Annex 2 — GDPR records

This annex supplements HEBERGENEVE SAS’ privacy policy in accordance with article 30 of Regulation (EU) 2016/679 (GDPR) — record of processing activities — and article 26 of the GDPR — allocation of responsibilities between joint controllers.

It describes, in detail and in full, the personal-data processing operations carried out as part of HEBERGENEVE SAS’ activity (publication of the site hebergeneve.com, direct bookings and bookings via partner platforms, performance of stays, concierge service on behalf of owner-landlords, accounting). It identifies the respective roles (controller, joint controller, processor) and the operational allocations between HEBERGENEVE and its partners.

This annex is kept up to date and made available to the CNIL upon request, in accordance with article 30.4 GDPR.

1. Identification of the controller

  • HEBERGENEVE SAS
  • 248 rue de Genève, 01170 Gex, France
  • SIREN 919 295 931 — RCS Bourg-en-Bresse
  • Legal representative: Mr ROUSSET Loïc, President
  • GDPR contact point: rgpd@hebergeneve.com

Given the company’s size (fewer than 250 employees and no large-scale processing of special categories within the meaning of art. 9 GDPR), HEBERGENEVE SAS is not required to appoint a data protection officer (DPO). The President directly assumes the role of GDPR contact point.

2. Record of processing activities (art. 30 GDPR)

For each processing operation, the following are specified: the purpose pursued, the legal basis under article 6 GDPR, the categories of data processed, the categories of data subjects, the recipients, the retention period, any transfers outside the European Union, and the applicable security measures.

2.1 — Website audience measurement

Purpose: Understand site traffic, identify the most viewed pages, track conversions on contact forms / quote requests, without individual identification.
Legal basis: Legitimate interest (art. 6.1.f GDPR) — CNIL consent exemption (anonymised audience measurement).
Data collected: Truncated IP address, browser type, OS, screen resolution, pages viewed, visit duration, source page, approximate country / region, aggregated click events.
Data subjects: Visitors to hebergeneve.com.
Recipients: HEBERGENEVE SAS (management and marketing team); Plausible Insights OÜ (Estonia) — analytics processor, EU hosting.
Retention period: 13 months maximum, in line with the CNIL recommendation.
Transfers outside EU: None.
Security measures: TLS 1.3, IP anonymisation upstream, no third-party cookie, no fingerprinting, auditable open-source Plausible server.

2.2 — Contact forms and traveller requests

Purpose: Respond to general information requests and pre-booking requests from travellers.
Legal basis: Pre-contractual measures at the data subject’s request (art. 6.1.b GDPR).
Data collected: First name, last name, email, phone, free message content, planned stay dates, capacity, property of interest (when the form is pre-filled from a listing).
Data subjects: Prospective travellers.
Recipients: HEBERGENEVE SAS (welcome team); Brevo SAS (France) — processor for email forwarding.
Retention period: 3 years from the last contact, in line with the CNIL commercial-prospecting standard.
Transfers outside EU: None.
Security measures: TLS 1.3, two-factor administrator authentication, access logs, art. 28 GDPR processing contract with Brevo.

2.3 — Direct booking (channel hebergeneve.com / Smoobu)

Purpose: Formation and performance of the short-term rental contract: confirmation, stay management, traveller communication, cleaning, inventory, deposit release.
Legal basis: Performance of the contract (art. 6.1.b GDPR).
Data collected: First name, last name, email, phone, stay dates, capacity, amount, payment status, Smoobu identifier, Stripe identifier (no card data), any comments.
Data subjects: Travellers who have booked.
Recipients: HEBERGENEVE SAS; the owner-landlord (concierge regime only, in their capacity as official landlord); Smoobu GmbH (Germany) — channel manager processor; Stripe Payments Europe Ltd (Ireland) — payment processor.
Retention period: 3 years from the end of the stay for the customer relationship; 10 years for accounting documents (article L.123-22 of the French Commercial Code).
Transfers outside EU: Possible, framed by the Standard Contractual Clauses (decision 2021/914) and the EU-US Data Privacy Framework, in the context of Stripe operations occasionally routed to the United States.
Security measures: TLS 1.3, strong authentication, art. 28 processing contracts (Smoobu, Stripe, Brevo), access logs, encrypted daily backups.

