Data privacy is a matter of trust, and your trust matters to Interhome. It is therefore important to us that your personal data is protected and that its collection, processing and use in relation to Interhome's services in our app and on our website interhome.co.uk complies with the law. In this Policy, we want to tell you about how we collect and use data, in order to give you an overview of how your personal data will be used.
1. Overview
This privacy policy provides information about the nature and scope of the processing of personal data by Interhome in accordance with the GDPR. Personal data are any pieces of information that relate to an identified or identifiable person, such as name or email address.
As a rule, we only store personal data for as long as is necessary to fulfill the purposes for which we collected the data. Thereafter, we delete the data in accordance with the implemented retention and deletion policy, observing legal retention periods, unless we need to retain the data until the expiry of the statutory limitation period for civil law claims or due to legal storage obligations. In specific individual cases, storage may also occur for a longer period if there is another legal basis under data protection law for the continued processing of the data.
We are obliged to retain personal data based on statutory documentation requirements, including those stipulated in the German Commercial Code (retention of business documents), the German Fiscal Code (accounting and financial reporting), the Money Laundering Act, or other tax law requirements (DAC7). The retention periods stipulated there for documents in separate and protected areas are up to ten years.
2. Name and contact details of the controller and the data protection officer
This privacy policy applies to the data processing carried out by HHD AG (Interhome), Sägereistrasse 20, 8152 Glattbrugg, Switzerland (the controller, hereinafter referred to as “Interhome”), reachable at [email protected], and to the following website and application: www.interhome.de.
The data protection officer of Interhome can be contacted at [email protected] or [email protected].
3. Purposes of data processing, legal bases, and legitimate interests pursued by Interhome or a third party, as well as categories of recipients
3.1 Accessing our website/application
3.1.1 Provision of data, mandatory information
To use our services, it is necessary to provide certain data. The scope of these mandatory details depends on the specific service requested and is either legally required or necessary for potential contract conclusions with us or third parties on the portal. The fields marked with an asterisk (*) or a note indicating they are mandatory must be completed; otherwise, we will not be able to provide the service or offer you have requested.
3.1.2 External hosting
This website and the databases used for data processing are hosted by external service providers (hereinafter “hosting providers”). In the processing activities described below, personal data is transmitted to the hosting providers, stored in their data centers ("servers"), and processed on our behalf. This may particularly involve:
- IP addresses,
- contact requests,
- metadata and communication data about devices used,
- search queries,
- contract data (e.g. bookings, booking requests),
- transaction data,
- names, possibly pseudonymized identification numbers,
- website visits and pages accessed, and
- other data generated via a website.
The use of hosting providers is for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR).
Our hosting providers will only process data to the extent necessary to fulfill their service obligations and will follow our instructions regarding this data. To ensure GDPR-compliant processing, we have concluded a data processing agreement with our hosting providers. These providers process data either exclusively within the European Economic Area or in third countries under the strict conditions applicable to international data transfers.
3.1.3 Content Delivery Network
This website uses a content delivery network (CDN), which provides protective functions for the website (such as a web application firewall). The data transfer between the browser and the hosted servers flows through the CDN infrastructure and is analyzed there in order to prevent attacks, deliver content, and implement further security measures.
The following data, among others, may be processed in this context:
We process this data on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. The use of a CDN is in our interest in ensuring the secure use of our online presence and in preventing harmful external attacks. We have concluded a data processing agreement with our CDN provider.
3.1.4 Log files
When our website/application is accessed, the browser on the end device automatically sends information to our server, where it is temporarily stored in a so-called log file. We have no influence over this process.
The following information is collected and stored automatically without your intervention until it is automatically deleted:
- the IP address of the requesting internet-enabled device,
- the date and time of access,
- the name and URL of the file accessed,
- the website/application from which the access was made (referrer URL),
- the browser used and, if applicable, the operating system of the internet-enabled device as well as the name of the access provider,
- the device used (e.g. desktop or smartphone),
- the language of your browser.
