Privacy Notice (UK GDPR & Data Protection Act 2018)

1. Overview

This Privacy Notice explains how ACCOMODOO.COM LTD (“Accomodoo”, “we”, “our”, “us”) collects, uses, shares and protects personal data when you:

  • visit our websites,
  • contact us,
  • request a demo or trial,
  • create an account, or
  • use our platform (including operational tools for vacation-rental management).

Some platform features may process personal data about guests, property owners, and operational staff. Depending on the context, Accomodoo may act as:

  • Controller for our own business activities (e.g., marketing, sales, billing, website analytics), and/or
  • Processor on behalf of our customers (e.g., property managers/hosts) when we process guest and property-related data within the platform under customer instructions.
2. Data controller and contact details

ACCOMODOO.COM LTD
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company number: 16327953

ICO registration: ACCOMODOO.COM LTD — Reference ZB978729 (ico.org.uk/register)

Contact emails:
Legal/privacy: legal@accomodoo.com
Complaints: complaints@accomodoo.com

3. Personal data we collect

Depending on how you interact with us, we may collect:

A) Website and enquiry data (Controller)
  • Identification and contact details (name, email, phone, company)
  • Enquiry content and communications
  • Marketing preferences
B) Account and customer admin data (Controller)
  • User profile data for admin, billing and support
  • Business details (company name, address, billing info)
  • Contract and subscription records
  • Support tickets, call notes and troubleshooting logs
C) Platform data (often Processor for customers)

Depending on customer configuration, the platform may process:

  • Guest data (name, contact details, booking details, stay dates, messages)
  • Operational data (tasks/checklists for cleaning, check-in, maintenance; status updates; notes; photo reports)
  • Owner portal data (owner contact details, limited portfolio visibility as configured)
  • Technical logs for security and reliability
D) Technical and usage data
  • IP address, device/browser identifiers, log files, timestamps, referring pages, and feature usage analytics (subject to cookie settings and legal requirements).

Special category data: We do not intentionally collect special category data. If users upload it into free-text fields or documents, we will minimise use and protect it appropriately.

4. Where we get data from
  • Directly from you (forms, email, calls, platform usage)
  • From our customers/your employer (where you’re a user invited to their workspace)
  • From devices/cookies and similar technologies (see section 9)
5. How we use personal data and our legal bases (Controller)

We process personal data where we have a lawful basis under Article 6 UK GDPR:

  • Operate, secure and maintain our website and services
    Legal basis: Legitimate interests
  • Respond to enquiries; schedule demos; provide customer support
    Legal basis: Contract / steps prior to entering a contract; legitimate interests
  • Create and administer accounts; billing and subscription management
    Legal basis: Contract; legal obligation (e.g., accounting records)
  • Service communications (e.g., security, uptime, product updates)
    Legal basis: Legitimate interests; contract (where applicable)
  • Marketing communications (where permitted)
    Legal basis: Consent and/or legitimate interests (as applicable)
  • Analytics and product improvement
    Legal basis: Legitimate interests and consent where required (non-essential cookies)
  • Compliance, dispute handling, and enforcement
    Legal basis: Legal obligation; legitimate interests
6. Platform processing (Processor role)

Where we act as a processor for a customer, our customer is the controller of guest/owner/platform content data. We process that data under the customer’s documented instructions and apply appropriate security measures. Customers may provide their own privacy notice to guests/owners explaining their use of the platform.

7. Sharing and disclosures

We may share personal data with:

  • Service providers / processors (hosting, email, analytics, CRM, customer support tooling, security, backups), acting under contracts and appropriate safeguards
  • Professional advisers (legal/accounting) where necessary
  • Authorities where legally required or to protect rights and safety
  • Corporate transactions (buyers/investors and advisers) with confidentiality safeguards

We do not sell personal data.

8. International transfers

Where personal data is transferred outside the UK, we use recognised safeguards such as UK adequacy regulations, the IDTA, and/or other contractual and technical measures appropriate to transfer risk.

9. Cookies and similar technologies

We use cookies and similar technologies for core functionality and (where enabled) analytics and performance. Where required, we obtain consent for non-essential cookies. You can control cookies via browser settings and any on-site cookie controls.

10. Retention

We retain personal data only as long as necessary for the purposes in this Notice, including legal, contractual, and security requirements. Typical retention periods depend on the data type (e.g., account and billing records, support logs, platform content under customer instructions). Where we act as processor, retention/deletion is typically controlled by the customer contract and customer settings.

