Privacy

Privacy policy (RGPD)

Last updated 14 July 2026 · governed by Regulation (EU) 2016/679 (GDPR/RGPD) and Loi Informatique et Libertés n° 78-17 modifiée

1. Responsable du traitement

The data controller is Blastnes Retail SAS, 12 rue de Rivoli, 75004 Paris, France (SIREN 928 471 653). Data protection officer contact : dpo@blastnes.org. Regulator : Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — déclaration n° 2497183.

2. What we collect from your Lodgify account

When you sign in with your Lodgify Login, Lodgify issues Blastnes a scoped Public API token. We use this token to read only the endpoints each specific module needs — for example, Autopricer reads Rates and Availability; Cleaning Coordinator reads Bookings and Guests. The full list of endpoints touched per module is on each product page.

We never receive or store your Lodgify password. The scoped token can be revoked at any time from your Lodgify account settings, which immediately disables all Blastnes modules.

3. Personal data categories

  • Account holder — name, email, billing address, VAT number (if company).
  • Guest data — read from Lodgify only when strictly necessary for a specific module (Cleaning Coordinator: phone; Guest ID Verification: forwarded to KYC provider, never stored by us; Damage Deposit: email for Stripe receipt).
  • Technical logs — IP, browser, timestamps, per Art. 5(1)(f) RGPD, kept 30 days.
  • Support correspondence — emails, ticket content, kept 3 years then anonymised.

4. Legal bases (Art. 6 RGPD)

Contract performance (Art. 6-1-b) for module operation; legal obligation (Art. 6-1-c) for invoicing and tax retention; legitimate interest (Art. 6-1-f) for security logs and fraud prevention; consent (Art. 6-1-a) for non-essential cookies and the optional monthly newsletter.

5. Retention periods

Module data: 30 days after cancellation, then purged. Invoices: 6 years per Code de commerce Art. L123-22. Support tickets: 3 years then anonymised. Marketing consent: revoked at any time; anonymised within 30 days of revocation.

6. Transfers outside the EU

By default, no data leaves the European Union — our infrastructure runs on Scaleway EU-west (Paris, Amsterdam). Two exceptions require your explicit action to enable: Guest ID Verification via Onfido (UK — adequacy decision) or Veriff (EE); Data Warehouse Bridge writing to your Snowflake / BigQuery / Redshift instance in the region you configure. In both cases you actively pick the destination.

7. Your rights (Art. 15-22 RGPD)

You may exercise, free of charge, the rights of access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and the right not to be subject to automated decision-making. Send requests to dpo@blastnes.org — we respond within 30 days per Art. 12(3). If unsatisfied you may lodge a complaint with the CNIL at cnil.fr/plaintes.

8. Cookies

Only strictly necessary cookies (session, CSRF) are set without consent, per CNIL délibération 2020-091. Full breakdown on the cookie policy page.

9. Security

All data in transit uses TLS 1.3. Data at rest is encrypted with AES-256. Access is limited to named engineers; every access is logged. Any personal-data incident is reported to the CNIL within 72 hours per Art. 33 RGPD and to affected users the same day.

10. Changes to this policy

Material changes are notified 30 days in advance via email to account holders and highlighted on this page. Non-material clarifications (typos, wording) can be updated without notice.

Contact DPO : dpo@blastnes.org · postal : Blastnes Retail SAS — DPO, 12 rue de Rivoli, 75004 Paris, France.