Privacy Policy
Last updated: June 2026
1. Controller
Oasis Appart GmbH
Gustav-Becker-Strasse 4
01979 Lauchhammer
Germany
Managing Directors: Philipp Geppert, Thomas Manig
Email: info@oasify.de
Phone: +49 3573 809 6785
Commercial Register: Amtsgericht Cottbus, HRB 16902
2. Overview of Data Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.
Types of Data Processed
- Master data (name, address, date of birth, nationality)
- Contact data (email, phone)
- Content data (booking information, ID document data, messages)
- Usage data (pages visited, access times, feature usage)
- Meta/communication data (IP addresses, device information)
- Payment data (for Stripe subscriptions)
- Employee data (name, working hours, hourly wage)
- Communication content (guest messages, team messenger, WhatsApp)
Data Subjects Concerned
- Website visitors and prospects
- Customers (landlords using the platform)
- Guests of customers (self-service check-in, messages)
- Employees of customers (cleaning, time tracking, payroll)
3. Legal Bases
The processing of personal data is carried out on the basis of the following legal grounds:
- Performance of a contract (Art. 6(1)(b) GDPR) — check-in data, booking data, invoice data, employee data, guest communication
- Legitimate interests (Art. 6(1)(f) GDPR) — security, fraud prevention, error monitoring, operational optimization
- Legal obligation (Art. 6(1)(c) GDPR) — registration requirements (Sections 29–30 BMG), tax law (Section 147 AO, Section 257 HGB), GoBD
- Consent (Art. 6(1)(a) GDPR) — analytics cookies, Community Pricing Intelligence, WhatsApp communication
4. Contact Form / Enterprise Inquiries
On our website we offer a contact form for enterprise inquiries. Use of the form is voluntary. When submitting an inquiry, we process the following personal data:
Required information:
- First and last name
- Email address
- Number of apartments (selection field)
Optional information:
- Company name
- Phone number
- Free-text message
Purpose of Processing
The data is processed exclusively for handling your inquiry and for contacting you in the context of pre-contractual measures. We use your email address to send you a confirmation of receipt and to contact you regarding your inquiry.
Legal Basis
Processing is based on Art. 6(1)(b) GDPR (implementation of pre-contractual measures taken at the request of the data subject).
Recipients / Service Providers
- Supabase Inc. (USA) — database hosting and storage. The server is located in the EU region (eu-west-1, Ireland); personal data does not technically leave the EEA. In the event of processing by the US parent company, Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR have been concluded, as well as a Data Processing Agreement (DPA). Additionally, a Transfer Impact Assessment (TIA) is in place. Privacy policy: supabase.com/privacy
- Resend Inc. (2261 Market Street STE 5694, San Francisco, CA 94114, USA) — sending confirmation emails. Resend Inc. is certified under the EU-US Data Privacy Framework (DPF) (since March 2025); the transfer is based on the adequacy decision of the European Commission pursuant to Art. 45(1) GDPR. Additionally, a Data Processing Agreement (DPA) has been concluded. Privacy notice: resend.com/legal/dpa
Retention Period
The retention period depends on the processing status of your inquiry:
- New/contacted inquiries: Automatic deletion 6 months after receipt, unless contract negotiations are initiated.
- Qualified inquiries (ongoing contract negotiations): Automatic deletion 24 months after the last status change.
- Completed inquiries: Automatic deletion 12 months after completion.
If a contract is concluded, the inquiry data will be transferred to the contract documentation and will be subject to the corresponding contractual and tax retention periods. You may request early deletion of your inquiry at any time (info@oasify.de).
5. Kiosk Self-Service Check-In
During the self-service check-in, the following data is processed:
- Name, address, date of birth, nationality, email of the guest
- ID document photo (national ID card or passport) — automatically deleted after the statutory retention period
- OCR-extracted data (first name, last name from the ID document) — stored separately from the editable address form
- Booking number and details from Smoobu
- Check-in timestamp and verification results
ID document photos are stored encrypted in Supabase Storage (EU region) and automatically deleted after the configurable retention period (default: 14 days after checkout). Access to ID document photos is restricted to authorized administrators.
5.1 OCR Processing (Microsoft Azure OpenAI, EU)
For automatic text recognition (OCR) on ID documents, the photo is transmitted for text extraction to the Microsoft Azure OpenAI Service. The contracting data processor is Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland). Processing and storage take place via a regional “Standard” deployment exclusively within the EU (Sweden Central region); no third-country transfer occurs in regular operation. The data is not used to train any models.
