Last updated: May 2026

Privacy Policy

This Privacy Policy explains how we collect, use, share, and protect personal data when you use myperfectstay.com and the MyPerfectStay mobile apps for iOS and Android (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Digital-Services Data Protection Act (TDDDG).

1. Data controller

The data controller for the Service within the meaning of Art. 4 (7) GDPR is:

CloudCops GmbH
Amselweg 20
33758 Schloß Holte-Stukenbrock
Germany
Email: privacy@myperfectstay.com

See our Imprint for the full company details, including commercial register number and VAT-ID.

2. Data Protection Officer

We have not appointed a Data Protection Officer because the statutory thresholds in Art. 37 GDPR and § 38 BDSG do not currently apply to us. You may direct any data-protection question to privacy@myperfectstay.com and we will route it to the responsible person inside CloudCops GmbH.

3. Our UAE sister entity

MyPerfectStay’s commercial operations and B2B partner payouts in the MENA region are processed by Cloud Cops Technology L.L.C in the United Arab Emirates. Cloud Cops Technology L.L.C is not a controller, joint controller, or processor of MyPerfectStay user personal data. Personal data processed under this policy is processed exclusively by CloudCops GmbH in Germany on infrastructure located inside the European Union (see § 7 below). Commercial payouts to UAE partners do not contain personal data of MyPerfectStay end users.

4. Categories of personal data we process

We process only the data necessary to operate the Service. We never sell personal data, and we do not engage in third-party behavioural advertising.

  • Account data — name, email address, password hash, profile photo (optional), language and currency preferences. Created when you register.
  • Trip planning data — destinations, dates, group membership, votes, comments, saved itineraries.
  • Booking data — traveller names, contact details, party composition, special requests, booking dates. Required to fulfil bookings with the relevant supplier.
  • Payment data — for MyPerfectStay’s own payment flows, your full card number, CVC, and expiry date are tokenised by our payment processor and never stored on our servers. For affiliate bookings, payment is taken directly by the supplier (see § 6) and we do not see card details at all.
  • Communications — emails you send us, support conversations, and lead-form submissions on /for-hotels and similar marketing pages.
  • Device and diagnostics — crash reports, anonymised performance traces, and session-replay data with text and form input automatically masked (e.g. email and password fields are recorded as a black bar, not your typed values). Used to diagnose bugs and improve stability.
  • Usage data — anonymised page and feature interaction counts; aggregated for product analytics.
  • Server logs — IP address, user agent, requested URL, timestamp; retained short-term for security and fraud prevention.

5. Purposes and legal bases (Art. 6 GDPR)

We process personal data on the following legal bases:

PurposeLegal basis
Creating and operating your account; group-trip featuresContract — Art. 6 (1) (b) GDPR
Processing bookings and payments; sending booking confirmationsContract — Art. 6 (1) (b) GDPR
Tax records, accounting, and statutory retentionLegal obligation — Art. 6 (1) (c) GDPR; §§ 147, 257 HGB / § 147 AO
Fraud prevention, security, abuse investigationLegitimate interest — Art. 6 (1) (f) GDPR
Diagnostics, crash reports, masked session replayLegitimate interest — Art. 6 (1) (f) GDPR
Aggregated, anonymised product analyticsLegitimate interest — Art. 6 (1) (f) GDPR
Marketing emails, newsletters, lead-form responsesConsent — Art. 6 (1) (a) GDPR; § 7 (2) UWG

6. Recipients and processors

We share personal data only with carefully selected processors under written data-processing agreements pursuant to Art. 28 GDPR. We currently rely on:

RecipientPurposeLocation
Hetzner Online GmbHPrimary application hosting and databaseGermany (EU)
Microsoft Azure (Microsoft Deutschland GmbH)Kubernetes infrastructure, secrets storageGermany / EU regions
Cloudflare, Inc.Image CDN delivery (imagedelivery.net)USA — SCC + EU-US DPF
Functional Software, Inc. (Sentry)Crash reports and masked session replayUSA — SCC + EU-US DPF
Resend, Inc.Transactional and lead-response email deliveryUSA — SCC + EU-US DPF
Stripe Payments Europe LtdPayment processing for MyPerfectStay-direct flowsIreland (EU)
Tripadvisor LLC (Viator)Activity supplier — booking, payment, and fulfilment for affiliate activity sales. When you book a Viator activity we transfer the traveller details necessary to fulfil the booking; payment is taken directly by Viator.USA — SCC + EU-US DPF
Google LLCGoogle OAuth sign-in (only if you choose it) and Google Maps tilesUSA — SCC + EU-US DPF
Google Ireland Limited (controller-processor, EU) and Google LLC (sub-processor, US)Google Analytics 4 — web analytics for property G-M0JXP157C3. Loaded only with your analytics consent. Configured with anonymize_ip and ads_data_redaction; advertising features (Google Signals, remarketing) are disabled. See § 10 for the full data inventory and your rights.USA — SCC + EU-US DPF
MongoDB, Inc. (Atlas)Supplier response cache (no end-user PII stored here)EU region
Slack Technologies, LLCInternal team notifications for B2B lead-form submissions onlyUSA — SCC + EU-US DPF

The list above is a current snapshot. Where required, processors are bound to the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and certified under the EU-US Data Privacy Framework. Where additional safeguards apply (e.g. supplementary technical measures) we apply them on a case-by-case basis.

