Verve Apartments

Privacy Policy

Version: 20 January 2026

1. General Information on Data Processing

We process personal data solely within the scope of the applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Personal data means any information relating to an identified or identifiable natural person (e.g. name, contact details, booking data, IP address).

2. Controller

Elias Kutscha

Wiesenstraße 6, 67550 Worms, Germany

Email: [email protected]

Phone: +49 151 12475349

3. Data Protection Officer

No data protection officer has been appointed.

4. Categories of Data Processed

Depending on the contact and booking channel, we process in particular:

- Basic data: first name, last name

- Contact data: email address, phone number, country

- Booking/stay data: accommodation/property, period of stay, number of guests, notes/remarks, communication (e.g. booking messages, check-in information)

- Billing data: invoice data (name/address, service period, amount, invoice number) as well as transaction/payment confirmations

- Portal/platform data: data provided to us by booking platforms (e.g. profile/contact data, booking details, message history)

- Technical data: IP address, browser/device information, timestamps, referrer URL, log data

- Statutorily required registration data (only where applicable): e.g. data from registration forms for guests without German nationality

5. Purposes and Legal Bases

We process personal data for the following purposes:

(a) Handling enquiries, concluding contracts and performing the accommodation agreement (Art. 6(1)(b) GDPR)

(b) Compliance with legal obligations (e.g. registration obligations, statutory retention obligations under tax and commercial law) (Art. 6(1)(c) GDPR)

(c) Communication with guests (email, phone, WhatsApp), support and sending information related to the booking (Art. 6(1)(b) GDPR; additionally Art. 6(1)(f) GDPR)

(d) Prevention of misuse, enforcement/defence of claims, IT security and error analysis (Art. 6(1)(f) GDPR)

(e) Operation of the website including cookies/analytics/marketing (if activated) based on your consent (Art. 6(1)(a) GDPR) and – where required – additionally pursuant to Section 25 TDDDG (access to information stored on your end device, e.g. cookies)

6. Sources of Data

We receive data:

- directly from you (e.g. website booking, phone, email, WhatsApp),

- via booking platforms (e.g. Airbnb, Booking.com, FeWo-direkt/Vrbo),

- via our booking/management system to the extent that data arises there through the booking process.

7. Obligation to Provide Data

Certain data is required for a booking (in particular your name and a means of contact). Without this data, a booking/enquiry may not be processed or carried out. Statutorily required information (e.g. registration obligations, where applicable) must also be provided.

8. Booking, Enquiries and Communication

8.1 Direct booking/enquiry (website, email, phone, WhatsApp)

If you book/enquire via our website or contact us by email/phone/WhatsApp, we process your information to handle the enquiry, to initiate/perform the contract and for communication.

8.2 Bookings via platforms

For bookings via booking platforms, we receive the data required for processing from the respective platform. In addition, the data protection provisions of the respective platform apply.

9. Booking and Management System (Lodgify)

For website/online bookings, reservation management, synchronisation with booking platforms (channel management), messages, automations and organisational processes, we use “Lodgify” (booking and management platform). Provider: Codebay Solutions Limited (trading as Lodgify), Magma House, 16 Davy Court Way, Castle Mound Way, Rugby, Warwickshire, CV23 0UZ, United Kingdom. In doing so, the data arising in the course of a booking/enquiry is processed in order to manage reservations, synchronise availability, send messages and operate the business.

Lodgify is typically used as a processor. Where required, we enter into data processing agreements with service providers who process personal data on our behalf (Art. 28 GDPR).

10. Keyless Access / Smart Lock (Nuki) – if used

If we use keyless access (e.g. via Nuki), information may be processed for the provision and management of access (e.g. access authorisations, time windows, and, where applicable, logs of locking events). Provider: Nuki Home Solutions GmbH, Münzgrabenstraße 92/4, 8010 Graz, Austria. Processing is carried out for the performance of the contract and for security reasons (Art. 6(1)(b) and (f) GDPR).

11. Statutory Registration Obligations (Registration Form) – only where applicable

Where required by law, we process data to fulfil registration obligations for guests without German nationality. Collection takes place via a digital process/link within our booking/management system. Storage and deletion/destruction are carried out in accordance with statutory requirements (Art. 6(1)(c) GDPR).

