1. Who are we?

This privacy policy (hereinafter the "Policy") describes how the company:

  • HOXBOOK SAS,

  • a simplified joint-stock company,

  • registered with the Paris Trade and Companies Register under number [to be completed],

  • with its registered office located at [address to be completed],

(hereinafter "Hoxbook", "we") processes personal data in the context of:

  • the public website https://www.hoxbook.com (hereinafter the "Site");

  • and the SaaS software platform accessible in particular via https://www.app.hoxbook.com (hereinafter the "Platform").

If you have any questions about the protection of personal data, you can contact us at:

  • Email: admin@hoxbook.com

  • Postal address: HOXBOOK SAS, [address to be completed]

2. Hoxbook's role: controller / processor
2.1 When Hoxbook acts as controller

Hoxbook acts as controller within the meaning of Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") and the French Data Protection Act:

  • for processing carried out through the Site (management of contact forms, information requests, B2B prospecting, management of professional client accounts, technical logs related to Site browsing);

  • for certain processing activities carried out through the Platform when they are necessary for managing the relationship with its professional Clients (contract management, invoicing, support, usage monitoring for security and proper operation purposes).

2.2 When Hoxbook acts as processor

For personal data processing carried out through the Platform on behalf of Clients (for example, booking management, customer relationship management for the establishment, transactional SMS/email communications), the Client acts as controller and Hoxbook acts as processor within the meaning of the GDPR.

In this context:

  • the Client alone determines the purposes and essential means of the processing (which data are collected, which messages are sent, which campaigns are configured, etc.);

  • Hoxbook processes personal data only on the Client's documented instructions, solely for the purpose of providing the Services;

  • Hoxbook's detailed obligations as processor are set out in the "GDPR Processing Agreement" Appendix attached to the Terms and Conditions and forming an integral part of the contract entered into with the Client.

3. What data do we collect and for what purposes?

The categories of data collected depend on your relationship with Hoxbook (Site visitor, Platform user, customer of our Clients, etc.).

3.1 Data processed in the capacity of controller
3.1.1 Site visitors and B2B prospects

When you browse the Site or contact us (form, email), Hoxbook may process in particular:

  • identification and contact data: title, last name, first name, professional email address, phone number, job title, company;

  • request-related data: subject of the message, content of the request, date and time of contact;

  • technical browsing data: technical logs, IP addresses, connection metadata, device and browser data, for Site security and proper operation purposes.

Main purposes:

  • management and follow-up of contact and information requests;

  • business relationship management and B2B prospecting, in compliance with the applicable rules on electronic marketing;

  • Site security, prevention of abuse and intrusion attempts, production of aggregated technical traffic statistics.

Legal bases:

  • performance of pre-contractual measures at the request of the data subject (response to an information request);

  • Hoxbook's legitimate interest in developing its B2B business, subject to the rights of the data subjects;

  • compliance with legal obligations (security, management of any disputes).

3.1.2 Professional Clients and Platform Users (Hoxbook side)

In connection with managing its relationship with professional Clients and using the Platform, Hoxbook may process, as controller, in particular:

  • identification and contact data of the Client's representatives and Users: title, last name, first name, professional email address, position, account identification data;

  • contractual and billing data: billing details, information required to manage the contract, due dates, history of contractual exchanges;

  • technical data on Platform usage for security and support purposes: login logs, activity logs, security metadata.

Main purposes:

  • management of the contractual relationship with Clients (subscription, performance, follow-up and termination of the contract);

  • management of User Accounts, rights and authorisations;

  • invoicing, accounting, payment management and debt collection;

  • support, assistance and maintenance of the Platform;

  • security, prevention of fraud and abuse, improvement of the quality and operation of the Services.

Legal bases:

  • performance of the contract entered into with the Client;

  • compliance with legal obligations (in particular in relation to invoicing and accounting);

  • Hoxbook's legitimate interest in ensuring the security and proper operation of the Platform and improving its Services, subject to the rights of the data subjects.

3.2 Data processed as processor on behalf of Clients

When Clients (hotels, residences, accommodation establishments) use the Platform, Hoxbook processes the following personal data on their behalf, as defined in the Terms and Conditions and their GDPR appendix:

  • Data of the establishments' customers:

    • identification and contact data (title, last name, first name, contact details, etc.);

    • data relating to bookings and stays (dates, room type, services, preferences, history);

    • data relating to the customer relationship (communications, special requests, etc.).

  • Client's internal data:

    • data relating to the Client's employees, staff, contractors and suppliers;

    • data relating to the Client's Users (accounts, authorisations, activity logs, login logs).

  • Technical and security data:

    • logs, technical logs, connection metadata, activity traces and security data necessary for the operation and securing of the Platform.

  • Content of transactional communications:

    • content of transactional messages (emails and SMS) sent via the Platform on behalf of the Client (booking confirmations, stay information, etc.).

No bank card data is stored by Hoxbook in connection with the Services described in the Terms and Conditions.

The purposes of these processing activities (booking management, customer communications, internal operational management of the establishment, etc.) are determined by each Client, in its capacity as controller, and detailed in the documentation it provides to its own customers, employees and partners.

In this context, Hoxbook does not use the data processed on behalf of the Client for any purpose other than the performance of the Services, except where required by law or with the Client's specific agreement.