Data minimisation: the ID portrait and the machine-readable zone (MRZ) are redacted server-side before transmission, so no biometric facial data reaches the processor.
The processing relationship with Microsoft is governed by the Microsoft Products and Services Data Protection Addendum (DPA) (May 2026 edition) including EU Standard Contractual Clauses (Module 2). Microsoft Ireland Operations Limited processes within the EEA; to the extent the US parent company Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, USA) could obtain access, this is safeguarded by the EU SCCs pursuant to Art. 46(2)(c) GDPR and the EU-US Data Privacy Framework (DPF), under which Microsoft is certified. By default, Microsoft retains API requests for up to 30 days for abuse monitoring within the EU (a reduction to zero days via “Modified Abuse Monitoring” has been requested). Sub-processors are listed at aka.ms/subprocessors.
Technical fallback: in the event of an Azure outage, processing may be configured to fall back to OpenAI Ireland Limited (Dublin, Ireland; sub-processor OpenAI OpCo, LLC, USA, safeguarded by EU SCCs and DPF). This fallback is inactive in regular operation and receives no data; any activation would be reflected here.
Legal basis: Art. 6(1)(c) GDPR (legal obligation — capturing and verifying the identity data fulfils the statutory registration requirement under §§ 29–30 BMG), supplemented by Art. 6(1)(b) GDPR (performance of a contract — identity verification is part of the check-in process).
5.2 Digital Registration Form
As part of the check-in process, a digital registration form (Meldeschein) is created pursuant to Sections 29–30 BMG. It contains the mandatory details (name, date of birth, nationality, address, arrival/departure date, accompanying persons). The registration form can be exported as a PDF. Retention period: 1 year after departure (varies by federal state).
6. Guest Communication
6.1 Platform-Internal Messages
Customers can communicate directly with their guests through the platform (inbox, templates, broadcast messages, scheduled messages). The following data is processed:
- Message content and timestamps
- Email addresses of guests (for email delivery)
- Delivery status and read receipts
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — the communication serves to carry out the accommodation contract).
6.2 WhatsApp Business Messaging (optional)
If the customer has activated the WhatsApp integration, messages can be delivered to guests via WhatsApp Business. Data is transmitted to Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) and/or Meta Platforms Inc. (USA):
- Guest's phone number
- Message content
- Delivery status
Activation of the WhatsApp integration by the customer is voluntary. As the controller, the customer is responsible for ensuring that an appropriate legal basis exists for contacting the guest via WhatsApp (e.g. legitimate interest or the guest's consent).
Meta Platforms Ireland Limited processes data within the EEA. For any transfers to the USA by Meta Platforms Inc., the provisions of the EU-US Data Privacy Framework and EU Standard Contractual Clauses apply. Privacy notice: WhatsApp Business Data Processing Terms
7. AI-Powered Features
7.1 AI Assistant (Chat)
The AI assistant uses large language models (LLMs) to answer questions about operations and perform data analyses. The following data is processed:
- The user's chat input
- Context data from the organization (bookings, check-ins, statistics)
Processing is based on Art. 6(1)(b) GDPR (performance of a contract). Chat input is not used to train AI models. Processing takes place via the Microsoft Azure OpenAI Service (EU) under the data protection safeguards described in Section 5.1 (inactive technical fallback: OpenAI Ireland Limited).
7.2 AI-Powered Messaging Features (Translation, Reply Suggestions)
If the customer uses AI-powered messaging features (automatic translation of incoming guest messages, AI reply suggestions “Quick Reply”, AI-powered support suggestions), the respective message content is transmitted for processing to the Microsoft Azure OpenAI Service (EU, see Section 5.1). This may include personal data that the guest or user enters into the message themselves.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — handling guest communication), supplemented by Art. 6(1)(f) GDPR (legitimate interest in efficient, multilingual guest support). The content is not used to train AI models and is processed exclusively within the EU.
7.3 AI-Based Cleaning Planning
AI-powered cleaning planning analyses booking patterns and cleaning history to suggest optimal cleaning time windows. Only aggregated operational data is processed, no personal guest data.
7.4 AI-Powered Maintenance and Development (Anthropic)
The management of Oasis Appart GmbH uses the AI assistant “Claude” by Anthropic, PBC (San Francisco, USA) for maintenance, error analysis and further development of the platform. Personal data may be transmitted to Anthropic on a case-by-case basis as the context of a maintenance session — for example when a specific support incident or technical error requires it. Transfers are made exclusively by the platform operator and never automatically or as part of the standard application logic.
