Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how DTZ LABS SRL ("we," "us," or "our"), operating under the brand name BnBFlow, collects, uses, stores, and protects your personal data when you visit our website at https://bnbflow.io, use our property management application at https://app.bnbflow.io, or otherwise interact with our services.

We are committed to protecting your privacy and processing your personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR"), Romanian data protection legislation, and other applicable European privacy laws.

By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our services.

2. Data Controller

The data controller responsible for the processing of your personal data is:

DTZ LABS SRL

CUI: 46677120

Romania, European Union

Email: [email protected]

DTZ LABS SRL is a Romanian-registered company with European operations. We maintain a presence in Estonia to support our European operations and e-Residency infrastructure. All data processing activities are conducted within the European Union.

3. Data We Collect

3.1 Landing Site and Marketing Website

When you visit our website, we may collect the following data:

  • Analytics data: Page views, pages visited, referral source, device type, browser type, operating system, screen resolution, approximate geographic location (country/region level), and session duration. This data is collected through cookies and analytics tools only with your consent.
  • Contact form submissions: Name, email address, company name (if provided), and the content of your message when you submit a contact or inquiry form.
  • Cookie data: Essential cookies required for site functionality. Analytics and marketing cookies are set only with your explicit consent. See Section 10 for details.

3.2 BnBFlow Application

When you register for and use the BnBFlow application, we collect and process the following categories of personal data:

  • Account data: Name, email address, phone number, organization name, role, and authentication credentials.
  • Property data: Property names, addresses, descriptions, photographs, amenity information, pricing, and availability calendars.
  • Guest data: Guest names, email addresses, phone numbers, nationality, ID document copies (where required by local law for guest registration), digital signatures, and check-in/check-out records.
  • Payment data: Billing information is processed securely through Stripe. We do not store credit card numbers or full payment credentials on our servers. We retain transaction records, invoice details, and subscription status.
  • Communication data: Messages sent and received through the unified inbox, WhatsApp message logs, email notifications, and template content.
  • Booking data: Reservation details, booking sources (Airbnb, Booking.com, direct), guest counts, dates, pricing, and channel manager synchronization logs.
  • Financial records: Invoices, fiscal declarations, owner commission calculations, revenue reports, and tax-related documentation.

4. How We Use Data

We process your personal data for the following purposes:

  • Service delivery: To provide, operate, and maintain the BnBFlow platform, including property management, guest check-in, booking synchronization, smart lock access code generation, and fiscal invoicing.
  • Communication: To respond to your inquiries, send transactional notifications (booking confirmations, check-in instructions, access codes), and provide customer support.
  • Service improvement: To analyze usage patterns, diagnose technical issues, improve platform features, and develop new functionality based on aggregated, anonymized data.
  • Legal compliance: To comply with applicable legal obligations, including fiscal reporting requirements (e.g., e-Factura/ANAF in Romania), guest registration obligations under local tourism laws, tax record retention, and responding to lawful requests from authorities.
  • Security: To detect, prevent, and respond to fraud, unauthorized access, and other security incidents.
  • Billing and payments: To process subscription payments, generate invoices, and manage your account billing cycle.

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Consent (Art. 6(1)(a)): For analytics cookies, marketing communications, and optional data processing activities. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Contract performance (Art. 6(1)(b)): To provide you with the BnBFlow service as outlined in our Terms of Service, process your subscription, manage your account, and deliver the features you have subscribed to.
  • Legitimate interest (Art. 6(1)(f)): For service improvement based on aggregated usage data, fraud prevention, platform security, and direct communications about service updates. We balance our interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): To comply with fiscal invoicing requirements, tax record retention, guest registration mandated by tourism authorities, and data preservation obligations under Romanian and EU law.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with trusted third-party service providers who process data on our behalf under strict data processing agreements (DPAs) in compliance with GDPR Article 28. Our third-party processors include:

