Odybook.

Privacy Policy

Last updated: February 6, 2026

1. Introduction

Odybook ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our booking management platform.

This policy applies to all users of our platform, including tourism professionals (Agencies and Guides) and their customers who interact with our booking widgets. We process data according to the General Data Protection Regulation (GDPR).

By using our services, you acknowledge the collection and use of your data as described here. Odybook acts as a Data Controller for our customers (professionals) and a Data Processor for their clients' booking data.


2. Data Controller

The entity responsible for your personal data is:

Odybook SAS
[INSERT_COMPANY_ADDRESS], Paris, France
Email: privacy@odybook.com
Phone: [INSERT_PHONE_NUMBER]

For any privacy-related inquiries, please contact our Data Protection Officer at dpo@odybook.com.


3. Data We Collect

We collect and process the following categories of personal data:

3.1 Professional Account Information

  • Full name and professional credentials
  • Business email address and phone number
  • Company name, address, and VAT information
  • Profile images and branding assets

3.2 Booking and Customer Information

  • End-customer names and contact details
  • Reservation dates, participant counts, and preferences
  • Notes on dietary requirements or accessibility (if provided)
  • Gift card issuance and redemption history
  • Communication history between professional and client

3.3 Payment Information

All payment processing is handled by Stripe. We do not store full credit card numbers. We retain:

  • Transaction IDs and billing history
  • Subscription status and plan details
  • Payout bank account details (for professionals)

3.4 Technical and Usage Data

  • IP addresses, browser types, and device identifiers
  • Navigation paths and platform interaction metrics
  • Referral sources and session durations
  • Cookie identifiers and tracking data

4. Legal Basis for Processing

We process data based on the following legal grounds:

  • Contractual Necessity: To provide our booking management services
  • Legitimate Interests: For security, fraud prevention, and service improvement
  • Legal Compliance: For tax, accounting, and regulatory reporting
  • Explicit Consent: For marketing and non-essential cookie usage

5. How We Use Your Data

Your data is utilized for the following core operations:

  • Service Delivery: Managing accounts, experiences, and calendars
  • Booking Intermediation: Facilitating reservations and confirmations
  • Financial Management: Processing subscriptions and payouts via Stripe
  • Communication: Sending transactional emails and support updates
  • Personalization: Tailoring UI/UX based on language and currency preferences
  • Platform Security: Monitoring for system abuse and unauthorized access
  • Compliance: Maintaining legally required business records

6. Data Retention

Data is kept only as long as necessary for the purpose it was collected:

  • Active Accounts: Data is kept for the duration of the subscription
  • Closed Accounts: Most data is removed/anonymized within 12 months
  • Financial Records: Retained for 10 years per French accounting laws
  • Technical Logs: Retained for 6-12 months for security audits

7. Data Sharing

We share data with trusted sub-processors strictly for service provision:

  • Infrastructure: Supabase (Data storage) and Vercel (Hosting)
  • Payments: Stripe (PCI-compliant payment processing)
  • Communications: Resend (Email delivery service)
  • Productivity: Google Cloud (Optional calendar synchronization)

We do not sell personal data. All partners are audited for GDPR compliance and data security standards.


8. International Transfers

While our primary servers are in the EEA, some sub-processors operate in the US.

We ensure appropriate safeguards (Standard Contractual Clauses) are in place to maintain an equivalent level of protection as mandated by the GDPR.


9. Cookies

We use different types of cookies to operate the platform:

Essential Cookies

Required for authentication, security, and basic functionality. Cannot be disabled.

Performance Cookies

Used to understand usage patterns and improve platform performance. Anonymous telemetry.

Preference Cookies

Used to remember settings like language and display preferences.

You can update your preferences via our cookie banner at any time.


10. Security Measures

We protect your data with state-of-the-art measures:

  • Encryption of data at rest and in transit (TLS 1.2+)
  • Multi-Factor Authentication (MFA) for dashboard access
  • Automated vulnerability scanning and security monitoring
  • Strict internal access controls (Least Privilege principle)
  • Regular database backups and disaster recovery protocols

11. Your Rights

Under GDPR, you have the right to access, rectify, or erase your data. Your rights include:

  • Access and portability of your personal dataset
  • Correction of inaccurate or incomplete information
  • Deletion of data ("Right to be Forgotten")
  • Restriction of or objection to specific processing activities
  • Withdrawal of consent for marketing communications

To exercise these rights, email privacy@odybook.com. We respond within 30 days.

You also have the right to lodge a complaint with the CNIL (France) or your local authority.


12. Children

Our services are for professionals and adults. We do not knowingly collect data from children under 16 without parental consent (e.g., as part of a family booking handled by an adult).


13. Updates

We may update this policy periodically. Major changes will be notified via email or a platform banner.


14. Contact

Questions? Reach out to us at legal@odybook.com or via post at our registered address.

We are dedicated to transparent data processing and respect for user privacy.