Data categories processed: case-specific selected database content, source code and configuration, error logs, the platform operator's input in the chat. Under its Commercial Terms, Anthropic does not use API input for training purposes. Standard retention at Anthropic: 30 days. For transfers to the USA, EU Standard Contractual Clauses (SCCs) apply. Privacy notice: anthropic.com/privacy.
Read and write accesses to customers' personal data during maintenance sessions are automatically logged in the internal audit log (table pii_write_audit_log) and can be presented at the controller's request.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the stability, maintenance and further development of the platform).
8. Dynamic Pricing and Community Pricing Intelligence
8.1 Dynamic Pricing
Dynamic price calculation processes the following non-personal data: booking occupancy, season configuration, lead times, weekday patterns and event calendars. No personal guest data is used for price calculation.
8.2 Community Pricing Intelligence (Market Data)
With active participation (opt-in), anonymized price data of the customer is fed into a market data pool to calculate regional price benchmarks. Anonymization is achieved through:
- k-anonymity: at least 3 organizations and 5 apartments per region
- Trimmed mean: 10% of outliers are removed
- No individual data: organization and apartment counts are not disclosed to other customers
Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time in the platform settings. Upon withdrawal, the customer's data is excluded from future benchmark calculations.
9. Smart Lock (Nuki)
When unlocking the door, unlock commands are transmitted to the Nuki Cloud API (Nuki Home Solutions GmbH, Graz, Austria). Device IDs and timestamps are processed. No personal guest data is transmitted to Nuki. The Nuki activity history (unlock times) is stored in the platform.
10. Noise and Environment Monitoring (Minut)
When using the Minut integration, environmental data from Minut sensors is processed:
- Noise levels (dB values, no audio recording)
- Temperature and humidity
- Alarm events (noise threshold exceeded, cigarette smoke)
No personal guest data is transmitted to Minut. Processing takes place via Minut Inc. (Sweden/USA). For the data transfer to the USA, EU Standard Contractual Clauses (SCCs) have been concluded. Privacy notice: minut.com/privacy
11. Payment Processing (Stripe)
For processing subscription payments, we use Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland / Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA). During payment processing, your payment data is transmitted directly to Stripe. Our servers do not store any credit card data or bank details — only a Stripe customer ID for assignment.
Stripe Payments Europe Ltd., as an Irish company, is established within the EEA. For any transfers to Stripe Inc. (USA), the provisions of the EU-US Data Privacy Framework (DPF) apply. Privacy policy: stripe.com/privacy
12. Accounting Export (lexoffice, sevDesk — optional)
With the lexoffice or sevDesk integration activated, invoice data (invoice number, amounts, VAT, guest names and addresses as invoice recipients, booking and service periods, VAT ID) is automatically synchronized into the accounting account configured by the customer.
- Haufe-Lexware GmbH & Co. KG (lexoffice), Munzinger Strasse 9, 79111 Freiburg, Germany. Processing takes place exclusively within Germany. Privacy notice: lexware.de/datenschutzhinweise
- sevDesk GmbH, Hauptstrasse 115, 77652 Offenburg, Germany. Processing takes place exclusively within Germany. Privacy notice: sevdesk.de/datenschutz
Both integrations are used only if the customer activates them in the platform settings and stores their own API credentials. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (fulfilment of tax obligations).
13. Hosting
13.1 Application Hosting (Vercel)
The web application is hosted on Vercel (Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA). With each page request, technical data (IP address, user agent, timestamp) is processed by Vercel. Vercel stores access logs for a maximum of 30 days.
Vercel Inc. is certified under the EU-US Data Privacy Framework (DPF). The transfer is based on the adequacy decision of the European Commission pursuant to Art. 45(1) GDPR. Additionally, a Data Processing Agreement (DPA) has been concluded. Privacy notice: vercel.com/legal/privacy-policy
13.2 Database and Storage (Supabase)
The database and file storage are provided by Supabase (Supabase Inc., USA). The Supabase server is located in the EU region (eu-west-1, Ireland), so personal data does not technically leave the EEA. For any processing by the US parent company, Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR as well as a Data Processing Agreement (DPA) have been concluded. Details on transfer safeguards: Section 4.
13.3 Reach Measurement (Vercel Web Analytics)
For the statistical analysis of website usage we use Vercel Web Analytics (Vercel Inc., USA). The service works cookie-free — no cookies are set and no information is stored on or read from your device. Recognition of individual visitors across multiple days is not possible.