  • Stripe (Stripe, Inc.) — Payment processing. Stripe processes billing information and payment credentials under its own privacy policy and PCI DSS compliance. Stripe is certified under the EU-U.S. Data Privacy Framework.
  • Meta / WhatsApp (Meta Platforms, Inc.) — Delivery of WhatsApp notifications to guests. Message content, recipient phone numbers, and delivery status are processed through the official Meta Cloud API. Applicable only when you enable the WhatsApp add-on.
  • Channex (Channex Ltd.) — OTA channel management integration. Property data, availability, rates, and booking details are synchronized with Airbnb and Booking.com through Channex. Applicable only on Business plans with channel manager enabled.
  • Vercel (Vercel, Inc.) — Hosting and content delivery for our marketing website. Vercel processes server logs including IP addresses, request headers, and access timestamps.
  • Analytics provider — Website analytics for understanding traffic patterns and user behavior on our marketing website. Data is anonymized and collected only with your consent.
  • UpBill (UpBill SRL) — Fiscal invoicing and e-Factura/ANAF integration for Romania. Invoice data, company details, and transaction amounts are transmitted to generate fiscally compliant invoices.
  • Smart lock providers (TTLock, Nuki, Tuya) — Access code generation and lock management. Booking dates, property identifiers, and access code parameters are shared with the relevant smart lock platform when you enable the Smart Lock add-on.

7. International Data Transfers

DTZ LABS SRL processes and stores data primarily within the European Union. Our servers and primary infrastructure are located in EU data centers.

Where data transfer to countries outside the European Economic Area (EEA) is necessary (for example, when using Stripe or Meta services), we ensure that appropriate safeguards are in place, including:

  • Adequacy decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
  • EU-U.S. Data Privacy Framework: For transfers to certified U.S. companies participating in the Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): Where no adequacy decision or framework certification exists, we rely on EU-approved Standard Contractual Clauses.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, subject to the following retention periods:

  • Account data: Retained for the duration of your active account and for 5 years following account closure, to comply with legal obligations and resolve any disputes.
  • Financial records and invoices: Retained for 10 years from the date of creation, as required by Romanian fiscal legislation (Law 82/1991 on Accounting, as amended) and EU VAT regulations.
  • Guest registration data: Retained in accordance with the legal requirements of the jurisdiction where the property is located. In Romania, guest records must be retained for a minimum period as stipulated by tourism legislation.
  • Analytics data: Anonymized analytics data may be retained indefinitely. Identifiable analytics data is deleted within 26 months of collection.
  • Contact form submissions: Retained for 2 years from the date of submission, unless a business relationship is established.
  • Communication logs: WhatsApp messages and inbox conversations are retained for the duration of the active account plus 1 year.

Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized.

9. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes and recipients of processing.
  • Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.
  • Right to erasure (Art. 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful. This right is subject to legal retention obligations (see Section 8).
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to restriction of processing (Art. 18): You have the right to request restriction of processing when you contest the accuracy of data, when processing is unlawful, or when we no longer need the data but you require it for legal claims.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or with the supervisory authority of the EU Member State in which you reside.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, as required by GDPR.

10. Cookies

Our website uses cookies to ensure proper functionality and, with your consent, to analyze website traffic.

Essential Cookies

These cookies are strictly necessary for the operation of our website. They include session identifiers, security tokens, and cookie consent preferences. Essential cookies do not require consent and cannot be disabled.

Analytics Cookies

Analytics cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent, and navigation paths. These cookies are set only after you provide explicit consent through our cookie banner. You may withdraw your consent at any time through the cookie settings accessible in the website footer.

Third-Party Cookies

We do not use third-party advertising or tracking cookies. If any third-party service we integrate with sets cookies (for example, embedded content), these are covered under the respective third party's privacy policy.

11. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard algorithms.
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Multi-factor authentication is enforced for administrative access.
  • Regular audits: We conduct periodic security assessments and vulnerability testing to identify and address potential risks.
  • Incident response: We maintain an incident response plan to address data breaches promptly. In the event of a breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.

12. Children

BnBFlow is a business-to-business service designed for property managers and accommodation providers. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Provide a prominent notice on our website for at least 30 days.
  • Notify registered users via email for changes that materially affect how their data is processed.

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the revised policy.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

Data Protection Officer

DTZ LABS SRL

Email: [email protected]

General support: [email protected]

You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro or with the supervisory authority in your country of residence.