Terms and conditions

Stand: June 18th, 2024

The T&C consist of these terms, Annex A which is a Data Processing Agreement and Annex B which provides for additional optional Platform Features.

1. General
   1. Smoobu GmbH, Pappelallee 78/79, 10437 Berlin (“Smoobu”), is a software as a service provider, providing software for the central management of short-term accommodation, in particular holiday homes or vacation rentals, under a domain and as an app (“Platform”). The Platform, including any updates, enhancements, new features, and/or the addition of new web functionalities, is subject to these T&C.
   2. The Platform offers integrations with third-party tools (“Integrations”). End users of the Platform (“Users”) are required to separately enter into direct contractual agreements with said third parties or purchase these Integrations directly via Smoobu subject to separate terms provided by the third party vendor and separate invoicing.
   3. The use of the Platform is exclusively subject to these T&C in the version applicable at the time the Platform is accessed. The most recent version can be viewed on the Platform.
   4. The Platform may not be used for improper or fraudulent purposes.
   5. These T&C shall apply to all Users whether as natural persons, legal entities or partnerships, each with entrepreneurial capacity. Users are deemed to be owners acting as individuals for their own company, as well as accommodation providers, agencies, employees or vendors acting on behalf of owners.
      • contravenes clause (4) above;
      • uses automated systems or software to extract data from the Platform (so-called screen scraping), either for commercial or non-commercial purposes;
      • circumvents existing restrictions in robot-exclusion-headers or in other measures that restrict or prevent access to the Platform;
      • uses a device, software or program that affects or tries to affect the regular functionality of the Platform,
      • carries out an act that inappropriately strains Smoobu’s servers, computer or network;
      • fails to make payment per section 6 below; or
      • use of the Service beyond the contractually agreed or usual and customary scope.
2. Smoobu’s services
   1. The core functionality of the Platform is to facilitate calendar and price synchronization between the various distribution channels for short term accommodation that Smoobu has connected to the Platform, including hosting of said data, (“Core Features”). Additional features may be provided via the Platform and be subject to additional terms which can be reviewed here.
   2. Smoobu does not ensure the uninterrupted availability of the Platform. The annual average uptime of the Platform is 98%. Smoobu may carry out technical maintenance on the Platform at any time, generally outside normal business hours, and to the extent necessary. Use of the Platform may be restricted or not possible during said periods. In such cases, the User shall not be entitled to any claims for damages. Where possible, Smoobu shall inform the User in advance of any extensive maintenance work that results in Platform restrictions or unavailabilities.
   3. If applicable, upon receipt of notification of any malfunctions or errors Smoobu shall consider all economically viable efforts and technically feasible solutions to restore the Platform to its usual environment and functionality. For this purpose, said notifications must include sufficiently specific descriptions. It is the sole responsibility of Smoobu to make a final determination of the urgency of said notifications. Smoobu customer service is available during regular business hours for such notifications and corresponding communication.
   4. The Platform may offer (“Beta Services”). Beta Services are prominently marked as so and may not function as described. Beta Services may be improved or withdrawn at the sole discretion of Smoobu, where possible advance notice will be provided.
   5. Smoobu does not guarantee the error-free functionality, reliability, or performance of any Beta Services.
   6. Third-party tools may be integrated via the Platform. While reasonable efforts will be made to support such Integrations, it is expressly agreed that Smoobu shall bear no liability for any issues, damages, or losses arising from such Integrations.
   7. Smoobu does not guarantee the compatibility, reliability, or performance of any Integration.
   8. Smoobu accepts no liability for content outside of the Platform, including, but not limited to any websites linked in the Platform.
   9. Smoobu shall provide the User with access to the Platform in accordance with section 3 below.
   10. Smoobu offers various subscription options (“Subscription”), and available features may differ between Subscriptions as detailed on the Platform.
3. Rights and obligations of Users
   1. Smoobu grants Users a limited, non-exclusive and non-transferable, global license for the duration of the Agreement to access the Platform within the software as a service scope in accordance with these T&C and their Subscription.
   2. The User guarantees that it has the necessary power to enter into this legal agreement (“Agreement”) and has read, understood and accepted the applicable T&C including for any applicable Assistant Account Users (defined below), whose use of the Platform is also subject to this Agreement. The User warrants that all data it provides to Smoobu is correct and up-to-date at all times. Smoobu has the right to verify, at its sole discretion, the integrity, accuracy and completeness of the User’s data, as well as to implement further checks through manual and technical checks possibly carried out by external service providers or a self-disclosure (e.g. by answering a questionnaire) on its own costs in a timely manner.
   3. Users shall comply with all applicable laws, regulations, and industry standards. This applies, in particular but without limitation to anti-corruption, antitrust, data protection, anti-money-laundering, child labor, prevention of terrorism, export controls and sanctions, tourism regulations as well as health, safety, security and environmental requirements. If required by law or due to other regulatory requirements, Users shall ensure that it and its representatives and subcontractors fully cooperate with Smoobu and provide any required information.
   4. Users are provided with individual access to the Platform (“User Access”) which can be realized by entering a username and password. A User must choose a secure and appropriate username (email address) and an adequate and individual password. The password must be set following all state-of-the-art technical and security recommendations and kept confidential at all times.
   5. The User is responsible for maintaining the confidentiality of the User Access and for all activity conducted by, or on behalf of, the User.
   6. The User shall inform Smoobu immediately if it becomes aware of any suspicious or unauthorized use or access to the Platform and take all appropriate security measures to secure their User Access to the Platform. Furthermore, the User will immediately inform Smoobu if it detects problems or suspicious behavior relating to the Platform.
   7. The User will refrain from the following activities:
      • Reverse Engineering: The User shall not engage in any form of reverse engineering, decompiling, disassembling, or otherwise attempt to derive the source code, underlying algorithms, or structure of the Platform, whether in whole or in part;
      • Inserting Bugs or Malicious Code: The User shall not introduce, upload, transmit, or distribute any viruses, worms, trojan horses, malware, or any harmful or malicious code that may disrupt, damage, or impair the functionality, security, or integrity of the Platform; and
      • Copying and Reproduction: The User shall not copy, reproduce, modify, distribute, display, perform, or create derivative works based on the Platform or any part thereof.
   8. Users must treat their User Access and all data stored on the Platform as Confidential Information (see section 9 below).
   9. If the User culpably breaches these obligations, they are responsible for any resulting damage.
   10. The User may assign additional assistant user accounts “Assistant Accounts” via the Platform. The User is responsible for the management of Assistant Accounts, for their compliance with their use of the Platform in accordance with these T&C and with all relevant laws and regulations.
   11. Users are entirely responsible for any and all activities that occur under the User´s account and any related Assistant Accounts. Smoobu will not be liable for any loss that Users may incur as a result of unauthorized access due to a Users failure to comply with these T&C. Users may be held liable for losses incurred by Smoobu or third parties due a Users failure to comply with these T&C.
   12. Smoobu´s Platform is accessible and usable via the internet. Users are responsible for the necessary internet hardware, network connection and its adequate speed; the appropriate computer systems’ security settings, proper IT compatibility, and maintenance of any equipment necessary to connect to, access, or otherwise access the Platform.
   13. The User is responsible for the correct entry, accurate maintenance and regular backup of the data and information required to use the Platform. The provisions under the heading “Liability and Indemnification” remain unaffected by this section.
   14. The User permits Smoobu to use its name for research, customer reference, marketing, advertising and sales promotional purposes until revoked by the User (email is sufficient) which may include communications to Users as part of these efforts.
4. Intellectual Property
   1. Smoobu is the sole and exclusive owner of all intellectual property rights including but not limited to copyrights, patent rights, trade secrets and trademarks which are developed and provided for in accordance with these T&C.
   2. The User shall not upload or otherwise provide any content to the Platform or use the Platform in any way that breaches any law or infringes any organization’s or individual’s rights or contravenes any applicable laws and/or regulations.
5. Liability and Indemnity
   1. Smoobu shall be liable without limitation for any legal reason in the event of intent or gross negligence, in the event of intentional or negligent injury to life, limb or health, on the basis of a guarantee promise, unless otherwise regulated in this respect, or on the basis of mandatory liability such as under the Product Liability Act. If Smoobu negligently breaches a material contractual obligation, liability shall be limited to the foreseeable damage typical of the contract, unless unlimited liability applies in accordance with the above clause. Essential contractual obligations are obligations which the contract imposes on Smoobu according to its content in order to achieve the purpose of the contract, the fulfillment of which makes the proper execution of the contract possible in the first place and on the observance of which the User may regularly rely. Any further liability of the provider is excluded.
   2. The parties agree that the amount of the damages foreseeable and typical for the contract pursuant to clause (1) above is limited to the Fees paid by the User to Smoobu in the immediately preceding 12-month period.
   3. The above liability provisions also apply with regard to the liability of Smoobu for its vicarious agents and legal representatives.
   4. The User will indemnify, defend and hold harmless Smoobu (including its directors, employees, agents or contractors) from and against any claims, costs, damages, losses, liabilities and expenses relating to any claims, actions, suits or proceedings by third parties against Smoobu arising out of the Users failure to comply with these T&C.
   5. The Platform, the Integrations, their use and the results of such are provided “as is” to the fullest extent permitted by law. Smoobu disclaims all express or implied warranties, including warranties of satisfactory quality and fitness for a particular purpose which may be implied in respect of the Platform or Integrations.
6. Billing and Payment
   1. Users shall pay the applicable fees (“Fees”) as specified on the Platform per Subscription. Except as otherwise provided (i) payment obligations are non-cancellable, (ii) Fees are non-refundable; (iii) all Fees are payable in advance including both initial Subscriptions and renewals, and (iv) All Fees are subject to the applicable statutory value-added tax (VAT).
   2. Smoobu may provide the User with a free trial license of the Platform for a limited period of time, for a duration at Smoobu’s sole discretion (“Test Phase” or “Free Trial”). The Test Phase shall exclusively include the testing of the Platform in a test environment with a possible limited scope to the full version subject to a charge; otherwise, the rights of use granted in these T&Cs shall apply. To continue using the Platform after the end of the Test Phase a User’s obligation to pay Fees begins.
   3. In case of late payment of Fees Smoobu is entitled to:
      • Receive interest at the statutory rate (§ 288 BGB) for the period of the payment delay; and
      • Suspend access to the Platform, Smoobu’s claim to the contractually agreed Fees remains unaffected.
   4. Should automatic billing fail to occur for any reason, Smoobu will issue an electronic invoice indicating that a User must proceed manually, within a certain deadline date, with the full payment corresponding to the billing period as indicated on the invoice.
7. Term and Termination
   1. Unless otherwise agreed in writing, this Agreement can be terminated with one month’s written notice, email is sufficient. Subscriptions will automatically renew for subsequent terms (same duration and Fees as initial Subscription) unless terminated in accordance with this clause or if said Subscription is no longer offered by Smoobu. The right to extraordinary termination of the Agreement for good cause remains unaffected.
   2. Smoobu may terminate this Agreement immediately on written notice if the User:
      • Materially breaches these T&C; or
      • Fails to pay any Fees due after 30 days upon falling due.
   3. Upon termination of a Subscription, Smoobu, in its sole discretion may provide the User with access to an alternative Subscription.
   4. Upon termination of the Agreement, and for an additional period of up to 30 days after termination end date, the User may download its data from the Platform.