Data processed: the URL accessed, referrer URL, user agent (browser and device type) and the country (derived from the IP address). The IP address is hashed at the edge and discarded at the latest at the end of the calendar day; it is never stored in plain text.
The legal basis is our legitimate interest in the needs-based design and statistical analysis of our website (Art. 6(1)(f) GDPR). As no cookies are set and no information is stored on the device, Section 25 TTDSG does not apply. Transfer safeguards (DPF + DPA) follow from Section 13.1. You may object to the processing at any time pursuant to Art. 21 GDPR (info@oasify.de).
14. Email Delivery (Resend)
For sending transactional emails (invoices, notifications, guest messages, system notifications) we use Resend Inc. (USA). Data processed: recipients' email addresses, email content (including invoice PDFs as attachments), delivery status.
Resend Inc. is certified under the EU-US Data Privacy Framework (DPF). Additionally, a Data Processing Agreement (DPA) has been concluded. Privacy notice: resend.com/legal/dpa
15. Error Monitoring (Sentry)
We use Sentry (Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) for error monitoring and performance optimization.
15.1 Server-Side Error Monitoring
Technical error data (stack traces, HTTP status codes) is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest in operational security). Personal data (email addresses, IP addresses) is automatically filtered out (PII scrubbing). Server-side error monitoring is permanently active to ensure secure and stable operations.
15.2 Client-Side Collection
Extended analytics data in the browser is collected only with your explicit consent (analytics cookie category).
Data collected with active consent:
- Error messages and stack traces
- Browser and device information
- Current URL and user interactions (Session Replay)
- IP address (anonymized by Sentry)
Legal basis: consent (Art. 6(1)(a) GDPR). Consent can be withdrawn at any time via the cookie settings. Sentry privacy policy: sentry.io/privacy
16. Notifications and Push Messages
The platform sends notifications via various channels:
- In-app notifications: stored in the database, no third parties
- Email notifications: via Resend (see Section 14)
- Push notifications: via the Expo Push service (for the mobile app)
For push notifications, the device's push tokens are transmitted to Expo (Expo Inc., USA). No personal content is transmitted in the push message itself — only a notification hint. The full message is retrieved only by the app via an authenticated API request.
17. Mobile Application (iOS / Android)
We provide a native mobile application (“Oasify”) for iOS and Android, available through the Apple App Store and Google Play Store. The mobile app is intended for staff (employees, administrators) and platform operators of customer organizations. It is not used by guests for self-check-in.
17.1 Data Categories Processed in the Mobile App
- Account and authentication data: email, user ID, encrypted access tokens stored on the device (iOS Keychain via Expo SecureStore, Android Keystore)
- Operational data displayed to staff: guest names, phone numbers, email addresses, booking details — only for the organizations the user is authorized to access
- User-generated content: cleaning verification photos, consumable purchase receipts, damage report photos, in-app messages between team members and with guests
- Device and notification data: Expo / FCM / APNs push tokens (used solely to deliver operational push notifications), device model, operating system version
- Diagnostics data: anonymized crash reports and performance traces via Sentry (no email, IP, or user ID attached — see Sections 15 and 17.4)
Legal basis: Art. 6(1)(b) GDPR (performance of the service contract between us and the customer organization employing the user) and Art. 6(1)(f) GDPR (legitimate interest in operational stability for diagnostic telemetry).
17.2 Camera and Photo Library Access
The app requests access to the device camera and photo library only when the user actively triggers a photo upload (cleaning documentation, receipt scan, damage report). No background access, no continuous capture. Permission can be revoked at any time in the operating system settings.
17.3 Push Notifications
Push notifications are delivered via Apple Push Notification service (APNs) for iOS and Firebase Cloud Messaging (FCM) for Android, routed through the Expo Push API (Expo, 650 California Street, San Francisco, CA 94108, USA). Push tokens are linked to the user account in our database to address notifications to the right device.
Notification content is limited to operational events relevant to the user's role (new bookings, cleaning assignments, guest messages, support escalations). Notifications can be disabled per category in the app settings, or globally via the operating system. Legal basis: Art. 6(1)(b) GDPR (service performance).
Apple privacy policy: apple.com/legal/privacy | Google / Firebase: firebase.google.com/support/privacy | Expo: expo.dev/privacy
17.4 Mobile Error Monitoring (Sentry)
Crash reports and performance traces from the mobile app are sent to a dedicated Sentry project hosted in the EU region (ingest.de.sentry.io). Personal identifiers (email, IP address, username, user ID) are stripped before transmission via a beforeSend filter. Session replay is not enabled in the mobile app.
