Data Processing Agreement

Version 1.0, effective 5 May 2026

This Data Processing Agreement (DPA) forms part of the agreement between:

RoomPriceGenie AG, Sumpfstrasse 18, 6312 Steinhausen, Switzerland (“RoomPriceGenie”, “Provider”, “Processor”), and

the entity identified as customer in the applicable order form, subscription, or terms (“Customer”, “Controller”).

This DPA applies where and to the extent RoomPriceGenie processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

1.1 Capitalised terms not defined in this DPA have the meaning given in the Agreement.

1.2 Applicable Data Protection Laws means all data protection and privacy laws applicable to the Processing under this DPA, including (as applicable):

the Swiss Federal Act on Data Protection (as revised) (“Swiss FADP”) and its ordinances;
Regulation (EU) 2016/679 (“GDPR”);
the UK GDPR and Data Protection Act 2018 (to the extent applicable); and
any binding guidance, codes, or implementing legislation.

1.3 Customer Personal Data means Personal Data processed by RoomPriceGenie on behalf of Customer under this DPA.

1.4 Data Subject, Personal Data, Processing, Controller, Processor, Supervisory Authority, and Personal Data Breach have the meanings given in Applicable Data Protection Laws.

1.5 Standard Contractual Clauses or SCCs means the standard contractual clauses adopted by the European Commission for the transfer of personal data to third countries pursuant to GDPR, as updated or replaced from time to time.

1.6 Sub-processor means any Processor engaged by RoomPriceGenie to process Customer Personal Data.

2. Scope and Roles

2.1 Processor role. Customer appoints RoomPriceGenie as Processor to process Customer Personal Data on Customer’s behalf to provide the Services.

2.2 Controller role. Customer is the Controller of Customer Personal Data.

2.3 RoomPriceGenie as independent controller. Nothing in this DPA restricts RoomPriceGenie’s processing of personal data as an independent controller for its own legitimate business purposes, including account administration, billing, fraud prevention, product security, and legal compliance.

3. Swiss Data Residency

3.1 Primary hosting. RoomPriceGenie is a Swiss company and the Services are designed so that Customer Personal Data is hosted primarily in Switzerland and/or the European Economic Area (EEA).

3.2 Operational access. Customer acknowledges that, as part of operating and supporting the Services, Customer Personal Data may be accessed from other jurisdictions (for example, by authorised personnel or Sub-processors), including from countries outside Switzerland or the EEA.

3.3 RoomPriceGenie will not transfer Customer Personal Data to countries outside Switzerland or the EEA except where necessary to provide the Services and in accordance with Applicable Data Protection Laws and Section 12 (International Transfers).

4. Details of Processing

The subject matter, duration, nature and purpose of Processing, the types of Customer Personal Data and categories of Data Subjects are described in Annex 1.

5. Customer Obligations

5.1 Customer shall:

a) ensure it has a lawful basis to collect and provide Customer Personal Data to RoomPriceGenie;
b) ensure it provides all required notices to Data Subjects;
c) ensure its instructions comply with Applicable Data Protection Laws; and
d) be responsible for the legality, accuracy and quality of Customer Personal Data.

5.2 Customer shall not provide RoomPriceGenie with special categories of personal data (sensitive personal data) unless expressly agreed in writing and supported by appropriate safeguards.

6. RoomPriceGenie Obligations

6.1 RoomPriceGenie shall:

a) process Customer Personal Data only on documented instructions from Customer (including with regard to transfers), unless required to do otherwise by applicable law;
b) inform Customer if, in RoomPriceGenie’s reasonable opinion, an instruction infringes Applicable Data Protection Laws (unless prohibited by law);
c) ensure persons authorised to process Customer Personal Data are subject to confidentiality obligations; and
d) implement and maintain appropriate technical and organisational measures as described in Annex 2.

