Privacy Policy

1. Privacy at a Glance

General Information

The following provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the "Data Controller" section of this privacy policy.

How do we collect your data?

Your data is collected in part when you provide it to us - for example, data you enter into a contact form. Other data is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. browser type, operating system, or time of page access).

What do we use your data for?

Some data is collected to ensure error-free provision of the website. Other data may be used to analyze your browsing behavior.

What rights do you have regarding your data?

You have the right to receive free information about the origin, recipient, and purpose of your stored personal data at any time. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time. You also have the right, under certain circumstances, to request the restriction of processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

2. Hosting and CDN

External Hosting

This website is hosted by an external service provider (hoster). Personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access logs, and other data generated through a website.

External hosting is carried out for the purpose of fulfilling contracts with our prospective and existing customers (Art. 6(1)(b) GDPR) and in the interest of secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR).

3. General Information and Mandatory Disclosures

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

Please note that data transmission over the Internet (e.g. email communication) may have security vulnerabilities. Complete protection of data from third-party access is not possible.

Data Controller

The data controller for data processing on this website is:

Stellar Tourism Innovations GmbH
Torstrasse 105-107
10119 Berlin
Germany

Phone: +49 304 1738487
Email: hello@myxentra.com

Storage Duration

Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you submit a legitimate deletion request or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods).

Revocation of Consent

Many data processing operations are only possible with your explicit consent. You may revoke any previously given consent at any time. The legality of data processing carried out prior to revocation remains unaffected.

Right to Object (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING.

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT TO SUCH PROCESSING AT ANY TIME.

Right to Lodge a Complaint

In the event of GDPR violations, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, workplace, or the place of the alleged infringement.

Right to Data Portability

You have the right to receive data that we process automatically on the basis of your consent or in fulfillment of a contract, in a commonly used, machine-readable format, delivered to you or to a third party.

SSL/TLS Encryption

This site uses SSL/TLS encryption for security purposes and to protect the transmission of confidential content. You can recognize an encrypted connection by the browser address bar changing from "http://" to "https://" and the lock icon displayed in your browser.

Right to Access, Correction, and Deletion

You have the right, within the framework of applicable law, to free information about your stored personal data, its origin and recipients, and the purpose of data processing, as well as the right to correction or deletion of this data.

Right to Restriction of Processing

You have the right to request the restriction of processing of your personal data. This right applies in the following cases:

• If you dispute the accuracy of your personal data stored by us, we generally need time to verify this.
• If the processing of your personal data was/is unlawful, you may request restriction of processing instead of deletion.
• If we no longer need your personal data, but you need it for the exercise, defense, or assertion of legal claims.
• If you have lodged an objection under Art. 21(1) GDPR, a balancing of your and our interests must be carried out.

4. Data Collection on This Website

Cookies

Our websites use "cookies." Cookies are small text files that do not cause damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device.

Cookies that are required for electronic communication or for providing certain features you have requested are stored pursuant to Art. 6(1)(f) GDPR, unless another legal basis is specified.

You can configure your browser to inform you about the setting of cookies and to allow cookies only on a case-by-case basis. Disabling cookies may limit the functionality of this website.

Server Log Files

The hosting provider automatically collects and stores information in server log files that your browser transmits to us. These include:

• Browser type and version
• Operating system
• Referrer URL
• Hostname of the accessing computer
• Time of server request
• IP address

This data is collected pursuant to Art. 6(1)(f) GDPR.

Contact Form

If you send us inquiries via the contact form, your details from the form, including the contact data you provide, will be stored by us for the purpose of processing the inquiry and for follow-up questions. We do not share this data without your consent.

Inquiries via Email, Phone, or Fax

If you contact us by email, phone, or fax, your inquiry including all personal data derived from it will be stored and processed by us for the purpose of handling your request. We do not share this data without your consent.

5. Social Media

Social Media Profiles

We maintain online presences within social networks and process user data in this context to communicate with active users or to provide information about us.

Please note that user data may be processed outside the European Union. For a detailed description of processing methods and opt-out options, please refer to the privacy policies of the respective social network operators.

6. Analytics Tools and Advertising

Google Analytics

This website uses Google Analytics, a web analytics service. Provider: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics uses "cookies." The information generated by the cookie about your use of this website is usually transmitted to and stored on a Google server in the USA. We have enabled IP anonymization on this website.

You can prevent Google Analytics from collecting your data by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout

7. Newsletter

If you wish to subscribe to the newsletter offered on this website, we require your email address and information that allows us to verify that you are the owner of the specified email address. Processing is based solely on your consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time, for example via the "unsubscribe" link in the newsletter.

8. Plugins and Tools

Google Web Fonts

This site uses Google Web Fonts for consistent font display. When you access a page, your browser loads the required web fonts into its cache. This means Google learns that our website was accessed from your IP address.

More information at https://developers.google.com/fonts/faq and in Google's Privacy Policy.

9. eCommerce and Payment Providers

Processing of Customer and Contract Data

We collect, process, and use personal data only to the extent necessary for the establishment, content arrangement, or modification of the legal relationship (inventory data). This is done pursuant to Art. 6(1)(b) GDPR.

Stripe

We offer payment via Stripe. Provider: Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA. Data transmission to Stripe is based on Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (contract fulfillment).

