature
- Exposing the Hotel's published inventory, rate and policy data through a public read-only MCP endpoint, where the Hotel enables the corresponding Booster feature
- Transmitting the Hotel's public name and city to external large-language-model providers to measure AI Visibility, where the Hotel enables the corresponding Booster feature
2.4 Purpose
Tribii processes guest data solely to fulfill the booking and property management services contracted by the Hotel. Processing is limited to purposes explicitly authorised by the Hotel and necessary to perform the contracted services. Where the Hotel enables Self Check-in, Tribii additionally processes guest-provided registration data to support the Hotel's compliance with its statutory guest-registration obligations (e.g., Spain's Royal Decree 933/2021 / SES.HOSPEDAJES).
2A. Tribii's Independent Controller Processing
2A.1 Dual Role Clarification
In addition to its role as Data Processor for hotel-specific guest data, Tribii independently collects and processes certain basic booking data at the platform level as an independent Data Controller.
2A.2 Scope of Independent Controller Processing
As an independent Data Controller, Tribii processes the following basic platform-level booking data:
- Guest name
- Email address
- Number of reservations
- Destinations visited
- Hotels booked
- Booking dates
- Pre-payment booking session data (email, name, phone, requested dates, and selected rooms) captured from visitors who begin but do not complete a booking, used for abandonment recovery
- The cross-tenant recovery opt-out (suppression) list of email addresses that have unsubscribed from recovery emails anywhere on the Tribii network
- MCP agent call logs (calling agent, method, tool, arguments, status, latency; no IP address or guest personal data)
2A.3 Legal Basis
Tribii processes this platform-level booking data under the following legal bases under GDPR Article 6:
- Contract Performance (Article 6(1)(b)): To provide and maintain the booking platform services and to facilitate guest reservations with hotels on the Tribii network.
- Legitimate Interests (Article 6(1)(f)): To operate and improve the Tribii platform, to prevent fraud and ensure security, and to provide personalized service recommendations.
2A.4 Governance and Privacy Notice
Tribii's processing of this independent controller data is governed by Tribii's Privacy Policy, not this DPA. Hotels acknowledge that Tribii processes this platform-level booking data as an independent Data Controller and that data subjects should refer to Tribii's Privacy Policy.
2A.5 Hotel Acknowledgment
By entering into this DPA, the Hotel acknowledges and accepts that Tribii processes certain basic platform-level booking data as an independent Data Controller under the terms described in this Section 2A.
3. Types of Personal Data and Categories of Data Subjects
3.1 Types of Personal Data
Tribii processes the following categories of guest personal data:
Confirmed booking data
- Guest name
- Email address
- Telephone number
- Booking dates and duration
- Number of guests
- Special requests and preferences
- Identity-document number (passport or national ID), where required by hotel-registration law
Pre-payment booking session data
- Email address, first and last name, and telephone number entered in the booking flow
- Requested arrival and departure dates and the rooms selected
- A per-session consent flag and the status of any recovery messages sent
Pre-payment booking session data is captured from visitors who begin a booking on an embedded widget but do not complete it, to enable abandonment recovery where the Hotel has activated that feature. The personal data in these records is erased 60 days from last activity, as set out in Section 4.7.
Fiscal invoice data (where Fiscal Services are enabled)
Where the Hotel enables the Fiscal Services, Tribii additionally processes, on the Hotel's behalf, fiscal invoice data (the Hotel's tax identity and the tax identification numbers, names and billing addresses of buyers named on invoices) and holds the Hotel's digital signing certificate and passphrase in an encrypted vault. The transmission of fiscal records to a tax authority is carried out to satisfy the Hotel's own legal obligation.
Self check-in / guest-registration data (where Self Check-in is enabled)
Where the Hotel enables Self Check-in, Tribii additionally processes, on the Hotel's behalf, the guest-provided registration data required by applicable guest-registration law:
- Date of birth
- Nationality
- Residence address and province/region of residence
- Identity-document type and number (encrypted at rest)
- A handwritten signature image and a timestamped acknowledgment
- The same registration details for co-travellers and accompanying minors named on the booking
This data is processed only for hotels that enable Self Check-in.
