Last updated: May 2026
Privacy Policy
This Privacy Policy explains how we collect, use, share, and protect personal data when you use myperfectstay.com and the MyPerfectStay mobile apps for iOS and Android (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Digital-Services Data Protection Act (TDDDG).
1. Data controller
The data controller for the Service within the meaning of Art. 4 (7) GDPR is:
CloudCops GmbH
Amselweg 20
33758 Schloß Holte-Stukenbrock
Germany
Email: privacy@myperfectstay.com
See our Imprint for the full company details, including commercial register number and VAT-ID.
2. Data Protection Officer
We have not appointed a Data Protection Officer because the statutory thresholds in Art. 37 GDPR and § 38 BDSG do not currently apply to us. You may direct any data-protection question to privacy@myperfectstay.com and we will route it to the responsible person inside CloudCops GmbH.
3. Our UAE sister entity
MyPerfectStay’s commercial operations and B2B partner payouts in the MENA region are processed by Cloud Cops Technology L.L.C in the United Arab Emirates. Cloud Cops Technology L.L.C is not a controller, joint controller, or processor of MyPerfectStay user personal data. Personal data processed under this policy is processed exclusively by CloudCops GmbH in Germany on infrastructure located inside the European Union (see § 7 below). Commercial payouts to UAE partners do not contain personal data of MyPerfectStay end users.
4. Categories of personal data we process
We process only the data necessary to operate the Service. We never sell personal data, and we do not engage in third-party behavioural advertising.
- Account data — name, email address, password hash, profile photo (optional), language and currency preferences. Created when you register.
- Trip planning data — destinations, dates, group membership, votes, comments, saved itineraries.
- Booking data — traveller names, contact details, party composition, special requests, booking dates. Required to fulfil bookings with the relevant supplier.
- Payment data — for MyPerfectStay’s own payment flows, your full card number, CVC, and expiry date are tokenised by our payment processor and never stored on our servers. For affiliate bookings, payment is taken directly by the supplier (see § 6) and we do not see card details at all.
- Communications — emails you send us, support conversations, and lead-form submissions on /for-hotels and similar marketing pages.
- Device and diagnostics — crash reports, anonymised performance traces, and session-replay data with text and form input automatically masked (e.g. email and password fields are recorded as a black bar, not your typed values). Used to diagnose bugs and improve stability.
- Usage data — anonymised page and feature interaction counts; aggregated for product analytics.
- Server logs — IP address, user agent, requested URL, timestamp; retained short-term for security and fraud prevention.
5. Purposes and legal bases (Art. 6 GDPR)
We process personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account; group-trip features | Contract — Art. 6 (1) (b) GDPR |
| Processing bookings and payments; sending booking confirmations | Contract — Art. 6 (1) (b) GDPR |
| Tax records, accounting, and statutory retention | Legal obligation — Art. 6 (1) (c) GDPR; §§ 147, 257 HGB / § 147 AO |
| Fraud prevention, security, abuse investigation | Legitimate interest — Art. 6 (1) (f) GDPR |
| Diagnostics, crash reports, masked session replay | Legitimate interest — Art. 6 (1) (f) GDPR |
| Aggregated, anonymised product analytics | Legitimate interest — Art. 6 (1) (f) GDPR |
| Marketing emails, newsletters, lead-form responses | Consent — Art. 6 (1) (a) GDPR; § 7 (2) UWG |
6. Recipients and processors
We share personal data only with carefully selected processors under written data-processing agreements pursuant to Art. 28 GDPR. We currently rely on:
| Recipient | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Primary application hosting and database | Germany (EU) |
| Microsoft Azure (Microsoft Deutschland GmbH) | Kubernetes infrastructure, secrets storage | Germany / EU regions |
| Cloudflare, Inc. | Image CDN delivery (imagedelivery.net) | USA — SCC + EU-US DPF |
| Functional Software, Inc. (Sentry) | Crash reports and masked session replay | USA — SCC + EU-US DPF |
| Resend, Inc. | Transactional and lead-response email delivery | USA — SCC + EU-US DPF |
| Stripe Payments Europe Ltd | Payment processing for MyPerfectStay-direct flows | Ireland (EU) |
| Tripadvisor LLC (Viator) | Activity supplier — booking, payment, and fulfilment for affiliate activity sales. When you book a Viator activity we transfer the traveller details necessary to fulfil the booking; payment is taken directly by Viator. | USA — SCC + EU-US DPF |
| Google LLC | Google OAuth sign-in (only if you choose it) and Google Maps tiles | USA — SCC + EU-US DPF |
| MongoDB, Inc. (Atlas) | Supplier response cache (no end-user PII stored here) | EU region |
| Slack Technologies, LLC | Internal team notifications for B2B lead-form submissions only | USA — SCC + EU-US DPF |
The list above is a current snapshot. Where required, processors are bound to the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and certified under the EU-US Data Privacy Framework. Where additional safeguards apply (e.g. supplementary technical measures) we apply them on a case-by-case basis.
