Effective Date: February 2026

1. Introduction

Welcome to Tribii. We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how Hoodbnb B.V. (hereafter referred to as 'Tribii', 'we', 'our', or 'us') collects, uses, stores, and shares your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy applies to all users of the Tribii platform, including:

• Hoteliers and property managers who use Tribii's accommodation management platform
• Travellers who browse and book accommodations through Tribii
• Users who engage with our reviews and recommendation systems
• Job applicants and our employees

2. Who We Are and Our Commitment to Data Protection

Contact Information

Hoodbnb B.V. is a software company providing technology solutions to independent hospitality businesses across the European Union and beyond. Our registered office is in the Netherlands.

For any privacy-related inquiries, please contact our Data Protection Officer at:

• Email: contact [at] tribii [dot] com
• Mailing Address: Netherlands

Our Data Protection Principles

Tribii is committed to processing your data in accordance with GDPR and all applicable data protection laws. We adhere to the following principles:

• Lawfulness, fairness, and transparency: We process data only with a valid legal basis and keep you informed
• Purpose limitation: We use data only for purposes specified in this policy
• Data minimisation: We collect only the data necessary for our stated purposes
• Accuracy: We maintain accurate and up-to-date records
• Integrity and confidentiality: We protect data against unauthorised processing and loss

3. Data We Collect

Tribii collects different categories of data depending on how you interact with our platform. This section details what we collect from each user type.

A. Data from Hoteliers and Property Managers

When you create a Tribii account as a hospitality business, we collect:

• Business Information: business name, business registration number, tax ID, type of accommodation
• Contact Details: email address, phone number, business address
• Account Information: username, password (encrypted), security details
• Property Information: property name, address, room descriptions, pricing, availability calendar, amenities, images
• Financial Information: payment preferences for SaaS subscription billing
• Usage Analytics: login history, platform features used, booking management data
• CRM Data: information about guests who stayed at your property, guest communication history

B. Data from Travellers and Guests

When you use Tribii to search for, view, or book accommodations, we collect:

• Account Information: name, email address, password (encrypted), phone number
• Profile Data: nationality, date of birth (optional), language preferences, profile picture
• Booking History: properties viewed, accommodation bookings made, booking dates, number of guests
• Search and Browsing Data: searches performed, filters used, properties viewed, time spent on pages
• Device Information: device type, operating system, browser type, IP address, unique device identifier
• Location Data: approximate location (country/region) and location-based search preferences
• Review Data: reviews you write, ratings you give, review publication date, responses to reviews
• Communication Data: messages with properties, customer support tickets, feedback forms
• Payment-Related Information: billing address (for invoicing purposes only — actual payment processing occurs directly with your chosen payment provider)

In addition to sharing guest information with hotels, Tribii also retains basic platform-level data independently as a data controller. This includes guest name, email address, number of reservations, destinations visited, hotels booked, and booking dates. Tribii processes this data to facilitate the booking service, improve our platform, prevent fraud, and maintain service quality.

C. Data from Job Applicants

If you apply for a position at Tribii:

• CV/Resume: name, contact information, work experience, education, qualifications
• Application Data: application form responses, cover letter, interview notes
• Background Information: references (if provided), background check results (where applicable)

4. How We Collect Your Data

We collect data through the following methods:

Direct Collection

• Information you provide when creating an account
• Data you enter when listing accommodations or activities
• Information submitted through contact forms, support tickets, and feedback
• Reviews and ratings you publish

Automatic Collection

• Cookies and similar tracking technologies (see Section 11)
• Server logs and device information automatically collected when accessing the platform
• Behavioural analytics (pages viewed, time spent, interactions)

Third-Party Sources

• Data shared by hotels about their guests (see Section 7 for details)
• Social media integrations (where applicable)

5. Legal Basis for Processing

Under GDPR, we must have a lawful basis to process your personal data. We rely on the following legal bases depending on the processing activity:

A. Contract Performance (Article 6(1)(b))

We process data necessary to perform our services:

• For hoteliers: providing platform access, managing bookings, processing payment of SaaS subscriptions
• For travellers: enabling search and booking functionality, managing reservations

B. Consent (Article 6(1)(a))

We obtain explicit consent for:

• Marketing communications and newsletters
• Non-essential cookies and tracking for analytics and advertising
• Profiling and automated decision-making used to personalise recommendations

C. Legitimate Interest (Article 6(1)(f))

We rely on legitimate interests for:

• Fraud prevention and security measures
• Essential analytics and platform improvements
• Customer support and issue resolution
• Direct marketing to existing customers (with opt-out available)
• Compliance with legal obligations and protection of legal claims

D. Tribii's Platform-Level Data Processing

As an independent data controller, Tribii processes platform-level data (guest name, email address, number of reservations, destinations visited, hotels booked, and booking dates) under two legal bases:

• Contract Performance: facilitating the booking service and managing the technical infrastructure required to deliver our platform
• Legitimate Interest: platform improvement, fraud prevention, and ensuring service quality and security

