Data Processing Information

Sommer operates as a data controller under the European General Data Protection Regulation (GDPR). We are responsible for determining the purposes and means of processing personal data through our vacation rental management platform.

• Company Name: Sommer, Inc.
• Registration: Incorporated in Delaware, United States
• Business Address: [Company Address]
• Platform: Vacation rental property management platform

For all data protection inquiries, privacy concerns, and exercising your data subject rights:

• Email: privacy@sommer.com
• Subject Line: Data Protection Inquiry
• Response Time: Within 30 days (GDPR requirement)

Sommer has appointed a Data Protection Officer (DPO) to oversee GDPR compliance and data protection matters:

• DPO Contact: dpo@sommer.com
• Responsibilities: GDPR compliance monitoring, privacy impact assessments, data subject rights facilitation

Purpose: Account creation, authentication, user profile management, and platform access control.

• Data Processed: Name, email address, password hash, profile information, authentication tokens
• Legal Basis: Contract performance (Terms of Service)
• Retention: Duration of account plus 30 days for deletion processing
• Recipients: Authentication service providers, email service providers

Purpose: Vacation rental property listing creation, management, and optimization services.

• Data Processed: Property details, addresses, amenities, photos, pricing information, availability
• Legal Basis: Contract performance (service provision)
• Retention: Duration of property listing plus 1 year for business analytics
• Recipients: Cloud storage providers, image processing services

Purpose: Multi-tenant organization structure, team collaboration, and role-based access management.

• Data Processed: Organization details, member roles, permissions, collaboration data
• Legal Basis: Contract performance and legitimate interests (business operations)
• Retention: Duration of organization membership plus 2 years for compliance
• Recipients: Team collaboration tools, business analytics services

Purpose: Platform security, performance monitoring, customer support, and service improvement.

• Data Processed: Usage logs, IP addresses, device information, support communications
• Legal Basis: Legitimate interests (platform security and improvement)
• Retention: 13 months for operational data, 3 years for support records
• Recipients: Security monitoring services, analytics providers, support tools

Most data processing activities are necessary for performing our contract with you (Terms of Service):

• Account creation and authentication
• Property management services
• Organization collaboration features
• Platform access and functionality

We process certain data based on legitimate interests (balanced against your rights):

• Platform Security: Fraud prevention, abuse detection, security monitoring
• Service Improvement: Analytics, performance optimization, feature development
• Business Operations: Customer support, business analytics, legal compliance

Some processing is required to comply with legal obligations:

• Tax reporting and financial record keeping
• Data protection law compliance (GDPR, CCPA)
• Regulatory reporting requirements

We obtain explicit consent for specific processing activities:

• Marketing communications (newsletters, product updates)
• Non-essential cookies and tracking
• Participation in surveys or feedback programs

• Identity Data: First name, last name, username, title
• Contact Data: Email address, phone number, mailing address
• Account Data: Username, password hash, security preferences
• Profile Data: Interests, preferences, feedback, survey responses

• Property Information: Address, description, amenities, capacity
• Media Content: Photos, videos, virtual tour content
• Pricing Data: Rates, availability, booking terms
• Performance Data: Views, inquiries, booking metrics

• Device Information: IP address, browser type, device identifiers
• Usage Data: Page views, clicks, feature usage, session duration
• Performance Data: Load times, error logs, system performance

• Support Communications: Help desk tickets, chat logs
• Platform Communications: In-app messages, notifications
• Marketing Communications: Email engagement, preferences

Individuals who create accounts and use our vacation rental management platform:

• Property owners and managers
• Vacation rental hosts
• Property management professionals
• Real estate agencies

Team members invited to collaborate within organizations:

• Organization owners and administrators
• Team members and collaborators
• Guest users with limited access

Individuals who visit our website without creating accounts:

• Prospective customers browsing features
• Blog readers and resource users
• Contact form submitters

We share data with trusted service providers under data processing agreements:

• Cloud Infrastructure: Data hosting, storage, backup services
• Authentication: Identity verification and access management
• Communications: Email delivery, SMS, push notifications
• Analytics: Platform usage analysis and business intelligence
• Support: Customer service and helpdesk platforms

Limited sharing with third parties for specific purposes:

• Legal Compliance: Regulatory authorities when required by law
• Business Transfers: Potential acquirers during M&A due diligence
• Security: Law enforcement for fraud prevention and investigation

Some data may be transferred internationally with appropriate safeguards:

• Primary Location: United States (adequacy decision pending)
• Safeguards: Standard Contractual Clauses (SCCs), Privacy Shield successors
• EU Representatives: Appointed for GDPR compliance

We retain personal data only as long as necessary for the stated purposes:

• Active Accounts: Duration of account plus 30 days for deletion processing
• Property Data: Duration of listing plus 1 year for analytics
• Support Records: 3 years from last interaction
• Legal Compliance: As required by applicable law (typically 7 years)
• Marketing Data: Until consent withdrawn or 2 years of inactivity

Data is deleted based on these criteria:

• Expiration of retention period
• Account deletion request
• Withdrawal of consent
• Successful erasure request
• End of legal obligation period

• Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication
• Network Security: Firewalls, intrusion detection, DDoS protection
• Data Backup: Regular backups with encryption and offsite storage
• Monitoring: 24/7 security monitoring and incident response

• Staff Training: Regular data protection and security training
• Access Management: Principle of least privilege, regular access reviews
• Incident Response: Documented procedures for data breaches
• Vendor Management: Due diligence and contractual safeguards
• Privacy by Design: Data protection integrated into development

You have the right to access your personal data and receive information about processing:

• Request a copy of your personal data
• Information about processing purposes and legal basis
• Details about recipients and retention periods
• Source of data if not collected directly from you

You can request correction of inaccurate or incomplete personal data:

• Correct factual errors in your profile
• Update outdated information
• Complete incomplete data sets

You can request deletion of your personal data in certain circumstances:

• Data no longer necessary for original purpose
• Withdrawal of consent (where consent is the legal basis)
• Objection to processing (where legitimate interests is the legal basis)
• Data has been unlawfully processed

You can request a machine-readable copy of your data to transfer to another service:

• Applies to data provided to us (not derived data)
• Where processing is based on consent or contract
• Where processing is carried out by automated means