Legal - Cabintale

COOKIES POLICY

Last Updated: January 2026

1.1 Introduction

Cabintale.com ("we," "us," "our," or "Company") operates two distinct digital properties:

Marketing Website (cabintale.com) – Public-facing website for marketing and information purposes
Admin Dashboard (admin.cabintale.com) – Secure application for registered users to manage their accounts and data

This Cookies Policy explains how we use cookies and similar tracking technologies on both properties, how we collect data through these technologies, and how you can manage your preferences. We are committed to transparency and compliance with the General Data Protection Regulation (GDPR), the Czech Republic's Personal Data Processing Act (Act No. 110/2019), and the Electronic Communications Act (ECA).

1.2 What Are Cookies?

Cookies are small text files that are stored on your device (computer, tablet, or mobile phone) when you visit our website or application. They serve to:

Maintain your login session
Remember your preferences
Enhance your user experience
Monitor website performance (on marketing website only)

Cookies can be either session cookies (deleted when you close your browser) or persistent cookies (stored for a set period).

1.3 Cookies on Our Marketing Website (cabintale.com)

1.3.1 Types of Cookies Used

On our marketing website, we use the following categories of cookies:

A) Strictly Necessary Cookies

Type: Session cookies
Purpose: Essential for the basic functioning of the website, including security features and load balancing
Legal Basis: Legitimate interest / Necessary for service provision (Art. 6(1)(f) GDPR)
Consent Required: No
Examples: HTTPS enforcement, security tokens, anti-fraud measures
Retention: Deleted when you close your browser

B) Functional Cookies

Type: Session and persistent cookies (up to 12 months)
Purpose: To remember your language preferences, theme settings, and navigation preferences to improve your browsing experience
Legal Basis: Consent (Art. 6(1)(a) GDPR)
Consent Required: Yes (explicit)
Retention: Up to 12 months

C) Performance and Analytics Cookies

Type: Persistent cookies
Purpose: To understand how visitors use our website, including which pages are visited most often, how users navigate, and to identify errors. This helps us improve site performance and user experience
Legal Basis: Consent (Art. 6(1)(a) GDPR)
Consent Required: Yes (explicit)
Tools Used: [Specify your analytics provider, e.g., Plausible Analytics, Fathom Analytics, or similar privacy-respecting tools]
Third-Party Data Sharing: None without consent
Retention: Up to 12 months

1.3.2 Cookie Consent Management

Consent Banner: When you first visit our marketing website, you will see a cookie consent banner that clearly explains our cookie usage. The banner provides:

Clear, plain language explanations of each cookie category
Granular options to accept or reject each category independently
An "Accept All" button (for user convenience)
A "Reject All" or "Customize" button (for user control)
Equal visual weight between acceptance and rejection options (no dark patterns)

Withdrawal of Consent: You can withdraw your cookie consent at any time by:

Clicking the cookie preferences link in the footer of our website
Clearing your browser cookies and revisiting the site
Using your browser's privacy settings to disable cookies

Browser Settings: Most browsers allow you to refuse cookies or alert you when cookies are being sent. For detailed instructions on how to manage cookies in your browser, please visit [browser manufacturer's help page].

1.4 Cookies on Our Admin Dashboard (admin.cabintale.com)

1.4.1 Types of Cookies Used

Our admin dashboard uses only the following strictly necessary cookies:

Authentication & Session Cookies

Type: Session cookies (deleted when you close your browser or log out)
Purpose:
- To maintain your login session during your active use of the dashboard
- To authenticate your identity and verify your authorization to access the dashboard
- To protect against unauthorized access through security measures
Legal Basis: Performance of contract (Art. 6(1)(b) GDPR) / Legitimate interest in platform security (Art. 6(1)(f) GDPR)
Consent Required: No – these cookies are necessary for the service to function
Technical Details:
- Contains only a session token/reference ID, not personally identifiable information
- All sensitive information is stored securely on our servers, not in the cookie itself
- Automatically expires when you close your browser or after a period of inactivity
- Uses HTTPS encryption to prevent interception

"Remember Login" Persistent Cookie (Optional)

Type: Persistent cookie (up to 30 days)
Purpose: To optionally remember your login credentials between sessions if you explicitly choose the "Remember Me" option during login
Legal Basis: Consent (Art. 6(1)(a) GDPR) – only set if user activates "Remember Me" checkbox
Consent Required: Yes – user must explicitly opt-in via "Remember Me" checkbox
Technical Details:
- Only set when user explicitly checks "Remember Me" during login
- Contains only an encrypted token, not your actual password
- Can be revoked at any time by logging out or clearing browser cookies
- Expires after 30 days of inactivity

1.4.2 No Tracking or Analytics on Admin Dashboard

We do not use any of the following on the admin dashboard:

Analytics cookies
Marketing cookies
Tracking pixels
Session recording tools
Third-party scripts for tracking or profiling
Behavioral analytics

This ensures your dashboard activity remains completely private.