12. Payment Processing

12.1 Bank transfer

If you pay by bank transfer, we process the data necessary for allocating the payment (e.g. name, IBAN, amount, payment reference, booking reference). The legal basis is Art. 6(1)(b) GDPR.

12.2 Online payments (e.g. Stripe/PayPal, Apple Pay/Google Pay) – if offered

If online payment methods are offered, payment processing is carried out via the respective payment service provider (e.g. Stripe, PayPal; and, where applicable, Apple Pay/Google Pay via connected payment services). Providers (examples): Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Dublin 2, Ireland; PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Payment and transaction data is generally processed directly by the payment service provider. As a rule, we do not receive full card/bank account details, but rather payment confirmations/transaction information and billing-relevant data. The legal basis is Art. 6(1)(b) GDPR.

13. Invoicing / Retention

We process billing data to issue invoices and to comply with statutory retention obligations under tax and commercial law. The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR.

14. Email and Communication Services

14.1 Email

Email communication is carried out via our email service/provider STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany (“Strato”). Communication content and metadata (e.g. time, sender/recipient) are processed to the extent necessary for communication (Art. 6(1)(b) or (f) GDPR).

14.2 WhatsApp (contact, WhatsApp button, WhatsApp Business; WhatsApp API – potentially in the future)

If you contact us via WhatsApp or use a WhatsApp button on our website, personal data (e.g. phone number, communication content, metadata and, where applicable, technical data when clicking) is processed by WhatsApp/Meta. Provider (EU): Meta Platforms Technologies Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Processing is carried out for communication (Art. 6(1)(b) GDPR for pre-contractual/contractual communication or Art. 6(1)(f) GDPR).

If a WhatsApp API/automation is used in the future, this may serve more efficient communication (e.g. automated check-in information). In that case, processing will also be carried out exclusively in accordance with data protection requirements; details will be specified upon activation.

15. Website Visits, Server Logs

When you visit our website, technically necessary data is processed automatically (e.g. IP address, date/time, pages accessed, browser/device information, referrer URL). Processing is carried out to provide the website, for security (e.g. detecting misuse) and for error analysis (Art. 6(1)(f) GDPR).

16. Cookies, Consent Management, Section 25 TDDDG

Our website uses cookies and similar technologies. Technically necessary cookies are required for the operation of the website. Non-essential cookies (e.g. analytics/marketing) are set – if activated – only after your consent via the consent/cookie banner (Art. 6(1)(a) GDPR) and, where required, additionally pursuant to Section 25 TDDDG (access to information on the end device). You can withdraw or adjust your consent at any time via the cookie settings.

17. Web Analytics/Tracking/Marketing – if activated

For the analysis and optimisation of our website and for marketing purposes, we may use the following services (e.g. Google Analytics (GA4), Google Tag Manager, Google Ads conversion tracking/remarketing). Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; and affiliated companies such as Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. These services are – if active – loaded only after consent via the consent banner (Art. 6(1)(a) GDPR; where applicable Section 25 TDDDG).

If technically implemented, Google Consent Mode may also be used to take consent states into account and to make measurement more data-protection compliant.

18. CAPTCHA Spam Protection – if activated

To protect our forms from misuse (e.g. automated enquiries/spam), we may use CAPTCHA services, e.g. Google reCAPTCHA (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; and, where applicable, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) or hCaptcha (Intuition Machines, Inc., 350 Alabama St, San Francisco, CA 94110, USA). In this context, technical data (e.g. IP address, browser/device information, interaction data) may be processed. The legal basis is your consent (Art. 6(1)(a) GDPR) insofar as the integration is not strictly technically necessary; otherwise, our legitimate interest in protecting the website (Art. 6(1)(f) GDPR). The specific service used will be named in this privacy policy once activated.

19. Review Display (Revyoos) – embedded as a button/widget

We use Revyoos (Revyoos S.L., Spain) to display verified guest reviews as a widget/button on our website. When the widget is loaded/opened, technical data (e.g. IP address, browser information) may be transmitted to Revyoos; cookies may also be set to the extent required for the widget to function.

Depending on the technical design, processing is based either on your consent (Art. 6(1)(a) GDPR; where applicable Section 25 TDDDG) or—if no consent-requiring cookies/tracking technologies are used—on our legitimate interest in transparent presentation of reviews (Art. 6(1)(f) GDPR).

