Privacy policy
Version: 2026-05-19
Privacy Policy
Version: May 19, 2026
1. CONTROLLER AND DATA PROTECTION CONTACT
Controller within the meaning of the GDPR is:
4S Aachen GmbH Horngasse 19 52064 Aachen Germany Email: info@4s-aachen.de
Data protection contact: Florian Köhler Email: datenschutz@4s-aachen.de
2. PRINCIPLES OF DATA PROCESSING
We collect and process personal data in accordance with the principles of data minimisation and transparency. We only collect data that is necessary for providing and handling our services.
We do not use tracking cookies, analytics tools or advertising tracking. Protecting our users' privacy is a top priority.
3. PURPOSES AND LEGAL BASES OF PROCESSING
3.1 Registration (optional for guests, mandatory for hosts) Data processed: Name, email address, date of birth (voluntary) Legal basis: Art. 6(1)(b) GDPR (performance of a contract) Purpose: Creating and managing the user account Note: Date of birth may be provided voluntarily and serves unique identification, in particular in connection with the enforcement of contractual claims.
3.2 Booking processing Data processed: Name, email address, booking details (accommodation, dates, price) Legal basis: Art. 6(1)(b) GDPR (performance of a contract) Purpose: Mediation and processing of accommodation bookings Note: Guests without an account must also provide these details for a booking
3.3 Payment processing Data processed: Payment information (card data, bank details), transaction data Legal basis: Art. 6(1)(b) GDPR (performance of a contract) Purpose: Payment processing via our payment service provider Mollie Recipient: Mollie B.V., Netherlands (EU) Note: Payment data is processed directly by Mollie and is not stored on our servers
3.4 Communication Data processed: Email address, message contents, booking reference Legal basis: Art. 6(1)(b) GDPR (performance of a contract) Purpose: Booking confirmations, communication between guest and host, platform notifications
3.5 Review system Data processed: Email address (also for non-registered guests), review text, review timestamp Legal basis: Art. 6(1)(f) GDPR (legitimate interest in quality assurance) Purpose: Authentication of reviews, trust-building on the platform Email retention: 60 days after check-out for sending the review link, then automatic deletion Review retention: Stored permanently until deletion of the reviewed account or a justified deletion request
3.6 Blocking and fraud prevention Data processed: Email address, payment data, documentation of violations Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the platform and other users) Purpose: Prevention of misuse, fraud and repeated violations of platform rules Retention: Stored until the block is lifted or rehabilitation is proven
3.7 Contract performance and legal claims Data processed: All contract-related data Legal basis: Art. 6(1)(b) and (c) GDPR (contract performance and statutory retention obligations) Purpose: Compliance with tax and commercial retention obligations; establishment, exercise or defence of legal claims Retention: 10 years under Sec. 147 AO (German tax retention obligation)
3.8 Registration duty for accommodation (BMG) – only for properties in Germany Data processed: Nationality and – for guests without German nationality – date of birth and ID/passport number; also arrival and departure dates. Legal basis: Art. 6(1)(c) GDPR in conjunction with Secs. 29, 30 BMG. Purpose: Compliance with statutory registration obligations for accommodation in Germany. Note: If the registration duty applies, these details are mandatory.
3.9 Security mechanisms for login and magic links Data processed: IP address, timestamp, and number of login and magic-link requests Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the platform against misuse and automated requests) Purpose: Prevention of misuse, brute-force attacks and automated requests
3.10 Support chat Data processed: Name (optional), email address (optional), message contents, IP address Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing customer support) Purpose: Responding to support enquiries via the live chat on our platform Note: If an email address is provided, notifications about new replies may be sent by email. Providing an email address is voluntary.