1.4.3 Session Management

Your session on the admin dashboard is managed through secure backend sessions stored on our servers, not through cookies alone. When you log in:

You receive a secure session cookie (token)
Your session data is stored securely on our backend infrastructure
Sessions expire after a period of inactivity (typically 24-48 hours)
You can manually log out at any time to end your session immediately

1.5 Data Retention for Cookies

Session cookies: Automatically deleted when you close your browser or log out
Persistent cookies: Automatically deleted after the stated retention period (up to 12 months for marketing site)
Remember Me cookie: Expires after 30 days

We do not extend cookie retention periods beyond what is necessary for their stated purpose.

1.6 Third-Party Cookies

We do not knowingly allow third-party providers to set cookies on our dashboard without your explicit knowledge and consent. Any third-party integrations (such as analytics providers on the marketing website) will be clearly disclosed in this policy.

1.7 Your Rights

Under GDPR and Czech data protection law, you have the right to:

Access: Request what cookies have been set on your device
Delete: Clear cookies from your device at any time
Object: Decline non-essential cookies
Withdraw Consent: Revoke consent for cookies at any time without penalty
Control: Manage your cookie preferences through our consent management tools

1.8 Contact Us

If you have questions about our cookies policy or wish to exercise your rights, please contact:

Cabintale Support
Email: support@cabintale.com
Location: Brno, Czech Republic

PRIVACY POLICY

Last Updated: January 2026

Effective Date: January 2026

2.1 Introduction

Cabintale.com ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service. We comply with the General Data Protection Regulation (GDPR), Czech Republic's Personal Data Processing Act (Act No. 110/2019), and all applicable data protection laws.

Important Distinction: As a SaaS (Software as a Service) provider, our relationship with your role in data processing differs depending on which personal data we're discussing:

Your Account Data: We act as a Data Controller
Your Customers' Data: We act as a Data Processor on your behalf

This policy addresses both relationships.

2.2 Scope and Applicability

This Privacy Policy applies to:

Our marketing website (cabintale.com)
Our admin dashboard (admin.cabintale.com)
Any related services we provide under the Cabintale brand
All individuals whose personal data we process

This policy applies to all users globally, with special protections for European Economic Area (EEA) residents under GDPR.

2.3 Who We Are

Company Name: Cabintale
Business Type: SaaS Provider - Availability Calendar & Booking Management System
Location: Brno, Czech Republic
Data Controller Contact:
Email: support@cabintale.com

Role Description: Cabintale provides a platform that enables property managers and rental businesses to manage guest availability, bookings, and reservations. Our platform processes data on behalf of our users (property managers) to deliver these services.

2.4 What Personal Data We Collect

2.4.1 Data About You (Account Owner)

When you create and maintain a Cabintale account, we collect:

Essential Information:

Full Name – to identify your account
Email Address – for account access, password recovery, and service communications
Account Credentials – username and securely hashed password (we never store passwords in plain text)
Account Creation Date – for record-keeping purposes

Optional Information:

Profile picture or avatar
Company/business name (if applicable)
Time zone and language preferences
Support communication preferences

How Collected:

Registration form
Account settings
Email communications

Legal Basis: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest in account security (Art. 6(1)(f) GDPR)

2.4.2 Data About Your Customers (End-Users)

When you use Cabintale to manage guest bookings, your customers' information is processed. We collect:

Guest/Customer Data (that you provide through the platform):

Email Address – for booking confirmations and guest communications
Full Name – for reservation records and identification
Phone Number – for contact purposes (if you choose to collect this)
Booking Details – dates, property information, reservation status
Special Requests or Notes – captured during booking process

Important: You (the account owner) determine what guest data you collect. We process this data only according to your instructions and for the specific purpose of facilitating your bookings and guest communications.

