GDPR · Article 28

Data Processing Agreement (DPA)

Annex to the Terms of Sale. This agreement governs the processing of personal data carried out by Anywhere on behalf of the Client, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

Reference version · 8 June 2026
This is the reference version of the Data Processing Agreement (DPA).

Parties

The Controller

The Client, i.e. the legal entity or individual holding the Anywhere account and identified upon online subscription, acting as data controller within the meaning of the GDPR, hereinafter referred to as the “Controller” or the “Client”.

The Processor

LIVING PARISIAN INVESTORS & RESIDENCES, a French EURL with a share capital of €527,900, registered with the Nanterre Trade and Companies Register under number 804 662 716, whose registered office is located at Boulogne-Billancourt (92100), France, publisher of the Anywhere ecosystem, hereinafter referred to as the “Processor” or “Anywhere”.

The Controller and the Processor are hereinafter referred to collectively as the “Parties” and individually as a “Party”.

Preamble

The Processor provides the Controller with the services of the Anywhere ecosystem, including in particular the Channel Manager, the Online Check-in and the tools related to direct booking, under the conditions defined by the Terms of Sale or any other main agreement entered into between the Parties.

In this context, the Processor may process personal data on behalf of the Controller, in particular data relating to travellers, bookings and account users.

This data processing agreement, hereinafter the “DPA”, aims to govern such processing in accordance with Article 28 of Regulation (EU) 2016/679 (the “GDPR”).

This DPA forms an integral part of the Main Agreement. In the event of any conflict between the Main Agreement and this DPA regarding the protection of personal data, this DPA shall prevail.

Article 1 — Purpose

This DPA defines the conditions under which the Processor processes, on behalf of and on documented instructions from the Controller, the personal data necessary for the provision of the Services.

A description of the processing is set out in Annex 1.

Article 2 — Definitions

The terms “personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach”, “sub-processor” and “supervisory authority” have the meaning given to them by the GDPR.

The Controller determines the purposes and essential means of the processing.

The Processor acts solely on behalf of the Controller, on its documented instructions, within the framework of the provision of the Services.

Article 3 — Description of the processing

The nature and purposes of the processing, the categories of data subjects, the categories of data processed and the applicable retention periods are described in Annex 1.

The Processor does not process personal data for its own purposes, except where required by law or with the Controller's express agreement.

Article 4 — Documented instructions

The Processor processes personal data only on documented instructions from the Controller.

The following constitute documented instructions in particular:

  • the Main Agreement;
  • this DPA;
  • the settings configured by the Controller within the Services;
  • written requests sent by the Controller to the Processor.

The Controller is solely responsible for the lawfulness of the processing it decides to implement via the Services, in particular when it activates optional features such as the collection of a photograph, a selfie or an identity document image.

The Processor informs the Controller if it considers that an instruction infringes the GDPR or any other applicable data protection provision.

Article 5 — Respective roles of the Parties

The Controller remains solely responsible for:

  • determining the purposes of the processing;
  • determining the applicable legal bases;
  • informing the data subjects;
  • complying with the rights of data subjects;
  • configuring the Services;
  • the relevance, necessity and proportionality of the data it chooses to collect via the Services.

The Processor acts solely as a technical provider enabling the Controller to manage its bookings, traveller arrivals, Online Check-in and direct bookings.

Where the Controller activates an optional feature allowing it to request a photograph, a selfie or an identity document image, it does so under its sole responsibility. The Processor carries out no automatic identity verification, no facial recognition and no biometric processing.

Article 6 — Confidentiality

The Processor ensures that the persons authorised to process the personal data are bound by an appropriate confidentiality obligation, whether contractual, statutory or legal.

The Processor limits access to the data to those persons who need access to it for the provision of the Services, maintenance, support or the security of the platform.

Article 7 — Security of processing

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing.

These measures are described in Annex 2.

The Processor undertakes in particular to implement measures intended to protect the data against destruction, loss, alteration, unauthorised disclosure or unauthorised access, whether accidental or unlawful.

The Controller remains responsible for the security of its own environment, in particular the management of its credentials, its user accesses, its devices and its own internal obligations.

Article 8 — Identity data, selfie and identity document

The Services may allow the Controller, if it wishes, to activate an optional feature for requesting a photograph, a selfie or an identity document image from a traveller.

This feature is provided as a technical tool made available to the Controller.

