Last updated: 12 February 2026
1. Introduction
Ostaal SAS (hereinafter "Ostaal", "we") is committed to protecting the privacy of its users. This Privacy Policy describes how we collect, use, store and protect your personal data in accordance with the General Data Protection Regulation (GDPR).
2. Data controller
- Ostaal SAS
- Registered office: [address]
- Email: contact@benode.fr
3. Data collected
3.1 Registration data
- First and last name
- Email address
- Phone number (optional)
- Profile picture (optional)
3.2 Identity verification data
- Identity document (national ID / passport)
- SIRET number (for professional Hosts)
- Property title or lease (for Hosts)
3.3 Usage data
- IP address
- Browser type and device
- Pages visited and actions taken
- Connection dates and times
3.4 Communication data
- Messages exchanged via the integrated messaging service
- Rental contracts signed electronically
4. Purposes of processing
Your data is processed for the following purposes:
- Account management: creation, authentication, profile management
- Matchmaking: messaging between Hosts and Travelers
- Identity verification: fraud prevention, regulatory compliance
- Billing: subscription and payment management
- Service improvement: anonymised statistics, bug fixes
- Communication: notifications, transactional emails
5. Legal bases
| Purpose | Legal basis |
|---|---|
| Account management | Contract performance |
| Matchmaking | Contract performance |
| Identity verification | Legal obligation |
| Billing | Contract performance |
| Statistics | Legitimate interest |
| Notifications | Consent |
6. Retention period
- Account data: account lifetime + 3 years after deletion
- Verification data: 5 years (legal obligation)
- Messages: 3 years after last interaction
- Signed contracts: 10 years (legal obligation)
- Payment data: retained by Stripe according to its own policy
- Connection logs: 12 months
7. Data recipients
Your data may be shared with:
- Clerk: authentication and session management
- Stripe: payments and identity verification
- Cloud host: secure data storage
- Resend: transactional email delivery
No data is sold to third parties.
8. International transfers
Some of our sub-processors are located outside the European Union. Transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Your rights
In accordance with the GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right of rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to portability: receive your data in a structured format
- Right to object: object to the processing of your data
- Right to restriction: restrict the processing of your data
To exercise your rights: contact@benode.fr
You also have the right to lodge a complaint with the relevant data protection authority.
10. Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption of data in transit (TLS) and at rest
- Secure authentication via Clerk
- SHA-256 hashing of contractual documents
- Restricted access to data based on the principle of least privilege
- Regular security audits
11. Cookies
We only use cookies essential to the Platform's operation and analytical cookies via Umami (a privacy-friendly solution with no personal tracking).
12. Contact
For any questions regarding the protection of your data:
- Email: contact@benode.fr
- Post: Ostaal SAS — DPO, [address]