7. International transfers

We host the primary application and database inside the European Union. Some processors listed in § 6 are established in the United States; in those cases we rely on:

  • an EU adequacy decision under Art. 45 GDPR (EU-US Data Privacy Framework) where the recipient is self-certified, and
  • the EU Standard Contractual Clauses (SCCs) under Art. 46 (2) (c) GDPR as a secondary safeguard.

We do not transfer MyPerfectStay user personal data to our UAE sister entity, Cloud Cops Technology L.L.C, or to any other recipient outside the EU/EEA without an Art. 45 or Art. 46 safeguard.

8. Retention

CategoryRetention
Account, profile, trip-planning dataFor as long as your account is active + 90 days after deletion
Booking records and invoices10 years (§ 147 AO, §§ 257, 238 HGB)
Payment receipts and tax-relevant payment metadata10 years (§ 147 AO)
Crash reports and session replay (masked)90 days
Server access logs14 days
Google Analytics 4 user / event data (consent required)14 months server-side (configured in GA4 admin); cookies expire 24 hours to 2 years on your device. See § 10 for the full inventory.
Marketing email listUntil you withdraw consent or unsubscribe
Support emails3 years after last contact

9. Your rights

You have the following rights under the GDPR:

  • Access — Art. 15 GDPR — confirmation of processing and a copy of the data we hold about you.
  • Rectification — Art. 16 GDPR — correction of inaccurate data.
  • Erasure — Art. 17 GDPR — deletion when one of the listed grounds applies. You can delete your account at any time from the in-app settings.
  • Restriction — Art. 18 GDPR — restriction of processing during a dispute.
  • Portability — Art. 20 GDPR — receipt of your data in a structured, machine-readable format.
  • Objection — Art. 21 GDPR — objection to processing based on legitimate interest, including direct marketing at any time.
  • Withdraw consent — Art. 7 (3) GDPR — for any processing based on consent, without affecting processing already carried out.
  • Complaint to a supervisory authority — Art. 77 GDPR. Our lead supervisory authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.

To exercise any of these rights, write to privacy@myperfectstay.com. We respond within 30 days (extendable by up to two further months under Art. 12 (3) GDPR for complex requests).

10. Cookies, tracking technologies, and Google Analytics

When you visit our site we store small data files on your device and read data from your device. Under § 25 TDDDG, any storage of, or access to, information on your device requires your prior consent unless that storage or access is strictly necessary to provide a service you have requested. We treat anything that is not strictly necessary as consent-required, regardless of whether it is technically a cookie, a localStorage entry, a pixel, a fingerprint, or any other form of device-bound identifier.

10.1 How you control this

When you first visit our site, a banner asks you to choose: Accept all, Reject all, or Customize. The Accept and Reject buttons are equally prominent. Until you make a choice, no analytics or marketing technologies are loaded that store data on, or read data from, your device beyond what is strictly necessary. You can change your choice at any time by clicking “Cookie Settings” in the site footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7 (3) GDPR).

10.2 Categories

CategoryWhat it doesConsent?Lawful basis
Strictly necessarySession, authentication, CSRF protection, load balancing, your stored consent choice.Not requiredArt. 6 (1) (b) GDPR + § 25 (2) TDDDG
Preferences / functionalityRemembers your language, theme, and other UI settings.RequiredArt. 6 (1) (a) GDPR + § 25 (1) TDDDG
AnalyticsGoogle Analytics 4 — measures aggregate site usage.RequiredArt. 6 (1) (a) GDPR + § 25 (1) TDDDG
MarketingNot currently active. Reserved for future use (e.g. remarketing pixels).RequiredArt. 6 (1) (a) GDPR + § 25 (1) TDDDG

10.3 Cookie and storage inventory

NameTypePurposeCategoryRetentionSet by
Session / auth cookiesFirst-partyKeeps you signed inNecessarySessionMyPerfectStay
CSRF tokenFirst-partyProtects against cross-site request forgeryNecessarySessionMyPerfectStay
mps_consent_v1localStorageStores your cookie preferencesNecessaryUntil cleared or changedMyPerfectStay
_gaFirst-party (set by Google library, scoped to our domain)Distinguishes unique users (pseudonymous client ID)Analytics2 years from last visitGoogle
_ga_M0JXP157C3First-partyMaintains session state for our GA4 propertyAnalytics2 years from last visitGoogle
_gidFirst-partyDistinguishes users (24-hour window)Analytics24 hoursGoogle