6.2 RoomPriceGenie may process Customer Personal Data as necessary to:

a) provide the Services;
b) maintain the security, availability and integrity of the Services;
c) provide support and troubleshooting; and
d) fulfil its contractual obligations under the Agreement.

7. Security

7.1 RoomPriceGenie shall implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

7.2 RoomPriceGenie may update the Security Measures from time to time, provided that such updates do not materially reduce the overall security of the Services.

8. Sub-processors

8.1 General authorisation. Customer provides a general authorisation for RoomPriceGenie to appoint Sub-processors.

8.2 Sub-processor list. RoomPriceGenie will maintain a list of Sub-processors which will be made available to Customer upon written request.

8.3 Notification. RoomPriceGenie will notify Customer of any intended addition or replacement of Sub-processors and give the Customer the opportunity to object.

8.4 Objection. Customer may object to a new Sub-processor within ten (10) Business Days of the update, on reasonable grounds relating to data protection. If Customer objects, the parties will work in good faith to find a commercially reasonable alternative. If no alternative is available, Customer may terminate the affected part of the Services and receive a pro-rata refund of prepaid fees for the terminated portion.

8.5 Flow-down. RoomPriceGenie shall impose data protection obligations on Sub-processors no less protective than those in this DPA.

8.6 RoomPriceGenie remains responsible for the performance of its Sub-processors’ obligations.

9. Assistance with Data Subject Requests

9.1 Taking into account the nature of the Processing, RoomPriceGenie shall provide reasonable assistance to Customer to respond to Data Subject requests under Applicable Data Protection Laws.

9.2 Where RoomPriceGenie provides such assistance, it shall do so at Customer’s cost, calculated at RoomPriceGenie’s then-current professional services rates (or as otherwise agreed in writing).

9.3 If RoomPriceGenie receives a request directly from a Data Subject relating to Customer Personal Data, RoomPriceGenie shall (unless legally prohibited):

a) notify Customer without undue delay; and
b) not respond to the request except on Customer’s documented instructions.

10. DPIAs and Supervisory Authority Consultation

10.1 RoomPriceGenie shall provide reasonable assistance to Customer with DPIAs and consultation with supervisory authorities, to the extent required under Applicable Data Protection Laws and taking into account the nature of Processing and information available to RoomPriceGenie.

10.2 Any such assistance shall be provided at Customer’s cost, calculated at RoomPriceGenie’s then-current professional services rates (or as otherwise agreed in writing).

11. Personal Data Breach

11.1 RoomPriceGenie shall notify Customer without undue delay of a Personal Data Breach affecting Customer Data after becoming aware.

11.2 The notification shall include, to the extent available:

a) a description of the breach;
b) the categories and approximate number of Data Subjects and records concerned;
c) likely consequences; and
d) measures taken or proposed to address the breach.

11.3 RoomPriceGenie shall cooperate with Customer in good faith to investigate, mitigate and remediate the breach.

11.4 RoomPriceGenie’s breach notification obligations do not apply to unsuccessful attempts or events that do not compromise the security of Customer Personal Data.

12. International Transfers

12.1 Transfers from the EEA. Where the GDPR applies and Customer Personal Data is transferred from the EEA to a country not recognised by the European Commission as providing an adequate level of protection, the parties agree that the EU SCCs (Module Two – Controller to Processor) are incorporated into this DPA by reference.

12.2 Transfers from Switzerland. Where the Swiss FADP applies and Customer Personal Data is transferred from Switzerland to a country not recognised by the Swiss Federal Council as providing an adequate level of protection, the parties agree that the EU SCCs are incorporated into this DPA by reference and shall be deemed amended as necessary to comply with Swiss requirements (including the FDPIC guidance and the Swiss addendum principles).

12.3 Transfers from the UK (if applicable). Where UK data protection law applies and Customer Personal Data is transferred from the United Kingdom to a country not recognised as adequate, the parties agree that the EU SCCs are incorporated by reference together with the UK Addendum (or UK IDTA, as applicable).