How Collected:

Guest booking forms (created and hosted by you)
Manual entry by you or your staff
Integration with your booking channels

Legal Basis: Performance of contract with you (Art. 6(1)(b) GDPR) – we process guest data on your instructions to deliver the service you've contracted for

Data Processing Agreement: For all customer data processing, we maintain a Data Processing Agreement (DPA) with you under GDPR Article 28, outlining our obligations as a processor.

2.4.3 Payment Information

What We Store:

Payment method type (e.g., "Credit Card," "Bank Transfer")
Transaction references and invoice numbers
Billing date and subscription renewal dates
Invoice amounts and payment status

What We DO NOT Store:

Credit card numbers
Card verification codes (CVV)
Bank account details (IBANs)
PayPal or other payment service credentials

How Payment Data Is Handled:
All payment processing is handled by our third-party payment providers (e.g., Stripe, PayPal). We never directly receive or store your sensitive payment information. Our payment providers are GDPR-compliant and PCI DSS certified.

Legal Basis: Performance of contract (Art. 6(1)(b) GDPR) and legal obligation to maintain financial records (Art. 6(1)(c) GDPR)

2.4.4 Technical Data (Automatically Collected)

On Marketing Website (cabintale.com):

IP address
Browser type and version
Operating system
Pages visited and time spent on each page
Referral source
Geographic location (at country/region level)
Device type (mobile, tablet, desktop)

On Admin Dashboard (admin.cabintale.com):

IP address (for security purposes only)
Browser type and version
Geographic location (for security fraud detection)
Login timestamps
Device information (for security verification)

Collection Method: Automatically via server logs and analytics tools

Legal Basis: Legitimate interest in website optimization, fraud prevention, and security (Art. 6(1)(f) GDPR)

Note: We do not use session recording, heatmaps, or behavioral tracking on the admin dashboard. No recording of user interactions occurs.

2.4.5 Communication Data

Emails you send to our support team
Support tickets and chat communications
Feedback and feature requests
Customer service interactions

Legal Basis: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest in customer support (Art. 6(1)(f) GDPR)

2.5 How We Use Your Personal Data

2.5.1 For Your Account and Service Delivery

We use your personal data to:

Create and maintain your account – enabling you to access Cabintale's features
Authenticate your identity – securely logging you in to our platform
Deliver the service – maintaining your calendar, processing bookings, storing your settings
Billing and invoicing – charging your subscription, issuing receipts, managing payment records
Account recovery – helping you regain access if you forget your password
Legal compliance – meeting tax obligations, preventing fraud, enforcing our terms

2.5.2 For Your Customers' Data

We process your customers' data exclusively for:

Facilitating bookings – storing reservation details, managing availability
Guest communication support – enabling you to send booking confirmations and guest information
Operational functionality – retrieving guest data to display in your calendar and dashboard
Support purposes – assisting you with customer inquiries (if you share guest data with us for support)

We DO NOT:

Use guest data for marketing purposes
Share guest data with third parties
Create profiles or behavioral tracking of guests
Use guest data beyond the purpose of facilitating your bookings
Access or process guest data except at your instruction

2.5.3 For Improving Our Service

With your explicit consent on the marketing website, we may use aggregated, anonymized data to:

Improve website performance
Identify and fix technical issues
Understand user behavior to enhance features
Develop new features and services

This analysis is performed on aggregated data only and cannot identify you or your guests.

2.5.4 For Security and Fraud Prevention

We use personal data to:

Detect and prevent fraud or abuse
Protect against unauthorized access (e.g., through IP monitoring)
Enforce our Terms of Service
Comply with legal obligations

Legal Basis: Legitimate interest in platform security (Art. 6(1)(f) GDPR)

2.5.5 Communication with You

We will use your email address to:

Send service notifications (e.g., password resets, booking alerts, billing notifications)
Respond to your support requests
Notify you of changes to this Privacy Policy or our Terms of Service
Send important account security alerts

Marketing Communications: We will only send marketing emails if you have explicitly opted in. We do not send unsolicited marketing emails. You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in any email.

