Privacy Policy
About this privacy policy
Bookares, part of Kimamedia bv (Chamber of Commerce 94299528, Eindhoven, the Netherlands), values your privacy and only processes data necessary for improving its services. Personal data is never shared with third parties for commercial purposes. This policy explains what data is collected, its uses, sharing arrangements, storage methods, security measures, and user rights regarding personal information.
Software
Bookares uses software by Kimamedia bv. Personal data is shared with this partner for technical support. Kimamedia bv has access to your data to provide technical support; they will never use your data for another purpose. Security includes SSL encryption and strong password policies. Cookies collect technical information without storing personal data.
Web hosting
Cloudflare: Provides DNS, CDN, and security services. Processes metadata such as IP addresses and request data for delivering and securing the service. Appropriate technical and organizational security measures have been implemented.
Hetzner: Hosting partner for server infrastructure. Processes personal data on behalf of the company, collecting only metadata. Appropriate technical and organizational security measures have been implemented.
DigitalOcean: Applications are hosted here without sharing personal data, though IP addresses and operating systems are logged upon login.
Email and mailing lists
Brevo (SendinBlue): Sends newsletters using customer names and email addresses. Brevo will never use your name and email address for their own purposes. Unsubscribe links appear in automated emails. Cookies track email opens and reads.
Postmark: Email messages are stored for 45 days. Shared data includes email addresses, open status, software used, and message content — unless customers use their own SMTP server.
Gmail: Support emails and direct replies are stored on Gmail servers unless customers use their own SMTP server.
Payment processors
Stripe.com: Processes name, address, location, and payment data. Stripe has taken appropriate technical and organizational measures to protect your personal data. Data retention follows legal requirements.
Accounting and bookkeeping
SnelStart & Moneybird: Share name, address, location, and order details for invoice administration. Data is protected in transmission and storage, with confidentiality obligations binding both services.
Purposes of data processing
Data is used exclusively for service delivery related to the user's assigned tasks. No targeted marketing occurs without explicit consent. Data sharing with third parties is limited to accounting and administrative compliance, with all recipients bound to confidentiality.
Automatically collected data: Website-collected information (IP addresses, browsers, operating systems) improves services and is not classified as personal data.
Fiscal and criminal investigations: The company may be legally obligated to share data during governmental investigations while opposing such requirements within legal boundaries.
Data retention
Customer profiles are retained while users are clients. Upon termination requests, this constitutes a deletion request. Invoices with personal data are retained according to applicable administrative requirements, though staff cannot access client profiles afterward.
User rights
Users have rights under Dutch and European law regarding personal data processing.
- Right of access — Users may request to view processed data by contacting privacy@bookares.com. Responses come within 30 days, with copies sent to registered email addresses.
- Right of rectification — Users may request data corrections through the same contact method, receiving confirmation within 30 days.
- Right to restrict processing — Users may request limitations on data processing, receiving confirmation within 30 days that data won't be processed until restrictions are lifted.
- Right to data portability — Users may request data transfer to other parties through privacy@bookares.com. Within 30 days, copies are provided in machine-readable formats, though service continuation cannot be guaranteed because secure data linkage cannot be assured.
- Right of objection and other rights — Users may object to data processing, triggering immediate cessation pending review. If objections are valid, copies are provided and processing permanently stops. Users cannot be subjected to automated decision-making or profiling.
Cookies
Google Ads & Analytics: Website cookies from Google track visitor behavior and usage patterns. Google can interpret this information alongside other datasets and track your internet movements. Google uses this for targeted advertising (Adwords) and service offerings.
Third-party cookies are mentioned in this privacy statement when third-party software solutions utilize cookies.
Data Processor Agreement
This agreement is part of the main contract between Kimamedia bv (Bookares) and natural persons or legal entities (Clients). Bookares qualifies as a processor; clients are data controllers.
1. Definitions
- Data Breach: Security breaches causing accidental or unlawful destruction, loss, modification, unauthorized disclosure, or unauthorized access to transmitted, stored, or processed data.
