ELIIO BOOKING PLATFORM

Privacy Policy

Effective date: 12 June 2026
Version: 1.0

1. Who We Are

[Eliio B.V.] (“Eliio”, “we”, “us”) operates the Eliio booking platform used by entertainment venues (our “Tenants”) to manage and sell bookings. Our registered office is at [address], the Netherlands. For privacy questions, contact privacy@eliio.com.

This Privacy Policy explains how personal data is processed when you use the Eliio platform, whether you are a member of staff at one of our Tenants (a “Tenant User”), a person making a booking with a Tenant (an “End Customer”), or a visitor to our websites.

2. Our Role: Controller or Processor

The Eliio platform serves multiple businesses. Our role under the EU General Data Protection Regulation (“GDPR”) depends on the data in question:

  • Eliio as processor. When an End Customer books with a Tenant, the personal data submitted (name, contact details, booking details, payment status) is controlled by that Tenant. Eliio processes this data on the Tenant’s behalf, under a Data Processing Agreement. For requests about this data, the Tenant is your primary point of contact; we will support and redirect requests as appropriate.
  • Eliio as controller. We act as an independent controller for: Tenant User account data; billing and contractual data of Tenants; platform usage, security, and audit logs; and data collected on our own marketing websites.

3. Personal Data We Process

3.1 End Customers (on behalf of Tenants)

  • Identity and contact data: name, email address, phone number.
  • Booking data: product booked, venue/branch, date and time, party size, add-ons, special requests.
  • Payment-related data: payment status, transaction reference, refund history. Full card details are processed by Stripe and never stored by Eliio.
  • Communications: booking confirmations, reminders, and cancellation notices sent by email.

3.2 Tenant Users

  • Account data: name, business email address, role, branch assignment, hashed password.
  • Usage and security data: login timestamps, IP address, device/browser information, actions performed in the admin panel (audit log).

3.3 Website visitors

  • Technical data: IP address, browser type, pages visited, referral source.
  • Cookie data as described in Section 9.

4. Purposes and Legal Bases

Where Eliio acts as controller, we process personal data for the following purposes and legal bases under Article 6 GDPR:

  • Providing accounts and operating the platform — performance of a contract (Art. 6(1)(b)).
  • Security, fraud prevention, and tenant data isolation (including audit logs of access attempts) — legitimate interests (Art. 6(1)(f)) in protecting the platform and its users.
  • Billing and tax compliance — legal obligation (Art. 6(1)(c)) and performance of a contract.
  • Service communications (maintenance notices, security alerts) — legitimate interests or performance of a contract.
  • Product improvement and aggregate analytics — legitimate interests; where required, consent (Art. 6(1)(a)).
  • Marketing to prospective tenants — consent or legitimate interests, with an opt-out in every message.

Where Eliio acts as processor, the Tenant determines the purposes and legal bases; typically performance of the booking contract with the End Customer.

5. Sub-Processors and Recipients

We share personal data only as necessary to operate the platform, with parties including:

  • Stripe Payments Europe, Ltd. — payment processing and merchant onboarding (Ireland/EU; certain data may be transferred to Stripe, Inc. in the US under safeguards described in Section 6).
  • Amazon Web Services — cloud file storage (region: [EU region]), with tenant-scoped storage paths.
  • Google LLC — calendar synchronisation, only for Tenants who connect their Google Calendar; processing is limited to creating and updating booking events.
  • [Email provider, e.g. SendGrid/Twilio] — delivery of transactional emails.
  • [Hosting provider] — application hosting and infrastructure.

We may also disclose data where required by law, to enforce our agreements, or in connection with a corporate transaction (with notice where required). An up-to-date list of sub-processors is available on request and, for Tenants, in the DPA annex. We never sell personal data.

6. International Transfers

We store and process personal data primarily within the European Economic Area. Where a sub-processor transfers data outside the EEA (for example, Stripe or Google entities in the United States), the transfer is protected by an adequacy decision (such as the EU-US Data Privacy Framework, where the recipient is certified) or by the European Commission’s Standard Contractual Clauses, supplemented where necessary by additional safeguards.

7. Retention

We keep personal data only as long as necessary for the purposes described above:

  • Booking data — retained for the duration needed by the Tenant; booking records are automatically anonymised one year after the booking date, unless the Tenant’s configuration or legal obligations require otherwise.
  • Financial and transaction records — retained for 7 years to meet Dutch tax law obligations (fiscale bewaarplicht).
  • Tenant User accounts — retained for the duration of the Tenant agreement and deleted or anonymised within 30 days after account deletion, except where logs must be kept for security or legal reasons.
  • Security and audit logs — retained for up to [12-24 months], or longer where needed for an ongoing investigation.
  • Marketing data — until consent is withdrawn or after a prolonged period of inactivity.

8. Security

We apply technical and organisational measures appropriate to the risk, including:

  • encryption of data in transit (TLS) and at rest;
  • strict tenant data isolation enforced at multiple layers of the platform, with automated tests and audit logging of any cross-tenant access attempt;
  • role-based access control and the principle of least privilege for staff access;
  • hashed and salted password storage; signed, expiring session tokens;
  • regular backups, with encrypted storage and periodic restore testing;
  • vulnerability management and security review of changes before release.

No system is perfectly secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected individuals and Tenants without undue delay, in accordance with Articles 33 and 34 GDPR.

9. Cookies and Similar Technologies

The booking pages and admin panel use:

  • Strictly necessary cookies — session management, security (e.g. CSRF protection), and load balancing. These do not require consent.
  • Functional cookies — remembering language and preferences.
  • Analytics cookies — used only with your consent, to understand aggregate usage.

Where consent is required, it is requested via a cookie banner and can be withdrawn at any time via the cookie settings link in the footer. The embeddable booking widget sets only strictly necessary cookies inside its own frame.

10. Your Rights

Under the GDPR you have the right to:

  • access the personal data we hold about you and receive a copy;
  • rectify inaccurate or incomplete data;
  • erasure (“right to be forgotten”), where the legal conditions are met;
  • restriction of processing;
  • data portability, for data processed by automated means on the basis of contract or consent;
  • object to processing based on legitimate interests, and to object at any time to direct marketing;
  • withdraw consent at any time, without affecting prior processing;
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The platform does not perform such automated decision-making.

How to exercise your rights. If your request concerns a booking with a specific venue, please contact that venue (the controller) first; we support Tenants in answering such requests. For data controlled by Eliio, email privacy@eliio.com. We respond within one month, extendable by two further months for complex requests.

You also have the right to lodge a complaint with a supervisory authority, in particular the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or the authority of your place of residence.

11. Children

The platform is not directed at children under 16, and we do not knowingly process their personal data as controller. Bookings must be made by adults; where an experience is attended by minors, the booking adult is responsible for the information provided.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via the platform or by email before they take effect. The “Effective date” at the top indicates the latest revision. Earlier versions are available on request.

13. Contact

Controller (for data described in Section 2): [Eliio B.V.]

Address: Netherlands

Privacy contact: info@eliio.com