what we keep, what we don’t keep.

OAA is the data controller for personal data collected on this brand site. You may contact us by email or postal mail using the details published on the brand contact page.

A single data-protection contact handles all GDPR enquiries across OAA brands. Response time is 30 days maximum.

We collect data you provide directly when you book a stay (full name, email, phone number, billing address, accommodation preferences) and data automatically generated by browser interactions (IP, browser version, referrer, language).

We do not collect special-category personal data (health, religion, political opinions). Payment-card data never touches our servers — Stripe processes it directly under PCI-DSS Level 1.

Booking-related data is processed under contract performance (Article 6(1)(b) GDPR). Marketing emails are processed under explicit consent (Article 6(1)(a)) which you can withdraw at any time. Analytics are processed under consent recorded via the cookie banner.

Accounting records are retained under legal obligation (Article 6(1)(c)) for 10 years per French / German commercial law.

Personal data may be transferred to the following processors, each under a Data Processing Agreement: Stripe (payments), Postmark (transactional email), Supabase (database hosting in EU), Netlify (frontend hosting), Sentry (error monitoring).

No personal data is transferred outside the EEA. The full list of processors is available on request.

Booking records are retained for 24 months after the stay. Accounting records are retained for 10 years per legal obligation. Analytics aggregates are retained for 14 months. Marketing-consent records are retained until consent withdrawal plus 3 years for proof of consent.

After the retention period elapses, data is permanently deleted from active systems and backups within 30 days.

You may at any time exercise the rights granted by Articles 15 to 22 GDPR: access, rectification, erasure, restriction, portability, objection. You may also lodge a complaint with the supervisory authority of your habitual residence.

To exercise your rights, contact us by email. Response time is 30 days maximum. The first request is free; abusive repeat requests may be charged a reasonable fee.

If you are domiciled in France, the competent supervisory authority is the CNIL (cnil.fr). If you are domiciled in Germany, the competent authority is the BfDI (bfdi.bund.de). If you are domiciled in Sweden, the competent authority is IMY (imy.se).

You retain the right to lodge a complaint regardless of any prior contact with us.

We use a strictly limited set of cookies and equivalent technologies. Essential cookies (session, consent record, security) are exempt from consent requirement. Analytics and marketing technologies are activated only after explicit consent recorded via the cookie banner.

The full inventory of cookie purposes and retention periods is available in the consent banner settings panel.

When you book a stay, we optionally record the channel through which you discovered us (your answer to the "How did you find {brandName}?" question) along with any UTM parameters present in the landing URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term), the landing path, and the cross-origin referrer (when present).

Legal basis: legitimate interest (GDPR Article 6(1)(f); Recital 47), to measure the effectiveness of our marketing channels. No third-party cookie is set: this data is stored in sessionStorage, which clears when the browser tab is closed. Retention: on the booking record for ten years (accounting obligation). No transfer outside the EU. You may exercise your right to erasure by email.