12.4 Supplementary measures. Where required, the parties will cooperate in good faith to implement supplementary measures.

12.5 Conflict. If there is a conflict between the SCCs and this DPA in respect of international transfers, the SCCs shall prevail.

13. Return and Deletion

13.1 Upon termination or expiry of the Services, RoomPriceGenie shall, at Customer’s choice and to the extent supported by the Services:

a) make Customer Personal Data available for export; and/or
b) delete Customer Personal Data.

13.2 RoomPriceGenie may retain Customer Personal Data where required by law or for legitimate purposes such as establishing, exercising or defending legal claims, provided that retained data remains protected and access is restricted.

13.3 Deletion will occur within a reasonable period following termination, taking into account backup and disaster recovery retention cycles.

14. Audits and Compliance

14.1 RoomPriceGenie shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

14.2 RoomPriceGenie may satisfy audit obligations by providing:

a) a SOC 2, ISO 27001 or equivalent third-party report (if available); and/or
b) a written summary of the Security Measures.

14.3 Customer audit. Customer may conduct an audit only:

a) where required by a Supervisory Authority or Applicable Data Protection Laws; or
b) where Customer reasonably believes RoomPriceGenie is in material breach of this DPA,

and in both cases subject to:

i) at least 30 days’ prior written notice;
ii) audits limited to once per 12-month period;
iii) audits conducted during normal business hours;
iv) scope limited to controls relevant to Customer Personal Data;
v) confidentiality obligations; and
vi) Customer paying RoomPriceGenie’s reasonable costs and expenses, including internal time, third-party costs, and legal or security review costs, in each case calculated at RoomPriceGenie’s then-current rates.

14.4 RoomPriceGenie may object to an audit request that would compromise security, confidentiality, or other customers’ data.

15. Confidentiality

RoomPriceGenie shall ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations.

16. Liability

16.1 The liability provisions and limitations in the Agreement apply to this DPA.

16.2 Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws.

17. Order of Precedence

In the event of conflict:

a) the SCCs prevail for international transfer matters;
b) this DPA prevails over the Agreement in respect of Processing of Customer Personal Data; and
c) the Agreement prevails for all other matters.

18. Term

This DPA remains in force for as long as RoomPriceGenie processes Customer Personal Data on behalf of Customer.

Annex 1 – Details of Processing

Subject matter: Provision of the RoomPriceGenie revenue management platform and related support services.

Duration: For the duration of the Agreement and for any additional period required to return or delete Customer Personal Data in accordance with the Agreement and this DPA.

Nature and purpose: Hosting, storing, transmitting, analysing, and otherwise processing Customer Personal Data as necessary to provide the Services, maintain the security and integrity of the Services, provide customer support, and fulfil contractual obligations. Customer determines the categories of Customer Personal Data submitted to the Services and is responsible for ensuring that such Personal Data is collected and provided to RoomPriceGenie in compliance with Applicable Data Protection Laws.

Categories of Data Subjects:

Customer personnel (including employees, agents, and authorised users of the Services)
Employees or representatives of hotels or organisations using the Services
Other individuals whose Personal Data may be included in data uploaded to the Services by the Customer

Types of Customer Personal Data:

Contact information (such as name, email address, and phone number)
Professional information (such as job title, organisation, and role)
Account and authentication data
Usage data relating to use of the Services
Technical data (such as IP address, device identifiers, and log data)
Billing and subscription information
Data uploaded to the Services by or on behalf of the Customer

Special categories: Processing of special categories of personal data is not intended and should not be included in the data submitted to the Services. Customer agrees not to submit special categories of Personal Data to the Services unless expressly agreed in writing with RoomPriceGenie.

Annex 2 – Security Measures

RoomPriceGenie implements technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of processing.