11. Your rights (UK GDPR)

Subject to conditions and exemptions, you may have the right to:

  • access, rectification, erasure, restriction
  • object to processing based on legitimate interests
  • data portability (where applicable)
  • withdraw consent (where we rely on consent)

To exercise rights (controller context): legal@accomodoo.com
Complaints: complaints@accomodoo.com
You also have the right to complain to the ICO.

If you are a guest/third party whose data is processed by a customer using our platform, we may direct you to the relevant customer (controller) where appropriate.

12. Automated decision-making

We do not generally use automated decision-making producing legal or similarly significant effects. If this changes, we will update this Notice and provide appropriate information.

13. Changes to this Notice


Data Protection & Information Security Policy

1. About this Policy

This Policy is a public, high-level summary of the organisational and technical measures used by ACCOMODOO.COM LTD (“Accomodoo”, “we”, “our”, “us”) to protect personal data and confidential information. It supports compliance with the UK GDPR and the Data Protection Act 2018, and is designed to reduce risks of unauthorised access, loss, misuse, alteration or disclosure.

Status: This document is published for transparency. It does not form part of any contract, except to the extent required by applicable law.

2. Who we are

ACCOMODOO.COM LTD
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company number: 16327953

ICO registration: ACCOMODOO.COM LTD — Reference ZB978729 (see ico.org.uk/register)

Contacts:
Legal: legal@accomodoo.com
Complaints: complaints@accomodoo.com

3. Scope

This Policy applies to all Accomodoo directors, officers, employees, agency staff and contractors (“Personnel”), and to all information processed by or on behalf of Accomodoo, including:

  • personal data processed for operating our websites and customer relationships;
  • personal data processed within our platform (including booking and operations features);
  • system credentials, access tokens, and other confidential business information.

Personnel must comply with this Policy as a condition of access to Accomodoo systems.

4. Data protection principles

We process personal data in accordance with the UK GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity/confidentiality; and accountability.

5. Governance and accountability

We maintain a governance framework which includes:

  • management accountability for privacy and security;
  • a designated privacy/security owner for oversight, training and incident coordination;
  • risk-based reviews of higher-risk processing;
  • supplier/sub-processor due diligence and contractual controls appropriate to risk.
6. Key security controls (summary)
6.1 Access control
  • Role-based access controls and least-privilege permissions
  • Multi-factor authentication for administrative and cloud accounts
  • Joiner/mover/leaver procedures; prompt revocation on role change/termination
  • Strong password and credential management standards
6.2 Encryption and secure communications
  • Encryption in transit (TLS 1.2+) where supported
  • Encryption at rest for supported storage and managed systems
  • Secure secret storage for keys/tokens where applicable
6.3 Monitoring, vulnerability management and testing
  • Security logging/monitoring proportionate to system risk
  • Regular patching and remediation based on severity
  • Periodic vulnerability scans and security reviews for internet-facing services
6.4 Resilience and backups
  • Backups for critical systems and configuration
  • Disaster recovery / business continuity measures proportionate to service criticality
  • Periodic restore tests where appropriate
6.5 Training and confidentiality
  • Confidentiality obligations for Personnel and need-to-know handling
  • Periodic privacy and security awareness training
7. Data lifecycle controls
  • Collection/use only for defined purposes and minimum necessary data
  • Retention aligned to legal, operational and contractual requirements
  • Secure deletion or anonymisation when no longer required
8. International transfers

Where personal data is transferred outside the UK, we use recognised safeguards such as UK adequacy regulations, the International Data Transfer Agreement (IDTA) and/or other contractual/technical measures appropriate to risk.

9. Incident and breach management

We maintain procedures to identify, contain, investigate and remediate incidents. Suspected incidents must be reported immediately internally. Where required, we notify the ICO without undue delay and, where feasible, within 72 hours of awareness, and notify affected individuals where legally required.

10. Supplier and contractor requirements

Where suppliers/contractors access Accomodoo data, we require appropriate controls including confidentiality, access restrictions, incident notification, and secure return/deletion on termination.

11. Review and changes

Reviewed at least annually and when processing, systems, or risk profile materially change. The latest version will be published on our website.e this Notice from time to time. The latest version will be published on our website.