   5. Clauses 5 (4), 6, 7, and 9 shall survive termination.
8. Data Protection
   1. Both parties shall comply with all applicable laws, including but not limited to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, (the “GDPR”) and the Federal Data Protection Act (the “BDSG”). Each party shall provide the other party any cooperation reasonably requested to enable the other party’s compliance with this clause.
   2. The parties agree to incorporate the data processing agreement included as Annex A, which forms part of these T&C, to provide for the processing of User´s guest´s personal data by Smoobu (“Data Processing Agreement”, “DPA”). Smoobu is a Processor (as defined by the GDPR) for any guest’s personal data uploaded to the Platform by or processed on behalf of a User.
   3. A User shall ensure and is solely responsible that they make all necessary and statutory data protection disclosures to data subjects regarding the use of the Smoobu Platform.
9. Confidentiality
   1. “Confidential Information” means any information disclosed by or relating to a party including information about a party’s business operations, products or trade secrets and which is either marked as confidential or which a reasonable person would regard as confidential.
   2. Either party may share Confidential Information with its Group Companies. “Group Companies” means any holding company or subsidiary of a party or any of its holding companies. A company is a subsidiary of another company, its holding company, if that other company (i) holds a majority of the voting rights in it, or (ii) is a member of it and has the right to appoint of remove a majority of its directors, (iii) or is a member of it and controls alone a majority of the voting rights in it.
   3. Save as set out in these T&C neither party will disclose Confidential Information. Confidential Information shall be kept confidential.
   4. The obligation at clause (3) above shall not apply to Confidential Information to the extent it:
      • Is in the public domain (other than as a result of a breach of these T&C);
      • Can be demonstrated as having been independently developed by the receiving party; or
      • Is required to be disclosed by law or court order.
   5. Both parties may disclose Confidential Information to its employees, agents, professional advisors or contractors on a need to know basis, provided that such individuals are bound by confidentiality obligations at least as restrictive as provided for in these T&C.
   6. Smoobu reserves the right to disclose any information as Smoobu deems necessary to satisfy any applicable law, regulation, legal process or governmental or regulatory request.
10. Final provisions
    1. This Agreement is subject to the substantive law of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods.
    2. If the User has no general place of jurisdiction in Germany, the parties agree that the place of jurisdiction for all disputes arising from this contractual relationship shall be the registered office of Smoobu.
    3. Without the prior written consent of Smoobu, the User may not, assign, transfer, novate, sub-license any rights or obligations, whether in their totality or in part, to a third party, unless otherwise agreed upon. Nonetheless, each party may assign the rights and obligation under the T&C to the surviving entity, in connection with a merger, reorganization, consolidation, change in control or a sale of basically all of its assets, provided that the surviving entity is not a direct competitor, or the other party and assignee agrees in writing to be bound by these T&C.
    4. If individual provisions in these T&C shall become null or void, this will not affect the remaining provisions of these T&C. In place of ineffective or inapplicable provisions, the parties shall agree on an appropriate agreement, which comes closest to what the parties intended, and which corresponds to what would have been agreed in accordance with the purpose and intention of these T&C if the matter in question had been considered earlier.
    5. In the event of (“Force Majeure”) that prevents Smoobu from providing the Platform, Smoobu shall be released from its obligation to perform for the duration of the Force Majeure and additionally for a reasonable period of time for the resumption of the Platform. In this case, deadlines shall be postponed by the aforementioned period. Force Majeure events shall include, in particular, fire, explosion, flood, war, blockade, embargo, labor disputes, pandemics and official measures in connection with the aforementioned events for which Smoobu is not responsible. Claims for damages are excluded in this case. Smoobu is also not responsible for the functionality and availability of third-party services and other third-party components that the User maintains or has obtained via third parties, in particular the booking portals in the distribution network (connected online travel agents).
    6. Smoobu is authorized to amend these T&C in its sole discretion and subject to a reasonable period of notice. Existing Users will be notified by email at least two weeks before the change comes into effect. If the existing User does not object within the deadline set in the notification of change, their consent to the change shall be deemed to have been granted. If it objects, the changes shall not come into force; in this case, Smoobu shall be entitled to terminate the Agreement extraordinarily at the time the change comes into force. The notification shall refer to the intended amendment to these T&C, the deadline and the consequences of an objection or failure to object.
    7. Smoobu shall be entitled to adapt the Platform to the respective proven and established state of the art and technology. These adaptations include, among other things, safety-related and/or legally necessary changes, additions and extensions to the Platform; changes in accordance with generally applicable development specifications that have only a minor influence on the User’s work processes. The influence is minor if changes are made to the processes on the part of the User, but these are not replaced or terminated, but continue to exist with appropriate changes on the part of the User and at the User’s expense.
    8. Smoobu reserves the right to collect and statistically analyze data regarding Features (defined in Annex B) and how Users interact with and use the Platform for the purposes of quality assurance and the further development of Smoobu´s Platform and Features.
    9. Adjustments due to changes in the services offered by distribution networks (in particular OTA – Cloud-based Online Travel Agencies), which can be unilaterally enforced against Smoobu on the basis of the applicable contractual conditions. Smoobu reserves the right to replace the system requirements with others. In this case of a change described herein with significant influence, Smoobu shall inform the User in advance, at least in text form, using all available information and knowledge with the usual care. Significant influence exists, if functionalities are omitted; or are not only insignificantly restricted and therefore considerable additional organizational effort is required on the part of the User, as well as professional or technical changes have to be made.