Sample rates: 100 % of crashes, 20 % of performance traces in production. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational stability). Retention: 90 days.
17.5 No Tracking, No Advertising
The mobile app does not use cross-app tracking, advertising identifiers (IDFA / AAID), advertising SDKs, or analytics SDKs beyond the Sentry diagnostics described in 17.4. The app does not access location, contacts, calendar, microphone, or health data.
17.6 Local Data Storage
The app stores authentication tokens encrypted in the iOS Keychain or Android Keystore. Operational data (cached bookings, messages) is held in an on-device SQLite database for offline support and is wiped when the user logs out or the app is uninstalled.
17.7 Data Deletion in the Mobile App
Logging out of the app removes locally stored authentication tokens and clears the offline cache. Account deletion follows the same process as for the web application (see Section 21). Push tokens are deactivated automatically on logout and on account termination.
18. Team Messenger
The internal team messenger enables communication between employees and administrators within an organization. All messages are stored encrypted in the Supabase database (EU region). There is no disclosure to third parties.
19. Data Subject Rights
You have the right to:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR) — “right to be forgotten”
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — the platform provides a data export function (JSON/CSV) for this purpose
- Objection to processing (Art. 21 GDPR)
To exercise your rights, please contact: info@oasify.de
We will respond to your request within one month (Art. 12(3) GDPR). In complex cases, this period may be extended by a further two months, of which we will inform you.
Withdrawal of Consent (Art. 7(3) GDPR)
Where the processing of your personal data is based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw your consent at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent until the withdrawal remains unaffected.
How to withdraw consent:
- Cookie consent (Analytics/Sentry): Click the “Cookie Settings” link in the website footer to withdraw or adjust your consent for client-side data collection.
- Community Pricing Intelligence: Disable participation in the platform settings under “Market Data”.
- Other consents: By email to info@oasify.de or informally in writing to the controller's address above.
After withdrawal, processing based on the consent will be stopped immediately. Data already stored whose processing is based on another legal basis (e.g. statutory retention obligations) remains unaffected.
Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).
The supervisory authority responsible for us is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow, Germany
Phone: +49 33203 356-0
Email: poststelle@lda.brandenburg.de
Website: www.lda.brandenburg.de
20. Retention Periods and Deletion Processes
- ID document photos: automatic deletion 14 days after checkout date (configurable)
- Check-in address data: automatic deletion 2 years after collection
- Registration forms (Meldescheine): 1 year after departure (varies by federal state, maximum 2 years)
- Guest messages: deleted together with the associated guest record
- Invoices: personal data is pseudonymized after 8 years (Section 257 HGB, Section 147 AO). Invoice numbers and amounts are retained (GoBD-compliant).
- Booking data: 8 years (tax retention obligation under Section 14b UStG)
- Employee data: 3 years after termination of the employment relationship (limitation period), payroll data 6 years (Section 41(1) EStG)
- Enterprise inquiries: 6 months (new/contacted), 24 months (qualified), 12 months (completed) — automatic deletion in each case
- Account data: 30 days after account termination (see Section 21)
- Audit log entries: retained for the duration of the statutory retention periods and cannot be deleted manually (GoBD compliance)
21. Account Termination and Data Deletion
After termination of your Oasify account, the following process applies:
- Immediate suspension: Your access is suspended immediately.
- 30-day export window: You have 30 days to download your data via the data export function (JSON and CSV format). You will receive a notification by email.
- Reminder: You will receive a reminder email 7 days before final deletion.
- Automatic deletion: After the 30-day period, all your data will be irrevocably deleted.
- Invoice data: Will be retained in pseudonymized form for 8 years for legal reasons (Section 257 HGB, Section 147 AO), not deleted.
- Audit log: Tax-relevant entries are retained in accordance with GoBD.
22. Cookies and Local Storage
Technically Necessary Cookies
The platform uses technically necessary cookies for authentication (session cookie, refresh token) and language settings. These cookies are required for the operation of the platform and cannot be disabled.
Analytics Cookies (optional)
Extended analytics features (Sentry Session Replay) are only activated with explicit consent via the cookie banner. Consent can be withdrawn at any time via the cookie settings in the footer.
23. Changes
We reserve the right to amend this privacy policy to keep it in line with current legal requirements at all times or to implement changes to our services. In the event of material changes, registered customers will be informed by email. The current version can always be found on this page.