Access Control

Role-based access controls and least-privilege principles for internal systems
Multi-factor authentication (MFA) for privileged or administrative access

Encryption

Encryption of data in transit using industry-standard protocols (e.g. TLS)
Encryption at rest where supported by the underlying infrastructure provider

Infrastructure Security

Hosting on secure cloud infrastructure providers with industry-standard security controls
Logical access restrictions to production systems

Monitoring and Logging

Logging of relevant system and access events
Monitoring mechanisms to detect potential security incidents or service disruptions

Vulnerability Management

Use of automated tools and development practices to identify and remediate security vulnerabilities where appropriate
Application of security patches and updates as part of regular maintenance

Backup and Availability

Backup processes designed to support data recovery in the event of system failure
Measures intended to maintain availability and resilience of the Services

Personnel Security

Confidentiality obligations for personnel with access to Customer Personal Data
Internal security awareness and data protection practices

Sub-processor Management

Evaluation of Sub-processors prior to engagement
Contractual obligations requiring Sub-processors to implement appropriate security measures

Annex 3 – Standard Contractual Clauses

Where Section 12 applies, the SCCs are incorporated by reference.

For GDPR transfers: EU SCCs – Module Two (Controller to Processor). The official text is available at eur-lex.europa.eu.
For Swiss transfers: SCCs as adapted for Switzerland (Swiss addendum principles).

Updated May 2026

Cookie	Duration	Description
_calendly_session	21 days	Used by Calendly to enable scheduling functionality and maintain session state.
aka_debug	session	Used by Vimeo to ensure proper playback and debugging of embedded video content.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
localTimeZone	session	Stores the user’s timezone to improve website functionality.
referrer_user_id	14 days	Used by Calendly to support scheduling and referral tracking functionality.
tf_respondent_cc	6 months	Used by Typeform to prevent duplicate responses and ensure proper form functionality.
trp_language	1 month	Translate-Press plugin sets this cookie to store the users chosen language for the next visit.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	Stores user preferences for YouTube video playback across devices.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	Used by YouTube to store user interaction preferences with embedded videos.

Cookie	Duration	Description
__hssc	1 hour	Used by HubSpot to track sessions and store session information.
__hssrc	session	Used by HubSpot to determine if the visitor has restarted their browser.
__hstc	6 months	Main cookie used by HubSpot to track visitors and collect analytics data.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days 1 minute	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_Z5PN21JNGK	1 year 1 month 4 days	Used by Google Analytics to persist session state and measure user engagement on the website.
_gid	1 day	Used by Google Analytics to distinguish users and track usage.
attribution_user_id	1 year	Used by Typeform to track form submissions and user interactions.
CLID	1 year	Used by Microsoft Clarity to track user interactions and generate analytics reports.
hubspotutk	6 months	Used by HubSpot to track visitor identity and form submissions.
MR	7 days	Used by Microsoft to collect information for analytics and improve services.
SM	session	Used by Microsoft Clarity to synchronize the user ID across domains.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
__Secure-ROLLOUT_TOKEN	6 months	YouTube sets this cookie to manage feature rollout and experimentation. It helps Google control which new features or interface changes are shown to users as part of testing and staged rollouts, ensuring consistent experience for a given user during an experiment.
__Secure-YEC	6 months	Used by YouTube to store user preferences and support advertising and video playback.
__Secure-YNID	6 months	YouTube cookie used to protect user security and prevent fraud, especially during the login process.
_fbp	3 months	Facebook sets this cookie to store and track interactions.
_gcl_au	3 months	Used by Google Tag Manager to store and track advertising conversion information.
AnalyticsSyncHistory	1 month	Used by LinkedIn to store information about the timing of synchronization with advertising services.
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	Used by LinkedIn to track user interactions and support advertising services.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
SRM_B	1 year 24 days	Used by Microsoft Advertising to track visitors and measure the effectiveness of advertising campaigns.
test_cookie	16 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
UserMatchHistory	1 month	Used by LinkedIn to track users across websites and enable advertising and retargeting.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.