2.4 — Booking via partner platforms (Airbnb, Booking.com)

Purpose: Formation and performance of the contract when the booking is made on a third-party platform.
Legal basis: Performance of the contract (art. 6.1.b GDPR).
Data collected: First name and first letter of the last name (Airbnb), platform proxy email, dates, capacity, amount. The full name and real email are received only at check-in via the police record (cf. 2.6).
Data subjects: Airbnb / Booking.com travellers.
Recipients: HEBERGENEVE SAS; the owner-landlord (concierge regime); Smoobu (calendar consolidation); Airbnb Ireland UC or Booking.com B.V. (Netherlands) — joint controllers under art. 26 GDPR for the pre-booking and payment phases.
Retention period: 3 years customer relationship / 10 years accounting documents.
Transfers outside EU: Handled by Airbnb and Booking.com under their respective DPAs (SCCs + DPF).
Security measures: Official Airbnb / Booking.com APIs, accessible platform DPA, certified Smoobu integration.

2.5 — Payment (Stripe — direct bookings; platform — Airbnb/Booking bookings)

Purpose: Collect the price of the stay, any deposit, the tourist tax, and process the deposit pre-authorisation. Re-invoicing between HEBERGENEVE and the owner-landlord under concierge regime via the Stripe Connect mechanism (“direct charge” + “application fee”).
Legal basis: Performance of the contract (art. 6.1.b GDPR) and accounting legal obligation (art. 6.1.c GDPR).
Data collected: Transaction identifier, amount, currency, status, last category / country of the card (never the number), cardholder name, email. Sensitive data (PAN, CVC) is collected and hosted exclusively by Stripe (PCI-DSS level 1).
Data subjects: Paying travellers; owner-landlords (Stripe Connect KYC).
Recipients: HEBERGENEVE SAS; under concierge regime, the owner-landlord as merchant of record; Stripe Payments Europe Ltd (Ireland); chartered accountant.
Retention period: 10 years for accounting documents.
Transfers outside EU: Stripe may occasionally transfer to the United States under the DPF and SCCs.
Security measures: Stripe certified PCI-DSS level 1, 3D-Secure, signed art. 28 GDPR processing contract.

2.6 — Police record and traveller identification (Chekin)

Purpose: Establish and retain the individual police record provided for in article R.611-42 of the CESEDA and the order of 14 June 2007, for foreign travellers; verify the identity of the booking traveller; electronically sign the rental contract and the property rules.
Legal basis: Legal obligation (art. 6.1.c GDPR) for the foreign-traveller police record; legitimate interest (art. 6.1.f GDPR) for identity verification of national travellers.
Data collected: First name, last name, date and place of birth, nationality, type / number / expiry date of the ID document, home address, electronic signature of the rental contract.
Data subjects: Travellers staying in a property managed by HEBERGENEVE.
Recipients: HEBERGENEVE SAS; the owner-landlord (concierge regime); Chekin Applications Ltd (Ireland) — processor; competent police authorities upon legal request.
Retention period: 6 months from departure for the foreign-traveller police record (legal duration); 3 years for the other elements (customer relationship).
Transfers outside EU: None (Chekin Ireland, EU hosting).
Security measures: TLS 1.3, segregation of identity data within Chekin, art. 28 GDPR processing contract, access log.

2.7 — Deposit / security deposit (Swikly)

Purpose: Secure the property by pre-authorised card imprint, with no actual debit unless an incident occurs, and release the deposit within 7 days of departure or use it partially / fully in case of damage.
Legal basis: Legitimate interest (art. 6.1.f GDPR) — protection against damage and loss.
Data collected: First name, last name, email, pre-authorisation amount, deposit status, Swikly identifier. Card data is hosted exclusively by Swikly (PCI-DSS).
Data subjects: Travellers.
Recipients: HEBERGENEVE SAS; the owner-landlord (concierge regime); Swikly (France) — processor.
Retention period: 7 days after departure for the pre-authorisation; 2 years for incident-related elements.
Transfers outside EU: None.
Security measures: Swikly PCI-DSS, TLS, art. 28 GDPR processing contract.