3.11 Enforcement of damage claims Data processed: Name, address, contact details, booking details, damage documentation Legal basis: Art. 6(1)(f) GDPR (legitimate interest in enforcing legal claims) Purpose: Assertion of the host's damage claims against the guest on behalf of the host
4. RECIPIENTS AND CATEGORIES OF RECIPIENTS
Your data may be shared with or made accessible to the following recipients:
4.1 Payment service provider Mollie B.V., Netherlands (EU) Purpose: Payment processing Legal basis: Art. 6(1)(b) GDPR More information: https://www.mollie.com/legal/privacy
4.2 Hosting provider netcup GmbH, Germany Purpose: Operation of the technical infrastructure Legal basis: Art. 28 GDPR (processing by a processor)
4.3 Contractual partners (host and guest) As part of the booking process, necessary data is shared between guest and host (name, email, booking details). The host is an independent controller under the GDPR for processing personal data arising from the accommodation contract.
4.4 Registration data for hosts (BMG) Where legally required (properties in Germany), registration data may be provided to the host via a self‑service function. The host is an independent controller for processing this registration data.
4.5 Legal authority requests (BMG) Registration data may be transmitted to competent authorities to the extent required by the BMG.
4.6 Debt collection agencies and lawyers In connection with the enforcement of justified damage claims, personal data may be shared with appointed debt collection agencies or lawyers. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in enforcing legal claims)
4.7 Webhook recipients configured by the host Hosts can configure a webhook endpoint via the API to which booking events (booking ID, status, period, guest name) are automatically transmitted. The host is responsible for the choice and security of the recipient endpoint.
4.8 Mediation partners (partner accommodations) Some of the accommodations offered on the platform are provided through mediation partners (channel managers such as Destination Solutions). Such accommodations are marked as "partner accommodation" in the listing. For bookings of partner accommodations, the personal data required for booking processing (name, address, email, phone number, booking period, optional travel companions and guest remarks) is transmitted to the respective mediation partner as well as to the data holder (host or its sourcing partner). These recipients are independent controllers within the meaning of the GDPR and process the data in accordance with their own privacy policies. Purpose: mediation, contract performance, payment processing, confirmation and booking-related communication. Legal basis: Art. 6(1)(b) GDPR (contract initiation and performance). For these bookings, the platform operator acts solely as a mediator and has no influence on data processing by the mediation partner or by the data holder after the booking has been completed. The privacy policy of the mediation partner is available as a document link on the detail page of the respective accommodation.
4.9 Translation service (DeepL) DeepL SE, Cologne, Germany Purpose: Machine translation of user-generated content (e.g. accommodation descriptions, communication content) into other languages in order to provide the platform in multiple languages. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a multilingual platform); processing on our behalf pursuant to Art. 28 GDPR. Note: No sensitive identity or booking data (name, email, address, payment data) is transmitted to DeepL. More information: https://www.deepl.com/en/privacy
4.10 Map service (HERE Maps) HERE Europe B.V., Eindhoven, Netherlands (EU) Purpose: Display of maps, location markers for accommodations, address search (geocoding) and provision of weather data shown in the surroundings guide. Legal basis: Art. 6(1)(b) GDPR (contract performance, display of the accommodation's location); Art. 6(1)(f) GDPR (legitimate interest in a map-based presentation of the platform). Note: When a map is loaded, technical connection data (e.g. IP address, browser information) may be transmitted to HERE. No identity or booking data is shared. More information: https://legal.here.com/privacy/policy
4.11 Routing and geo service (openrouteservice / HeiGIT) HeiGIT gGmbH, Heidelberg, Germany Purpose: Calculation of routes, reachability analyses (isochrones) and distances between accommodations and points of interest within the surroundings guide. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing meaningful information about an accommodation's surroundings). Note: Only the coordinates of accommodations or points of interest are transmitted to openrouteservice; no personal identity or booking data is shared. More information: https://heigit.org/privacy-policy/
No sharing with: - Marketing partners - Analytics services - Advertising networks - Social media platforms - Credit agencies
5. RETENTION PERIODS
Account data Until a deletion request is received, then deleted after processing existing bookings and observing statutory retention periods.