10.4 Data collected by Google Analytics 4

If you grant analytics consent, the Google Analytics 4 library (gtag.js) collects and transmits the following data to Google for processing on our behalf:

  • A pseudonymous client identifier (the _ga cookie value), which Google uses to recognise your browser across visits.
  • Device, browser, and operating system information (e.g. browser name and version, device category, screen resolution, OS, set language).
  • Coarse geographic location derived from IP address (country and, where applicable, region or city). The IP address itself is anonymised before being stored (we have anonymize_ip enabled) and is not retained by Google in identifiable form.
  • Pages and screens viewed, page titles, page paths, referring URL, time on page, and scroll behaviour.
  • Interaction events automatically captured by GA4 enhanced measurement (clicks on outbound links, file downloads, video engagement, site search where applicable).
  • Session metadata — session start, session duration, session source / medium / campaign (where you arrived from).
  • A timestamp for each event.

We have disabled Google Signals and any advertising features in GA4. We do not enable Google Ads remarketing, demographic data, or interest categories. No data from Google Analytics is used to build advertising audiences.

10.5 How and where this data is stored

  • Data is transmitted from your browser directly to Google’s servers (region-routed by Google; primary processing region is the United States).
  • Google acts as our processor under a Data Processing Addendum (Google Ads Data Processing Terms).
  • Cross-border transfer: personal data is transferred from the EU to the United States. The transfer is covered by (a) the EU Standard Contractual Clauses in their current form (Commission Implementing Decision (EU) 2021/914) and (b) Google LLC’s active certification under the EU-US Data Privacy Framework (adequacy decision Implementing Decision (EU) 2023/1795 of 10 July 2023). Either mechanism, on its own, suffices under Chapter V GDPR; we rely on both as a belt-and-braces measure.
  • Server-side retention: 14 months from collection, after which Google automatically deletes user-level and event-level data. This is configured in our GA4 admin and we do not extend it.
  • No cross-site profiling: we do not link your GA4 client ID to your MyPerfectStay account, to data from third-party data brokers, or to data from any other site or app.

10.6 Your rights regarding analytics

In addition to the rights described in § 9 (“Your rights”), you specifically have the right to:

  1. Withdraw consent at any time by clicking “Cookie Settings” in the footer. Withdrawal stops further data collection and instructs the Google Analytics library to discontinue using cookies on your device.
  2. Install the official Google Analytics opt-out browser add-on at tools.google.com/dlpage/gaoptout, which blocks GA4 across every site you visit.
  3. Clear cookies and localStorage in your browser settings, which will delete the _ga, _ga_M0JXP157C3, _gid, and mps_consent_v1 entries and present you with the consent banner again on your next visit.
  4. Request access to, correction of, or deletion of your GA4 data via privacy@myperfectstay.com. Because GA4 data is pseudonymous, we will need additional information from you (e.g. approximate visit dates) to locate it. We will forward valid deletion requests to Google.

10.7 Sentry (separate basis)

We use Sentry for application error monitoring and short-form session replay. Sentry runs on the basis of our legitimate interest in service security, integrity, and reliability (Art. 6 (1) (f) GDPR) and is not gated behind analytics consent. Session replay masks all input fields and text content by default; only structural and click event data is recorded. Sentry data is hosted in the EU and is retained for 90 days. You can object to processing on legitimate-interest grounds at privacy@myperfectstay.com; we will assess whether your interests override ours.

11. Marketing communications

We send marketing emails (e.g. product updates, B2B newsletters) only with your prior opt-in consent. Every marketing email includes a one-click unsubscribe link. If you submit a B2B lead-form (e.g. the revenue calculator on /for-hotels), we use the email address you provide to send you the requested report and to follow up on your enquiry; you may withdraw consent at any time by replying with the word “unsubscribe”.

12. Children

The Service is not directed to children under 16. We do not knowingly process personal data of children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects concerning you within the meaning of Art. 22 GDPR.

14. Changes to this policy

We will update this policy as our processing changes or as the law evolves. Material changes will be announced inside the Service and via email to active users at least 30 days before they take effect. The current version is always available at myperfectstay.com/privacy; the “Last updated” date at the top of this page reflects the latest revision.

15. Parent company privacy notice

CloudCops GmbH also operates a consulting business under cloudcops.com. The privacy notice for that business is available at cloudcops.com/en/privacy-policy. That notice governs visits to the cloudcops.com website and does not apply to the MyPerfectStay Service.

16. Contact

CloudCops GmbH, Amselweg 20, 33758 Schloß Holte-Stukenbrock, Germany
privacy@myperfectstay.com

Privacy Policy — MyPerfectStay