Table of Contents
- 1. Introduction
- 2. Who We Are and Our Commitment to Data Protection
- 3. Data We Collect
- 4. How We Collect Your Data
- 5. Legal Basis for Processing
- 6. How We Use Your Data
- 7. Sharing Your Data with Third Parties
- 8. Data Retention and Deletion
- 9. Your Rights Under GDPR
- 10. Automated Decision-Making and Profiling
- 11. Cookies and Tracking Technologies
- 12. Data Protection of Minor Guests
- 13. International Data Transfers
- 14. Data Security
- 15. Data Processing Agreements (DPA)
- 16. Your Right to Lodge a Complaint
- 17. Contact Us
- 18. Privacy by Design
- 19. Third-Party Links and Services
- 20. Updates to This Privacy Policy
- 21. Summary of Your Rights at a Glance
- 22. Acknowledgment
1. Introduction
Welcome to Tribii. We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how Hoodbnb B.V., trading as 'Tribii' (hereafter referred to as 'Tribii', 'we', 'our', or 'us'), collects, uses, stores, and shares your personal data in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, the revised Swiss Federal Act on Data Protection (revFADP), and other applicable data protection laws.
This Privacy Policy applies to all users of the Tribii platform, including:
- Hoteliers and property managers who use Tribii's accommodation management platform
- Travellers who browse and book accommodations through Tribii
- Hotel guests who use the Tribii guest mobile application (the "Guest App")
- Users who engage with our reviews, recommendation, and community systems
- Job applicants and our employees
2. Who We Are and Our Commitment to Data Protection
Contact Information
Tribii is a software company providing technology solutions to independent hospitality businesses across the European Economic Area, Switzerland, and the United Kingdom. We are incorporated in the Netherlands.
For any privacy-related inquiries, please contact our Privacy Contact at:
- Email: contact [at] tribii [dot] com
- Hoodbnb B.V., registered in the Netherlands under KVK number 73124680.
Our Data Protection Principles
Tribii is committed to processing your data in accordance with GDPR and all applicable data protection laws. We adhere to the following principles:
- Lawfulness, fairness, and transparency: We process data only with a valid legal basis and keep you informed
- Purpose limitation: We use data only for purposes specified in this policy
- Data minimisation: We collect only the data necessary for our stated purposes
- Accuracy: We maintain accurate and up-to-date records
- Integrity and confidentiality: We protect data against unauthorised processing and loss
3. Data We Collect
Tribii collects different categories of data depending on how you interact with our platform. This section details what we collect from each user type.
A. Data from Hoteliers and Property Managers
When you create a Tribii account as a hospitality business, we collect:
- Business Information: business name, business registration number, tax ID, type of accommodation
- Contact Details: email address, phone number, business address
- Account Information: username, password (encrypted), security details
- Property Information: property name, address, room descriptions, pricing, availability calendar, amenities, images
- Financial Information: payment preferences for SaaS subscription billing
- Usage Analytics: login history, platform features used, booking management data
- CRM Data: information about guests who stayed at your property, guest communication history
- Fiscal Credentials (where Fiscal Services are enabled): the digital certificate (.p12/.pfx) and passphrase you upload to sign and transmit tax records. These are stored encrypted at rest and are never logged, displayed or returned.
- Fiscal Invoice Data (where Fiscal Services are enabled): your legal name, tax identification number and address, and the tax identification numbers, names and billing addresses of buyers (including corporate guests) named on invoices, together with the invoice records, hash chain and submission logs.
B. Data from Travellers and Guests
When you use Tribii to search for, view, or book accommodations, we collect:
- Account Information: name, email address, password (encrypted), phone number
- Profile Data: nationality, date of birth (optional), language preferences, profile picture
- Booking History: properties viewed, accommodation bookings made, booking dates, number of guests
- Search and Browsing Data: searches performed, filters used, properties viewed, time spent on pages
- Device Information: device type, operating system, browser type, IP address, unique device identifier
- Location Data: approximate location (country/region) and location-based search preferences
- Review Data: reviews you write, ratings you give, review publication date, responses to reviews
- Communication Data: messages with properties, customer support tickets, feedback forms
- Payment-Related Information: billing address (for invoicing purposes only; actual payment processing occurs directly with the payment provider used by the property)
- Identity-Document Data (where required by law): For stays at hotels in jurisdictions that require guest identity registration (for example, Spain's huéspedes filing obligation under Royal Decree 933/2021), Tribii records the guest's identity-document type and number (passport, national identity card, residence permit, or equivalent). This field is encrypted at rest. Legal basis: Article 6(1)(c) GDPR, legal obligation.