2.6 Your Role as a Data Controller

When you collect and store customer/guest data in Cabintale, you are the Data Controller for that information. This means you are responsible for:

Obtaining consent: Ensuring guests consent to data collection and your use of their information
Privacy disclosures: Informing guests how their data will be used
Lawful basis: Establishing a legal basis for collecting and processing guest data
Data security: Protecting guest data from unauthorized access
Retention periods: Determining how long you retain guest data
Guest rights: Enabling guests to access, correct, or delete their information

Our role: We act as your Data Processor. We follow your instructions and only process guest data as needed to deliver our service. We do not control how guest data is used; that decision is yours.

Recommendation: We strongly recommend reviewing your own privacy policy with guests to explain what data you collect and how you use it. Consider informing guests that their data is stored on Cabintale's platform.

2.7 Data Sharing and Third Parties

2.7.1 When We Share Data

We share your personal data only in the following circumstances:

1. With Your Explicit Consent

When you authorize us to integrate with a third-party service (e.g., payment processor, email service)

2. As Required by Law

To comply with legal obligations, court orders, or government requests
To enforce our Terms of Service
To protect the rights, safety, or property of Cabintale, our users, or the public

3. With Essential Service Providers (Data Processors)

Web hosting providers – to store and serve our application
Payment processors – to process your subscription payments
Email service providers – to send transactional emails (billing, password reset, support)
Analytics providers – only with your consent, for website improvement
Security providers – for fraud detection and prevention

All third-party processors are contractually required to:

Process data only according to our instructions
Maintain appropriate security measures
Comply with GDPR and applicable data protection laws
Not use data for their own purposes
Notify us immediately of any data breaches

2.7.2 Guest Data Sharing

Your customers' data is NEVER shared with third parties except:

Your explicit instruction to integrate with another service
Legal requirement or court order
As necessary to deliver the service you've requested

We do not:

Sell guest data
Share guest data with marketing partners
Use guest data for our own purposes
Share guest data with other users of Cabintale

2.8 Data Retention and Deletion

2.8.1 Active Account Data

While your account is active, we retain your personal data (name, email, account settings) to maintain the service. This data is necessary for your account to function.

2.8.2 After Account Deletion

If you delete your Cabintale account:

All your personal data is permanently deleted from our active systems
All guest/customer data associated with your account is permanently deleted
All backups containing your data are securely destroyed within 30 days
Billing records may be retained only to comply with Czech tax law (up to 6 years for tax purposes)

Exception: We may retain anonymized or aggregated data that cannot identify you for statistical purposes.

Timeline: Deletion is completed within 7 business days of your request.

2.8.3 Guest Data Retention

Guest/customer data is retained only for as long as:

You maintain an active account with Cabintale
The reservation/booking is active or a reasonable period after completion (e.g., for guest communication)
You explicitly request its deletion

Once you delete guest data or your account is deleted, the data is permanently removed.

2.8.4 Technical Data (Logs)

Server logs and analytics data are automatically deleted after 90 days
We do not maintain long-term archives of access logs

2.8.5 Backup Data

While we maintain regular backups for disaster recovery and data protection:

Deleted data is removed from backups within 30 days
Backups are encrypted and stored securely
Deleted data cannot be recovered after the 30-day window

2.9 Data Security

We implement comprehensive technical and organizational security measures to protect your personal data:

2.9.1 Technical Security

Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
Encryption at rest: Sensitive data is encrypted in our database
Access controls: Only authorized personnel can access personal data, and only for legitimate purposes
Secure authentication: Passwords are hashed using industry-standard algorithms (e.g., bcrypt, Argon2), never stored in plain text
Regular security updates: We maintain up-to-date security patches for all systems
Firewalls and intrusion detection: We use firewalls and monitoring systems to detect unauthorized access
Session security: Session tokens are securely generated and cannot be predicted

2.9.2 Organizational Security

Staff training: All team members handling personal data receive data protection training
Access restrictions: Personal data access is limited to staff members who need it to perform their job
Data processing agreements: All vendors are bound by contracts requiring GDPR compliance
Incident response: We have procedures in place to respond to and mitigate data breaches
Regular audits: We conduct regular security audits to identify and address vulnerabilities

2.9.3 What We Cannot Guarantee

While we implement strong security measures, no system is completely secure. We cannot guarantee absolute protection against:

Advanced cyber attacks
Unauthorized third-party access
Loss or corruption of data due to unforeseen circumstances

By using Cabintale, you acknowledge that data security involves inherent risks.