The Controller decides alone:

  • whether or not to activate this feature;
  • which travellers are concerned;
  • the purposes pursued;
  • the applicable legal basis;
  • the information provided to travellers;
  • the necessity and proportionality of the collection;
  • the action taken following the verification.

The Processor carries out no automatic identity verification, no facial recognition, no biometric matching and no biometric processing.

Verification, where carried out, is performed manually by the Controller or by the persons it authorises.

Unless otherwise expressly provided technically in the Main Agreement or in the Services documentation, identity document images and selfies are accessible only to the Controller via its account, within the limits of the security measures provided by the platform.

The Processor recommends that the Controller activate this feature only where it is strictly necessary, proportionate and legally justified, and that it favour, where possible, verification without durable retention of a copy of the identity document.

Identity document images and selfies are automatically deleted under the conditions specified in Annex 1, unless a contrary documented instruction from the Controller applies where such instruction is lawful.

Article 9 — Use of sub-processors

The Controller authorises the Processor to use the sub-processors necessary for the provision of the Services.

The list of authorised sub-processors is set out in Annex 3.

The Processor informs the Controller of any intended change concerning the addition or replacement of a sub-processor, with reasonable prior notice of fifteen (15) days, save in cases of urgency relating to security, the continuity of the Services or a legal obligation.

The Controller may raise a reasonable and substantiated objection regarding a new sub-processor. In such case, the Parties shall consult in good faith to examine possible solutions.

The Processor imposes on its sub-processors data protection obligations substantially equivalent to those provided for in this DPA.

The Processor remains responsible to the Controller for its sub-processors' compliance with the obligations entrusted to them.

Article 10 — Rights of data subjects

The Processor assists the Controller, as far as possible and taking into account the nature of the processing, in responding to requests from data subjects exercising their rights.

These rights may include in particular:

  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restriction of processing;
  • the right to object;
  • the right to data portability, where applicable.

Where the Processor receives directly a request from a data subject relating to data processed on behalf of the Controller, it forwards it to the Controller as soon as possible, without responding to it itself unless instructed otherwise by the Controller or required by law.

Article 11 — Assistance to the Controller

Taking into account the nature of the processing and the information available to it, the Processor assists the Controller in complying with its obligations relating to:

  • the security of processing;
  • the notification of personal data breaches;
  • the communication of a personal data breach to the data subjects, where such communication is required;
  • data protection impact assessments;
  • prior consultation of the supervisory authority, where this is necessary.

This assistance is provided within the reasonable limits of the information available to the Processor and of its role as a technical provider.

Where the assistance requested exceeds the standard support provided for in the Main Agreement, it may be subject to specific charges, after prior notice to the Controller.

Article 12 — Notification of personal data breaches

The Processor notifies the Controller of any personal data breach concerning it as soon as possible after becoming aware of it, and no later than within forty-eight (48) hours.

The notification specifies, as far as possible:

  • the nature of the breach;
  • the categories and approximate number of data subjects concerned;
  • the categories and approximate number of records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach;
  • the measures taken or proposed to mitigate its possible adverse effects.

The Processor cooperates reasonably with the Controller to enable it to comply with its own notification obligations to the supervisory authority or to data subjects.

Notification of a personal data breach by the Processor does not constitute an acknowledgement of liability.

Article 13 — Transfers outside the European Union

The Processor transfers personal data outside the European Union or the European Economic Area only where such transfer is necessary for the provision of the Services or results from the authorised sub-processors.

Where data is transferred to a country not benefiting from an applicable adequacy decision, the Processor ensures that appropriate safeguards are in place, in particular the European Commission's standard contractual clauses or any other mechanism recognised by the GDPR.

Certain sub-processors may process data from the United States, in particular Stripe and Google. These transfers are framed by the safeguards implemented by these providers, as specified in their applicable data processing terms or data processing agreements.

The list of sub-processors, their purpose and their location are indicated in Annex 3.

Article 14 — Return or deletion of data on termination

On termination of the Main Agreement, the Processor deletes or returns the personal data processed on behalf of the Controller, at the Controller's choice, except where storage is required by law or where temporary retention is necessary for evidential, security, billing or defence-of-rights purposes of the Processor.

The Controller's account data is deleted within ninety (90) days after the effective termination of the Main Agreement, unless otherwise requested or required by law.