- Self Check-in Registration Data (where the hotel enables Self Check-in): Where a hotel enables online self check-in, the guest completes a digital registration form. In addition to the identity-document data above, this captures the guest's date of birth and nationality (mandatory in this context), residence address and province/region of residence, and a handwritten signature image together with a timestamped acknowledgment. The same registration details are collected for co-travellers and accompanying minors named on the booking (provided by the registering adult). The signature image is access-restricted at rest. Legal basis: Article 6(1)(c) GDPR, legal obligation.
- Integration Data: Where a hotelier connects an external service (such as a mailbox, calendar, or distribution channel) to Tribii to enable automated workflows, Tribii receives the relevant access credentials, processes the data flowing from that integration to deliver the contracted features, and encrypts long-lived credentials at rest. Hoteliers can revoke any such integration at any time from their account settings, which severs Tribii's ongoing access. Data flowing through an integration may be processed by Tribii's sub-processors as described in Section 7.B.
- Calendar-Export Tokens: Reservations can be exported to external calendar applications via tokenised public iCal URLs. The URL contains a unique token that, if shared, allows the holder to retrieve guest first name, last name, arrival and departure dates for that hotel's bookings. Hoteliers are responsible for keeping these tokens confidential and for rotating them via the platform if compromised.
In addition to sharing guest information with hotels, Tribii also retains basic platform-level data independently as a data controller. This includes guest name, email address, number of reservations, destinations visited, hotels booked, and booking dates. Tribii processes this data to facilitate the booking service, improve our platform, prevent fraud, and maintain service quality.
B-bis. Data from Guest App Users
The Tribii Guest App is a mobile application made available to hotel guests whose accounts originate from a reservation created by a hotel. When you use the Guest App, the following data is processed in addition to the data above.
Provided by the hotel through your reservation (you do not enter these): first and last name, email address, phone number, country, reservation details (booking reference, arrival and departure dates, number of guests, room type, status, notes), the cost breakdown for your stay, the associated hotel's details and coordinates, an internal account identifier, and a "VIP level" field set by the hotel.
Entered by you in the Guest App:
- Profile bio (free text, up to 160 characters)
- Travel interests selected from a fixed list (for example food, outdoors, culture, wellness, nightlife)
- Phone number (editable)
- Profile photo / avatar, uploaded from your device photo library if you choose to set one (see Section 4)
- Language preference
- User-generated content: community board posts, join-request messages, guest-to-guest direct messages, hotel chat messages, and experience-booking notes, all free text you author
Generated automatically:
- A session authentication token (limited lifetime), stored securely on your device
- Your device push-notification token, only where you enable notifications
- Timestamps (account registration, message sent/read times, request times)
- Your record of consent to these documents (see "In-App Consent and Versioning" below)
Safety and moderation data. If you use the in-app safety tools, we process the following. (a) Content reports: when you report a board post, thread message, or direct message, we create a report record containing your identity as reporter, the reported guest's identity, a snapshot or excerpt of the reported content (kept even if the original is later deleted), the reason category you selected (spam or scam; harassment or hate; inappropriate content; or other), your optional free-text note, and a review status. (b) Block relationships: a record of which guest has blocked which, used solely to filter what each guest sees. Content reports are reviewed by Tribii staff or moderators.
No device location is collected. The Guest App does not collect your device's GPS or precise location and requests no location permission. Any "travellers nearby" experience is derived from your hotel's coordinates on your reservation (computed on our servers), not from your phone's location sensor.
In-app consent and versioning. Before you use the Guest App's community features for the first time, the app presents a consent screen that discloses, in plain language, that your first name, profile photo, bio, country, and interests are visible to other guests, and that your posts and messages are shared with the people you reach. The screen links to these documents and requires you to confirm that you have read and agree. We record your acceptance together with a timestamp and the version of the Terms and Privacy Policy you accepted, so that we can ask you to re-accept when these documents materially change.
Booking Session Data (Incomplete Bookings)
When a visitor begins a booking on a hotel's embedded Tribii widget but does not complete it, Tribii captures the partial booking-form data the visitor has already entered. This may include email address, first and last name, phone number, requested stay dates (arrival and departure), and the rooms selected. We capture this data so that hoteliers who have activated the Abandonment Recovery feature can send the visitor a limited number of recovery messages on the hotel's behalf. The legal basis for those messages is set out in Section 5, and the retention period is set out in Section 8.