The legal basis for processing the IP address is Article 6(1)(f) GDPR. Our legitimate interest results from the purposes of data collection listed below. We would like to note that the data collected does not allow us to directly infer your identity, nor do we attempt to do so.
The IP address and the other data listed above are used by us for the following purposes:
- to ensure a smooth connection to the website,
- to ensure convenient use of our website/application,
- to analyze system security and stability.
The data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collected to provide the website, this is the case when the respective session has ended. If the data is stored in log files, it is limited to the strictly necessary extent. Data is not stored beyond that. In such cases, the users’ IP addresses are deleted so that assigning them to the accessing user is no longer possible.
3.2 Creating and using a user account for bookings, booking inquiries, vouchers for bookings, and participation in sweepstakes
3.2.1 Creating a user account
If you create a user account with us, we process personal data, specifically:
- when logging in via a social media login account (see below), the email address and the information transmitted from the relevant social media profile (if applicable, name, profile picture, link to the account and top-level domain, gender, and additionally age range, language, country, and other public information),
- when logging in via email, the email address used.
For technical reasons, a user account is also created when the email address is entered during a booking or booking inquiry on our website or when subscribing to our newsletter.
Within the user account, the following data can also be stored:
- First and last name,
- (optional) salutation and gender,
- (optional) date of birth,
- place of residence / address,
- contact details (telephone),
- previous bookings (including travel dates, number of guests, booking number, partner/provider).
In the case of direct bookings, name, address, and booking information are stored under the "Bookings" section of the user account for invoicing and tax calculation purposes, if applicable and necessary.
Additionally, settings regarding language and currency preferences, as well as newsletter consent, can be managed in the user account.
Each time you log in, technical information about the device and browser used, as well as details about your search queries, is stored. This serves to improve the user experience on the website and enhance our overall service offering.
The legal basis for processing the provided data is Article 6(1)(b) and (f) GDPR, based on the contractual relationship for using the website services. Furthermore, our legitimate interest arises from the protection of user identity and the prevention of fraudulent activity pursuant to Article 6(1)(f) GDPR.
We delete collected data in accordance with legal retention and archiving requirements after the termination of the usage agreement with us. You may terminate this agreement and request the deletion of all data stored in your account at any time by sending a message via email, using the contact form, or directly via the account settings in the app, provided there are no conflicting legal obligations.
3.2.2 Bookings and booking inquiries as well as payment processing
For booking inquiries, we collect the following data:
- the requested arrival and departure dates;
- first and last names; if applicable, also of accompanying guests;
- email address;
- (optional) message related to the booking;
- postal address;
- telephone number;
- (optional) selected extras;
- payment method.
The collection of the aforementioned data and its transfer to the providers is a pre-contractual measure necessary for concluding a contract (Art. 6(1)(b) GDPR).
Interhome works with property owners and local keyholders (see our General Terms and Conditions for details). When booking an accommodation through the portal, we collect and use the provided personal data to process payments and, where necessary for contract fulfillment, to forward the data to our partners.
In the case of direct bookings, payment processing is carried out by Interhome. In this context, we collect the payment information provided during the booking process and process all required data (name, payment details such as credit card/bank transfer data, billing address, cookie information, or other relevant information) necessary for a secure and valid transaction, fraud detection, risk assessment, or the selected payment method. The reverse applies in the case of cancellations where a full or partial refund is issued — the refund amount is returned to the original payment method.
The legal basis for processing payment data for all processes related to payment handling and asserting claims for contract initiation and fulfillment is Art. 6(1)(b) GDPR. The legal basis for activities related to tax audits and the preparation of annual financial statements is Art. 6(1)(c) GDPR.
By selecting one of the available payment methods (e.g. credit card, invoice), you agree to the use of the respective payment service, the outsourcing of such a service, and the associated transmission and processing of your data. We share payment data with our house bank and use the following payment service providers and payment methods:
PayPal, a service of PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg. Further information about processed personal data can be found at:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE
Services of Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium. Further information is available at:
https://www.mastercard.de/de-de/datenschutz.html
Services of Visa Europe Management Services Limited, German Branch, Neue Mainzer Strasse 66–68, 60311 Frankfurt, Germany. Further information is available at:
https://www.visa.de/legal/privacy-policy.html
In some countries, Interhome uses the services of regional providers. Contact details for these providers, including their data protection officers (if applicable), and additional privacy information can be found on their respective information pages.