Identity document images, selfies and equivalent files collected via the Online Check-in are automatically deleted within thirty (30) days after they are uploaded, unless a different setting or documented instruction from the Controller applies, provided that such instruction is lawful.

Backups are purged in accordance with their normal rotation cycle, within a reasonable period, save for any legal obligation, security need or incident under analysis.

The Processor may retain data strictly necessary to comply with its legal, accounting, tax, contractual or litigation obligations, for the legally applicable periods.

Article 15 — Documentation and audits

The Processor makes available to the Controller the information reasonably necessary to demonstrate compliance with the obligations provided for in this DPA.

The Controller may carry out or have carried out an audit, including an inspection, under reasonable conditions.

Save in the event of a proven security incident, a request from a supervisory authority or a particular legitimate reason, audits are limited to once per year.

Any audit must be preceded by reasonable prior notice of at least thirty (30) days, be carried out during business hours, respect the confidentiality of the Processor's information and not disproportionately disrupt the continuity of the Services.

The Controller and any auditor mandated by it undertake to respect the confidentiality of the technical, commercial, organisational or security information to which they may have access.

Audits carried out on site or requiring significant mobilisation of the Processor's teams may be subject to reasonable charges, after prior notice to the Controller.

Article 16 — Records and compliance

The Processor maintains, where required by the GDPR, a record of the categories of processing activities carried out on behalf of controllers.

Each Party remains responsible for its own documentation obligations, in particular regarding records of processing, informing data subjects, handling rights requests and, where applicable, impact assessments.

Article 17 — Term

This DPA takes effect on the same date as the Main Agreement.

It remains in force throughout the term of the Main Agreement, as well as for any period necessary for the return, deletion or temporary retention of the data in accordance with this DPA.

Article 18 — Liability

The liability of the Parties is governed by the Main Agreement.

Any limitation of liability provided for in the Main Agreement applies between the Parties to the extent permitted by applicable law, without prejudice to the mandatory provisions of the GDPR and the rights of data subjects.

The Controller remains solely responsible for the consequences arising from an unlawful instruction, an inappropriate configuration of the Services or the activation of an optional data-collection feature without a sufficient legal basis.

Article 19 — Governing law and jurisdiction

This DPA is governed by French law.

Any dispute relating to this DPA falls within the jurisdiction of the Commercial Court of Nanterre, under the conditions provided for in the Main Agreement, save for any mandatory contrary legal provision.

Annex 1 — Description of the processing

1. Services concerned

The processing carried out by the Processor has the purpose of providing the Anywhere ecosystem, including in particular:

  • the multi-channel management of bookings;
  • the synchronisation of availability, rates and booking information;
  • the Online Check-in;
  • the transmission or provision of information useful for travellers' arrivals;
  • the sending of e-mails related to the stay or to the operation of the Service;
  • the management of the Controller's user account;
  • the provision of a direct booking website;
  • payment processing where activated via the payment provider;
  • the security, abuse prevention, logging and maintenance of the Services.

The Processor does not manage the individual police registration form on behalf of the Controller.

2. Categories of data subjects

The data subjects are in particular:

  • the Controller's travellers or end clients;
  • the users of the Controller's account;
  • the Controller's staff, providers or representatives;
  • prospects or clients making a direct booking via the Services.

3. Categories of data processed

The categories of data likely to be processed are in particular:

Identification data

  • surname;
  • first name;
  • title, where applicable;
  • date of birth, if collected;
  • nationality, if collected;
  • address, if collected.

Contact details

  • e-mail address;
  • telephone number;
  • postal address, if collected.

Booking and stay data

  • dates of stay;
  • property booked;
  • number of travellers;
  • booking amount;
  • payment status;
  • booking channel;
  • requests or information relating to the stay;
  • booking history.

Online Check-in data

  • information entered by the traveller in the check-in form;
  • documents or files possibly uploaded by the traveller, if the Controller activates this feature;
  • identity document image, if requested by the Controller;
  • photograph or selfie, if requested by the Controller;
  • date and time of check-in validation;
  • check-in status.

Payment data

The Processor does not store full payment card data.

Payments are operated by the payment provider Stripe. The Processor may process limited payment-related information, such as the transaction identifier, the payment status, the amount, the currency, the payment date and the information necessary for reconciliation with the booking.

Technical and security data

  • IP address;
  • connection logs;
  • technical identifiers;
  • timestamps;
  • activity traces;
  • information relating to the browser, device or session;
  • data necessary for abuse prevention, security and maintenance.