2. Subject matter
This agreement establishes conditions under which Bookares processes personal data on client instructions. It forms an integral part of the main agreement, jointly determining processing subject matter, duration, and scope. Parties guarantee compliance with applicable laws regarding personal data processing.
3. Client obligations as data controller
Clients provide personal data and determine processing purposes and means. They guarantee that processing complies with applicable law. When client employees process data, clients remain responsible for legal compliance.
4. Permitted processing
Bookares processes data exclusively for delivering its online booking application as described in the main agreement, and only upon client instruction.
Data types processed: Name, address, email, telephone number, optional custom fields.
Data subject categories: Client customers, former clients, debtors and creditors, employees or contractors.
5. Data processing
Bookares processes only data strictly necessary for contract execution, having no control over processing purposes. Personal data is disclosed only to employees or sub-processors with necessary access, unless legally required otherwise. Employees are informed of agreement obligations. For contract execution, Bookares may create backups with identical protection as original data. No personal data is processed outside the European Economic Area (EEA).
6. Sub-processors
Clients accept that Bookares uses sub-processors during contract execution. Information about sub-processors is available upon request, which clients may refuse only for justified reasons. Bookares ensures sub-processors maintain equivalent data protection safeguards. The company remains fully responsible for sub-processor compliance and serves as the client's sole contact point.
7. Confidentiality
Bookares maintains strict confidentiality regarding processed personal data. This obligation extends to all employees and sub-processors and continues after agreement termination. Confidentiality doesn't apply when supervisory authorities, legal requirements, or court orders mandate disclosure; when information is publicly known; or when disclosure occurs at client request.
8. Security measures
Bookares implements appropriate technical and organizational measures proportionate to processing risks, ensuring compliance with applicable law and protecting data subject rights. Protection levels account for technical standards, implementation costs, and processing nature, scope, context, and purposes. The company adjusts protection levels as necessary or legally required. Upon explicit client request, Bookares may implement additional security measures, with associated costs borne by the client unless otherwise agreed.
9. Data breach notification
Upon discovering a breach, Bookares notifies clients without undue delay, describing the breach nature (including affected data subject categories and data types where possible), probable consequences, and remedial measures (including those limiting adverse effects). Post-notification updates on breach developments are provided. Clients determine whether to inform supervisory authorities and affected individuals. Both parties bear their own notification costs.
10. Data subject and government requests
Bookares assists clients with data subject requests. Requests directed to Bookares are forwarded to clients, who handle them unless otherwise agreed. The company also assists with government authority requests. Clients reimburse Bookares for costs incurred in executing these obligations unless otherwise agreed.
11. Information obligations and audits
Bookares provides all information necessary to demonstrate agreement compliance. Clients may conduct maximum one annual audit or data protection impact assessment at their own expense. Bookares provides full audit cooperation, with costs for indirect expenses borne by clients.
12. Agreement duration and termination
The processor agreement becomes effective upon client acceptance and continues throughout the main agreement duration. Parties cannot terminate mid-term. The agreement concludes after Bookares deletes all personal data. After 550 days of inactivity without login, data and account information are automatically deleted. Users who terminate accounts via 'account > my data' have data deleted within 30 days. Backups and copies are permanently deleted after one year unless legal requirements mandate retention. Clients retain data export capabilities throughout contract duration through available export functionality.
13. General provisions
This agreement forms part of the main agreement; rights and obligations from the main agreement and Bookares's general terms also apply. In conflicts between processor agreement and main agreement provisions, processor agreement terms prevail regarding personal data processing. This agreement replaces all prior arrangements regarding personal data processing and may be modified only in writing. Bookares provides rental owners the opportunity to present rental objects or time allocations via a booking system. The company has no involvement in concluded agreements, booking organization, or information accuracy. Bookares accepts no liability for third-party information content, including copyright infringement or intellectual property violations. Bookares attempts to connect parties but is never party to agreements between them. Users must resolve disputes independently and indemnify Bookares from claims arising from such disputes. Dutch law governs the processor agreement, with disputes filed at the Eindhoven District Court.
Changes
Bookares reserves the right to modify its privacy policy at any time. The most current version always appears on this page.
Contact
For questions about this privacy policy, contact us at privacy@bookares.com