Before we start, some important values:
We promise to protect your data as if is our own.
We won’t sell your data for marketing purposes.
We won’t share your personal data without good reason with other parties. (Like legal obligations)
When ‘we’, ‘us’, ‘our’, or alike is mentioned in the text of this privacy statement, BOOKA RENTALS BV located in AMSTERDAM, the NETHERLANDS is meant. When we mention ‘websites’, the following domains are meant: Bookahouseboat.com, Bookalighthouse.com, Bookatreehouse.com, Bookaglamping.com, Bookarentals.com, Booka.co.
INFORMATION WE STORE
We collect certain types of information:
- Personal information
- Correspondence information
- Use of site information
1. Personal information
We only ask for personal data when we need it for business purposes. All personal data we process is lawfully obtained and with a legal basis. The purpose for collecting the information is so we can continue and run our day-to-day business. We need personal information to give you the ability to fully use the services we offer, advertising your property (owner) or submitting booking requests / bookings via our platform (traveler). We request several types of personal information:
- Required account information (traveler)
(Such as: Name, Email, Password, Phone)
- Required account information (owner)
(Such as: Name, Email, Password, Phone, Address, Security question)
- Profile information (owner)
- Listing information (owner)
In order to be able to use our services you are required to enter the requested information on the logged-in area of the website.
Connected application information
A user can choose to create an account on our website via the Facebook connect button instead of via email. This can also be used for future log-ins to the website. Also users may choose to connect their Google (calendar) account to our website in order to synchronize booking dates.
2. Correspondence information
Correspondence information is information you send us for a support ticket for example. We need a minimum amount of information in order to identify you or your booking and help you out. We use Zendesk (www.zendesk.com) to help order and maintain the support requests. We are not responsible for the way in which they handle the information they process.
Other correspondence information we store is that between you and the host / guest. The main reason therefor is to provide you an historic overview of what you have discussed with the other party. We also monitor this (automated) to detect possible misuse of the platform and to protect our users, against fraud for example. In no way is correspondence data used for marketing purposes. All sent and receive data can be seen per booking (request) in your account on the “My Bookings” page.
3. Use of site information
We store anonymized information on how the site is used for internal statistics and trends. The information we store are ‘search queries’, these often contain: location, dates and number of people travelling. We also use Google Analytics and Lucky Orange to analyze anonymized information entered when using our websites.
USE OF DATA
How we use your data
Your data is used for the purpose it was entered into our system: either so you can book one of the listed properties or so you can advertise your property / properties successfully on our platforms.
Other reasons to use your data could be, to be able to communicate with you or help you with any support questions you may have.
We infrequently use your information (name, email) with third parties tools (like mailchimp.com) for marketing purposes, for sending you our newsletter or showing you relevant ads on (social) media channels like Facebook for example.
We will only share necessary information with third parties in order to keep our services and platforms in operation. An example is mandrillapp.com which we use to send our emails.
Our website contains links to other parties. We are not responsible for the way in which these parties handle their user’s privacy.
In case our company is sold or merges with another company your data will become available to this new entity. We will notify you hereof.
In case we are legally required to share your data your consent is not requested.
Access / overview of your data
You have the right to view, update and remove the data we store belonging to you. You can do so by logging in to the website and accessing your ‘account’. The information you see on the different pages is almost all the info we store about you. Unless you’ve given us permission to create (certain parts of) your account for you, you have entered and provided the information yourself.
Beside the information that is visible to you from your account we store:
- The IP address used to make a booking request / booking
- Your payment method (Example: Visa, iDeal, PayPal)
- The location from which you make a booking request / booking
Within our company only the people who need access to your data have access to it. This is mainly required to handle support quests you send us. Or to prevent fraud or other illegal actions.