E. Legal Obligation (Article 6(1)(c))

We process data where required by applicable laws, including:

• Tax and accounting records
• Anti-money laundering and sanctions compliance

6. How We Use Your Data

Service Delivery

• Providing booking and property management functionality
• Processing and fulfilling accommodation reservations
• Managing SaaS subscriptions and premium features
• Supporting customer inquiries and technical support

AI-Powered Features

• SEO optimisation: analysing property descriptions to improve search visibility
• Revenue management: analysing booking patterns and pricing recommendations
• Personalised recommendations: suggesting accommodations and activities based on user behaviour and preferences
• Smart matching: connecting travellers with suitable properties

Guest CRM and Remarketing

• Enabling hoteliers to maintain guest databases and send targeted communications
• Facilitating personalised marketing campaigns to past guests

Analytics and Reporting

• Providing hoteliers with performance dashboards and occupancy reports
• Understanding platform usage patterns to improve our services
• Aggregate analytics that do not identify individuals

Reviews and User-Generated Content

• Publishing reviews and ratings to help other users make informed decisions
• Moderating content for compliance with community standards

Marketing and Communications

• Sending promotional emails and newsletters (where consent has been provided or legitimate interest applies)
• Service announcements and updates
• Personalised advertising within and outside our platform

Security and Compliance

• Preventing fraud, abuse, and illegal activity
• Enforcing terms of service and other agreements
• Responding to legal requests and regulatory obligations

7. Sharing Your Data with Third Parties

A. Data Shared Between Tribii and Hotels

Hotels and Tribii operate as separate and independent data controllers. Hotels are responsible for managing guest information related to their specific properties and reservations. Tribii, as an independent controller, retains platform-level data including guest name, email address, number of reservations, destinations visited, hotels booked, and booking dates for the purposes of facilitating the booking service, improving our platform, and preventing fraud. We share specific booking data with hotels as follows:

• Booking information: When a guest books through Tribii, we share guest name, email, phone number, and booking details with the property manager
• Guest profiles: With guest consent, hoteliers can access traveller profiles for CRM purposes
• Reviews and ratings: Published reviews are shared with properties for their records

Hotels are responsible for their own privacy notices and compliance when using guest data. We will sign a Data Processing Agreement (DPA) with each hotel if required by GDPR Article 28.

B. Service Providers (Data Processors)

We engage third-party service providers to support our operations. These processors act on our instruction and are bound by Data Processing Agreements:

• Cloud Infrastructure: hosting, storage, and database services
• Email Services: transactional and marketing email delivery
• Analytics Tools: tracking user behaviour and platform usage
• Customer Support Platforms: ticketing and chat systems
• Payment Service Providers: for SaaS subscription billing (note: we do NOT process guest payments directly)
• AI/ML Providers: for revenue management and recommendation algorithms

C. Business Partners

We may share aggregated, anonymised data with business partners for research and strategic purposes. This data cannot identify individual users.

D. Legal Requirements

We may disclose your data if required by law, regulation, or government request, including:

• Court orders or legal proceedings
• Law enforcement requests
• Tax and regulatory compliance

E. Business Transactions

If Tribii is acquired, merged, or assets are sold, your data may be transferred as part of the transaction. We will notify you of such changes and any affected privacy rights.

8. Data Retention and Deletion

We retain your data only for as long as necessary to provide our services and comply with legal obligations.

Retention Periods

Deletion Requests

You can request deletion of your account and associated data at any time. We will delete your data within 30 days, unless:

• We are legally required to retain it (e.g., tax records)
• Deletion conflicts with our legitimate interests or other users' rights
• You have an active dispute or booking

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format within 30 days of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data. We will update your information within 30 days or explain why we cannot comply.

Right to Erasure (Article 17)

You can request deletion of your data in certain circumstances, including when:

• Data is no longer necessary for its original purpose
• You withdraw consent
• You object to processing based on legitimate interest
• Data has been processed unlawfully

We will not delete data if required by law or if deletion would adversely affect other users.

Right to Restrict Processing (Article 18)

You can request that we limit how we process your data while we verify its accuracy or assess your objection. We will store data but not actively use it.

Right to Data Portability (Article 20)

You can request your data in a structured, machine-readable format and have it transferred to another service provider without hindrance. We will provide this within 30 days.

Right to Object (Article 21)

You can object to:

• Direct marketing (we will stop immediately)
• Processing based on legitimate interest
• Automated decision-making and profiling

Right to Withdraw Consent

If we process your data based on consent, you can withdraw it at any time by updating your account settings or contacting us. Withdrawal does not affect the legality of processing that occurred before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: contact [at] tribii [dot] com
• In-app privacy portal (where available)

We will respond within 30 days. If your request is complex, we may extend this by two months, which we will communicate to you.