C. Data from Job Applicants
If you apply for a position at Tribii:
- CV/Resume: name, contact information, work experience, education, qualifications
- Application Data: application form responses, cover letter, interview notes
- Background Information: references (if provided), background check results (where applicable)
4. How We Collect Your Data
We collect data through the following methods:
Direct Collection
- Information you provide when creating an account
- Data you enter when listing accommodations or activities
- Information submitted through contact forms, support tickets, and feedback
- Reviews and ratings you publish
- Profile details, posts, and messages you create in the Guest App
Automatic Collection
- Cookies and similar tracking technologies (see Section 11)
- Server logs and device information automatically collected when accessing the platform
- Behavioural analytics (pages viewed, time spent, interactions)
Mobile App Permissions
The Guest App requests device permissions only where needed for a feature you choose to use:
- Photo library: requested only when you choose to set a profile photo; the image you select is uploaded as your avatar.
- Push notifications: optional; if you grant permission, your device push token is registered so we can deliver message and activity notifications, via Expo's push service and the platform push gateways (Apple APNs and Google FCM).
- Camera, microphone, contacts, and location are not requested.
Third-Party Sources
- Data shared by hotels about their guests (see Section 7 for details)
- Where you use "Continue with Google" to sign in to the Guest App, Google provides your email address and basic profile so we can match you to your existing guest account
- Social media integrations (where applicable)
5. Legal Basis for Processing
Under GDPR, we must have a lawful basis to process your personal data. We rely on the following legal bases depending on the processing activity:
A. Contract Performance (Article 6(1)(b))
We process data necessary to perform our services:
- For hoteliers: providing platform access, managing bookings, processing payment of SaaS subscriptions
- For travellers: enabling search and booking functionality, managing reservations
- For Guest App users: authenticating you, showing your reservations and hotel communications, and providing the profile and account features you use
B. Consent (Article 6(1)(a))
We obtain explicit consent for:
- Marketing communications and newsletters
- Non-essential cookies and tracking for analytics and advertising
- Profiling and automated decision-making used to personalise recommendations (including AI-driven property and content recommendations)
- Use of optional features that send guest content to third-party AI providers
- Participation in the Guest App community features, captured through the in-app consent screen, including the visibility of your profile and content to other guests, and your optional use of the photo library and push notifications
C. Legitimate Interest (Article 6(1)(f))
We rely on legitimate interests for:
- Fraud prevention and security measures
- Essential analytics and platform improvements
- Customer support and issue resolution
- Operating the Guest App community features, including content moderation, handling content reports, and managing blocks, to keep the community safe and to comply with our House Rules and app-store user-generated-content policies
- Direct marketing to existing customers (with opt-out available)
- Compliance with legal obligations and protection of legal claims
D. Tribii's Platform-Level Data Processing
As an independent data controller, Tribii processes platform-level data (guest name, email address, number of reservations, destinations visited, hotels booked, and booking dates) under two legal bases:
- Contract Performance: facilitating the booking service and managing the technical infrastructure required to deliver our platform
- Legitimate Interest: platform improvement, fraud prevention, and ensuring service quality and security
E. Legal Obligation (Article 6(1)(c))
We process data where required by applicable laws, including:
- Tax and accounting records
- Anti-money laundering and sanctions compliance
- Hotel-registration and identity-verification obligations (e.g., Spain's huéspedes regime under Royal Decree 933/2021)
- Recording statutory traveler-registration data through Self Check-in and, in a future release, transmitting it to the competent national authority (e.g., Spain's Ministry of the Interior via the SES.HOSPEDAJES platform), where the hotel enables Self Check-in
- Issuing and reporting tax invoices through the Fiscal Services, where you enable them: a legal obligation under the applicable Spanish (VeriFactu), Basque (TicketBAI / BATUZ), Navarra and EU e-invoicing rules
F. Abandonment-Recovery Communications
Where a hotel has activated the Abandonment Recovery feature, Tribii sends recovery messages to visitors who began a booking on that hotel's widget but did not complete it. The lawful basis for sending these messages is consent (Article 6(1)(a) GDPR), captured through a per-session consent flag recorded at the point the visitor provides their details in the booking flow. A message is only sent where that flag is set and the visitor has not opted out.