Emails we send
We send account and service related emails when actions you have taken on the website or app require us to do so in order to make our service possible. Examples of emails we send are:
- Account activation link emails
- Booking related emails
- Account related emails
- Support related emails
We use www.mandrillappp.com to send our transactional email. They store the emails our system sends for 30 days after which they are deleted. Mandrill provides us the ability to see statistics related to the sent emails such as: open rate, delivery rate, bounce rates, and so on. We use an external application such as Mandrill to deliver our emails because email delivery is a profession on its own and not our core business.
Short text messages (SMS)
We use MessageBird (www.messagebird.com) to send you short text messages in a few cases:
- When a booking request is started but not submitted (traveler)
- When a booking request is approved by the owner and a payment is required to secure the booking (traveler)
- When a new (pre-paid) booking request is received (owner)
- When a (pre-paid) booking request isn’t accepted in 24h, a reminder (owner)
The text messages, containing your first name (at most) and phone number are stored for 6 months on the MessageBird servers. After that period they are deleted. This enables us to check the correct sending of SMS’s every once in a while. Or to check if the messages are delivered. In case they aren’t the phone number provided is often incorrect and needs correction.
Revoke data used
Any user may revoke our access for the following linked application at any time:
- For Facebook: on the application management tab of your Facebook account.
- For Google: on the Google token management page or via our calendar management page.
Deletion of your data
You can login to the website to review the information we store from you. If information is not required you can delete it yourself. Although we do not advise you (as owner) to do so as it will remove valuable information for your listing and result in less bookings, you can remove it. If you would like to remove required information you can send us a request to delete your account. All information will be deleted which is not linked to a (future or historic) booking. The information we keep is required for our invoices and financial administration. We are required to keep financial information for our administration for 7 years by law.
PROTECTION OF DATA
How do we protect your data?
We protect your data and our websites (code) in several ways. Our websites use an SSL certificate to ensure a secure connection. We also use www.CloudFlare.com to speed up and protect our websites and servers. CloudFlare analyzes our traffic and keeps bas actors out before they reach the websites. With it’s CDN of 150+ datacenters worldwide it also helps speed up the delivery of our content in places further away from our server location. We also use a Web Application Firewall (WAF) to protect us from potential harm on the IP level. We can set rules to keep certain actors out of the door. We also monitor our websites’ traffic by using CloudFlare, Google Analytics and Lucky Orange. Our code is tested and reviewed on a regulatory basis and updated or improved where needed. And finally all passwords are stored hashed and slated. The chosen security question and answer, for the owner profile, are also stored encrypted.
Each time a user connects his Facebook account, logs in via Facebook or connects a gCalendar we receive a special token. This token can be used to retrieve some limited personal data, to create your account or post to your Facebook timeline. We only post to the timeline of users who voluntary choose to apply for a Facebook discount.
As each token can only be used for a very limited amount of time (about 20 minutes usually) we request offline access. This means we get another token which can be used to get a new access token for this user. These access tokens are stored encrypted as they can be used directly to fetch user data. The offline tokens aren't encrypted as they can't be used without our application secret code, which is stored separately on our side.
Where do we store your data?
At the moment we host our websites and its databases in The Netherlands. The databases are, of course, password protected, have brute force detection mechanisms and IP locks to prevent access from non-whitelisted IP addresses. Your password is stored hashed and salted, so in case of an very unlikely breach it won’t be backwards engineerable.
Booka Rentals uses Google Analytics to analyze our websites and to measure how effective our AdWords campaigns are. This also shows use where our visitors come from and which pages they visited. The information therefore doesn’t contain any personal data and is not traceable to individual users.
We use a few cookies for different analytical purposes:
- Google Analytics and AdWords cookies to analyze how our websites are used and how effective our AdWords campaigns are.
- Lucky Orange analytical software which places cookies too.
- We also store search requests linked to a non-personified ID which is stored in a cookie to avoid duplications.
We store your personal information as long as you have an account on our website. When the account is deleted we also delete your personal information as long as it is not needed for invoices of our financial administration.
Changes to this privacy statement
Last updated on: 25 may 2018