1. Data Controller
1.1. The controller of personal data is C0D3 sp. z o.o. with its registered office in Krakow, ul. Karmelicka 27/301, 31-131 Krakow, Poland, entered in the Register of Entrepreneurs of the National Court Register under KRS number 0001194905, NIP (Tax Identification Number) 6762702494 (hereinafter: "Administrator" or "Booquela").
1.2. To contact the Administrator regarding personal data matters: [email protected].
2. What Data We Collect
2.1. Data provided during registration: first name, last name, email address, authentication data (including password stored using appropriate technical safeguards).
2.2. Data provided during reservation: contact details, reservation information (date, hours, room), payment data (processed by the payment operator Stripe, Inc.; payment card data is not stored on the Administrator's servers).
2.3. Billing and invoicing data: data necessary for issuing invoices and accounting documents, including business or Studio Owner data (company name, tax identification number, registered office address).
2.4. Data collected automatically: IP address, device identifiers, browser type, operating system, date and time of visit, pages viewed, source of entry to the Platform.
2.5. Review data: review content, ratings, date of publication. Reviews and ratings are published publicly on the listing page of the respective room and on the Studio Owner's profile.
2.6. Correspondence data: content of messages sent through the Platform's messaging system between Clients and Studio Owners in connection with Reservations.
2.7. Security data: user event logs, information about login attempts, changes to account security settings, data related to two-factor authentication (2FA).
3. Purposes and Legal Bases for Processing
3.1. We process personal data for the following purposes and on the following legal bases (in accordance with Article 6(1) of the GDPR):
| Purpose | Legal basis |
|---|---|
| Performance of the contract (account registration, reservation, service delivery) | Article 6(1)(b) - performance of a contract |
| Processing of payments and settlements | Article 6(1)(b) - performance of a contract |
| Communication between Users in connection with Reservations | Article 6(1)(b) - performance of a contract |
| Handling of complaints | Article 6(1)(b) - performance of a contract |
| Handling of disputes, chargebacks, and claims | Article 6(1)(f) - legitimate interest (protection of the rights of the Administrator and Users) |
| Issuing invoices and accounting documents | Article 6(1)(c) - legal obligation |
| Fulfillment of tax and accounting obligations | Article 6(1)(c) - legal obligation |
| Operating the review and rating system | Article 6(1)(f) - legitimate interest (building trust and transparency on the Platform) |
| Ensuring Platform security, detecting abuse, and preventing fraud | Article 6(1)(f) - legitimate interest (protection of Users and integrity of the Platform) |
| Ensuring transaction security, handling chargebacks and payment disputes | Article 6(1)(f) - legitimate interest (protection of the rights of the Administrator and Users) |
| Establishing, pursuing, and defending claims | Article 6(1)(f) - legitimate interest (protection of the Administrator's rights) |
| Conducting internal operational and evidentiary analyses related to security and service quality | Article 6(1)(f) - legitimate interest (improvement of the Platform) |
| Platform usage analytics based on cookies or similar identifiers | Article 6(1)(a) - consent |
| Internal statistical analyses and reporting based on aggregated or anonymized data | Article 6(1)(f) - legitimate interest (improvement of services) |
3.2. Detailed information regarding the Administrator's legitimate interests, including the results of balancing tests, is available upon request by contacting the Administrator.
4. Is Providing Data Mandatory?
4.1. Providing data marked as required during account registration (first name, last name, email address, password) is necessary for the conclusion and performance of the contract for the provision of electronic services. Failure to provide this data makes it impossible to create an account on the Platform.
4.2. Providing data necessary to make a Reservation (contact details, payment data) is a condition for concluding a Reservation agreement. Failure to provide this data makes it impossible to make a Reservation.
4.3. Providing billing data (company details, tax identification number, address) by Studio Owners is necessary for commission settlements and the issuance of accounting documents. Failure to provide this data makes it impossible to use the Platform in the role of a Studio Owner.