4. Sub-processors, hosting and data transfers
4.1 Main hosting of the Platform

The main application data processed via the Hoxbook Platform, including in particular the data hosted in the application and the main database, are hosted by Supabase on infrastructure located in mainland France, in accordance with the main configuration chosen by Hoxbook.

For the main hosting of the application and database, Hoxbook does not organise any voluntary transfer of such data outside France or outside the European Economic Area.

4.2 Technical sub-processors and communication service providers

Hoxbook may use sub-processors for limited purposes, in particular:

  • Supabase: main hosting and database;

  • Cloudflare: DNS, network security and, where applicable, content delivery services;

  • SendGrid: sending transactional emails;

  • Twilio: sending transactional SMS messages.

Processing related to transactional emails and SMS is carried out via providers located in Ireland, within the European Union, in accordance with the configuration chosen by Hoxbook.

The data transmitted to these providers is strictly limited to what is necessary:

  • for hosting and operating the Platform;

  • for the sending, deliverability, security and tracking of communications (email address and/or phone number, elements necessary for personalisation, message content, technical metadata).

Unless there is a duly justified legal, evidentiary or security requirement, data relating to transactional communications are retained for the duration strictly necessary for processing, and then deleted within a maximum of thirty (30) days.

4.3 Informing Clients about sub-processors

The sub-processors that Hoxbook may use in connection with processing carried out on behalf of Clients (as processor within the meaning of the GDPR) are listed and governed in the "GDPR Processing Agreement" Appendix attached to the Terms and Conditions. Hoxbook informs Clients of any planned addition or replacement of a sub-processor under the conditions set out in the contract.

5. Retention periods

Hoxbook retains personal data for no longer than is necessary for the purposes for which it is processed, and in any event in compliance with the retention periods set out in the Terms and Conditions, the GDPR appendix and applicable regulations.

By way of indication:

  • transactional communication data sent via SendGrid and Twilio are retained for the period strictly necessary for delivery, deliverability and security, and then deleted within a maximum of thirty (30) days, unless there is a duly justified legal or evidentiary requirement;

  • logs, technical logs and security data are retained for a period reasonably necessary for the security of the Platform, incident detection and the establishment of evidence in the event of a dispute;

  • contract management and invoicing data are retained for the duration of the contractual relationship, and then archived for the applicable statutory limitation period.

For processing carried out as processor, the retention periods are determined by the Client, as controller; Hoxbook returns and/or deletes the data at the end of the contract, under the conditions set out in the Terms and Conditions and the GDPR appendix.

6. Data security

Hoxbook implements appropriate technical and organisational measures taking into account the state of the art, implementation costs, the nature, scope, context and purposes of the processing, as well as the risks to the data subjects.

These measures include in particular, depending on the relevant environments:

  • encryption of data in transit;

  • cryptographic protection of backups and, where relevant, data at rest;

  • management of authorisations and access controls;

  • authentication of users and administrators;

  • logging of relevant access and actions;

  • regular backups;

  • security checks or audits at reasonable intervals;

  • continuity, recovery and resilience measures.

Hoxbook implements reasonable security measures but cannot guarantee the absolute absence of incidents, intrusion, corruption, loss, alteration or unavailability of data, especially where the origin of the incident is outside its control.

7. Your rights (GDPR) and how to exercise them

In accordance with applicable regulations, you have, under the conditions they provide, the following rights regarding your personal data:

  • right of access;

  • right to rectification;

  • right to erasure (right to be forgotten);

  • right to restriction of processing;

  • right to object, particularly in relation to marketing;

  • right to data portability where applicable;

  • right to set out instructions regarding what happens to your data after your death.

7.1 When Hoxbook is the controller

For processing for which Hoxbook is the controller (Site, management of the relationship with Clients, use of the Platform by Client Users on the Hoxbook side), you can exercise your rights by contacting us at:

  • Email: [GDPR contact address to be completed]

  • Postal address: HOXBOOK SAS, [address to be completed]

Where appropriate, we may ask you to provide suitable proof of identity.

7.2 When Hoxbook acts on behalf of a Client

For processing carried out by Hoxbook on behalf of a Client (data of the establishment's customers, Client's internal data, etc.), it is the responsibility of that Client, in its capacity as controller, to handle your requests to exercise your rights.

In this case, we invite the individuals concerned to contact the relevant establishment (hotel, residence, etc.) directly. If Hoxbook receives a request relating to such data, it will forward it to the Client acting as controller without responding directly, unless instructed otherwise by that Client or required by law.

7.3 Complaint to the supervisory authority

You also have the right to lodge a complaint with the competent supervisory authority, in particular in France with the CNIL (www.cnil.fr).

8. Cookies and trackers

The Site and the Platform may use cookies or similar technologies, in particular to:

  • enable the proper technical functioning of the online Services (authentication, session maintenance, security);

  • improve browsing comfort;

  • produce aggregated audience measurements.

Cookies strictly necessary for the operation of the Services are placed without prior consent, within the limits permitted by the regulations. Other cookies, when used, are implemented in accordance with the applicable rules and, where appropriate, subject to your consent via a dedicated banner or settings module.

Additional information may be provided in a cookie banner or a specific cookie policy accessible from the Site.

9. Updating this Policy

This Policy may be updated, in particular to take into account:

  • possible legislative or regulatory changes;

  • changes relating to the processing carried out by Hoxbook;

  • the addition or replacement of sub-processors under the conditions agreed with Clients.