No further transfer of data to third parties takes place unless we are legally obliged to do so or the transfer serves law enforcement purposes.
For certain selected payment methods, a risk assessment is conducted by the payment providers using the entered data before the transaction is processed, in order to prevent fraud or payment defaults. You will also be notified accordingly.
The legal basis for activities related to any risk assessment by the payment provider or the choice of payment method is Art. 6(1)(f) GDPR. Our legitimate interest is based on our business interest in providing direct booking services and in avoiding payment defaults, while protecting your personal data through a data processing agreement with the payment provider.
3.2.3 Use and redemption of an Interhome voucher
When redeeming an Interhome voucher, the following data is collected and processed:
We process the data exclusively for the handling, reconciliation, and (if applicable) disbursement of the voucher value, provided all redemption requirements under the respective voucher terms are met. The data is stored in accordance with statutory retention periods.
The legal basis is Art. 6(1)(b) GDPR.
3.2.4 Sweepstakes and special offers
In connection with sweepstakes and other promotional campaigns via our website, applications, campaign pages, or social media channels, we store the data of all participants in accordance with the applicable terms and conditions of participation. In the event of a potential win, we may contact participants.
In sweepstakes, the personal data (salutation, name, address, title, telephone numbers, email addresses) of the winners may be transmitted to the respective sweepstake and cooperation partners. This is done on the basis of contractual fulfillment (Art. 6(1)(b) GDPR).
Participation in sweepstakes, including the associated data transmission, is voluntary.
3.3 Data processing for additional services
3.3.1 Insurance brokerage
In the case of a direct booking, an insurance benefit is already included, and additional insurance packages offered can also be selected via a certified partner. Interhome cooperates for the purpose of insurance brokerage with:
Helvetia Swiss Insurance Company Ltd,
Dufourstrasse 40, CH-9001 St. Gallen, Switzerland.
Responsible for this insurance: Europäische Reiseversicherung (referred to as “ERV” in the GTC), a branch of Helvetia Swiss Insurance Company Ltd, based at St. Alban-Anlage 56, P.O. Box, CH-4002 Basel, Switzerland.
We store the data solely for the brokerage and processing of the insurance contract, and only for the duration of the insurer's contractual obligations toward the beneficiaries.
The legal basis is Art. 6(1)(b) GDPR.
Further details regarding data processing by ERV / Helvetia can be found at:
https://www.helvetia.com/de/web/de/ueber-uns/service/datenschutz.html
3.3.2 WeatherPromise
We integrate services provided by WeatherPromise (Germany) GmbH, located at Tieckstraße 2, 10115 Berlin (“WeatherPromise”). WeatherPromise offers the possibility of protecting a trip by automatically generating a personalized weather guarantee for the booked trip, based on weather data from leading and independent global providers.
WeatherPromise and Interhome act as independent controllers when processing data for the purpose of contract initiation. Interhome is responsible for processing data related to brokerage and, if applicable, payment processing. WeatherPromise is responsible for the execution of the offered insurance service.
Further information can be found in the WeatherPromise privacy policy:
https://www.weatherpromise.com/de/privacy/
3.4 Social logins (login via Facebook, Apple, or Google) and email communication
In addition to the option of creating a user account via email, social media logins offer a service that allows you to log in to our portal and websites using your social media login profile.
The use of this data serves the purpose of identification, setting up the user account, and checking the entered data for plausibility. The connection can be removed at any time in the settings of your social media profile. Of the transmitted data, we use and store the following information until it is automatically deleted after the contract for using our portal is terminated:
- the email address used on the social media channel,
- the profile name (first and last name),
- the profile and background image used,
- age range (e.g. over 18, over 21),
- a link to the social media account,
- gender,
- the top-level domain of the logged-in account,
- the time zone of the account,
- if applicable, the top-level domain of the logged-in Google account,
- if applicable, the user domain maintained by the channel (hosted domain, HD).