Where, in a given jurisdiction, such a message is instead permitted on the basis of the 'soft opt-in' for existing-customer contact details under the ePrivacy Directive (2002/58/EC) and its national implementations (including the UK Privacy and Electronic Communications Regulations), Tribii and the hotel rely on that basis only subject to its conditions: that the contact details were obtained in the course of, or in negotiations for, a sale; that the messages relate to similar services; and that a clear and simple opt-out is offered both at the point of collection and in every message.
6. How We Use Your Data
Service Delivery
- Providing booking and property management functionality
- Processing and fulfilling accommodation reservations
- Managing SaaS subscriptions and premium features
- Supporting customer inquiries and technical support
- Operating the Guest App: showing your reservations, enabling chat with your hotel, and powering your profile and account features
Guest App Community and Experiences
- Enabling you to connect with other travellers through the community board, join requests, and direct messages
- Displaying the parts of your profile and the content you post to the other guests you choose to reach
- Letting you discover and request hotel-curated experiences
- Moderating community content and handling reports and blocks to keep the community safe
AI-Powered Features
Some Tribii features, including content optimisation, revenue and pricing assistance, image generation, and automated reservation workflows, are powered by third-party AI service providers. Where such features process personal data, the data is transmitted to those providers solely to deliver the contracted features. Those providers process data on Tribii's instruction under written agreements. Only the data necessary to deliver the contracted feature is transmitted, and Tribii configures these services, where the provider offers it, so that Tribii customer content is not used to train the providers' general-purpose models. A list of sub-processors used by Tribii is in Section 7.B.
- Revenue Intelligence: forecasts, alerts, market benchmarking and pricing recommendations for hoteliers, computed from the hotel's own booking data and public signals (public holidays and weather). Statistical, not based on guest profiling.
- Hotel AI Assistant: answering hoteliers' natural-language questions about their own property using aggregated, non-identifying figures. Individual guest personal data is not sent to the AI provider.
Guest CRM and Remarketing
- Enabling hoteliers to maintain guest databases and send targeted communications
- Facilitating personalised marketing campaigns to past guests
Analytics and Reporting
- Providing hoteliers with performance dashboards and occupancy reports
- Understanding platform usage patterns to improve our services
- Aggregate analytics that do not identify individuals
Reviews and User-Generated Content
- Publishing reviews and ratings to help other users make informed decisions
- Moderating content for compliance with community standards
Marketing and Communications
- Sending promotional emails and newsletters (where consent has been provided or legitimate interest applies)
- Service announcements and updates
- Transactional communications such as Guest App magic-link sign-in emails and push notifications you have enabled
Security and Compliance
- Preventing fraud, abuse, and illegal activity
- Enforcing terms of service and other agreements
- Responding to legal requests and regulatory obligations
7. Sharing Your Data with Third Parties
A. Data Shared Between Tribii and Hotels
Hotels and Tribii operate as separate and independent data controllers. Hotels are responsible for managing guest information related to their specific properties and reservations. Tribii, as an independent controller, retains platform-level data including guest name, email address, number of reservations, destinations visited, hotels booked, and booking dates for the purposes of facilitating the booking service, improving our platform, and preventing fraud. We share specific booking data with hotels as follows:
- Booking information: When a guest books through Tribii, we share guest name, email, phone number, and booking details with the property manager
- Guest profiles: With guest consent, hoteliers can access traveller profiles for CRM purposes
- Hotel chat: Messages you send to your hotel through the Guest App are shared with that hotel's staff
- Reviews and ratings: Published reviews are shared with properties for their records
Hotels are responsible for their own privacy notices and compliance when using guest data. We will sign a Data Processing Agreement (DPA) with each hotel as required by GDPR Article 28.
