GoHabitat Privacy Policy

Effective date: 05/03/2026

We built this policy to explain in plain language what data we collect, why we collect it, and how you can stay in control.

1) Who we are

Controller: GoHabitat B.V.
CoC/KvK: 95798862 · VAT: NL867306610B01
Email: info@gohabitat.earth

GoHabitat provides a nature‑inclusive travel marketplace. We connect guests with hosts (local stewards) and channel visitor income into landscape restoration.

Role split (important)

  • GoHabitat as controller. We are the controller for data we process to run the platform (accounts, bookings, support, fraud prevention, analytics, cookies, etc.).

  • Hosts as independent controllers. Hosts may process guest data for their own purposes (e.g., check‑in, local regulations). Where hosts use data outside our platform, they act as independent controllers and must provide their own privacy notices.

  • Stripe as separate controller/processor. Stripe handles payments and KYC/verification. Stripe may act as an independent controller for certain activities (e.g., compliance checks). See Stripe’s privacy notice.

2) What this policy covers

  • Our website, platform, and apps at gohabitat.earth and related subdomains.

  • Guest, host, and visitor interactions (support, email, social posts you send us, etc.).

  • Cookies and similar technologies on our services.

It doesn’t cover third‑party websites you visit via outbound links or what hosts do outside of our platform.

In addition to the GDPR, we follow applicable Dutch law, including the UAVG and the Telecommunicatiewet (ePrivacy rules on cookies).

3) The data we collect

We follow data minimisation: only what’s needed, when it’s needed.

Account & profile (guests and hosts)
Name, date of birth, email, password (hashed), phone, country, organisation & VAT/KvK (hosts), payout details (hosts via Stripe Connect), profile text and images you upload.

Booking & stay information
Bookings made, dates, party size, preferences you share (e.g., accessibility needs), messages exchanged with hosts via the platform, cancellation/refund history.

Payment & verification (processed primarily by Stripe)
Payment card details (tokenised), charges, refunds, dispute info, anti‑fraud signals; host identity/KYC data (legal name, address, date of birth, ID verification results) handled by Stripe Connect.

Social login (optional)
If you choose to sign in with a third‑party login provider, we receive your name, email address, and an authentication token from that provider. We use this only to authenticate your account on GoHabitat. Your use of the third‑party provider is governed by its own privacy policy.

Communications
Support tickets, emails, in‑app messages, call notes (if any), feedback, reviews, and survey responses.

Device & usage data
IP address, device type, browser, operating system, log data, pages viewed, clicks, referrers, approximate location (to city/region level), cookie identifiers.

Server access logs
When you visit our site, our servers record standard log data (e.g., IP address, date/time, URL, HTTP status, user agent, referrer). We use these short‑term logs to operate, secure, and debug the service (see retention in §5).

Location & maps
When you view listings on a map, we use third‑party map services (e.g., Google Maps Platform) to render pins and calculate distances. When map tiles load, the provider receives your IP address and request metadata. Where data may leave the EEA, we rely on safeguards described in §7.

Calendar syncing (iCal)
Hosts may import/export iCal links to sync availability with other platforms. We store booking blocks (dates/times). We do not require or use event titles or personal notes contained in external calendars; if they are present in an imported calendar, we ignore and/or redact them during import.

User‑generated content
Photos, listing descriptions, comments, reviews.

Cookies & similar tech
See Section 10.

4) Purposes and legal bases (GDPR)

We only process personal data when a legal basis applies:

| Purpose | Legal basis | Details |
| --- | --- | --- |
| Provide the service (accounts, bookings, customer support) | Performance of a contract (Art. 6(1)(b)) | Create/manage your account, process bookings, send confirmations, handle check‑in/out messages. |
| Payments, payouts, fraud prevention | Performance of a contract & Legitimate interests (Art. 6(1)(b),(f)); Legal obligation (Art. 6(1)(c)) | Via Stripe Connect; screening for fraud/abuse; accounting and tax compliance. |
| Host onboarding & verification (KYC) | Legal obligation & Legitimate interests | Identity and business verification facilitated by Stripe. |
| Platform safety & abuse prevention | Legitimate interests | Detect and prevent spam, abuse, security incidents. |
| Analytics & service improvement | Consent (for non‑essential cookies) & Legitimate interests (for aggregated/essential metrics) | Measure usage to improve UX, fix bugs, plan capacity. |
| Marketing communications | Consent (Art. 6(1)(a)) or Legitimate interests (for existing customers, soft opt‑in where applicable) | Newsletters, product updates. You can unsubscribe anytime. |
| Legal claims & compliance | Legal obligation & Legitimate interests | Respond to lawful requests, defend legal claims. |