2.10 Your Data Protection Rights (GDPR)

As an individual whose data we process, you have the following rights under GDPR and Czech data protection law:

2.10.1 Right of Access

You have the right to request a copy of the personal data we hold about you, including:

What data we store
Why we store it
How long we keep it
Who we share it with

How to request: Email support@cabintale.com with the subject "Data Access Request"
Response time: Within 30 days

2.10.2 Right of Rectification

You have the right to correct inaccurate or incomplete personal data. You can:

Update your account information directly in your profile
Contact us to correct information you cannot update yourself

Response time: Changes are made immediately for self-service updates; up to 30 days for requests requiring verification

2.10.3 Right of Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data, except where:

We have a legal obligation to retain it (e.g., tax records for 6 years)
The data is necessary to fulfill our contract with you
We have a legitimate interest in retaining it (which we must justify)

How to request: Email support@cabintale.com with the subject "Data Deletion Request"

Account deletion: You can delete your entire account and associated data through your account settings or by contacting support.

Response time: Within 30 days; deletion is completed within 7 business days of approval

2.10.4 Right to Restrict Processing

You can request that we limit how we use your personal data while:

You challenge its accuracy
You object to processing
We no longer need it but you need us to retain it for legal claims
You object to automated processing

How to request: Email support@cabintale.com with the subject "Request to Restrict Processing"
Response time: Within 30 days

2.10.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV) and to transmit it to another service provider without hindrance.

Available data:

Your account information
Your email address
Booking and calendar data
Transaction history

How to request: Email support@cabintale.com with the subject "Data Portability Request"
Format: Data will be provided as a CSV file
Response time: Within 30 days

2.10.6 Right to Object

You have the right to object to processing based on legitimate interest or statistical purposes.

How to request: Email support@cabintale.com with the subject "Objection to Processing"
Response time: We will stop processing within 30 days unless we have a compelling legal reason to continue

2.10.7 Right to Withdraw Consent

For any processing based on consent (e.g., marketing emails, analytics), you can withdraw consent at any time:

Click "unsubscribe" on marketing emails
Adjust cookie preferences in your browser or via our consent tool
Email support@cabintale.com to withdraw other consents

Impact: Withdrawal applies only to future processing; past processing remains lawful.

2.10.8 Rights Related to Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces significant effects on you (e.g., credit decisions, eligibility decisions).

2.11 International Data Transfers

2.11.1 Where Data Is Processed

Cabintale's infrastructure and data are processed in the European Economic Area (EEA), specifically in Czech Republic or other EEA locations. Personal data is not transferred outside the EEA except where:

You explicitly authorize integration with a non-EEA service
Required by law or court order
With your explicit consent

2.11.2 Non-EEA Transfers

If we do transfer data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs)
Binding Corporate Rules (BCRs)
Adequacy decisions by the European Commission
Your explicit consent

You will be notified if such transfers occur.

2.12 Children's Data

Cabintale is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, you may only use Cabintale with parental/guardian consent.

If we discover we have collected data from a child under 16 without verifiable parental consent, we will delete that data immediately.

2.13 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

We will notify you within 72 hours of discovering the breach (unless we determine the risk is low)
We will include: Description of the breach, categories of data affected, likely consequences, measures we're taking, and our contact details
We will notify authorities as required by law

You will be notified via email using the address associated with your account.

2.14 Changes to This Privacy Policy

We may update this Privacy Policy occasionally to reflect:

Changes in our services
New data protection laws
Improved privacy practices
User feedback

Notification: We will notify you of material changes by:

Posting the updated policy on our website
Sending you an email notification
Requesting your acceptance of changes (if legally required)

Effective date: Changes become effective 30 days after notification, unless you disagree. Your continued use of Cabintale after the effective date constitutes acceptance of the updated policy.

2.15 Contact Us

If you have questions about this Privacy Policy, our privacy practices, or want to exercise any of your data protection rights, please contact:

Data Protection Contact:
Email: support@cabintale.com
Address: Brno, Czech Republic

Response time: We aim to respond to all inquiries within 5-7 business days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (Office for Personal Data Protection – UOOU in Czech Republic, or your relevant supervisory authority).

GDPR TERMS (Data Processing Agreement Terms)

Last Updated: January 2026

This document outlines GDPR-specific terms for Cabintale's processing of personal data. These terms complement our Privacy Policy and apply to all users.

