Controller

The controller under this privacy policy is Hygge Host Oy, Business ID 3403109-1 ("Hygge Host", "we", "us").

For questions concerning data protection, you can contact us at hello.hygge@hyggehost.fi.

What this privacy policy covers

This privacy policy applies to the processing of personal data when:

• you use our website
• you contact us
• you request information about our hosting or management services
• you make or manage an accommodation booking
• you move from our website to a Hospitable-, Bókun- or Duve-based booking or service path
• you use our cleaning or other services
• you communicate with us as a customer, guest, property owner or partner.

Hygge Host Oy operates under a hosting and short-term rental management model. We provide accommodation and related operational services mainly in properties owned by others but managed by Hygge Host Oy under an agreement. In relation to customers, Hygge Host Oy acts as the accommodation provider and service provider for these properties. The same principle also applies to our other services, unless it is expressly stated in connection with an individual service that the service is provided or sold by a third party.

Who this policy applies to

This policy applies in particular to the following groups of data subjects:

• website visitors
• users of contact forms and WhatsApp contact
• persons making accommodation bookings and guests
• persons making activity bookings
• property owners and persons interested in owner services
• customers ordering cleaning or other separately offered services
• persons submitting reviews or feedback.

What personal data we may process

We may process the following personal data depending on the situation:

4.1 Data related to use of the website

• IP address
• technical information about the browser and device
• log and security data
• cookie and analytics data
• data on the use of pages and navigation.

4.2 Data related to contacts and WhatsApp communication

• name
• email address
• telephone number
• message content
• content of WhatsApp communication and related data insofar as you message us via WhatsApp
• any other data provided on the form.

We use the Joinchat plugin on the website, which displays a contact button that directs users to WhatsApp. Use of the button may require the processing of technical data, such as IP address, browser data, cookies or click data, to enable the functioning of the website and the contact. If you decide to contact us via WhatsApp, we process the content of your message, your contact details and data related to the communication in connection with the correspondence carried out via WhatsApp. The actual communication also takes place in the WhatsApp service in accordance with its own terms and privacy practices.

4.3 Data related to accommodation bookings

• name and contact details of the person making the booking
• number of guests and, where necessary, names
• property, arrival and departure date
• messages and requests related to the booking
• data on additional services, cleaning, key handover, online check-in, guest communication and other practical operations
• any deposit, damage or complaint data.

4.4 Data related to activity bookings

• name and contact details of the person making the booking
• booked activity or service
• date/time, number of participants and other booking-related data
• customer communication and any change data.

4.5 Data related to owner services

• name of the owner or contact person
• contact details
• data concerning the property
• contract, invoicing and commission data
• communications, data related to service requests and other information related to managing the cooperation.

4.6 Data related to cleaning and other separate services

• name and contact details of the customer
• service property, time and content
• communication related to the provision of the service
• invoicing and payment data.

4.7 Statutory traveller data

• data required by law requested in the traveller notification
• where applicable, traveller notification data concerning accompanying minor children
• any data related to identity verification
• signature data on the paper traveller notification.

4.8 Data related to reviews

• any reviews displayed on the site, stars, username, name or profile data insofar as they are published on the site.

Our website uses the WP Review Slider Pro plugin to display Airbnb reviews. Through the plugin, the site may display the reviewer's name or first name, profile picture or other avatar, any initials, review text and review date, depending on what data the original source contains and how the plugin has been configured on the site.

Where personal data is obtained from

We primarily obtain personal data:

• directly from you through the website, forms, WhatsApp contact, email or telephone
• in connection with an accommodation booking
• from the systems we use, such as Hospitable and Duve
• in connection with activity bookings from Bókun
• from payment service providers, such as Stripe
• from external booking channels, such as Booking.com and Airbnb, insofar as the booking or related communication is transferred to us
• from booking systems for cleaning and other services, such as Slotti, if the service is ordered through it
• from property owners or their representatives when this is necessary to provide accommodation or owner services.

For what purposes we use personal data and on what legal basis

We use personal data only for predefined purposes and only when there is a legal basis for the processing under the General Data Protection Regulation.

6.1 Website functionality, security and development

We use personal data to ensure the technical functioning of the website, maintain security, prevent abuse, develop the service and perform analysis.

Legal basis: legitimate interest.

6.2 Processing contacts, WhatsApp communication and requests for quotations

We use the data to respond to contacts, requests for quotations and enquiries concerning owner services, and to process any service requests.

Legal basis: pre-contractual measures when the contact relates to a requested quotation, booking or service. For other general contacts, the legal basis is the controller's legitimate interest in ensuring customer communication and the proper management of the service.