Data Processing Agreement

Stand: June 18th, 2024

Agreement on Data Processing pursuant to Art. 28 GDPR

1. Object and duration of the agreement
   1. Item
      • This Data Processing Agreement (“DPA”) is concluded between Smoobu GmbH (“Smoobu”, “Processor”, “Contractor”) and a company as a user of the Smoobu Platform and its services (“User”, “Client”, “Controller”), whereby the details of the parties are set out in the Main Agreement and the applicable T&C for the SaaS Platform Agreement for the provision of digital services (“T&C”) by Smoobu. This DPA is a supplement to the Main Agreement, as it is incorporated into it by reference, defines the rights and obligations of the Client and Smoobu and applies to all services performed and described in the Main Agreement and provided by Smoobu to the Client.
      • This DPA applies insofar as the Client uses digital services (including the websites and mobile applications) of Smoobu on the Platform or Smoobu processes personal data in accordance with the instructions of the Client, including personal data provided to the Contractor by or on behalf of the Client, for the purpose of providing services under the Main Agreement. If none of the above conditions apply, this DPA shall not apply.
      • In the event that other local laws to which the Client is subject require additional precautions with regard to data protection-related matters in connection with the fulfilment of the Main Agreement, which are not mentioned or sufficiently described here in the DPA, the parties shall make such precautions, provided that the Client informs the Contractor sufficiently in advance and the Contractor can implement them economically and technically after examination.
   2. Duration
      • The duration of this DPA (“Term”) corresponds to the term of the Main Agreement. The Contractor shall process the Client’s personal data for the duration of the provision of the Services and thereafter until the data is deleted or returned in accordance with a corresponding instruction. Cancellation or other termination of the main contractual relationship shall simultaneously terminate this DPA.
      • Notwithstanding the preceding paragraph, this DPA shall apply for as long as the Contractor processes the Client’s personal data (including backups, etc.). As a necessary measure to ensure data integrity and availability, the Contractor may retain backup copies of the Client’s personal data even after the end of the provision of the Services. The Contractor shall ensure that such personal data is not actively used and that access to it is strictly limited.
   3. Cancellation
      • The Client may terminate this DPA with immediate effect if the Contractor or one of its sub-processors violates the provisions of this DPA or relevant data protection laws.
      • The Contractor may terminate this DPA if the Client objects to a sub-processor that the Contractor deems necessary for the provision of the services or if the Client issues an instruction that the Contractor deems impracticable to implement.
   4. Definitions
      • For the purposes of this DPA, the terms “appropriate technical and organisational measures“, “controller“, “personal data“, “personal data breach“, “processing“, “processor” and “supervisory authority” (or appropriately equivalent terms) shall each have the meaning given to them in applicable data protection law.
      • Relevant data protection laws are (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) Regulation (EU) 2016/679 of the United Kingdom (“GDPR UK”), whereby references to the GDPR are to be understood as references to the corresponding provisions of the GDPR UK; (iii) national legislation that supplements the GDPR and regulates the processing of personal data.
      • Client Personal Data includes all personal data, incl. data of the Client and its customers, using Client´s services (“Customer”) processed by the Contractor in accordance with the Instructions for the purpose of providing the Services, including personal data provided to the Contractor by or on behalf of the Client. For the avoidance of doubt, Client Personal Data does not include (i) the personal data that the Contractor would have independently of the Client’s use of the Services, in particular traffic data from third parties, such as linked technical information on devices used (IP address, cookie IDs, other metadata) (where relevant) and (ii) aggregated statistical information that does not constitute personal data.
      • Instruction / Instruction means an instruction regarding the scope and manner of the processing of the Client’s personal data that the Client gives to the Contractor in any form, such as, but not limited to, selected provisions of the Main Agreement and this DPA, written orders from the Client, emails or settings on the Platform provided to the Client by the Contractor.
      • A Sub-processor is a third-party data processor commissioned by the Contractor who has access to the Client’s data as a processor or will process it in accordance with the instructions issued.
      • Standard Contractual Clauses/ SCC are the Standard Contractual Clauses approved by the European Commission for the transfer of personal data from the European Union to third countries, as amended, replaced, supplemented or superseded from time to time, and the full current version of which can be found at the following link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
      • DPF means the EU-U.S. Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework or any successor self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time that has not been invalidated (and in each case includes the U.K. extension of the EU-U.S. Data Privacy Framework and any other country extension of that framework that extends the application of the EU-U.S. Data Privacy Framework to that country)
2. Specification of the content of the DPA
   1. The user as Client and Controller commissions Smoobu as Contractor to process the personal data of the Client as processor in accordance with the documented instructions.
      