5) How long we keep data (retention)

We keep data only as long as necessary for the purposes above, then delete or anonymise it.

| Data category | Typical retention |
| --- | --- |
| Account data | For the life of the account + up to 24 months after closure (to resolve disputes/prevent fraud), unless legal retention applies. |
| Booking records | 7 years (Dutch/EU bookkeeping rules). |
| Payment records | 7 years (tax/accounting). Actual card data is tokenised by Stripe. |
| Support tickets | Up to 36 months after resolution. |
| Analytics (aggregated) | Aggregates may be kept longer; raw event data up to 26 months (or less, per tool settings). |
| Server access logs | Up to 7 days (longer only to investigate security incidents), then deleted or anonymised. |
| Marketing consents | Until you withdraw consent or after inactivity per local rules. |

6) Sharing your data

We don’t sell personal data. We share it only with:

Hosts (when you book)
We share necessary booking details so hosts can provide your stay (e.g., name, party size, date range, messages, preferences you choose to share). Hosts must handle your data lawfully and securely.

Service providers (processors)
We use carefully selected providers under contracts that meet GDPR Article 28 requirements. Typical categories:

  • Payments & payouts: Stripe Payments Europe/Stripe Connect.

  • Hosting & storage: e.g., AWS EU region.

  • Email & notifications: e.g., HubSpot, Mailchimp and similar.

  • Social login/authentication: your chosen third‑party login provider(s).

  • Customer support/helpdesk: e.g., Zendesk.

  • Analytics & A/B testing: e.g., Google Analytics.

  • Maps & geocoding: Google Maps Platform.

Authorities & legal
Where required by law or necessary to protect rights, security, or comply with lawful requests.

Social media pages. We maintain pages on social platforms (e.g., Facebook, Instagram, LinkedIn). When you interact there, your data is also processed by the platform under its own privacy policy; for Page Insights data on Meta platforms, we and Meta act as joint controllers under Art. 26 GDPR.

7) International data transfers (outside the EEA)

Some providers may be based outside the EEA or store data internationally. When we transfer data internationally, we use appropriate safeguards, such as:

  • Adequacy decisions (e.g., EU–US Data Privacy Framework where applicable).

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Supplementary measures (encryption, access controls, data minimisation).

You can contact us for copies of relevant safeguards.

8) Your rights (EU/EEA)

You can:

  • Access your data and receive a copy

  • Rectify inaccurate data

  • Erase data (“right to be forgotten”)

  • Restrict or object to processing

  • Port data to another service

  • Withdraw consent at any time (where processing is based on consent)

We will respond within one month (extendable by two months for complex requests). You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local DPA.

To exercise rights, email info@gohabitat.earth from the address tied to your account. We may need to verify your identity.

Automated decision‑making. We do not make decisions based solely on automated processing that produce legal or similarly significant effects. Any profiling is limited to analytics/marketing with your consent.

9) Security

We use technical and organisational measures to protect your data:

  • Encryption in transit (HTTPS/TLS) and at rest (where applicable)

  • Access controls and least‑privilege permissions

  • Regular updates and vulnerability patching

  • Backups and recovery procedures

  • Staff confidentiality and training

  • Vendor due diligence and DPAs

No system is 100% secure, but we work hard to protect your information. If we detect a breach that poses risks to you, we’ll notify you and the authorities as required.

10) Cookies & similar technologies

We currently use only strictly necessary session cookies required to maintain login sessions and protect against CSRF attacks. These cookies do not require consent under the ePrivacy rules.


Future cookie usage

As the platform evolves, we may introduce additional cookies for analytics, functionality, or marketing. When such cookies are implemented, visitors will be presented with a cookie consent banner allowing them to manage their preferences.

Third‑party providers may place cookies when integrated on our site (e.g., maps, payment widgets). Some providers may be outside the EEA; see Section 7 for transfer safeguards.

11) Emails, messages & marketing

  • Transactional emails (bookings, receipts) are required to use the service.

  • Marketing emails are sent only with consent or to existing customers under soft opt‑in rules (where allowed). You can unsubscribe at any time.

  • In‑platform messages (host ↔ guest) are monitored automatically for safety (spam, fraud). Human review occurs only if flags are triggered or you ask for help.

Newsletter consent. We currently use single opt‑in for marketing emails. Where you consent (or where soft opt‑in applies under local law), we log minimal evidence of consent (e.g., timestamp and method). You can unsubscribe at any time via the link in each email.