Details: https://stripe.com/privacy

Chekin Soluciones Digitales

We use the services of Chekin Soluciones Digitales for collecting and managing guest data during the check-in process. Provider: Chekin Soluciones Digitales, S.L., Avda. República Argentina, 24 - 7º, 41011, Sevilla, Spain (NIF: B21579990).

When you complete an online check-in for an accommodation managed via Xentra and/or Chekin, your guest data (name, contact details, ID details, duration of stay, etc.) is transmitted to Chekin Soluciones Digitales. This data transmission is for fulfilling legal registration requirements and proper handling of your stay.

Details: https://chekin.com/en/privacy/

10. External Service Providers and Data Processors

In the course of providing the Xentra platform, we engage the following external service providers that may process personal data on our behalf. Data processing is based on Art. 6(1)(b) GDPR (contract fulfillment) and/or Art. 6(1)(f) GDPR (legitimate interest).

Communication & Messaging

Twilio Inc.

We use Twilio for sending SMS, WhatsApp, and voice messages to guests as part of guest communication. Provider: Twilio Inc., 101 Spear Street, Suite 500, San Francisco, CA 94105, USA. Phone numbers, message content, and timestamps are processed.

Details: https://www.twilio.com/legal/privacy

PMS Integrations (Property Management Systems)

Xentra synchronizes booking, guest, and property data with the following PMS platforms, provided the user has activated the respective integration. Booking data (guest names, stay dates, prices) and property data are transferred:

• Smoobu GmbH - Brunnenstraße 196, 10119 Berlin, Germany. Privacy Policy
• Guesty Inc. - 36 East 20th Street, New York, NY 10003, USA. Privacy Policy
• Hostaway Oy - Helsinki, Finland. Privacy Policy
• Beds24 GmbH - Hausseestr. 14, 16798 Fürstenberg, Germany. Privacy Policy
• Octorate S.r.l. - Via Filippo Caruso 23, 00173 Rome, Italy. Privacy Policy
• Lodgify S.L. - Barcelona, Spain. Privacy Policy
• Hostfully Inc. - San Francisco, USA. Privacy Policy
• Smily (formerly BookingSync) - Privacy Policy

Access Control & Smart Locks

Xentra integrates with the following smart lock and access control providers. When activated, access codes, device identifiers, and access logs are processed:

• Nuki Home Solutions GmbH - Münzgrabenstraße 92/4, 8010 Graz, Austria. Access codes, device IDs, and access logs are processed. Privacy Policy
• igloohome Pte. Ltd. - Singapore. PIN codes and access logs are processed. Privacy Policy
• SALTO Systems S.L. - Oiartzun, Spain. Access credentials and access events are processed. Privacy Policy
• Ring LLC (Amazon) - Santa Monica, CA, USA. When integrated with Ring Intercom, video/audio streams and access events are processed. Privacy Policy

Dynamic Pricing

PriceLabs Inc.

We integrate PriceLabs for automated, market-based pricing optimization. Booking data, occupancy rates, and pricing information are transmitted. Provider: PriceLabs Inc., Chicago, IL, USA.

Details: https://pricelabs.co/privacy

Artificial Intelligence

Google LLC (Gemini API / Google AI Studio)

Xentra uses Google's Gemini large language models via the Google AI Studio API for AI-powered features, including the AI messaging bot, smart reply suggestions, content generation, invoice data extraction, and natural language portfolio queries. When these features are used, relevant data (e.g., guest messages, property descriptions, invoice text) is transmitted to Google's servers for processing.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google processes data under the Gemini API Terms of Service. Pursuant to Google's API data usage policy, data sent via the paid API tier is not used to train Google's models.

Details: https://policies.google.com/privacy

ID Verification

Stripe Identity

For biometric identity verification during online check-in, we use Stripe Identity. ID photos and biometric selfie data are transmitted to Stripe Inc. for processing. Processing is based on Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(c) GDPR (legal registration obligations).

Details: https://stripe.com/privacy

Government Authority Connections

As part of legally required registration obligations, Xentra transmits guest data to the competent authorities in the respective countries. This transmission is based on Art. 6(1)(c) GDPR (fulfillment of a legal obligation). This includes, among others:

• Spain: Policía Nacional, Guardia Civil, Mossos d'Esquadra
• Italy: Alloggiati Web (Polizia di Stato), ISTAT
• Portugal: SEF (Serviço de Estrangeiros e Fronteiras)
• Germany: Meldeschein / Accommodation Registration
• Austria: Central Registration Register (ZMR)
• Croatia: eVisitor
• Others: Switzerland, Czech Republic, Colombia, UAE, and more

Statistical reporting is submitted to INE (Spain), ISTAT (Italy), AVS (South Tyrol), Turisme de Catalunya, and other regional authorities.

11. Audio and Video Conferencing

We use online conferencing tools to communicate with our customers. When you communicate with us via video or audio conferencing over the Internet, your personal data is collected and processed by us and the respective conferencing tool provider.

Conferencing tools are used to communicate with existing or prospective contractual partners (Art. 6(1)(b) GDPR) and for general simplification of communication (Art. 6(1)(f) GDPR).

12. Job Applications

You may apply to us (e.g. via email or online application form). When you send us an application, we process your related personal data to the extent necessary for deciding on the establishment of an employment relationship. Legal basis: § 26 BDSG (German Federal Data Protection Act) and Art. 6(1)(b) GDPR.

If we are unable to make you a job offer, we reserve the right to retain the data you submitted for up to 6 months after the end of the application process. The data will then be deleted.