   2. As part of the general obligations, the Client shall ensure and document that the Contractor may, for the purpose of providing the Services, process the personal data provided by the Client, including its customer Personal Data used by the Client, in accordance with the Client’s instructions and in compliance with the laws applicable to such processing. The Client shall ensure an appropriate legal basis for the processing of Customer Personal Data and shall provide accurate and comprehensive information to the data subjects about the processing of Customer Personal Data as required by the Data Protection Laws. Accordingly, the Client shall inform its Customers transparently in accordance with the relevant legal requirements.
      
      Further details can be found in the Main Agreement and Annex 1.
3. Technical and organizational measures
   1. The Contractor shall take all necessary technical and organisational measures in its area of responsibility in accordance with Art. 32 GDPR to protect personal data and shall provide the Client with the documentation for review, attached as Annex 2. The Client may request additional information on the technical and organisational measures implemented by the Contractor from time to time.
      
      If accepted by the Client, the documented measures shall form the basis of the DPA. The Contractor shall implement and maintain the measures, including appropriate security measures, necessary to protect the Client’s personal data from unauthorized or accidental access, loss, alteration, disclosure or destruction, and shall assist the Client in ensuring compliance with the Client’s obligations in this regard, taking into account the nature of the processing and the information available. The Contractor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the costs of implementation and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons must be taken into account.
      
   2. If the inspection/audit of the Client reveals a need for adjustment, this shall be implemented by mutual agreement.
      
   3. The agreed technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures in the future. In doing so, the security level of the specified measures may not be undercut. The Client must be informed immediately of any significant changes, which must be documented by the Contractor.
4. Rights of data subjects
   1. The Contractor shall support the Client in its area of responsibility and as far as possible by means of suitable technical and organisational measures in responding to and implementing requests from data subjects with regard to their data protection rights. It may not provide information on, port, correct, delete or restrict the processing of the data processed on behalf of the Client without authorization, but only in accordance with documented instructions from the Client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay. The Client shall receive support from the Contractor in responding to requests from data subjects and shall then reimburse the costs incurred by the Contractor as a result.
      
   2. If covered by the scope of services, the rights to information, rectification, restriction of processing, erasure, and data portability shall be ensured directly by the Contractor in accordance with the documented instructions of the Client.
5. Quality assurance and other obligations of the Contractor
   1. In addition to compliance with the provisions of this DPA, the Contractor has its own legal obligations under the GDPR; in this respect, it guarantees compliance with the following requirements in particular:
      • Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees, staff, representatives, service providers and Sub-contractors who have been obliged to maintain confidentiality and who have been familiarised with the data protection provisions relevant to them in advance. The Contractor and any person subordinate to the Contractor who has authorized access to personal data may only process this data in accordance with the Client’s instructions, including the authorizations granted in this DPA, unless they are legally obliged to process it.
        
      • The Client and the Contractor shall cooperate with the supervisory authority in the fulfilment of their tasks upon request.
        
      • Immediately informing the Client of any inspections and measures taken by the supervisory authority insofar as they relate to this DPA. This also applies if a competent authority investigates the processing of personal data in the context of administrative offense or criminal proceedings relating to the processing of personal data by the Contractor.
        
      • If the Client is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party, another claim or a request for information in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.
        
      • The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
        
      • Verifiability of the technical and organizational measures taken vis-à-vis the Client within the scope of its control powers in accordance with Section 8 of this DPA.
        
      • Taking into account the type of processing and the information available, the Contractor shall notify the Client immediately of any breaches of personal data protection in such a way that the Client can fulfill its legal obligations, in particular in accordance with Art. 33, 34 GDPR. He shall prepare documentation on the entire process, which he shall make available to the Client for further measures.
        
      • The Contractor shall support the Client in its area of responsibility and as far as possible within the scope of existing information obligations towards supervisory authorities and data subjects and shall provide it with all relevant information in this context without delay.
        
      • The Contractor shall not communicate with supervisory authorities, data subjects or the media about data breaches, responses to requests to exercise data protection rights or other incidents relating to the Client’s personal data without the Client’s instructions, unless this is required by data protection laws.
        
      • Insofar as the Client is obliged to carry out a data protection impact assessment in accordance with Art. 35 GDPR, the Contractor shall support it, taking into account the type of processing and the information available to it. The same applies to any existing obligation to consult the competent data protection supervisory authority.
   2. This DPA does not release the Contractor from compliance with other provisions of the GDPR.
6. Subcontracting relationships
   1. Subcontracting relationships within the meaning of this provision shall be understood as those services that relate directly to the provision of the main service. This does not include ancillary services that the Contractor utilizes, e.g. telecommunications services, postal/transport services, cleaning services or security services. Maintenance and testing services shall constitute a subcontracting relationship if they are provided for IT systems that are provided in connection with a service provided by the Contractor under this DPA. However, the Contractor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the data protection and data security of the Client’s data, even in the case of outsourced ancillary services.
      
      The Client authorizes the Contractor to appoint sub-processors within the scope of the data processing specified in this DPA and agrees that these sub-processors may commission other processors with the processing of the Client’s personal data. The Client consents to the commissioning of the sub-processors specified in Annex 3 subject to the condition of a contractual agreement with the sub-processors in accordance with Art. 28 (2-4) GDPR.
      
      The contractual agreement shall be presented to the Client upon request, with the exception of business clauses not related to data protection law.
      