4.4. Providing other data (e.g., review content, profile photo) is voluntary; however, the absence of such data may limit access to certain functionalities of the Platform.
5. Automated Decision-Making
5.1. As a general rule, the Administrator does not make decisions producing legal effects or similarly significant effects solely by automated means within the meaning of Article 22 of the GDPR.
5.2. The Platform may use automated mechanisms for security purposes (e.g., detection of suspicious activity, blocking unauthorized login attempts) and for service quality purposes (e.g., monitoring quality parameters of Listings). These mechanisms support decision-making but do not replace human assessment in the case of decisions affecting User rights.
6. Data Recipients
6.1. Personal data may be disclosed to the following categories of recipients to the extent necessary for the fulfillment of processing purposes:
- Payment and settlement service operators, in particular Stripe, Inc. - for the purpose of processing payments, settlements, handling chargebacks, and payment disputes
- Studio Owners - to the extent necessary for the performance of a Reservation (first name, contact details of the person making the Reservation)
- Clients - to the extent necessary for the performance of a Reservation (studio details, Studio Owner's contact details)
- Hosting, IT infrastructure, and cloud service providers - for the purpose of storing, maintaining, and securing data, whereby as a general rule data is processed within the EEA, and in the event of transfer outside the EEA, appropriate safeguards required by law are applied
- Email and communication service providers - for the purpose of sending notifications and messages related to the operation of the Platform
- Analytics service providers - for the purpose of analyzing Platform usage and improving services (based on User consent, where required)
- Technical support and security service providers - for the purpose of maintaining and protecting the Platform
- Accounting, legal, and audit service providers - to the extent necessary for handling settlements, legal advice, and audits
- Entities supporting the handling of complaints, claims, chargebacks, and fraud prevention - to the extent necessary for the protection of the rights of the Administrator and Users
- Public authorities and other authorized entities - in cases provided for by applicable law
6.2. We do not sell personal data to third parties.
6.3. Upon receiving data to the extent necessary for the performance of a Reservation, the Studio Owner and the Client may process such data as separate controllers for their own purposes and on their own behalf and shall be responsible for ensuring the compliance of such processing with applicable regulations.
7. Transfer of Data Outside the EEA
7.1. As a general rule, personal data is processed within the European Economic Area (EEA).
7.2. Where data is transferred outside the EEA, in particular in connection with the use of payment operator services or infrastructure providers, such transfer is carried out with appropriate safeguards required by law, in particular on the basis of standard contractual clauses (SCCs), adequacy decisions, or other mechanisms provided for in Chapter V of the GDPR.
7.3. Information about the safeguards applied when transferring data outside the EEA may be obtained by contacting the Administrator.
8. Data Retention Period
8.1. User account data - for the duration of holding an account, and after its closure for the period necessary for settlements, handling of active or historical Reservations, complaints, disputes, ensuring security, and fulfillment of legal obligations, including until the expiration of the statute of limitations for claims.
8.2. Reservation and settlement data - for the period required by tax and accounting legislation (as a general rule, 5 years from the end of the tax year in which the transaction took place), and in the case of ongoing disputes or claims - until their final resolution.
8.3. Payment data - in accordance with the retention policy of the payment operator (Stripe, Inc.). Payment card data is not stored on the Administrator's servers.
8.4. Correspondence and evidentiary data - for the period necessary for handling Reservations, complaints, disputes, and claims, and for the period required by law, including until the expiration of the statute of limitations for claims.
8.5. Review data - for the duration of their publication on the Platform, and after removal or hiding of a review, for the period necessary for the resolution of disputes, complaints, violations of Platform rules, and claims.
8.6. System logs and security data - for a period of 12 months from the date of the event, unless longer retention is necessary in connection with a security incident, dispute, or proceedings.
8.7. Analytical data - data in the form of aggregate statistics or permanently anonymized data may be retained indefinitely. Analytical data allowing User identification is retained for the period resulting from the configuration of the respective analytical tool and necessary for the fulfillment of analytical purposes, but in no event longer than the period specified in the current cookie settings or documentation of the respective tool.
