Booking Privacy

Privacy Notice (GDPR)

1. Controller

TDS Travel & Data Service GmbH

Registered Address: Müllerstr. 47 80469 München

Registration/Tax/VAT No.: 129475583

Privacy Contact: info@tdsreisen.de


2. Purposes and Legal Bases

  • Booking & Contract (Art. 6(1)(b) GDPR): process reservations, confirmations, cancellations, vouchers.
  • Payments (Art. 6(1)(b),(f)): secure payments via Stripe, fraud prevention, chargebacks.
  • Legal obligations (Art. 6(1)(c)): accounting, tax compliance, consumer protection.
  • Legitimate interests (Art. 6(1)(f)): IT security, debugging, fraud prevention, maintaining audit logs.
  • Marketing (Art. 6(1)(a)): only if you explicitly consent; otherwise, only transactional messages are sent.

3. Data We Process

  • Identification & Contact: name, email, phone, address, country.
  • Booking Data: property, dates, party, extras, rate plan, cancellation status.
  • Payment Data: processed by Stripe; we receive payment status but not full card details.
  • Technical Data: IP, browser user agent, referrer, session identifiers, booking/voucher access logs.

4. Sources

  • You (checkout forms, voucher access).
  • Stripe (payment status).
  • WebHotelier (availability, booking confirmation).

5. Recipients

  • Stripe Payments Europe, Ltd. (payment processing).
  • WebHotelier (reserve-online.net / Hotelier.io) (channel manager to relay booking to property).
  • Property partners (guest and booking details to fulfill stay).
  • Email/hosting providers (transactional emails and system operation).

6. International Transfers

  • Stripe and other providers may transfer data outside the EEA. These transfers are secured by EU Standard Contractual Clauses or equivalent safeguards.

7. Retention

  • Booking & financial records: 6–10 years (statutory).
  • Technical/audit logs: up to 12 months (longer if needed for disputes/security).
  • Communications: per legal retention rules.
  • Data no longer required is deleted or anonymized.

8. Your Rights

  • Access, rectification, erasure, restriction, objection, portability, withdrawal of consent.
  • Complaint: your local EU Data Protection Authority; in Greece: https://www.dpa.gr
  • To exercise rights: contact [info@tdsreisen.de]. Identity verification may be required.

9. Automated Decision-Making

  • No fully automated decisions with legal effects. Fraud checks may be applied.

10. Cookies

  • Essential cookies for checkout, payments, voucher sessions.
  • No analytics/marketing cookies unless you consent via cookie banner.

11. Security

  • TLS encryption; restricted access to systems; PCI DSS-compliant payment processors (Stripe).
  • No full card numbers or CVV stored by us.

12. Children

  • Service intended for adults (18+). If we learn we hold data of a child, we delete it unless required by law.

13. Updates

  • We may update this Privacy Notice; material changes will be highlighted on our site.