4. Clarifications regarding identity documents and selfies

Collecting an identity document image or a selfie is an optional feature that the Controller may decide to activate or not.

The Processor carries out:

  • no facial recognition;
  • no biometric verification;
  • no automatic matching between the selfie and the identity document;
  • no automated decision-making regarding the traveller's identity.

Any verification is carried out manually by the Controller.

The Controller remains solely responsible for the lawfulness of this collection, for informing the travellers and for the legal basis chosen.

5. Retention periods

Data is retained for the period necessary to provide the Services and according to the periods configured or documented by the Controller. By way of indication:

  • booking data: for the term of the Main Agreement, unless deleted or exported by the Controller;
  • client account data: up to ninety (90) days after the end of the Main Agreement;
  • identity document images and selfies: automatic deletion thirty (30) days after upload, unless a different lawful documented instruction from the Controller applies;
  • technical and security logs: a limited period, proportionate to the security and maintenance purposes;
  • backups: retained according to the backup cycle defined in Annex 2;
  • limited payment data: the period necessary for transaction tracking, accounting, evidence and dispute management.

Annex 2 — Technical and organisational security measures

The Processor implements in particular the following measures.

1. Hosting

The main data of the Services is hosted in France with OVH SAS.

2. Communication security

Communications with the Services are protected by encryption in transit, in particular via TLS where applicable.

3. Encryption of sensitive files

Sensitive files, in particular identity document images and selfies where collected, are subject to encryption measures.

Where the technical architecture allows it, the encryption key is held by the Controller, so that the Processor can technically store the files without accessing their content in clear text.

4. Access management

The Processor implements access control measures, including in particular:

  • user authentication;
  • management of access rights;
  • restriction of access to authorised persons only;
  • removal or deactivation of accesses that are no longer needed;
  • segregation of rights by role where applicable.

5. Logging

The Processor implements logging mechanisms intended to ensure security, traceability, maintenance and the detection of abusive use. Logs are retained for a limited period, proportionate to these purposes.

6. Protection against abuse

The Processor may use mechanisms to protect against abusive use, in particular Google reCAPTCHA or any equivalent tool, in order to protect forms and the Services against automated, fraudulent or malicious use.

7. Backups

The Processor performs regular backups in order to contribute to the availability and resilience of the Services. Backups follow a regular rotation cycle and are then purged, and are protected by appropriate security measures.

8. Environment segregation

The Processor ensures, where applicable, the separation of production, test and development environments. Real data must not be used in test or development environments without necessity, supervision or appropriate protective measures.

9. Maintenance and updates

The Processor implements reasonable measures for the maintenance, remediation of vulnerabilities and updating of the technical components used to provide the Services.

10. Internal confidentiality

Persons authorised to access the data are bound by a confidentiality obligation.

11. Limits

The Controller remains responsible for the security of its own accesses, user accounts, passwords, devices, staff and its own internal practices.

Annex 3 — Authorised sub-processors

As at the reference date of this DPA, the authorised sub-processors are as follows.

Sub-processor | Purpose | Data location
OVH SAS | Hosting of the Services and data | France
Stripe Payments Europe | Payment processing, transaction management and prevention of payment fraud | European Union / United States
Google Ireland Ltd / Google LLC | Sending e-mails via the Gmail API, abuse protection via reCAPTCHA, audience measurement via Google Analytics | European Union / United States

The Processor may update this list in accordance with Article 9 of this DPA.

Where the sub-processors involve a transfer of data outside the European Union or the European Economic Area, the Processor ensures that such transfers are framed by appropriate safeguards within the meaning of the GDPR, in particular an applicable adequacy decision, standard contractual clauses or any other mechanism recognised by the applicable regulations.

Annex 4 — Data protection contact

For any request relating to the protection of personal data under this DPA:

Controller's contact

The Controller's contact details are those entered in its Anywhere account and upon subscription.

Processor's contact

For any question relating to this DPA, the Processor can be contacted at contact@anywhere-app.com.

Acceptance

This DPA is accepted online, inseparably from the acceptance of the Terms of Sale, upon subscription to the Services. This electronic acceptance, timestamped and retained by the Processor, constitutes a signature within the meaning of Article 28 of the GDPR and binds the Controller.

A Controller wishing to enter into a signed or amended data processing agreement may request this at contact@anywhere-app.com.
