1. Parties
This Data Processing Agreement (“Agreement”) is entered into between:
(1) Coolstays Ltd, company number 07652703, registered in England & Wales, with registered office at Nile House, Nile Street, Brighton, BN1 1HW (“Coolstays”, “we”, “us”, “our”); and
(2) The Property Owner or Agent (“Owner”, “you”, “your”), being the individual or entity listing or managing accommodation via the Coolstays platform.
Coolstays and the Owner are each a Data Controller of certain personal data, and in some cases the Owner acts as a Data Processor on behalf of Coolstays, as defined below.
2. Purpose and scope
This Agreement sets out the data-protection responsibilities and obligations of both parties when personal data of guests or potential guests (“Guest Data”) is shared or processed through the Coolstays platform for the purpose of managing accommodation bookings and related services.
3. Roles of the parties
Coolstays as Data Controller: Coolstays determines the purposes and means of processing Guest Data collected through its website and systems.
Owner as independent or joint Controller:
- When the Owner receives Guest Data directly from Coolstays to fulfil a booking, both parties act as independent controllers.
- If processing decisions are jointly made (e.g., marketing co-operations), both parties will act as joint controllers under Article 26 UK GDPR.
Owner as Data Processor:
- Where the Owner processes Guest Data solely on documented instructions from Coolstays, the Owner acts as a Data Processor.
- This Agreement governs that processor relationship.
4. Definitions
All capitalised terms have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
“Personal Data”, “Data Subject”, “Controller”, “Processor”, “Processing”, and “Personal Data Breach” have the meanings set out in those laws.
5. Categories of personal data
Guest Data processed under this Agreement may include (as applicable):
- Name, address, email, phone number
- Booking details (property, dates, payment status)
- Special requests or preferences
- Communication history
- IP address and device data (if transmitted via platform)
Special Category Data (e.g. health or accessibility information) will only be shared where necessary for the booking and must be handled with enhanced safeguards.
6. Owner obligations (when acting as Processor)
When processing Guest Data on behalf of Coolstays, the Owner must:
- Process only on documented instructions from Coolstays and only for the purpose of fulfilling the booking.
- Ensure confidentiality – restrict access to authorised persons under a duty of confidentiality.
- Implement appropriate technical and organisational measures to ensure data security, including:
- Secure storage and access control
- Encryption or pseudonymisation where appropriate
- Regular backups and patch management
- Physical security of devices or paper records
- Assist Coolstays in responding to Data Subject requests (access, erasure, rectification, etc.).
- Notify Coolstays immediately upon becoming aware of any actual or suspected personal-data breach (no later than 24 hours).
- Maintain records of processing activities where required by Article 30 UK GDPR.
- Not subcontract or transfer Guest Data to any third party without Coolstays’ prior written authorisation.
- Return or delete Guest Data upon completion of the booking or termination of this Agreement, unless retention is required by law.
7. Owner obligations (when acting as Controller)
When the Owner acts as an independent or joint Data Controller (for example, where the Owner determines how guest personal data is used for managing bookings, guest communications, or regulatory compliance), the Owner shall:
- Comply fully with UK Data Protection Law. The Owner must ensure that all processing of guest data complies with the UK GDPR and the Data Protection Act 2018, including having a valid lawful basis for each activity.
- Use guest data only for permitted purposes. The Owner may use guest data solely for:
- managing and fulfilling bookings received via the Coolstays platform;
- communicating directly with guests about their booking or stay; and
- complying with legal or tax obligation.
Any other use (such as direct marketing) requires the guest’s explicit, provable consent.
- Provide transparency to guests. The Owner must ensure guests are informed of their identity, contact details, and data-handling practices (for example, through a privacy notice displayed on the Owner’s website, booking confirmation, or in-property information).
- Respect guest rights. The Owner must handle any guest requests to exercise data-subject rights (access, erasure, etc.) promptly, and where relevant notify Coolstays without undue delay.
- Maintain security and accountability. The Owner shall implement appropriate technical and organisational measures to safeguard personal data, maintain internal records of processing, and perform data-protection impact assessments where required.
- Data sharing with Coolstays. When sharing personal data back to Coolstays (for example, post-stay feedback, dispute information, or cancellation details), the Owner must ensure that the sharing is lawful, proportionate, and limited to what is necessary.
- Breach notification. The Owner must notify Coolstays of any personal-data breach relating to guest data obtained through the platform, within 24 hours of becoming aware of it, even if the Owner acts as controller.
- Indemnity. The Owner shall indemnify and hold harmless Coolstays against any claims, fines, or losses arising from the Owner’s failure to comply with this section or applicable data-protection laws.
8. Coolstays obligations
Coolstays shall:
- Provide Owners with only the minimum personal data necessary for the enquiry or booking.
- Ensure that Guests are informed, via the Privacy Policy, that their data will be shared with Owners.
- Maintain its own security and compliance measures consistent with UK GDPR.
- Provide documented instructions and updates about data-protection expectations for Owners.
9. International transfers
If either party transfers Guest Data outside the UK, it must ensure an appropriate safeguard is in place under Chapter V UK GDPR, such as:
- UK International Data Transfer Agreement (IDTA), or
- UK Addendum to EU Standard Contractual Clauses.
10. Data breach notification
Each party shall notify the other without undue delay of any personal-data breach relevant to this Agreement.
Notifications must include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
Coolstays is responsible for notifying the ICO and affected individuals where required.
11. Data subject rights
Both parties must cooperate in good faith to ensure that any Guest exercising rights under UK GDPR can do so effectively and within statutory deadlines.
If an Owner receives a rights request directly from a Guest for which Coolstays is the controller, the Owner must forward it to privacy@coolstays.com without undue delay and in any case within two business days.
12. Audit and inspection
Coolstays may, on reasonable notice, request evidence of the Owner’s data-protection compliance. This may include written questionnaires or audits limited to verifying compliance with this Agreement and UK GDPR. Owners must provide full cooperation.
13. Liability
Each party is liable for any breaches of its own obligations under this Agreement and UK GDPR. Where acting as joint controllers, liability is apportioned according to Article 82 UK GDPR.
14. Term and termination
This Agreement remains in force for as long as the Owner uses Coolstays’ Services or continues to process Guest Data obtained through Coolstays. Upon termination, all Guest Data must be returned or securely deleted, unless retention is legally required.
15. General
- This Agreement forms part of the Owner Terms and supplements, but does not replace, those terms.
- In case of conflict between this Agreement and other contractual terms, this Agreement prevails regarding data-protection matters.
- Governed by the laws of England and Wales, with exclusive jurisdiction of the English courts.
16. Contact
For data-protection queries or breach reports, contact:
Email: privacy@coolstays.com
Address: Nile House, Nile Street, Brighton, BN1 1HW