B. Sub-Processors
Tribii engages the following sub-processors. Each is bound by a written data-processing agreement and, where transfers leave the EEA, by European Commission Standard Contractual Clauses (Commission Decision (EU) 2021/914) and any applicable UK or Swiss addendum. The authoritative, current list, including each provider's purpose, location, and transfer mechanism, is published at our Sub-processor List; the table below reproduces it as of the effective date of this policy. We will give hoteliers at least fifteen (15) days' notice by email before adding, replacing, or materially changing a sub-processor, under the procedure described in our Data Processing Agreement.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payment infrastructure | Ireland (EU); global infra | Intra-EEA + SCCs |
| Anthropic, PBC | AI service provider (content, revenue and workflow features; AI Connections context) | USA | EU SCCs 2021; DPF where certified |
| OpenAI, L.L.C. | AI service provider; AI Visibility probing | USA | EU SCCs 2021; DPF where certified |
| Google LLC | Cloud services, Gemini AI service provider (incl. the Hotel AI Assistant), AI Visibility probing, mapping, Guest App "Continue with Google" sign-in, and Firebase Cloud Messaging (FCM) push transport | USA | EU SCCs 2021; DPF where certified |
| Apple Inc. | App distribution (App Store) and push-notification transport (APNs) for the Guest App | USA | EU SCCs 2021; DPF where certified |
| Expo (650 Industries, Inc.) | Guest App push-notification delivery, over-the-air updates, and build service | USA | EU SCCs 2021 |
| Perplexity AI, Inc. | AI Visibility probing | USA | EU SCCs 2021 |
| Microsoft Corporation | Integration APIs | EU / USA | EU SCCs Module 3 |
| Resend, Inc. | Email delivery (including Guest App magic-link sign-in emails) | USA | EU SCCs Module 3 |
| Postmark / AWS SES | Email delivery infrastructure | USA | EU SCCs Module 3 |
| Expedia Group | Distribution channel integration | USA / EU | EU SCCs Module 3 |
| Functional Software, Inc. (Sentry) | Error monitoring (configured without PII) | EU / USA | EU SCCs Module 3 |
| Amazon Web Services EMEA SARL | Cloud infrastructure (EU region) | EU (Ireland) | Intra-EEA |
C. Sharing Between Guests in the Guest App
The Guest App's community features are social by design. When you participate, the following information is visible to other guests using the app: your first name, profile photo, bio, country, and selected travel interests. Posts you publish are shared with the travellers they reach, and direct messages are shared with the recipients you send them to. Private posts are gated by the post owner, who approves or denies each join request before the requester can see the thread. You control this exposure: you choose whether to participate, what to post, and whether to set an avatar, bio, or interests, and you can delete your own posts and your account at any time (see Section 8). Tribii does not sell this information and does not make your profile public outside the app.
D. Business Partners
We may share aggregated, anonymised data with business partners for research and strategic purposes. This data cannot identify individual users.
E. Legal Requirements
We may disclose your data if required by law, regulation, or government request, including:
- Court orders or legal proceedings
- Law enforcement requests
- Tax and regulatory compliance
F. Business Transactions
If Tribii is acquired, merged, or assets are sold, your data may be transferred as part of the transaction. We will notify you of such changes and any affected privacy rights.
G. Cross-Network Recovery Suppression List
If you unsubscribe from an abandonment-recovery email sent through any Tribii-powered hotel, that opt-out suppresses your email address across the entire Tribii network, so no participating hotel can send you a further recovery email. To make that suppression effective, we retain your email address permanently in a suppression list. This is the sole purpose for which the email is kept in that list, and it is held under Article 17(3)(b) GDPR (Recital 65), which permits retention necessary to give effect to your request to stop processing.
H. Tax Authorities and E-Invoicing Networks (Fiscal Services)
Where a hotel enables the Fiscal Services and switches on transmission, invoice data, namely the hotel's tax identity and the tax identification numbers, names and billing addresses of buyers named on invoices, is transmitted to the competent tax authority as required by law. Depending on the hotel's location these recipients are:
- the Spanish State Tax Administration Agency (AEAT), under VeriFactu;
- the Diputación Foral de Álava, the Diputación Foral de Bizkaia (TicketBAI and BATUZ/LROE), and the Diputación Foral de Gipuzkoa, in the Basque territories;
- the Hacienda Foral de Navarra, in Navarra;
- the Peppol network and recipients under the EU e-invoicing standard EN 16931, for structured electronic invoices.
These authorities and networks act as independent recipients in their own right under their governing legislation; they are not Tribii's sub-processors. The digital certificate and passphrase you upload are never transmitted to these recipients; they are used only to sign your records.
I. Guest-Registration Authorities (Self Check-in)
Where a hotel enables Self Check-in, statutory traveler-registration data (the identity, date of birth, nationality, residence and document details described in Section 3.B) is, in a future release, transmitted to the competent national authority designated by applicable guest-registration law, for example Spain's Ministry of the Interior via the SES.HOSPEDAJES platform. This transmission is carried out to satisfy the hotel's own legal obligation under Article 6(1)(c) GDPR; the authority acts as an independent recipient under its governing legislation and is not Tribii's sub-processor.
8. Data Retention and Deletion
We retain your data only for as long as necessary to provide our services and comply with legal obligations.