3.1 Roles and Responsibilities

3.1.1 Data Controller vs. Data Processor

For your account data (your name, email, etc.):

Cabintale is the Data Controller
We determine the purposes and means of processing your data
We are responsible for GDPR compliance regarding your account data

For your customers' data (guest/end-user information you collect):

You are the Data Controller
We are the Data Processor acting on your instructions
You determine what data is collected and how it's used

3.1.2 Our Processing Instructions

As a processor, we process your customer data exclusively according to the following instructions:

Process guest data only to facilitate bookings and reservations – Store and retrieve guest information needed to manage availability calendars, process bookings, and send booking confirmations
Maintain data security – Store guest data with appropriate technical and organizational security measures
Restrict access – Provide access to guest data only to your authorized staff through your account credentials
Delete on request – Permanently delete guest data when you request deletion
Assist with data subject requests – If a guest requests access to or deletion of their data, we will facilitate your response

You remain responsible for: Determining the lawful basis for collecting guest data, obtaining guest consent where required, and maintaining compliance with GDPR in your own privacy notices.

3.2 Data Processing Agreement (DPA)

3.2.1 DPA Incorporation

By using Cabintale, you accept that our standard Data Processing Agreement applies to the processing of your customer data. The DPA incorporates the following GDPR Article 28 required terms:

3.2.2 Required DPA Clauses

1. Subject Matter, Duration, Nature, and Purpose of Processing

Subject Matter: Processing of guest/customer data submitted through the Cabintale platform
Duration: For the term of your subscription plus 30 days post-termination
Nature: Storage, retrieval, organization, transmission (as needed to provide the service)
Purpose: To facilitate your booking and availability management operations, nothing more

2. Types of Personal Data and Categories of Data Subjects

Personal data: Names, email addresses, phone numbers, booking dates, reservation notes
Categories of data subjects: Your customers, guests, individuals making reservations

3. Obligations and Rights of the Controller (You)

You, as the Data Controller, must:

Ensure you have a lawful basis for collecting guest data (consent, contract, legitimate interest, etc.)
Provide accurate and complete information in your privacy policy about how you collect and process guest data
Obtain any necessary consents from guests before processing their data
Maintain a record of your processing activities (Article 30 GDPR)
Respond to data subject requests (access, deletion, rectification, portability, objection)
Conduct Data Protection Impact Assessments (DPIAs) if your processing poses high risk
Notify data subjects in the event of a data breach affecting their data
Ensure sub-processors you engage are GDPR compliant

4. Security Measures (Processor's Responsibility)

We, as the Data Processor, implement and maintain:

Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest in our database
Access controls: Only authorized personnel can access data; staff are trained on data protection
Authentication: Secure login credentials are required to access customer data
Regular audits: We conduct security assessments to identify and address vulnerabilities
Incident response: We have procedures to detect, investigate, and respond to security incidents
Backup and recovery: We maintain secure backups to prevent data loss, with encrypted storage
Staff confidentiality: All staff handling personal data are bound by confidentiality agreements

These measures are appropriate to the risk level posed by processing personal data in our service.

5. Sub-Processors

We may engage the following sub-processors to assist in providing the service:

Web hosting provider – [Specify hosting provider] – for server infrastructure and data storage
Payment processor – [Specify payment processor] – for processing subscription payments
Email service provider – [Specify email provider] – for sending transactional emails (password resets, billing notifications, booking confirmations)
Analytics provider – [Specify analytics provider] – for analyzing website performance (marketing site only)

Notification: We will notify you 30 days in advance before engaging new sub-processors. You have the right to object to new sub-processors, in which case we will either:

Find an alternative processor you approve, or
Terminate the affected service or your account

All sub-processors are contractually required to meet the same data protection standards as Cabintale.

6. International Data Transfers

All personal data is stored and processed within the European Economic Area (EEA). We do not transfer personal data outside the EEA without your explicit written authorization and appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions).

7. Data Subject Rights – Processor Assistance

We will assist you in responding to data subject requests (access, rectification, deletion, restriction, portability, objection) by:

Providing you with a copy of the relevant personal data
Updating or deleting data upon your instruction
Restricting processing of data upon your request
Providing data in a portable format upon your request
Providing information about our processing to support your responses

Response time: We aim to assist within 5-7 business days of your request.

Important: You remain responsible for verifying the identity of the data subject and for responding to requests within the GDPR 30-day deadline. We will assist you, but the legal responsibility is yours.