Tribii does not intentionally process special categories of personal data (Article 9 GDPR); identity-document numbers, nationality and signature images are not Article 9 data. Identity-document data (including national identification numbers, which are subject to Article 87 GDPR) and signature images are processed under Article 6(1)(c) GDPR (legal obligation under applicable hotel-registration law, such as Spain's Royal Decree 933/2021) and are encrypted or otherwise access-restricted at rest. The parties recognise national identification numbers and signatures as a more sensitive category warranting additional safeguards. The Hotel undertakes not to enter Article 9 data (e.g., health, religious, biometric, or trade-union information) into free-text fields such as guest notes, internal tags, or staff messages. If the Hotel intends to process Article 9 data through the Tribii platform, the parties shall enter into a supplementary written agreement before such processing begins.
3.2 Categories of Data Subjects
Tribii processes data of the following data subjects:
- Guests making reservations through any Tribii ingestion path (booking page, embedded widget, third-party reservation source, or direct entry by Hotel staff)
- Persons named as additional contacts or fellow travellers for bookings, including co-travellers and accompanying minors registered through Self Check-in (whose data is provided by the accompanying adult)
- Recipients of email communications (transactional or marketing) sent through Tribii on behalf of the Hotel
- Visitors to embedded booking widgets who initiate but do not complete a booking, where personal data has been provided in the booking flow
4. Obligations of the Processor
4.1 Processing on Instruction
Tribii shall process personal data only on documented instructions from the Hotel. These instructions are documented in the Tribii Terms of Service and this DPA. Tribii shall inform the Hotel if, in its opinion, an instruction infringes the GDPR or other data protection laws.
4.2 Confidentiality of Personnel
Tribii ensures that persons authorised to process personal data have committed to confidentiality or are under an appropriate legal obligation of confidentiality.
4.3 Security Measures (Article 32 GDPR)
Tribii implements and maintains appropriate technical and organisational security measures to protect personal data.
Technical Measures
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of sensitive identifiers (including identity-document numbers and OAuth refresh tokens) at rest using AES-256
- Secure authentication mechanisms (password hashing, multi-factor authentication options)
- Regular security reviews and vulnerability assessments
- Access logging and monitoring
- Secure backup and disaster recovery procedures
- Dedicated encrypted storage for digital signing certificates and passphrases used by the Fiscal Services, which are never logged, displayed or returned
Organisational Measures
- Documented data protection policies and procedures
- Employee data protection and security training
- Restricted access to personal data on a need-to-know basis
- Data protection impact assessments where required
- Incident response and breach notification procedures
4.4 Sub-processors
The Hotel grants Tribii a general written authorisation to engage sub-processors for the purposes of providing the contracted services. The current sub-processors are listed in Annex A to this DPA and are also published, in a versioned form, at our Sub-processor List. Tribii shall notify the Hotel by email at least fifteen (15) days in advance of any addition, replacement, or material change to a sub-processor. The Hotel may object on reasonable data-protection grounds within that period. If the parties cannot agree on a resolution within thirty (30) days of the Hotel's objection, the Hotel may terminate the affected service without penalty, with a pro-rata refund of any pre-paid fees for the unused period.
4.5 Data Subject Rights Assistance
Tribii shall assist the Hotel in fulfilling data subject rights requests under Articles 15-22 GDPR, including the right of access, rectification, erasure, restriction of processing, and data portability.
4.6 Data Protection Impact Assessment and Prior Consultation Support
Tribii shall provide the Hotel with reasonable assistance in fulfilling its obligations under Articles 35 and 36 GDPR, including conducting Data Protection Impact Assessments (DPIAs) and prior consultation with supervisory authorities where required.
4.7 Deletion or Return of Data
Upon termination or expiry of the Service Agreement, Tribii shall, at the Hotel's choice, delete all personal data or securely return it to the Hotel in a structured, commonly-used, machine-readable format. Deletion or return shall be completed within thirty (30) days of termination, subject to: (a) any data Tribii is required to retain under applicable law (e.g., financial and tax records under Dutch law) for the statutory period; and (b) data that is the subject of an active legal dispute, regulatory request, or litigation hold. Personal data that has been replicated to operational backups will be overwritten in the normal backup-rotation cycle and will not be actively accessed or used during that period. Tribii shall confirm deletion or return in writing. This deletion-or-return obligation does not apply to fiscal records and submission logs created through the Fiscal Services, which are append-only and must be retained, unaltered, for the tax-inspection period required by applicable law; such records are retained notwithstanding termination of the Service Agreement. The same exception applies to statutory traveler-registration records and the associated signature images created through Self Check-in, which must be retained for the period required by applicable guest-registration law (approximately three years under Spain's Royal Decree 933/2021 / SES.HOSPEDAJES) notwithstanding termination of the Service Agreement.