Booking data For the duration of contract processing and then 10 years pursuant to tax retention obligations (Sec. 147 AO).
Registration data (BMG) Nationality, date of birth and ID number are stored in the user profile and can be deleted by the user at any time. Upon account deletion, this profile data is anonymised. Where the registration duty applies, date of birth and ID number are additionally stored in the booking record and made available to the host as an independent controller for compliance with the registration duty (see Section 4.4). This booking-related data is subject to the statutory tax retention period (Sec. 147 AO).
Communication data For the duration of contract processing and then 3 years for potential legal claims.
Review emails 60 days after check-out for sending the review link, then automatic deletion. Published reviews remain stored permanently.
Blocking data Stored until the block is lifted.
Security data (rate limiting) Retention: Request counters are stored for 60 seconds; if limits are exceeded, a lock entry is stored for 180 seconds. After that, automatic deletion occurs through cache expiry.
Support chat data Enquiries without a user account: 90 days after the last message, then automatic deletion. Enquiries with a user account: For the duration of the user account; deleted upon account deletion.
Payment data Processed exclusively by Mollie and not stored on our servers.
Audit logs To comply with commercial and tax retention and evidence obligations and to ensure traceability of money-flow-related and data-protection-relevant events, we log certain system events (e.g. booking and payment status changes, commission settlements, account blocks, deletion and anonymisation operations). In addition to timestamp and event type, the logs typically contain a user or booking reference and – where necessary for traceability – the acting user's IP address. Legal basis: Art. 6(1)(c) GDPR in conjunction with Sec. 257 HGB (German Commercial Code) and Sec. 147 AO (German Fiscal Code); additionally Art. 6(1)(f) GDPR (legitimate interest in compliance, fraud prevention and platform security). Retention: 10 years pursuant to Sec. 257 HGB and Sec. 147 AO.
6. DATA SUBJECT RIGHTS
You have the following rights regarding your personal data:
6.1 Right of access (Art. 15 GDPR) You have the right to obtain information about the personal data we process.
6.2 Right to rectification (Art. 16 GDPR) You have the right to request the correction of inaccurate or completion of incomplete data.
6.3 Right to erasure (Art. 17 GDPR) You have the right to have your data deleted, unless statutory retention obligations or legitimate interests (e.g. ongoing contract processing, blocks) prevail.
6.4 Right to restriction of processing (Art. 18 GDPR) You have the right to request restriction of processing of your data.
6.5 Right to object (Art. 21 GDPR) You have the right to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR.
6.6 Right to data portability (Art. 20 GDPR) You have the right to receive your personal data in a structured, commonly used, machine‑readable format (self‑service export via your account).
6.7 Withdrawal of consent Where processing is based on consent, you may withdraw consent at any time with effect for the future.
Exercise of rights To exercise your rights, please contact: datenschutz@4s-aachen.de
7. DATA SECURITY
We implement technical and organisational measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access.
These include: - Encrypted data transmission (SSL/TLS) - Regular security updates - Access restrictions to databases - Hosting in German data centres (netcup)
Our security measures are continuously improved in line with technological developments.
8. NO TRACKING COOKIES AND ANALYTICS
We do not use tracking cookies, analytics tools (such as Google Analytics) or advertising tracking. Protecting our users' privacy is a top priority.
We use only technically necessary cookies (e.g. session cookies for login). There is no tracking, advertising or marketing analysis.
9. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
You have the right to lodge a complaint with a data protection supervisory authority.
Competent supervisory authority: State Commissioner for Data Protection and Freedom of Information North Rhine‑Westphalia Kavalleriestraße 2‑4 40213 Düsseldorf Germany Phone: +49 211 38424‑0 Email: poststelle@ldi.nrw.de Website: https://www.ldi.nrw.de
10. CHANGES TO THIS PRIVACY POLICY
We reserve the right to update this privacy policy as necessary to reflect changes in legal requirements or our services and data processing.
The current version is always available on this page. We will inform you by email about material changes.