The legal basis for using this data is Art. 6(1)(b) GDPR. The use serves to fulfill our contractual obligations arising from our Terms of Use (Art. 6(1)(b) GDPR). If you have expressly given consent to the social media platform, the legal basis is Art. 6(1)(a) GDPR, and your personal data will be transmitted to us as part of registration. If providers are based outside the EU, it cannot be ruled out that the data will also be transferred to the United States as part of an international data transfer.
3.4.1 Facebook Connect
This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (“Facebook,” “Meta”). When logging in via Facebook Connect, a direct connection to Facebook's servers (1601 South California Avenue, Palo Alto, CA 94304, USA) is established. Facebook becomes aware that the login credentials are being used on Interhome.
The purpose and scope of data collection and the further processing and use of the data by Meta, as well as related rights and privacy settings, can be found in Facebook’s privacy policy:
https://www.facebook.com/privacy/policy
3.4.2 Sign in with Google
When logging in via Google by selecting “Sign in with Google,” a direct connection to the servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) is established. Google is informed that these login credentials were used with Interhome. We do not receive Google account information.
Google will inform you whether and which data from your Google account will be made available to us. For registration and use of Google, Google's terms and privacy policies apply:
https://policies.google.com/privacy
https://business.safety.google/privacy/
3.4.3 Apple Sign-in
When logging in via Apple Sign-in, a direct connection to the servers of Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (“Apple”) is established. Apple becomes aware that the login credentials are being used.
Depending on the settings in your Apple profile, certain data may be hidden, and Apple may send us an email address generated by Apple.
Further information about Apple’s data processing can be found here:
https://www.apple.com/legal/privacy/data/en/sign-in-with-apple/
3.4.4 Email service
We use the SendGrid service from Twilio / SendGrid, Inc., 1801 California Street, Suite 500, Denver, Colorado 80202, USA ("SendGrid") to send relevant emails (e.g. booking and inquiry confirmations, notifications). For this purpose, your email address and your name (to personalize the email) are processed.
A data processing agreement exists with Twilio / SendGrid under the conditions applicable to international data transfers.
The legal basis for this processing is contract execution under Art. 6(1)(b) GDPR.
Further information can be found in the privacy policy of SendGrid:
https://sendgrid.com/policies/privacy
3.5 Data processing for advertising purposes
To send promotional messages via email, push notifications (if applicable), surveys, review requests, feedback, and other company-related information (“newsletters”), we use the provider Braze, Inc., 330 West 34th Street, 18th Floor, New York, NY 10001, USA (“Braze”).
Additionally, data on the use of these notifications (such as open rates, click rates, or display duration) is collected and stored.
For the purpose of sending emails, the following data is processed:
- Email address,
- Device data related to the device used (primarily for push notifications via app, if applicable),
- Name (for personalizing the email),
- and, for the creation of groups and related campaigns, transactional data regarding bookings and booking inquiries.
The legal basis for sending newsletters is your consent pursuant to Art. 6(1)(a) GDPR.
The legal basis for evaluating and analyzing the newsletter is Art. 6(1)(f) GDPR, as we have a legitimate interest in improving and tailoring our service offerings. We have entered into a data processing agreement with the service provider and comply with the requirements for international data transfers.
More information can be found in Braze’s privacy policy:
https://www.braze.com/company/legal/privacy
3.5.1 Newsletter delivery
On our website, we offer the opportunity to sign up for our newsletter. To ensure that no errors occur during the input of the email address, we use the so-called double opt-in procedure. After entering your email address into the registration field, we will send a confirmation link to that address. Your email address will only be added to our mailing list once the confirmation link has been clicked.
You may revoke your consent at any time with effect for the future. This can be done by clicking the unsubscribe link at the end of the newsletter, changing the settings in your user account, or sending a message to the controller by email or through the contact form. The legality of any data processing that occurred prior to the revocation remains unaffected.
3.5.2 Product recommendations
After completing a booking or submitting a booking inquiry, and having collected your email address for the purpose of initiating or performing a contract, we may use this email address for the purpose of maintaining our customer relationship by sending direct advertising for similar goods or services (“product recommendations”).