6.3 Processing accommodation bookings and guest communication

We use the data to receive, manage, amend and confirm accommodation bookings, for guest communication, arrival instructions, key handover, arranging cleaning, providing the accommodation, and customer service before, during and after the stay. We may use the Duve service to implement online check-in, guest communication, any service requests, offering additional services and other digital guest service insofar as these functions are in use.

Legal basis: performance of a contract and pre-contractual measures.

6.4 Directing accommodation bookings through a Hospitable deep link

Our website uses a hosted booking solution related to the Hospitable service. The customer is directed to Hospitable's hosted booking view to make a booking. For this reason, personal data may be processed both in the systems we use and in Hospitable's technical booking environment. In relation to the customer, Hygge Host Oy acts as the accommodation provider and service provider for the booking. Payments are received through Hygge Host Oy's Stripe account. Hospitable may process, for example, data concerning IP address, browser and operating system, as well as cookies, to implement the booking path. Hospitable's own privacy policy applies to the technical booking environment it provides, but this does not remove the fact that Hygge Host Oy acts as the controller for the personal data it processes for its own purposes, such as managing the booking, customer communication, providing the accommodation and accounting.

Legal basis: performance of a contract and pre-contractual measures. For system data required for the technical implementation of the booking, the legal basis is the controller's legitimate interest.

6.5 Directing activity bookings through Bókun

Our website may direct users to a Bókun-based activity booking path. The seller of the activities is a third party. In this context, Hygge Host acts as a marketing and intermediary channel and not as the actual service provider of the activity. Hygge Host may receive a commission for the intermediation. In connection with an activity booking, personal data may be processed by Hygge Host, the Bókun system, the payment service provider and the actual service provider of the activity in question insofar as this is necessary to intermediate, process and take payment for the booking, handle any changes or cancellations, and provide customer service.

Legal basis: pre-contractual measures insofar as we process intermediation or contact requested by the user. The controller's legitimate interest insofar as we process data to carry out intermediation activities, administer commissions and provide our own customer service.

6.6 Owner services, cleaning and other separate services

We use personal data to provide hosting and management services to property owners, manage contracts, communicate, process commissions and costs, coordinate cleaning, and provide separately sold services such as cleaning services.

Legal basis: contract, pre-contractual measures and the controller's legitimate interest in the proper management of the contractual relationship.

6.7 Payments, invoicing and accounting

We use personal data to receive payments, reconcile payments, process refunds, invoice, administer commissions, keep accounts and investigate possible abuse. Payment card and other payment data are processed in the systems of Stripe or another payment service provider. Hygge Host does not itself store complete payment card details, but receives the necessary data related to payment completion, status, refunds, invoicing and reconciliation.

Legal basis: performance of a contract and statutory obligation.

6.8 Statutory traveller notifications

We use data related to traveller notifications only for the purposes required by law. Hygge Host Oy acts as the accommodation operator in these situations. Under the Finnish Act on Accommodation and Food Service Activities, traveller notifications and traveller data must be retained for one year from the date the traveller notification is signed, after which they must be destroyed. If the data is entered into a traveller register, the traveller data in the register must be retained for one year from the date it was entered, after which it must be destroyed. Traveller notifications may be collected on paper or, where applicable, electronically through Duve. Paper forms are stored as standard practice in a security cabinet, and access to them is limited to persons who are entitled to access them based on their job duties. Data concerning foreign nationals is submitted, where necessary, to the relevant authority in the manner required by law. After the retention period ends, the forms are securely destroyed using a paper shredder in a locked space. Traveller notification data is not used for customer service or direct marketing.

Legal basis: statutory obligation.

6.9 Cookies and analytics

We use cookies and Google Analytics 4 on the website to analyse website use, compile usage statistics, develop the service and understand the functionality of the service. Google Analytics 4 may process, for example, data on page loads, sessions, estimated geographic location, and technical data related to the user's browser and device. Google Analytics 4 uses first-party cookies on the website to distinguish individual users and sessions.

Legal basis: consent for non-essential analytics cookies. Insofar as personal data is processed in connection with technically necessary functions, the processing is based on the controller's legitimate interest in ensuring the technical functioning of the website.

6.10 Displaying reviews on the site

Our website may display reviews published on Airbnb or parts of them through the WP Review Slider Pro solution. The reviews displayed originate from Airbnb. Depending on the settings, reviews may display, for example, the reviewer's name or first name, profile picture or avatar, review text and review date. Displaying this data on the website constitutes processing of personal data insofar as the data can be identified as relating to a natural person.