20. Newsletter / Direct Marketing – if offered

If we send newsletters or promotional information, this is done either on the basis of your consent (Art. 6(1)(a) GDPR) or—within the legally permitted scope of marketing to existing customers—on the basis of our legitimate interest (Art. 6(1)(f) GDPR). You can object at any time or withdraw your consent.

If a newsletter service provider is used, processing is carried out via a processor (Art. 28 GDPR).

21. OpenAI/ChatGPT (internal support, data minimisation)

We use AI-supported tools such as ChatGPT/OpenAI occasionally for internal support when drafting texts. Personal data of guests is generally not transmitted. If, in exceptional cases, an API is used, this is done only with data minimisation and within the framework of the provider’s contractual/technical safeguards. Personal data is not used for “training” purposes in this context.

Provider: OpenAI OpCo, LLC, 3180 18th Street, San Francisco, CA 94110, USA; for users in the EEA/Switzerland, where applicable OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.

22. Recipients of Data

We transfer personal data only where this is necessary. Recipients may include in particular:

- Booking/management system/website platform (Lodgify)

- Payment service providers (e.g. Stripe, PayPal) – if used

- Smart lock provider (e.g. Nuki) – if used

- Review service (Revyoos)

- Communication services (email provider, WhatsApp) if you use these channels

- Tax advisor/tax authorities in the context of statutory obligations

- Public authorities/official bodies where there is a legal obligation or a lawful request

23. Processing on Our Behalf (Art. 28 GDPR)

Service providers that process personal data on our behalf (e.g. hosting/booking platform, newsletter service provider, and, in certain roles, payment service providers) are, where required, engaged under data processing agreements. Internally, access to personal data is restricted to authorised persons (generally only the administrator/controller).

24. Transfers to Third Countries

Some services may transfer data to countries outside the EU/EEA (in particular the USA), e.g. when using Google services (analytics, tag manager, ads, reCAPTCHA) or WhatsApp/Meta. Transfers take place only if the requirements of Art. 44 et seq. GDPR are met (e.g. adequacy decision, EU–US Data Privacy Framework—where applicable—and/or Standard Contractual Clauses (SCCs) and, where appropriate, additional safeguards).

25. Storage Period

We store personal data only for as long as is necessary for the purposes stated or as long as statutory obligations exist:

- Booking and billing data (invoices/taxes): generally up to 10 years

- Booking-related communication (email/WhatsApp): as long as necessary, generally until the end of applicable statutory limitation periods where relevant

- Enquiries without a booking: generally up to 24 months (depending on necessity), unless statutory obligations prevent deletion

- Registration data/registration forms (only where applicable): in accordance with statutory requirements; thereafter timely deletion/destruction

- Technical logs: for an appropriate period for security/error analysis (typically a few weeks), unless retention is required for security reasons

26. Data Security

We use technical and organisational measures to protect your data against loss, misuse and unauthorised access (e.g. HTTPS encryption, access restrictions, two-factor authentication for administrative access).

27. Your Rights

Under the GDPR, you have in particular the following rights:

- Right of access (Art. 15 GDPR)

- Right to rectification (Art. 16 GDPR)

- Right to erasure (Art. 17 GDPR)

- Right to restriction of processing (Art. 18 GDPR)

- Right to data portability (Art. 20 GDPR)

- Right to object (Art. 21 GDPR)

- Right to withdraw consent given (Art. 7(3) GDPR)

To exercise your rights, please contact us by email. We may request suitable proof of identity.

28. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Rhineland-Palatinate is:

Der Landesbeauftragte für den Datenschutz Rheinland-Pfalz

Hintere Bleiche 34, 55116 Mainz

www.datenschutz.rlp.de

29. No Automated Decision-Making/Profiling

No solely automated decision-making within the meaning of Art. 22 GDPR takes place.

30. Changes to this Privacy Policy

We reserve the right to update this privacy policy, e.g. in the event of legal changes or if we expand/change our services. The version published on our website at the time shall apply.

31. Prevailing Version

If this privacy policy is provided in multiple languages, the German version shall prevail in the event of any discrepancies.

+49 151 12475349

[email protected]
©2026 Verve Apartments All rights reserved - Powered byLodgify