2.8 — Transactional communications and newsletter (Brevo)

Purpose: Send transactional emails (booking confirmation, check-in instructions, reminders, review requests) and, where applicable, marketing communications (newsletter).
Legal basis: Performance of the contract (art. 6.1.b GDPR) for transactional emails; explicit prior consent (art. 6.1.a GDPR) for marketing communications.
Data collected: Email, first name, segment (traveller, prospect, owner), send history, opens, clicks.
Data subjects: Travellers, prospects, owners.
Recipients: HEBERGENEVE SAS; Brevo SAS (France) — processor.
Retention period: 3 years from the last interaction (CNIL standard) or until unsubscription for marketing communications.
Transfers outside EU: None.
Security measures: Brevo ISO 27001 certified, double opt-in, one-click unsubscribe, art. 28 GDPR processing contract.

2.9 — Accounting and invoicing

Purpose: Keep accounting books, issue and retain invoices, file tax and social-security returns.
Legal basis: Legal obligation (art. 6.1.c GDPR) — articles L.123-12 et seq. of the French Commercial Code, articles 286 et seq. of the French General Tax Code.
Data collected: Beneficiary identity, amounts, dates, service description, bank details.
Data subjects: Travellers, partner owners, suppliers.
Recipients: HEBERGENEVE SAS; appointed chartered accountant; tax authority on legal request.
Retention period: 10 years (art. L.123-22 C. com.).
Transfers outside EU: None.
Security measures: Encrypted archiving, secure accounting-firm access, two-factor authentication.

2.10 — Concierge quote request (owners)

Purpose: Assess a project to take over management of a property by HEBERGENEVE, formalise a commercial proposal, and where applicable sign a concierge services contract or a commercial lease.
Legal basis: Pre-contractual measures at the data subject’s request (art. 6.1.b GDPR).
Data collected: First name, last name, email, phone, property address, type, area, number of bedrooms, any photos, free content.
Data subjects: Prospective owners.
Recipients: HEBERGENEVE SAS.
Retention period: 3 years if the quote does not lead to a contract; contract duration + 10 years after its term in case of signing.
Transfers outside EU: None.
Security measures: TLS 1.3, logical segregation of owner / traveller data, restricted access.

2.11 — Anti-fraud and unpaid debt management

Purpose: Prevent fraud (fake means of payment, falsified identities, over-bookings) and manage unpaid debts and stay incidents.
Legal basis: Legitimate interest (art. 6.1.f GDPR) — protection of HEBERGENEVE’s and partner owners’ economic interests.
Data collected: Identity, transactions, incident reason, written exchanges, inventory photos.
Data subjects: Travellers concerned by an incident.
Recipients: HEBERGENEVE SAS; where applicable, the lawyer or mediator involved.
Retention period: 2 years from the incident, unless litigation is ongoing.
Transfers outside EU: None.
Security measures: Internal log, access restricted to the President and commercial management.

3. Joint controllership (art. 26 GDPR)

Where several entities jointly determine the purposes and means of a processing operation, they qualify as joint controllers within the meaning of article 26 GDPR. This section formalises the arrangements applicable to HEBERGENEVE SAS’ main activity channels.

3.1 — Joint controllership with the owner-landlord (concierge regime v3.1)

Scope. For properties operated under the v3.1 concierge services contract, HEBERGENEVE SAS and the owner-landlord exercise limited and clearly allocated joint controllership for processing related to booking, stay performance and traveller invoicing.

Operational allocation.