8. Data Protection Impact Assessment (DPIA)

If you need to conduct a DPIA for processing activities using Cabintale, we will:

Provide detailed information about our processing, technical measures, and security practices
Assist in evaluating risks to data subjects
Recommend appropriate safeguards and risk mitigation measures

We maintain documentation available for DPIA purposes.

9. Breach Notification

If we discover or become aware of a personal data breach affecting your customer data:

We will notify you immediately (within 24 hours when possible)
We will provide details: Description of the breach, types of data affected, likely consequences, individuals affected, measures taken to contain the breach
We will assist in investigation: We will provide logs and technical information to help investigate the breach
We will assist with notification: We will provide information to help you notify affected data subjects and authorities as required

Your responsibility: You remain responsible for notifying affected individuals and relevant authorities as required by GDPR.

10. Audit and Compliance Verification

You have the right to:

Request documentation of our data protection practices
Conduct audits or security assessments of our systems
Request certifications or compliance reports

Process:

Audit requests should be submitted to support@cabintale.com
We will provide reasonable access to our practices and documentation
Audits must be conducted with reasonable notice and during business hours
We may require you to sign a non-disclosure agreement to protect our systems

Frequency: We conduct regular internal audits and security assessments.

11. Data Retention and Deletion

Active account: While your account is active, we retain customer data as you direct
Deletion: Upon your request, we permanently delete all customer data within 7 business days
Account termination: Upon account closure, all customer data is deleted within 7 business days (with tax record exceptions)
Backups: Deleted data is removed from backups within 30 days
Tax records: We may retain billing data for up to 6 years as required by Czech tax law

Your responsibility: You must retain a copy of customer data if you need it for legal, contractual, or other legitimate business purposes after deletion from Cabintale.

12. End of Processing – Return or Deletion of Data

Upon termination of your account or our service relationship:

You may request a data export – We will provide your data in a portable format (CSV)
Or you may request deletion – We will permanently delete all data
We will confirm completion – Within 7 business days, we will confirm that data has been deleted and not retained in backup systems (except as legally required)

Our right to retain: We may retain minimal information to defend legal claims or meet tax/legal obligations, but this will be limited in scope and duration.

3.3 Data Protection by Design and Default

We have implemented the following data protection measures throughout our service:

Data minimization: We collect only the minimum personal data needed to provide the service
Purpose limitation: Data is used only for the purpose you've authorized
Retention limitation: Data is retained only as long as necessary
Integrity and confidentiality: Data is protected through encryption and access controls
Transparency: Clear privacy notices and policies explain our processing
User control: Users have clear tools to manage and delete their data
Security by default: Default settings prioritize privacy (no unnecessary tracking, minimal cookies)

3.4 Lawful Basis for Processing

3.4.1 For Your Account Data (We Are the Controller)

We process your account data based on:

Performance of Contract (Art. 6(1)(b)) – To create and maintain your account, provide the service, process billing
Legitimate Interest (Art. 6(1)(f)) – To maintain security, prevent fraud, improve service quality, comply with legal obligations
Consent (Art. 6(1)(a)) – For marketing communications (with your explicit opt-in)

3.4.2 For Your Customer Data (We Are the Processor)

The lawful basis is determined by you, as the controller. We process only according to your instructions. Common lawful bases you might rely on:

Performance of Contract (Art. 6(1)(b)) – Guest data is necessary to fulfill the booking contract
Legitimate Interest (Art. 6(1)(f)) – You have a legitimate business interest in managing reservations and guest communications
Consent (Art. 6(1)(a)) – If you've obtained explicit consent from guests for data processing

Your responsibility: Document the lawful basis in your privacy policy and ensure you have a valid legal ground for collecting guest data.