Retention Periods
| Data category | Retention period |
|---|---|
| Active account data | For the duration of account use; deletion actioned within 30 days of account closure |
| Guest App profile and community content (bio, interests, avatar, posts, messages) | For the duration of account use; purged when you delete your account in the app |
| Guest App session and push tokens | Session tokens expire on a rolling basis and are cleared on logout; push tokens are removed on logout or account deletion |
| Content reports and content snapshots (Guest App moderation) | Retained for moderation and audit purposes for [MODERATION RETENTION PERIOD : to be set by counsel, e.g. 24 months]; the snapshot is kept even if the original content is later deleted |
| Block relationships (Guest App) | Retained until the user removes the block |
| Booking records | 6 years (for tax and accounting purposes) |
| Financial records | 6-7 years (or longer as required by local law) |
| Published reviews | As long as helpful to the community; up to 5 years if archived |
| CRM guest data | Until guest opts out or 3 years of inactivity |
| Hotel AI Assistant conversation history | Stored per hotel account; retained for 1 year from the message date, then deleted or de-identified (or sooner on account closure or request) |
| Abandoned booking session personal data (email, name, phone) | Personal data erased 60 days from last activity; the de-identified record (dates, rooms, status, outcome) is retained for aggregate statistics |
| MCP agent call logs | Retained indefinitely for operational and abuse-investigation purposes (no IP address or guest personal data is captured) |
| Recovery opt-out (suppression) list | Kept indefinitely as a suppression list under Article 17(3)(b) GDPR / Recital 65 |
| Analytics logs | 12 months (aggregated data retained longer) |
| Cookies | Per cookie settings (13 months maximum for analytics cookies, when applicable) |
| Job applicant data | 6 months after decision (or 1 year if hired) |
| Fiscal records and submission logs (VeriFactu / TicketBAI / Navarra / Peppol) | Append-only; never altered or deleted; retained for the tax-inspection period required by applicable law (typically 4-6 years or longer) |
| Statutory traveler-registration records and signature images (Self Check-in) | Retained for the period required by applicable guest-registration law (approximately 3 years under Spain's Royal Decree 933/2021 / SES.HOSPEDAJES); retained even after other account data is deleted |
Deletion Requests
You can request deletion of your account and associated data at any time. We will action your request within 30 days, subject to the following:
- Data that we are legally required to retain (e.g., financial and tax records under Dutch law) will be retained for the statutory period
- Data that is the subject of an active dispute or contractual obligation will be retained until resolution
- Data that has been replicated to operational backups will be overwritten in the normal backup rotation cycle and will not be actively accessed in the interim
- Data that is part of an immutable fiscal record or submission log created through the Fiscal Services, which by law cannot be altered or deleted, will be retained for the statutory tax-inspection period
Guest App In-App Account Deletion
The Guest App provides a "Delete account" control. When you confirm deletion, Tribii purges the app-layer data associated with your account, including your community content (posts and messages), your push-notification tokens, your authentication and session tokens, and your app-only profile fields (bio, interests, avatar, language preference), and revokes all of your active sessions. Your underlying reservation and billing records held by your hotel are not deleted by this action: the hotel is a separate, independent controller of that booking data and retains it under its own lawful basis and retention rules, and Tribii continues to hold the platform-level and legally required records described in this Section 8 and in Section 3. For safety and audit reasons, content reports and the associated content snapshots relating to you (whether you filed them or were the subject of them) may be retained for the moderation retention period set out above, even after your account is deleted. In short: the app data we control as part of the Guest App is deleted on request, while booking and billing records persist under the hotel's own retention rules and our legal obligations, and a limited set of moderation records is kept for safety.
9. Your Rights Under GDPR
Under the GDPR (and equivalent rights under UK GDPR and the revFADP), you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format within 30 days of your request.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete data. We will update your information within 30 days or explain why we cannot comply.
Right to Erasure (Article 17)
You can request deletion of your data in certain circumstances, including when:
- Data is no longer necessary for its original purpose
- You withdraw consent
- You object to processing based on legitimate interest
- Data has been processed unlawfully
We will not delete data if required by law or if deletion would adversely affect other users.
Right to Restrict Processing (Article 18)
You can request that we limit how we process your data while we verify its accuracy or assess your objection. We will store data but not actively use it.
Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format and have it transferred to another service provider without hindrance. We will provide this within 30 days.