Processing / activity | Operational lead | Co-decision-maker
Property listing and pricing | HEBERGENEVE | Owner (validation of floor rate)
Receipt and qualification of traveller requests | HEBERGENEVE |
Collection and traveller invoicing (Stripe Connect direct charge) | Owner (merchant of record) |
Traveller communication, check-in instructions | HEBERGENEVE |
Foreign-traveller police record (CESEDA) | Owner (official host L.2333-33 CGCT) | HEBERGENEVE (operational implementation via Chekin)
Tourist tax collection and remittance | Owner |
Response to GDPR rights requests | HEBERGENEVE (single point of contact) | Owner (operational relay)
Notification of data breach | HEBERGENEVE (centralises and notifies CNIL) | Owner (notifies HEBERGENEVE without delay)

Single point of contact. In accordance with article 26.3 GDPR, the traveller may exercise their rights either with HEBERGENEVE or with the owner-landlord. HEBERGENEVE SAS centralises requests at rgpd@hebergeneve.com and coordinates the response within one month from receipt of the request (art. 12.3 GDPR).

Breach notification. In the event of a data breach concerning a stay under concierge regime, the owner-landlord informs HEBERGENEVE SAS without undue delay and at the latest 24 hours after becoming aware of it. HEBERGENEVE SAS, as single point of contact, notifies the CNIL of the breach under the conditions of art. 33 GDPR and, where applicable, notifies data subjects under art. 34 GDPR.

This joint-controllership arrangement is documented in a specific clause of the v3.1 concierge services contract (GDPR annex), signed by both parties.

3.2 — Joint controllership with Airbnb Ireland UC

Scope. For bookings made via Airbnb, Airbnb Ireland UC and the Landlord (HEBERGENEVE under sub-letting, or the owner under concierge) are joint controllers under art. 26 GDPR for processing up to booking confirmation and payment on Airbnb. From check-in onwards, HEBERGENEVE (or the owner depending on the regime) becomes an autonomous controller for the police record, stay performance and final invoicing.

Arrangement. Airbnb publishes its joint-controllership arrangement in its trust centre (article 3175). HEBERGENEVE adheres to this arrangement by using the API and the Host account. Airbnb travellers may exercise their rights either with Airbnb or with HEBERGENEVE.

3.3 — Joint controllership with Booking.com B.V.

Scope and arrangement equivalent to point 3.2, by adherence to the arrangement published by Booking.com B.V. (Booking.com privacy centre). Booking.com travellers may exercise their rights with Booking.com or with HEBERGENEVE.

4. Processors under art. 28 GDPR

The following entities act as processors on behalf of HEBERGENEVE SAS, i.e. they process personal data only on the controller’s documented instructions, within the framework of an art. 28 GDPR-compliant processing contract.

Processor | Purpose | Country of establishment | Data hosting
Smoobu GmbH | Channel manager, rental management | Germany | EU
Stripe Payments Europe Ltd | Card payment, Stripe Connect | Ireland | EU / framed US transfers (DPF + SCCs)
Chekin Applications Ltd | Online check-in, police record | Ireland | EU
Swikly SAS | Card pre-authorisation / deposit | France | EU
Brevo SAS | Sending transactional emails and newsletter | France | EU
Plausible Insights OÜ | Anonymised audience measurement | Estonia | EU
IONOS SARL | Web hosting and domain name | France / Germany | EU
Chartered accountant | Accounting, tax filings | France | EU

HEBERGENEVE SAS publishes its up-to-date list of processors and notifies any substantial change on this page.

5. Exercise of rights — procedure

In accordance with articles 15 to 22 of the GDPR, you have the rights of access, rectification, erasure, restriction, portability, objection, and the right to set post-mortem directives. To exercise these rights, write to rgpd@hebergeneve.com, specifying the subject of your request and attaching, if necessary for your identification, a copy of an ID (article 12.6 GDPR).

HEBERGENEVE SAS undertakes to respond within one month of receipt of the request (art. 12.3 GDPR), extendable by two months in case of complexity, after informing the data subject.

You also have the right to lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.

6. Updates to this annex

This annex is updated whenever the processing operations evolve substantially (addition of a processor, modification of a purpose, change of retention period, modification of a joint-controllership arrangement). The last update date appears in the footer. Changes with an impact on data subjects are subject to individual notification by email when technically possible.

Last update: 25 April 2026 — version v1