   2. Outsourcing to Sub-contractors or changing the existing Sub-contractor in accordance with Appendix 3 is permitted, provided that:
      
      • the Contractor notifies the Client of such outsourcing to or change of Sub-contractors in advance in an appropriate manner in digital or other form in accordance with Annex 3 within a reasonable period of time, which may not be less than 14 days, and
      • the Client does not object to the planned outsourcing in writing or in text form to the Contractor by the time the data is handed over, and
      • is based on a contractual agreement in accordance with Art. 28 (2-4) GDPR.
      • For this purpose, the Client shall inquire about changes at irregular intervals on the website on which the Contractor duly informs about the identity and scope of the order.
        
   3. The transfer of personal data of the Client to the Sub-contractor and the Sub-contractor’s initial activities are only permitted once all requirements for subcontracting have been met. Compliance with and implementation of the Sub-contractor’s technical and organizational measures shall be checked in advance of the processing of personal data, taking into account the Sub-contractor’s risk, and then regularly by the Contractor.
      
   4. If the Subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure that the service is permissible under data protection law by taking appropriate measures.
7. International data transfers
   1. Any transfer of personal data to a third country or to an international organization requires documented instructions from the Client and requires compliance with the requirements for the transfer of personal data to third countries in accordance with Chapter V of the GDPR.  The Client authorizes the transfer of data to a third country to the recipients listed in Annex 3. The measures authorized by the Client to ensure an adequate level of protection under Art. 44 et seq. GDPR in the context of subcontracting. These measures may include, in particular, the implementation of the standard data protection clauses (SCC) referred to in Article 46(2)(c) of the GDPR or, as in the case of a transfer to a provider in the USA, in accordance with the rules of the DPF.
      
   2. If the Client instructs the transfer of data to third parties in a third country, the Client shall be responsible for compliance with Chapter V of the GDPR.
8. Control rights of the Client
   1. The Client shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by independent auditors to be appointed in individual cases. It shall have the right to satisfy itself of the Contractor’s compliance with this DPA in its business operations during normal business hours by means of random checks, which must generally be notified in good time. The Client shall notify the Contractor in writing (e-mail is sufficient) in advance of any inspection to be carried out in accordance with this section, stating the scope, form and desired contribution of the cooperation of the Contractor. Depending on the work involved, the costs incurred and the degree of disruption to ongoing business operations, the Contractor shall send the Client a suitable remuneration arrangement in advance and invoice it later.
      
   2. The Contractor shall ensure that the Client can satisfy itself of the Contractor’s compliance with its obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
      
   3. Proof of the technical and organizational measures for compliance with the special requirements of data protection in general as well as those relating to the order can be provided at the express written request of the Client by sending corresponding reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors) on the basis of the currently recognized IT and data protection standards and economically proportionate measures.
9. Authorization of the Client to issue instructions
   1. During the term of this DPA, the Client may issue instructions to Smoobu as Contractor. The Contractor shall process personal data only on the basis of documented instructions from the Client, unless it is obliged to do so under the law of the Member State or under Union law. The Client shall confirm verbal instructions without delay (at least in text form). The Client’s initial instructions shall be determined by this DPA. If the Client issues additional instructions to the Contractor, the Client shall reimburse the Contractor for any costs incurred as a result of these instructions.
      
   2. The Contractor shall inform the Client immediately if it is of the opinion that an instruction violates data protection regulations or is of the opinion that a specific instruction leads to a violation. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.
      
   3. Upon termination of the term and provision of services under the Main Agreement and without prejudice to the applicable statutory retention and deletion periods for the Client’s data, the Client hereby instructs the Contractor to delete or anonymize the personal data of the Client’s customers in its possession within 120 days of termination, unless an instruction or data protection laws require otherwise.
10. Deletion and return of personal data
    1. Copies or duplicates of the data shall not be created without the Client’s knowledge. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that is required in order to comply with statutory retention obligations.
       
    2. After completion of the contractually agreed work or earlier at the request of the Client – but at the latest upon termination of the Main Agreement – the Contractor shall hand over to the Client all documents, processing and utilization results and data pertaining to the contractual relationship that has come into its possession or, with prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion log must be submitted on request.
11. Liability
    1. The Contractor shall indemnify the Client for any direct damage suffered by the Client as a result of a breach of this DPA, including the accidental loss, disclosure, destruction or damage of personal data of the Client by the Contractor or any of its sub-processors unless any of the above is due to compliance with the Client’s instructions. For the avoidance of doubt, the limitations of the Contractor’s liability set out in the Main Agreement shall not apply to this section.
12. Final Provisions
    1. Insofar as other agreements on the protection of personal data arise from other agreements between the Client and the Contractor, this DPA on commissioned processing shall take precedence, unless the parties expressly agree otherwise.
       
    2. If any part of this DPA is held to be invalid or unenforceable, the remainder of this DPA shall be construed so as to preserve the intentions of the parties to the greatest extent possible.
       
    3. Either party may propose amendments to this DPA that it deems necessary due to data protection laws or other regulations, interpretations, decisions or guidelines. In such cases, the parties shall cooperate to amend this DPA accordingly.
       
    4. Unless disputes between the parties are settled amicably, this DPA shall be interpreted, construed and enforced in accordance with the law and by the courts of the Federal Republic of Germany as provided in the Main Agreement.
       
    5. For all inquiries regarding the processing of the Client’s personal data, the Client should contact the Contractor at [email protected].