Right to Object (Article 21)
You can object to:
- Direct marketing (we will stop immediately)
- Processing based on legitimate interest
- Automated decision-making and profiling
Right to Withdraw Consent
If we process your data based on consent, you can withdraw it at any time by updating your account settings or contacting us. Withdrawal does not affect the legality of processing that occurred before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: contact [at] tribii [dot] com
- In-app privacy portal (where available)
We will respond within 30 days. If your request is complex, we may extend this by two months, which we will communicate to you.
10. Automated Decision-Making and Profiling
What We Do
Tribii uses automated decision-making and profiling (including AI/ML algorithms) for:
- Personalised property recommendations based on search history and behaviour
- Pricing and revenue management suggestions for hoteliers
- Fraud detection and prevention
- Content moderation and review validation
- Targeted marketing and personalised advertising
Your Rights (Article 22)
Under Article 22 of the GDPR, you have the right NOT to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless:
- The decision is necessary for entering into a contract
- You have given explicit consent
- It is authorised by law
For most Tribii features, we provide human review and override options. If you wish to object to automated decision-making or request human review, contact us at contact [at] tribii [dot] com.
Where a hotelier enables the Assistant AI automated-pricing capability, Tribii automatically applies room-rate changes within the limits the hotelier configures. This is an automated decision about the hotel's own commercial pricing (business data); it is not a decision about any individual guest and does not produce legal or similarly significant effects on a data subject within the meaning of Article 22. Hoteliers can disable Assistant AI or revert to manual approval at any time.
11. Cookies and Tracking Technologies
Tribii currently uses only strictly essential cookies. Because no analytics, marketing, or third-party tracking cookies are set by Tribii, no cookie consent banner is displayed. The Guest App does not use advertising or tracking SDKs. Full details, including third-party cookies set by embedded iframes from Stripe and Google Maps, are in our Cookie Policy.
12. Data Protection of Minor Guests
Tribii's traveller-facing services (creating a guest account, leaving reviews) are intended for use by adults aged 16 or over (or the local age of digital consent under Article 8 GDPR). The Guest App and its community features are intended for adults aged 18 or over and are not directed to children. Where a hotelier records a minor as part of a family or group booking, the hotelier is the data controller for that record and is responsible for obtaining and documenting any parental or guardian consent required under applicable law. Where a hotel enables Self Check-in, a minor's registration data is provided by the accompanying adult on the minor's behalf; this data is processed on the basis of the hotel's legal obligation (Article 6(1)(c) GDPR), not on the basis of the minor's consent. Tribii does not directly market its services to children.
If We Discover Unauthorised Child Data
If we discover that we have collected data from a child without proper consent, we will delete it immediately and notify the parent or guardian.
13. International Data Transfers
Tribii's primary infrastructure is located in the European Union. However, several of our sub-processors (listed in Section 7.B) are based in the United States or operate global infrastructure that may include US data centres. As a result, personal data is transferred to the United States in the ordinary course of providing our services, including, for example, payment processing, AI-assisted platform features, transactional email delivery, push-notification delivery, error monitoring, and certain platform integrations.
Tribii relies on the European Commission Standard Contractual Clauses (Commission Decision (EU) 2021/914), in particular Module 3 (processor-to-processor), as the transfer mechanism for these transfers.
For UK personal data, the UK International Data Transfer Addendum issued by the ICO is incorporated by reference.
For Swiss personal data, the EU SCCs are applied with the supplementary adjustments recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including references to the revised Federal Act on Data Protection (revFADP) and recognition of the FDPIC as competent supervisory authority, and, where a sub-processor is independently certified under the Swiss-US Data Privacy Framework, that framework may additionally be relied upon.
Transfer Impact Assessments are conducted and reviewed periodically. Tribii does not currently rely on Binding Corporate Rules or adequacy decisions for these transfers, except where a specific sub-processor independently certifies adequacy (e.g., the EU-US Data Privacy Framework or its UK / Swiss extensions). A list of sub-processors and their transfer mechanisms is maintained in Section 7.B and at our Sub-processor List.
Two optional features generate specific international transfers. Where a hotel enables AI Visibility, Tribii transmits the hotel's public name and city (which are not guest personal data) to US-based large-language-model providers to measure how those models describe the hotel; these transfers rely on the Standard Contractual Clauses 2021 (Module 2, controller-to-processor) and, where the provider is certified, the EU-US Data Privacy Framework. Where a hotel enables AI Connections (MCP), the endpoint is reachable over the public internet from anywhere in the world, but it exposes only the hotel's published inventory, rate and policy data and carries no guest personal data.