In addition to deletion on termination, the following in-life retention periods apply during the Service term, consistent with Section 8 of Tribii's Privacy Policy: (a) the personal data in abandoned booking session records (email, name, phone) is erased 60 days from the session's last activity, after which a de-identified record is retained for aggregate statistics; and (b) MCP agent call logs are retained indefinitely for operational and abuse-investigation purposes, as they contain no IP address and no guest personal data.
4.8 Audit Rights and Compliance Demonstration
Tribii shall make available to the Hotel, upon reasonable request, all information necessary to demonstrate compliance with this DPA and GDPR. The Hotel may, in its discretion, accept Tribii's then-current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party attestation (where available) in lieu of on-site audits. Where on-site audits are required, they shall be: (i) conducted at the Hotel's expense; (ii) subject to at least thirty (30) days' prior written notice; (iii) limited to once per calendar year, except where reasonable grounds exist to suspect a material breach of this DPA or a personal-data breach affecting the Hotel's data subjects; and (iv) subject to reasonable confidentiality and operational-security protections.
5. Obligations of the Controller (Hotel)
5.1 Lawful Basis for Processing
The Hotel is responsible for ensuring that processing of guest personal data is lawful and has a proper legal basis under GDPR.
5.2 Transparency Obligations
The Hotel is responsible for providing transparent information to guests in privacy notices, including information about Tribii's role as processor.
5.3 Legal Instructions
The Hotel shall ensure that any instructions given to Tribii are lawful and comply with applicable data protection laws.
5.4 Data Quality and Purpose Limitation
The Hotel is responsible for ensuring that personal data collected is accurate, necessary, and limited to the stated purposes.
6. Sub-Processor Notification and Authorization
The Hotel grants Tribii a general written authorisation to engage sub-processors, in place of any prior specific-authorisation arrangement. Tribii shall maintain a current, versioned list of sub-processors in Annex A to this DPA and at our Sub-processor List, and shall notify the Hotel at least fifteen (15) days in advance of any addition, replacement, or material change, under the procedure described in Section 4.4.
7. International Data Transfers
Tribii stores personal data primarily on EU-based infrastructure. Several of the sub-processors listed in Annex A are based in the United States or operate global infrastructure that may include US data centres. Personal data is transferred to these sub-processors in the ordinary course of providing the contracted services. Tribii relies on the European Commission Standard Contractual Clauses, Commission Decision (EU) 2021/914 of 4 June 2021, in particular Module 3 (processor-to-processor), as the transfer mechanism for these transfers.
Where UK personal data is in scope, the UK International Data Transfer Addendum (issued by the ICO with effect from 21 March 2022) is incorporated by reference.
Where Swiss personal data is in scope, the EU SCCs are supplemented with the adjustments recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including (i) substituting references to EU law with references to the revised Swiss Federal Act on Data Protection (revFADP), (ii) recognising the FDPIC as the competent supervisory authority, and (iii) extending the personal scope to legal persons until such time as Swiss law no longer protects them. Where a sub-processor is independently certified under the Swiss-US Data Privacy Framework, that framework may additionally be relied upon.
Transfer Impact Assessments are conducted by Tribii and refreshed periodically. Tribii does not currently rely on Binding Corporate Rules, except where a specific sub-processor independently certifies adequacy (e.g., the EU-US Data Privacy Framework or its UK / Swiss extensions).
The US-based artificial-intelligence sub-processors engaged by Tribii are Anthropic, PBC; OpenAI, L.L.C.; Google LLC (Gemini); and Perplexity AI, Inc. Each is listed in Annex A with its transfer mechanism. For features that process guest personal data on the Hotel's behalf, transfers to these providers rely on the Standard Contractual Clauses 2021 (Module 3, processor-to-processor) and, where the recipient is certified, the EU-US Data Privacy Framework. For the AI Visibility feature, the data transmitted is the Hotel's public name and city, which is not guest personal data; those transfers rely on the Standard Contractual Clauses 2021 (Module 2, controller-to-processor) and the Data Privacy Framework where applicable. The MCP endpoint exposes the Hotel's commercial inventory, rate and policy data and carries no guest personal data.
Where the Hotel uses structured electronic invoicing over the Peppol network, invoice data may be routed to recipients elsewhere within the EU/EEA under EN 16931; such routing remains within the EU/EEA.