Version: June 2024

Appendix 1 – Scope of processing

Description of the processing:

1. Nature and purpose of the intended processing of data
   The nature and purpose of the processing of personal data by the Contractor for the Client are specifically described in the service agreement (Main Agreement). The Contractor shall process the Client’s personal data in electronic form on an ongoing basis and may carry out the following operations on it on instruction: Collection, recording, organization, structuring, storage, use, disclosure and deletion.
2. Type of data
   The subject of the processing of personal data in accordance with the Main Agreement are the following types of data and concern both the Client and the Client’s Customers with whom the Client has a legal relationship:
   • Personal master data
   • Communication data (e.g. telephone, e-mail)
   • Activities of the data subjects on the services specified by the Client
   • Contract master data (contractual relationship, product or contractual interest) 
   • Client history 
   • Contract billing data
   • No special categories of personal data are processed.
3. Categories of data subjects
   The categories of data subjects affected by the processing include in accordance with the main contract:
   • Client
   • Customers of the Client
   • Employees of the Client
   • Providers of integration services and their contact persons

Appendix 2 – Technical and organizational measures

Description of the technical and organizational measures taken by the Contractor, taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.

Measures for pseudonymisation and encryption of personal data:

Depending on the type of data to be processed, different security requirements apply to each category.

Personal data of the Client (and its employees) shall be pseudonymized (and anonymized if necessary) by the Contractor, if possible and as required in accordance with the standard defined by the Contractor.

The Contractor uses encrypted connections via VPN for remote access, SSL etc. and uses mechanisms for multi-level authentication where possible. It also ensures that there is no unauthorized use of the system by setting up the use of secure passwords, automatic locking mechanisms after a period of time, encryption of data carriers, use of a firewall, encryption of notebooks, management of user authorizations, creation of user-profiles and general guidelines on data protection and password assignment.

Description of measures to ensure continuous confidentiality, integrity, availability and resilience of systems and services related to processing

The Contractor shall maintain responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.

The Contractor shall ensure that there is no unauthorized access to data processing systems by securing the system with an alarm system with transponder system or code blocking, security locks, key allocation regulations and a regulation for visitors only when accompanied by employees.

Description of measures to ensure the availability of personal data and rapid access to data in the event of a physical or technical incident

The Contractor’s systems are designed to defend against or prevent common attacks and ensure availability for operation, monitoring and maintenance. To this end, the Contractor shall conduct regular simulated tests and audits to confirm that its systems remain available.

Availability and reliability is monitored to ensure that the Contractor’s Platform remains online with minimal service disruption.

Description of measures to ensure a process for regularly reviewing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing

The technical and organizational measures, applicable instructions and relevant guidelines are regularly reviewed by external service providers and through internal tests.

The Contractor carries out regular risk assessments, including vulnerability tests, internal and external penetration tests, network, system and firewall scans and checks. 

Description of measures for the identification and authentication of users

The Contractor’s systems are aligned with recognized industry standards and practices and have communication procedures in place to identify users, as well as robust password and authentication controls. Access to the system is logged and administrators can manage user rights.

Description of measures to protect personal data during transmission and storage

The Contractor shall maintain procedures to prevent unauthorized access or misuse of information and use industry best practices where necessary, such as unique IDs for authentication and for the purpose of secure mapping when transferring and storing in production systems.

Description of measures to ensure the physical security of places where personal data is processed

The Contractor’s premises are protected on site by video surveillance of the entrance areas and a personalized access system to prevent third parties from entering.  

The data centers used employ strict administration rights and have clear database structures so that each customer can only access data records that are assigned to this user ID.

Only persons who are expressly authorized and require information for their work have access to personal data.

Description of event logging requirements (e.g. for authentication of the Client or data entry, modification or deletion)

The Contractor’s data retention policy provides for different retention periods and backup copies depending on the category of data, including legal obligations or other exceptions that require the retention of such data until the expiry of certain legal obligations, e.g. for tax and accounting purposes. If it is not possible to destroy the personal data, the relevant protection provisions governing this personal data will continue to apply and any further processing will cease.

Appendix 3 – Authorised subcontracting relationships

A list of sub-processors that process personal data is set out on the following sub-processor website (and will be updated from time to time) and the Client hereby confirms consent to the sub-processors in place at the conclusion of the Contract. The Sub-Processors website includes a process for Clients to sign up for notifications of new Sub-Processors or changes to the list of Sub-Processors. To receive updates or changes to this list, you must register via the mechanism provided.

T&C - ANNEX B

Stand: June 18th, 2024

ANNEX B

This Annex B forms part of the Smoobu Terms and Conditions (T&C) and is applicable for certain Platform features (“Features”) as detailed below.  Features offered vary per Subscription. This Annex B is applicable if you use one or more of these Features.

1. Website Builder
   1. Smoobu offers a website builder (“Website Builder”) via the Platform which enables a User to create a publicly available website (“Website”).
      
   2. Websites may be hosted under a User´s own URL or  under a Smoobu-provided domain and Users are solely responsible for ensuring that the content (texts, graphics, photos, etc.) created and/or uploaded, including the Website domain name, complies with all applicable laws and regulations, including but not limited to the Digital Services Act (REGULATION (EU) 2022/2065) and youth protection, product liability, product safety, e-commerce (in particular legal obligations for provider labeling), competition, data protection and tax laws and, to obtain and maintain all necessary consents, approvals and authorizations at its own expense. Smoobu shall not be liable for any legal consequences arising from the User’s failure to comply with such laws and regulations.
      
   3. Users may only use the Features provided by Smoobu for legitimate business purposes that are directly related to the intended scope of the customer account on the Smoobu Platform. In particular, the website and means of communication may not be used for gambling or other purposes that are harmful to minors or incite violence or otherwise send spam, malicious code or other unlawful content.
      