Where a hotel uses structured electronic invoicing over the Peppol network, invoice data may be routed to recipients elsewhere in the EU/EEA under the EU e-invoicing standard EN 16931. Such routing stays within the EU/EEA and does not constitute a transfer to a third country.
Where a hotel enables Self Check-in, statutory traveller-registration data will, in a future release, be transmitted to the competent national authority (e.g., Spain's Ministry of the Interior via SES.HOSPEDAJES). This is a transfer to a public authority within the EU/EEA to satisfy the hotel's legal obligation and does not constitute a transfer to a third country.
14. Data Security
Security Measures
Tribii implements comprehensive security measures to protect your data:
- Encryption in transit: All data exchanged between users, our platform, and our sub-processors is encrypted using TLS 1.2 or higher. The Guest App communicates with our servers over HTTPS only; cleartext traffic is disabled.
- Encryption at rest: Sensitive identifiers (including identity document numbers and OAuth refresh tokens) are encrypted at rest using AES-256. Other personal data is held in databases protected by access controls and infrastructure-level encryption.
- Secure credential storage on device: Guest App session tokens are stored in the operating system's secure store (iOS Keychain / Android EncryptedSharedPreferences).
- Access controls: Role-based access; multi-factor authentication is available and is enforced for administrative accounts.
- Firewalls and intrusion detection: Network security monitoring.
- Audits: Regular internal security reviews; external penetration testing planned.
- Employee training: Data protection and cybersecurity training for staff.
- DPIAs: Conducted for high-risk processing activities, including AI-assisted features and any new processing that involves significant volumes of personal data.
- Certificate vault: digital certificates and passphrases used for the Fiscal Services are held in a dedicated encrypted store, are never written to logs and are never returned through the interface or API.
While we use industry-standard security, no system is 100% secure. We encourage you to use strong passwords and never share login credentials.
Data Breach Notification
If we discover a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay
- Provide details of the breach, its scope, and recommended actions
15. Data Processing Agreements (DPA)
For hotels acting as data controllers, we will execute a Data Processing Agreement that complies with GDPR Article 28. The DPA will specify:
- The subject matter, scope, and duration of processing
- The nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
Our standard DPA is available at Data Processing Agreement.
16. Your Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with your national data protection authority. You can do this in addition to contacting us.
You can file a complaint with the data protection authority in your country. A current list of EEA supervisory authorities (covering all EU Member States plus Norway, Iceland, and Liechtenstein) is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en.
For users in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.
For users in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
Where Tribii's lead supervisory authority applies, that authority is the Autoriteit Persoonsgegevens (AP) in the Netherlands.
We encourage you to contact us first, as we will work to resolve any concerns.
17. Contact Us
For any privacy-related questions, requests, or concerns:
- Email: contact [at] tribii [dot] com
- In-app Privacy Portal: Available to logged-in users
We aim to respond to all inquiries within 30 days.
18. Privacy by Design
Tribii is committed to Privacy by Design principles (GDPR Article 25). We:
- Implement data protection from the outset in all new features and services
- Conduct Data Protection Impact Assessments (DPIA) for high-risk processing
- Minimise data collection and retention periods
- Provide privacy-friendly default settings
- Regularly review and audit data processing practices
19. Third-Party Links and Services
Our platform may contain links to third-party websites and services (e.g., payment providers, social media). We are not responsible for their privacy practices. Please review their privacy policies before sharing your data.
20. Updates to This Privacy Policy
Tribii may update this Privacy Policy to reflect changes in our operations, technology, or legal requirements. We will notify you of material changes by:
- Email notification to your registered email address
- Prominent notice on our website or platform
- In the Guest App, requesting that you re-accept the updated version where required
- Requesting your explicit consent if required
The 'Last updated' date at the bottom of this policy indicates when it was last revised. Your continued use of Tribii constitutes acceptance of updated terms.
21. Summary of Your Rights at a Glance
| Your right | What you can do |
|---|---|
| Access | Request a copy of your data in a machine-readable format |
| Correction | Update inaccurate or incomplete information |
| Deletion | Request deletion of your data (with exceptions) |
| Portability | Export your data to another service |
| Objection | Object to marketing, profiling, or processing |
| Restriction | Request we limit how we process your data |
| Consent Withdrawal | Withdraw consent for any processing at any time |
| Complaint | Lodge a complaint with your national data protection authority |
22. Acknowledgment
By using Tribii, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data processing practices, please do not use our platform.
Thank you for trusting Tribii with your data. We are committed to protecting your privacy and ensuring transparency in all our data processing activities.