3.5 Legitimate Interest Assessment

3.5.1 For Account Security and Service Improvement

We process your account data based on legitimate interests in:

Platform security – Detecting fraud, unauthorized access, and abuse
Service improvement – Understanding which features are used, identifying bugs, optimizing performance
Legal compliance – Meeting tax obligations, defending against legal claims, complying with court orders
Business operations – Billing, customer support, contract enforcement

Balancing test: These legitimate interests outweigh your privacy rights because:

Processing is necessary and not excessive
You expect a certain level of data collection for these purposes
We implement safeguards to minimize processing (data minimization, encryption, deletion)
We provide transparency through clear privacy notices

3.6 Special Categories of Data

We do not knowingly collect or process special categories of personal data, including:

Racial or ethnic origin
Political opinions
Religious beliefs
Trade union membership
Genetic data
Biometric data for identification
Health data
Data about criminal convictions

If you collect such data from guests (e.g., health information for vacation rentals), you are solely responsible for:

Establishing a lawful basis for processing (Article 9 GDPR)
Obtaining explicit consent where required
Implementing additional security measures
Complying with enhanced notification requirements

We recommend: Do not collect special category data through Cabintale unless absolutely necessary.

3.7 Data Retention Policy

3.7.1 Your Account Data

Data Type	Retention Period	Purpose	Legal Basis
Account credentials (email, hashed password)	Duration of account	Account authentication	Performance of contract
Account settings (name, preferences)	Duration of account	Service provision	Performance of contract
Billing records	6 years after deletion	Tax compliance	Legal obligation
Technical logs (IP, device info)	90 days	Security, fraud prevention	Legitimate interest
Email communications (support, billing)	3 years	Record-keeping, dispute resolution	Legitimate interest

3.7.2 Your Customer Data

Data Type	Retention Period	Purpose	Legal Basis
Guest/customer information	Duration of your account + period you specify	Booking management	Performance of contract/your direction
Booking history	Duration of your account	Guest reference, dispute resolution	Legitimate interest
Communications with guests	Duration of your account	Record-keeping	Legitimate interest

Your control: You determine retention periods for customer data. Upon deletion request or account closure, all data is deleted within 7 business days.

3.7.3 Automated Deletion Policy

Technical logs: Automatically deleted after 90 days
Session cookies: Automatically deleted when browser closes or after inactivity
Deleted account data: Removed from backups within 30 days
Billing records: Retained for 6 years (tax law requirement), then deleted

3.8 Cookies and Tracking (GDPR/ePrivacy Directive Compliance)

3.8.1 Marketing Website (cabintale.com)

Strictly necessary cookies: No consent required (session management, security)
Functional cookies: Require explicit consent via banner
Analytics cookies: Require explicit consent via banner
Consent withdrawal: Users can withdraw at any time via cookie preferences or browser settings

3.8.2 Admin Dashboard (admin.cabintale.com)

Authentication cookies: No consent required (strictly necessary)
Session management: No consent required (strictly necessary)
Remember Me cookie: Requires explicit opt-in via checkbox
No tracking: No analytics, marketing, or behavioral tracking on dashboard

3.9 Compliance Verification and Updates

3.9.1 Our Commitments

Annual compliance review: We review and update our practices annually
Security assessments: We conduct regular security audits
Staff training: All staff handling personal data receive data protection training
Technology updates: We update systems and tools to meet evolving security standards
Transparency: We maintain clear documentation of our processing activities

3.9.2 Your Commitments

Accurate data: Ensure information you provide to us is accurate and complete
Lawful collection: Ensure you have a lawful basis for collecting customer data
Guest notifications: Inform guests that their data is processed through Cabintale
Rights assistance: Cooperate with us in responding to data subject requests
Prompt notification: Notify us of any data breaches you discover
Compliance: Maintain your own compliance with GDPR regarding customer data

3.10 Governing Law and Jurisdiction

These GDPR terms are governed by:

EU General Data Protection Regulation (GDPR) – Directly applicable
Czech Republic Personal Data Processing Act (Act No. 110/2019) – National implementation
Czech Republic Electronic Communications Act – Cookie and ePrivacy rules
Czech Republic law – For contract interpretation and dispute resolution

Jurisdiction:

Data protection disputes are overseen by the Office for Personal Data Protection (Úřad pro ochranu osobních údajů – ÚOOO) in Czech Republic
If you are an EEA resident, you may lodge complaints with your local data protection authority
Legal disputes may be addressed through Czech courts or alternative dispute resolution

3.11 Contact and Requests

For data protection inquiries, requests, or complaints:

Email: support@cabintale.com
Location: Brno, Czech Republic

Response timeframe: 5-7 business days for standard inquiries; up to 30 days for formal data subject requests

Escalation:

If you are unsatisfied with our response, you may lodge a complaint with the Office for Personal Data Protection (Czech Republic's supervisory authority)
Contact: https://www.uoou.cz/en