GDPR & Data Protection
Last updated: 13 July 2026
This page explains Bokable's approach to the EU General Data Protection Regulation (GDPR). It supplements our Privacy Policy and does not replace a customer agreement or data processing agreement.
Bokable is a product of Destination AS, organisation number 921 817 320, Malurtveien 8, 1369 Stabekk, Norway. Destination AS is the legal party behind the roles described below.
1. Our roles under GDPR
Our role depends on why and how personal data is processed:
- Controller: Bokable is the controller when we process account, billing, website, sales, and support information for our own business purposes.
- Processor: A Bokable customer is normally the controller for guest, booking, and property data entered into the platform. Bokable processes that data on the customer's documented instructions.
2. Legal bases
When Bokable acts as controller, processing may be based on:
- Performance of a contract or steps requested before entering a contract
- Compliance with legal obligations, including accounting requirements
- Our legitimate interests in operating, securing, and improving the service
- Consent, where consent is the appropriate basis and can be withdrawn
3. Data processing commitments
When Bokable acts as a processor, our data processing arrangements are designed to:
- Limit processing to the customer's documented instructions
- Require confidentiality from people authorised to process personal data
- Apply appropriate technical and organisational security measures
- Use subprocessors subject to appropriate data protection obligations
- Assist customers with data-subject requests, security incidents, and compliance duties
- Return or delete personal data at the end of the service, subject to legal requirements
Customers may request a data processing agreement by contacting [email protected].
4. Your rights
Depending on the circumstances, GDPR may give you the right to:
- Access personal data and receive information about its processing
- Correct inaccurate or incomplete personal data
- Request erasure or restriction of processing
- Receive portable data where the portability right applies
- Object to processing based on legitimate interests or direct marketing
- Withdraw consent without affecting earlier lawful processing
- Receive safeguards relating to applicable automated decision-making
If your request concerns a booking or guest record, contact the accommodation provider first because it normally controls that data. Bokable assists its customers in responding. For data Bokable controls, email us at the address below. We normally respond within one month and may ask for information needed to verify your identity.
5. Security
Bokable uses measures intended to protect personal data against unauthorised access, alteration, loss, or disclosure. These include encryption in transit, access controls, logging, backups, and security monitoring. Primary service data is hosted on Microsoft Azure infrastructure within the European Economic Area (EEA).
6. Subprocessors and international transfers
We use service providers for functions such as infrastructure, payments, email, and media delivery. Where personal data is transferred outside the EEA, we use a lawful transfer mechanism where required, such as an adequacy decision or the European Commission's Standard Contractual Clauses, together with additional safeguards when appropriate.
7. Personal data breaches
We maintain procedures for identifying, assessing, and responding to security incidents. When Bokable acts as processor, we notify the affected customer without undue delay after becoming aware of a personal data breach. When Bokable acts as controller, we notify the relevant authority and affected individuals when GDPR requires it.
8. Retention and deletion
Personal data is kept only for as long as needed for the relevant purpose, the customer agreement, and applicable legal obligations. Customer-controlled data can be exported or deleted in accordance with the service agreement. Residual backup copies are removed through scheduled backup-retention cycles.
9. Contact and complaints
To exercise a right or ask a data protection question, contact [email protected]. You also have the right to lodge a complaint with the Norwegian Data Protection Authority or the supervisory authority in your country of residence or work.
10. The regulation
The full legal text is available from EUR-Lex. We may update this overview as our services, suppliers, or legal obligations change.