These product recommendations are sent regardless of whether you have subscribed to a newsletter. Our intention is to provide you with relevant information about our services based on your previous transactions and searches.
If you no longer wish to receive product recommendations from us, you can let us know at any time. Our contact details are listed in Section 2. Naturally, each email also contains an unsubscribe link.
3.5.3 Interest-based advertising
We categorize user profiles based on information from completed search queries so that we only send information that is likely to be of interest. Based on this information, we tailor our newsletter content and promotional emails.
The goal is to provide interest-based advertising that is aligned with actual user needs and to avoid sending irrelevant content.
The legal basis for the above-mentioned processing is Art. 6(1)(f) GDPR. The processing of existing customer data for advertising purposes is considered a legitimate interest.
3.5.4 Disclosure to third parties
To display interest-based advertising—and provided that you have given your consent—we may share email addresses in hashed (pseudonymized) form with social media platforms (such as Google and Facebook). We have signed corresponding data protection agreements with both Google and Facebook.
The legal basis for sharing hashed email addresses with social media platform operators is Art. 6(1)(a) GDPR. This consent may be withdrawn at any time with effect for the future, using the contact methods mentioned above.
3.5.5 Review requests for accommodations, satisfaction surveys
When you book via Interhome, we send a follow-up email after your departure that includes a link allowing you to submit a review of the vacation rental you booked.
The review, which includes a 1-to-5 rating scale (with 5 being the best possible score) and an optional written comment, may be published on our website alongside the relevant accommodation listin
4. “Cookies” and other tracking technologies – General information
On our websites and applications, we use cookies, pixels, web beacons, or similar technologies on the basis of Art. 6(1)(a), (b), and (f) GDPR.
Cookies are small files that are automatically created by the browser and stored on the device when our website is visited or our application is used. Pixels and web beacons are small graphics and code fragments that serve to measure activities on our website. Hereinafter, we refer to pixels, web beacons, and similar technologies collectively as “cookies.”
Cookies do not cause any damage to your device, nor do they contain viruses, Trojans, or other malware. The cookie stores information that arises in connection with the specific device used. However, this does not mean that we gain direct knowledge of your identity.
When our website or application is accessed, a notice appears regarding our use of cookies.
Some cookies help us provide users with the best possible and functional service and ensure a secure experience on our website and in our application (“functional cookies”). Functional cookies are technically necessary and essential for the uninterrupted and risk-minimized operation of our services, as they ensure security, user experience, and settings (e.g. for making a booking, creating a user account, storing preferred searches).
As they are essential for the operation and functionality of our website and application, the processing of data through functional cookies is based on Art. 6(1)(f) GDPR and, for the performance of our usage contracts (Terms of Use), on Art. 6(1)(b) GDPR.
We use so-called session cookies to recognize that you have already visited specific pages on our website or logged into your user account. These are automatically deleted when you leave our website.
In addition, we also use temporary cookies for the purpose of fulfilling our usage contracts. These are stored on your device for a specified period. If you revisit our website to use our services, the cookie automatically recognizes that you have previously visited and what entries and settings you made, so we can provide our services accordingly.
If you have a user account and are logged in or activate the “stay logged in” function, the information stored in cookies will also be saved to your user account.
We also use analytical cookies, based on Art. 6(1)(a) GDPR, to statistically evaluate the use of our website and optimize our offering, as well as marketing cookies to show you personalized information and tailored content. These cookies are only set after you have given your express consent.
Consent can be revoked at any time. The legality of the data processing performed based on the consent prior to its withdrawal remains unaffected. You may revoke your consent at any time by adjusting your cookie settings.
You can also configure your browser to prevent cookies from being stored on your device or to notify you whenever a new cookie is being set. However, disabling cookies entirely may result in some parts of our website or app not functioning properly.
The storage period of cookies depends on their purpose and therefore varies. In all cases, cookies are automatically deleted after a specified period.
You can find more detailed information about the analytical and marketing cookies we use in the sections below.