Legal basis: the controller's legitimate interest in demonstrating service quality, customer experience and trust.

Recipients and processors of personal data

We may disclose or provide access to personal data to the following recipients or processor groups to the extent necessary to provide services, manage customer service, process payments, maintain systems or fulfil statutory obligations:

• Hospitable
• Duve
• Bókun
• Stripe
• Slotti
• Google and Gmail / Google Workspace
• Google Analytics
• Joinchat
• WhatsApp / Meta insofar as communication takes place via WhatsApp
• accounting and financial administration service providers
• cleaning, key handover, maintenance and other operational partners insofar as sharing data is necessary to provide the service
• authorities when required by law.

We do not disclose guests' contact details or other personal data directly to property owners. If data is provided to owners for reporting, invoicing or service monitoring, the data is provided without personal data unless there is a separate lawful and necessary basis for disclosure.

Transfers of data outside the EU/EEA

The service providers we use may also process personal data outside the European Union or the European Economic Area or use subprocessors located in such areas. Such services may include, for example, Google Analytics 4, Google Workspace / Gmail, Stripe, Bókun, Duve, Joinchat, WhatsApp / Meta and Hospitable insofar as the technical implementation of the booking path or digital guest service requires it.

In such situations, we ensure that there is a transfer basis for the personal data transfer in accordance with the General Data Protection Regulation, such as an adequacy decision by the European Commission, standard contractual clauses approved by the European Commission or another applicable safeguard mechanism.

More information on the services used and their transfer bases can be requested using the contact details specified in section 1.

Mandatory provision of data

Some personal data is necessary to enter into a contract or provide the service. If such data is not provided, we may not be able to accept a booking, process it or provide the service. Statutory traveller notification data is collected to the extent required by law, and it cannot be withheld when the law requires its collection.

Retention periods for personal data

We retain personal data only for as long as necessary for the purposes described in this policy or for the period required by law. The retention periods or the criteria for determining them are as follows:

• technical website log and security data: 12 months
• general contacts, WhatsApp messages and requests for quotations: 12 months after the matter has been fully processed
• owner leads and sales negotiations: 24 months from the last active contact
• data related to owner contracts: for the duration of the contract and thereafter for no more than 6 years insofar as the data is included in accounting materials, taxation or documents required for handling legal claims
• data related to accommodation bookings, online check-in, guest communication and other digital guest service: 36 months after the stay ends, unless an open complaint, damage matter or official obligation requires longer retention
• data related to activity bookings: 24 months after the service has been provided, unless invoicing, a complaint or a legal claim requires longer retention
• booking data related to cleaning and other separate services: 24 months after the service has been provided, unless invoicing, a complaint or a legal claim requires longer retention
• invoicing and accounting data: at least six years from the end of the year in which the financial period ended
• traveller notifications and traveller data: one year from the date the traveller notification was signed or entered into the register, after which the data is destroyed
• reviews displayed on the site: for as long as they remain published on the website or until they are removed from the site.

Traveller notification data is not used for customer service or direct marketing.

Rights of the data subject

Under applicable data protection legislation, you have the right to:

• receive information about the processing of your personal data
• access the data concerning you
• request correction of inaccurate data
• request deletion of data in certain situations
• request restriction of processing in certain situations
• object to processing in certain situations
• transfer data from one system to another where the right applies
• withdraw consent at any time if the processing is based on consent.

The scope of these rights depends on the basis on which the data is processed. You can exercise your rights by contacting us at hello.hygge@hyggehost.fi.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

Data security

We protect personal data with appropriate technical and organisational measures. These include, for example, access rights management, strong passwords, two-factor authentication in use for Google accounts, multi-factor authentication in other systems where possible, logging and monitoring, encrypted connections, limiting the processing of personal data only to persons who need it based on their job duties, and contractual control of service providers. Paper traveller notifications are stored in a locked space, and paper materials are securely destroyed after the retention period ends.

Cookies

The website uses cookies and possibly other similar technologies. Non-essential cookies and analytics technologies are enabled only when there is a lawful basis for doing so. The use, purposes, retention periods and management of cookies are described in more detail in a separate cookie policy and/or the website's cookie settings.

Processing excluded from this policy

This privacy policy does not apply to possible camera surveillance at our office. Separate information on camera surveillance in the office premises is provided at the premises and, where necessary, in a separate privacy notice.

Updating this privacy policy

We may update this privacy policy, for example, when services, systems, contract models or legislation change. The up-to-date version is kept available on our website.