7. International transfers
We host the primary application and database inside the European Union. Some processors listed in § 6 are established in the United States; in those cases we rely on:
- an EU adequacy decision under Art. 45 GDPR (EU-US Data Privacy Framework) where the recipient is self-certified, and
- the EU Standard Contractual Clauses (SCCs) under Art. 46 (2) (c) GDPR as a secondary safeguard.
We do not transfer MyPerfectStay user personal data to our UAE sister entity, Cloud Cops Technology L.L.C, or to any other recipient outside the EU/EEA without an Art. 45 or Art. 46 safeguard.
8. Retention
| Category | Retention |
|---|---|
| Account, profile, trip-planning data | For as long as your account is active + 90 days after deletion |
| Booking records and invoices | 10 years (§ 147 AO, §§ 257, 238 HGB) |
| Payment receipts and tax-relevant payment metadata | 10 years (§ 147 AO) |
| Crash reports and session replay (masked) | 90 days |
| Server access logs | 14 days |
| Aggregated usage analytics | Up to 26 months |
| Marketing email list | Until you withdraw consent or unsubscribe |
| Support emails | 3 years after last contact |
9. Your rights
You have the following rights under the GDPR:
- Access — Art. 15 GDPR — confirmation of processing and a copy of the data we hold about you.
- Rectification — Art. 16 GDPR — correction of inaccurate data.
- Erasure — Art. 17 GDPR — deletion when one of the listed grounds applies. You can delete your account at any time from the in-app settings.
- Restriction — Art. 18 GDPR — restriction of processing during a dispute.
- Portability — Art. 20 GDPR — receipt of your data in a structured, machine-readable format.
- Objection — Art. 21 GDPR — objection to processing based on legitimate interest, including direct marketing at any time.
- Withdraw consent — Art. 7 (3) GDPR — for any processing based on consent, without affecting processing already carried out.
- Complaint to a supervisory authority — Art. 77 GDPR. Our lead supervisory authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.
To exercise any of these rights, write to privacy@myperfectstay.com. We respond within 30 days (extendable by up to two further months under Art. 12 (3) GDPR for complex requests).
10. Cookies and similar technologies
We use a minimal set of cookies and local-storage entries. We do not load third-party advertising or cross-site tracking cookies.
- Essential — authentication, session, CSRF protection, language/currency preference. Stored on your device under Art. 6 (1) (b) and (f) GDPR and § 25 (2) TDDDG (strictly necessary).
- Functional and analytics — anonymised counters only, stored on the basis of consent under § 25 (1) TDDDG where applicable, with a clear opt-out.
11. Marketing communications
We send marketing emails (e.g. product updates, B2B newsletters) only with your prior opt-in consent. Every marketing email includes a one-click unsubscribe link. If you submit a B2B lead-form (e.g. the revenue calculator on /for-hotels), we use the email address you provide to send you the requested report and to follow up on your enquiry; you may withdraw consent at any time by replying with the word “unsubscribe”.
12. Children
The Service is not directed to children under 16. We do not knowingly process personal data of children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Automated decision-making
We do not use automated decision-making or profiling that produces legal effects concerning you within the meaning of Art. 22 GDPR.
14. Changes to this policy
We will update this policy as our processing changes or as the law evolves. Material changes will be announced inside the Service and via email to active users at least 30 days before they take effect. The current version is always available at myperfectstay.com/privacy; the “Last updated” date at the top of this page reflects the latest revision.
15. Parent company privacy notice
CloudCops GmbH also operates a consulting business under cloudcops.com. The privacy notice for that business is available at cloudcops.com/en/privacy-policy. That notice governs visits to the cloudcops.com website and does not apply to the MyPerfectStay Service.
16. Contact
CloudCops GmbH, Amselweg 20, 33758 Schloß Holte-Stukenbrock, Germany
privacy@myperfectstay.com