Where the Hotel enables Self Check-in, statutory traveler-registration data is transmitted, in a future release, to the competent national authority designated by applicable guest-registration law (e.g., Spain's Ministry of the Interior via the SES.HOSPEDAJES platform). Such transmission is a transfer to a public authority within the EU/EEA carried out to satisfy the Hotel's own legal obligation and does not constitute an international transfer outside the EU/EEA.
8. Data Breach Notification
In the event of a Data Breach affecting personal data processed under this DPA, Tribii shall:
- Notify the Hotel without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach
- Provide details of the breach, including the nature, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed
- Cooperate fully with the Hotel in any investigation, notification to supervisory authorities, or notification to affected data subjects
- Preserve all evidence and documentation related to the breach for at least 12 months
The Hotel remains responsible for determining whether to notify supervisory authorities and affected data subjects in accordance with Articles 33 and 34 GDPR.
9. Liability and Indemnification
9.1 Cap
The aggregate liability of Tribii under or in connection with this DPA shall be subject to the liability cap set forth in Section 6.4 of the Terms & Conditions, save that the following are excluded from the cap: (i) administrative fines imposed directly on the Hotel by a competent supervisory authority that are recoverable from Tribii as a processor under Article 82 GDPR; (ii) liability arising from Tribii's gross negligence, wilful misconduct, or fraud; (iii) liability that cannot be limited under mandatory data-protection law.
9.2 Indemnity
Tribii shall indemnify the Hotel against claims, fines, and damages arising from Tribii's breach of this DPA or GDPR, excluding claims arising from the Hotel's own unlawful instructions or actions.
9.3 Hotel Responsibility
The Hotel shall be responsible for and indemnify Tribii against claims arising from the Hotel's unlawful instructions, failure to obtain valid consent, failure to fulfill transparency obligations, and claims related to the accuracy of personal data collected by the Hotel.
10. Term and Termination
This DPA enters into force on the date of the Hotel's subscription to Tribii's Service and continues for the duration of the Service Agreement. Upon termination, Tribii shall delete or return all personal data as described in Section 4.7.
11. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws applicable to the Tribii Terms of Service. Any disputes arising from or related to this DPA shall be resolved in accordance with the dispute resolution mechanisms set forth in the Tribii Terms of Service.
12. General Provisions
12.1 Entire Agreement
This DPA, together with the Tribii Terms of Service, constitutes the entire agreement between the parties regarding the processing of personal data.
12.2 Amendment
Tribii may amend this DPA to comply with changes in applicable law or to implement reasonable security improvements. Amendments shall be notified to the Hotel at least 30 days in advance.
12.3 Conflict of Terms
In the event of any conflict between the provisions of this DPA and the Tribii Terms of Service, the stricter data protection requirements shall apply.
12.4 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.5 No Third-Party Beneficiaries
This DPA is for the benefit of the parties and their successors and permitted assigns and is not intended to create any rights in any third party.
Annex A: Sub-processors
The following sub-processors are engaged by Tribii in connection with the contracted services as of the effective date of this DPA. Each is bound by a written data-processing agreement and, where applicable, by EU Standard Contractual Clauses (with UK IDTA Addendum and Swiss-recognised adjustments as relevant). Tribii will notify the Hotel by email of changes to this list under the procedure in Section 4.4.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment infrastructure | Ireland (EU); global infra | Intra-EEA + SCCs |
| Anthropic, PBC | AI service provider (content, revenue and workflow features; AI Connections context) | USA | EU SCCs 2021; DPF where certified |
| OpenAI, L.L.C. | AI service provider; AI Visibility probing | USA | EU SCCs 2021; DPF where certified |
| Google LLC | Cloud services, Gemini AI service provider, AI Visibility probing, mapping | USA | EU SCCs 2021; DPF where certified |
| Perplexity AI, Inc. | AI Visibility probing | USA | EU SCCs 2021 |
| Microsoft Corporation | Integration APIs | EU / USA | EU SCCs Module 3 |
| Resend, Inc. | Email delivery | USA | EU SCCs Module 3 |
| Postmark / AWS SES | Email delivery infrastructure | USA | EU SCCs Module 3 |
| Expedia Group | Distribution channel integration | USA / EU | EU SCCs Module 3 |
| Functional Software, Inc. (Sentry) | Error monitoring (configured without PII) | EU / USA | EU SCCs Module 3 |
| Amazon Web Services EMEA SARL | Cloud infrastructure (EU region) | EU (Ireland) | Intra-EEA |