   4. The User warrants that it is either the owner of the intellectual rights associated with the content created and/or uploaded or has a license to reproduce said content on the Website and the content does not infringe any other third-party rights.
      
   5. Smoobu reserves the right to suspend or terminate the User’s access to the Website Builder and take existing Websites offline at any time, without prior notice, if Smoobu determines that the User is using the Website Builder in violation of this Annex B and/or the T&C.
   6. The User acknowledges that the Website Builder may be subject to periodic updates and maintenance, which may result in temporary disruptions in service. Smoobu shall make reasonable efforts to both minimize any such disruptions and provide advance notice of such. Smoobu shall not be liable for any damages or losses arising from such disruptions.
      
   7. Any Websites that have not been updated or accessed for a period of twelve months or more may be taken offline and later deleted by Smoobu.
2. Integrated Booking System
   1. Smoobu offers an accommodation booking system (“Booking System”) which a User may embed in their own website or in the Website created via the Website Builder.
      
   2. The Booking System offers the User the technical possibility to conclude a distance contract online with guests for the rental of accommodation, whereby the availability of the respective accommodation is then transferred directly to the Smoobu Platform, provided that the accommodation is also linked to the Smoobu Platform in accordance with the T&C. All legal requirements necessary for a legally binding booking and all relevant consumer regulations must be complied with by the User and ensured and taken into account at their own instigation, responsibility and expense.
      
   3. The User is responsible for the initial embedding and continued maintenance of the Booking System in accordance with the guidance provided by Smoobu on the Platform and shall be solely responsible for all respective storage of such applicable transaction data.
3. Application Programming Interface (“API”) – For Developers
   1. This section governs Users connecting their own application to Smoobu via API. Smoobu provides various API’s for different use cases.
      
   2. Smoobu must be notified in writing via [email protected] before a User begins coding. Smoobu may provide the necessary keys and additional information per use case.
      
   3. Smoobu must be notified in writing via [email protected] before a User begins coding. Smoobu may provide the necessary keys and additional information per use case.
4. E-Invoicing
   1. Smoobu offers an invoicing Feature (“E-Invoicing”) which generates guest invoices according to a standard XML format; this data file constitutes an electronic invoice.
   2. Users are responsible for correctly inputting all required data to generate invoices via the Platform.
   3. Users are responsible for ensuring that all invoices generated via the Platform are correct before providing to the recipient. Smoobu accepts no liability for invoices with incorrect data or otherwise.
5. Dynamic Pricing
   1. Smoobu offers an additional Feature which permits Users to build, maintain and automate the optimal pricing strategies for their short term vacation rentals, “Dynamic Pricing”.
   2. The User is responsible to provide all mandatory data points and to activate the Feature individually for each accommodation via the Platform.
   3. Dynamic Pricing is activated individually for each accommodation via the Platform, not per User Account.
   4. By using Dynamic Pricing, you provide Smoobu with additional information, and authorize us to automatically update the pricing data for your short term accommodation rentals, in particular holiday homes or vacation rentals, on your behalf. Unless we otherwise agree in writing, we do not have permission to change any other details related to your account.
   5. Dynamic Pricing will be automatically deactivated when the source of applicable data is too low or insufficient and you will be notified of such.
   6. You may adjust your price settings on the Platform to manage our price recommendations according to your preferences. Additionally you may choose to deactivate Dynamic Pricing and set pricing manually. Any manual setting of prices, will require an active change of settings in order to revert to prices recommended by Dynamic Pricing.
   7. Dynamic Pricing may not be used for any benchmarking or other competitive purposes.
6. Feature Billing
   1. The monthly cost of Dynamic Pricing and E-Invoicing and any applicable additional chargeableFeatures are billed in accordance with your Smoobu Agreement and Subscription. E.g. if you have an annual Subscription, you will be billed annually for these Features.
   2. Additional paid Features may be canceled at any time and the cancellation will be effective at the end of your current billing cycle. You may continue to use these Features after cancellation until the end of the billing cycle. Any cancellation of Features does not impact your Subscription.
   3. Cancellation of paid Features must be made by clicking the “Cancel” button via the applicable Feature page on the Platform. You will receive a deactivation confirmation email.
   4. By using any additional paid Features via the Platform, you acknowledge that the fee structure and fees charged by Smoobu may change at any time. Smoobu will provide you with thirty (30) days advance notice of any changes to the then-existing fee structure. Continued use of any applicable Features following that 30-day notice period constitutes your agreement to the updated fee structure and fees. You acknowledge that if you object to the proposed fee structure change(s), your sole remedy may be to stop using said feature.
7. General
   1. These Features are provided as is and Smoobu makes no warranties or representations regarding their functionality, accuracy, reliability, or legal compliance thereof. The User acknowledges and agrees that Smoobu shall not be liable for any damages or losses arising from their use.
      
   2. Smoobu reserves the right to expand, change or delete services or Features and to make improvements, in particular if these serve technical progress and/or appear necessary and to prevent misuse. We will only make these changes to paid services if they are reasonable for our Users or if Smoobu is obliged to do so by law.
      
   3. The User agrees to indemnify and hold harmless Smoobu, its affiliates, and their respective officers, directors, employees, and agents from and against any claims, damages, liabilities, costs, and expenses arising from the Users use of these Features, including but not limited to any claims related to the Customer’s failure to comply with applicable laws and regulations and the T&C which incorporates this Annex B.