9. Cookies and Tracking Technologies
9.1. The Platform uses cookies, i.e., small text files stored on the User's device when using the Platform. Cookies are used to ensure the proper functioning of the Platform, to improve the quality of services, and, with the User's consent, to analyze the manner of Platform usage.
9.2. The Platform uses the following categories of cookies:
a) Essential (technical) cookies - required for the proper functioning of the Platform. They do not require User consent. They include:
- maintaining the User session and login status,
- language preferences,
- security tokens (CSRF),
- remembering the cookie choice (consent/refusal).
b) Functional cookies - used to remember User preferences and personalize the functioning of the Platform (e.g., recently viewed rooms, display settings). Functional cookies are used after obtaining User consent.
c) Analytical and statistical cookies - used to analyze the manner of Platform usage, measure the effectiveness of features, and improve services. They may be provided by third parties (e.g., Google Analytics or other analytical tools). Analytical cookies are used only after obtaining User consent.
d) Marketing and advertising cookies - may be used to measure campaign effectiveness, remarketing, or personalization of advertising content. Marketing cookies are used only after obtaining User consent.
9.3. Currently, the Platform does not use advertising cookies or cookies for behavioral marketing purposes. If the Administrator implements such technologies in the future, this will occur after prior notification to the User, appropriate updating of this Privacy Policy and cookie settings, and obtaining the required consent where such consent is required by law.
9.4. Upon the first visit to the Platform, the User is informed about the use of cookies and may choose which categories of cookies other than essential cookies they accept. The scope of available categories depends on the technologies currently used on the Platform.
9.5. The User may at any time withdraw or change their consent to the use of cookies other than essential cookies through the cookie settings available on the Platform. Withdrawal of consent is as easy as granting it. Independently, the User may also manage cookies through their browser settings. Detailed information about specific cookie categories, their providers, duration, purpose, and the ability to enable or disable them is available in the cookie settings on the Platform.
9.6. Disabling essential cookies through browser settings may prevent the proper use of the Platform.
10. User Rights
10.1. Under the GDPR, you have the following rights:
- Right of access (Article 15) - obtaining information about processed data and a copy of the data
- Right to rectification (Article 16) - correcting inaccurate or supplementing incomplete data
- Right to erasure (Article 17) - deletion of data ("right to be forgotten")
- Right to restriction of processing (Article 18) - restricting the scope of data processing
- Right to data portability (Article 20) - receiving data in a structured, commonly used, machine-readable format
- Right to object (Article 21) - objecting to processing based on legitimate interest
- Right to withdraw consent (Article 7(3)) - withdrawing consent to data processing where consent is the basis for processing (e.g., analytical cookies); withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal
10.2. The above rights are not absolute and in certain cases may be subject to limitations arising from the provisions of law, in particular where processing is necessary for:
- the performance of a legal obligation incumbent upon the Administrator,
- tax and accounting settlements,
- the establishment, pursuit, or defense of claims,
- ensuring the security of the Platform or the protection of the rights of other persons.
10.3. To exercise your rights, please contact us at: [email protected]. The identity of the person submitting the request may be verified prior to its fulfillment.
10.4. You have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland.
11. Contact with the Administrator
11.1. For all matters related to the protection of personal data, please contact:
- Email: [email protected]
- Postal address: C0D3 sp. z o.o., ul. Karmelicka 27/301, 31-131 Krakow, Poland
11.2. We respond to inquiries concerning personal data without undue delay, no later than within 30 days. In the case of complex or numerous requests, this period may be extended by a further two months, of which the User shall be informed.
12. Changes to the Privacy Policy
12.1. The Privacy Policy may be updated in connection with changes in law, technology, the scope of services, or the manner of data processing.
12.2. We shall inform you of material changes in a manner appropriate to the nature of the change, in particular through the Platform or by email.
12.3. The current version of the Privacy Policy is always available on the Platform.