10. Automated Decision-Making and Profiling

What We Do

Tribii uses automated decision-making and profiling (including AI/ML algorithms) for:

• Personalised property recommendations based on search history and behaviour
• Pricing and revenue management suggestions for hoteliers
• Fraud detection and prevention
• Content moderation and review validation
• Targeted marketing and personalised advertising

Your Rights (Article 22)

Under Article 22 of the GDPR, you have the right NOT to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless:

• The decision is necessary for entering into a contract
• You have given explicit consent
• It is authorised by law

For most Tribii features, we provide human review and override options. If you wish to object to automated decision-making or request human review, contact us at contact [at] tribii [dot] com.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and gather analytics.

Types of Cookies

• Essential Cookies: Required for basic platform functionality (login, security). No consent required.
• Performance Cookies: Track site usage and performance. Require consent.
• Functional Cookies: Remember your preferences and personalise content. Require consent.
• Marketing Cookies: Used for targeted advertising and third-party tracking. Require explicit consent.

Cookie Duration

Most analytical cookies are retained for up to 13 months. You can clear cookies via your browser settings at any time.

Your Cookie Choices

When you first visit Tribii, we will present a cookie consent banner. You can:

• Accept all cookies
• Accept only essential cookies
• Manage preferences in the cookie settings panel

You can change your preferences at any time in your account settings or by clearing cookies from your browser.

12. Data Protection of Children

Tribii is not intended for children under 16 years of age (or the legal age of digital consent in your country). We do not knowingly collect data from children under this age.

If You Are Under 16

If you are under 16, you must obtain parental or guardian consent before using Tribii. Parents and guardians can request information about children's data or request deletion by contacting contact [at] tribii [dot] com.

If We Discover Unauthorised Child Data

If we discover that we have collected data from a child without proper consent, we will delete it immediately and notify the parent or guardian.

13. International Data Transfers

Tribii is based in the Netherlands and primarily operates within the EU/EEA. If we transfer data outside the EU/EEA:

• We will use Standard Contractual Clauses (SCCs) approved by the EU Commission
• We will ensure equivalent safeguards are in place
• We will comply with GDPR Chapter V requirements

Currently, we do not transfer data to non-EEA countries, but this may change as we expand. We will update this section if material changes occur.

14. Data Security

Security Measures

Tribii implements comprehensive security measures to protect your data:

• Encryption: Data in transit (TLS/SSL) and at rest are encrypted
• Access Controls: Role-based access and multi-factor authentication
• Firewalls and Intrusion Detection: Network security monitoring
• Regular Audits: Security assessments and penetration testing
• Employee Training: Data protection and cybersecurity training for staff
• Data Protection Impact Assessments: Conducted for high-risk processing

While we use industry-standard security, no system is 100% secure. We encourage you to use strong passwords and never share login credentials.

Data Breach Notification

If we discover a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Notify affected individuals without undue delay
• Provide details of the breach, its scope, and recommended actions

15. Data Processing Agreements (DPA)

For hotels acting as data controllers, we will execute a Data Processing Agreement that complies with GDPR Article 28. The DPA will specify:

• The subject matter, scope, and duration of processing
• The nature and purpose of processing
• Types of personal data and categories of data subjects
• Obligations and rights of the controller

Request a DPA by contacting contact [at] tribii [dot] com.

16. Your Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your national data protection authority. You can do this in addition to contacting us.

EU Supervisory Authorities

You can file a complaint with the data protection authority in your country:

• Netherlands: Autoriteit Persoonsgegevens (AP)
• Germany: Bundesdatenschutzbeauftragter (BfDI) or State DPAs
• Spain: Agencia Española de Protección de Datos (AEPD)
• Italy: Garante per la protezione dei dati personali

We encourage you to contact us first, as we will work to resolve any concerns.

17. Contact Us

For any privacy-related questions, requests, or concerns:

• Email: contact [at] tribii [dot] com
• Mailing Address: Hoodbnb B.V., Netherlands
• In-app Privacy Portal: Available to logged-in users

We aim to respond to all inquiries within 30 days.

18. Privacy by Design

Tribii is committed to Privacy by Design principles (GDPR Article 25). We:

• Implement data protection from the outset in all new features and services
• Conduct Data Protection Impact Assessments (DPIA) for high-risk processing
• Minimise data collection and retention periods
• Provide privacy-friendly default settings
• Regularly review and audit data processing practices

19. Third-Party Links and Services

Our platform may contain links to third-party websites and services (e.g., payment providers, social media). We are not responsible for their privacy practices. Please review their privacy policies before sharing your data.

20. Updates to This Privacy Policy

Tribii may update this Privacy Policy to reflect changes in our operations, technology, or legal requirements. We will notify you of material changes by:

• Email notification to your registered email address
• Prominent notice on our website or platform
• Requesting your explicit consent if required

The 'Effective Date' at the top of this policy indicates the last update. Your continued use of Tribii constitutes acceptance of updated terms.

21. Summary of Your Rights at a Glance

22. Acknowledgment

By using Tribii, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data processing practices, please do not use our platform.

Thank you for trusting Tribii with your data. We are committed to protecting your privacy and ensuring transparency in all our data processing activities.

Document Version: 1.0
Last Updated: February 2026