Your data,kept like a guest key.

We treat your data the way we treat a guest house key: collected carefully, kept somewhere quiet, never handed to strangers, and returned to you on request.

• We collect only what an enquiry or a newsletter strictly needs.
• We do not sell, rent or trade personal data — not now, not later.
• We host inside the European Union and prefer European processors.
• You may, at any hour, ask us to show, correct or erase what we hold.

The pages below describe each of these points in the detail the law asks for.

The controller within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is the operator named in the imprint: Marea Stays, with registered seat at 41 Rue d'Antibes, 06400 Cannes, France.

You may reach the maison's data protection desk in writing at privacy@mareastays.example or by post at the address above, marked "à l'attention du DPO". We answer within the statutory thirty days, and usually well before.

Enquiry forms. When you write to us about a residence, we collect the name, electronic address, telephone number (if you offer one), the dates and party size of the stay you have in mind, and the free-text content of your message. Sensitive categories within the meaning of Article 9 GDPR are never asked for, and should not be volunteered.

Newsletter. If you subscribe to our letters we keep your electronic address, your subscription date, the proof of your opt-in, and the timestamps of opens and clicks where your mail client signals them.

Server logs. Our hosting infrastructure automatically records the customary technical data of an HTTP visit — IP address, user agent, referrer, requested resource and timestamp — to detect malice and to keep the service available.

Cookies. A short description follows below; in short, we set strictly necessary cookies without asking, and request your consent for the rest.

We use enquiry data to answer you, to prepare an itinerary, to arrange a stay where one is requested, and — where applicable — to execute and account for that stay. Newsletter data is used to send the letters you signed up for and to measure, in aggregate, whether we are sending the right ones. Server logs are used to operate the service, prevent abuse and remediate incidents.

We do not engage in automated decision-making with legal effect (Article 22 GDPR), and we do not build behavioural profiles of individuals across third-party properties.

• Article 6(1)(b) GDPR — performance of a contract, or pre-contractual measures at your request — for enquiries and stays.
• Article 6(1)(a) GDPR — consent — for the newsletter and for non-essential cookies, withdrawable at any time.
• Article 6(1)(c) GDPR — legal obligation — for the retention of accounting records, tax records and the obligations of a property professional.
• Article 6(1)(f) GDPR — legitimate interests — for the security of the service, prevention of fraud and aggregate measurement, balanced against your rights.

We share personal data only with carefully selected processors acting on documented instructions under a written processing agreement (Article 28 GDPR), and only to the extent strictly needed:

• Hosting & mail. Vercel (EU edge), ProtonMail (Geneva) and the SMTP relay of Postmark (London).
• Newsletter. Buttondown (Frankfurt-am-Main region) for letter sending and consent records.
• Maps. Mapbox (Berlin region) for the tile rendering on residence detail pages.
• Accounting & payments. A French chartered accountant under professional secrecy, and where a stay is booked, Stripe Payments Europe Ltd (Dublin).

Owners and the property concerned receive your booking details to the extent necessary for the stay; that flow is described in the terms.

We host within the European Union by design. Where a processor is headquartered outside the EU, the personal data we entrust to it remains in the EU at rest and in transit, and the transfer of any metadata to the headquarters takes place under the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) together with the technical and organisational supplements required by Schrems II.

A current list of processors and the safeguards in place is provided on written request.

• Unanswered enquiries. Six months, then deleted.
• Answered enquiries without a booking. Two years, unless you ask earlier.
• Bookings and stays. Ten years, as French commercial law requires of a property professional.
• Newsletter records. Until you unsubscribe, plus three years to evidence the original consent.
• Server logs. Thirteen months, in line with the CNIL guidance on hosting logs.

You may, at any time and free of charge, request:

• access to your personal data and a copy of it (Article 15 GDPR);
• rectification of inaccurate or incomplete data (Article 16);
• erasure, where one of the grounds in Article 17 applies;
• restriction of processing under Article 18;
• portability of data you have provided to us (Article 20);
• objection on grounds relating to your particular situation (Article 21), and at any time for direct marketing.

You may withdraw your consent at any time, without prejudice to the lawfulness of processing carried out before the withdrawal. You may also lodge a complaint with the French supervisory authority — the Commission nationale de l'informatique et des libertés (CNIL), 3 place de Fontenoy, 75007 Paris — or with the supervisory authority of your habitual residence.

We use the following categories of cookies and equivalent local storage:

• Strictly necessary. Session continuity, security tokens, language preference. Lifespan: the session, or up to one year for preferences. No consent required.
• Audience measurement, anonymised. An EU-hosted audience measurement that does not set persistent identifiers and does not cross-reference with third parties. Configured to fall within the consent-exemption guidelines of the CNIL where possible; otherwise loaded only after consent.
• Embedded maps. Mapbox tiles, loaded only on pages that show a map and only after your visit to such a page.

We do not use advertising cookies, social plugins, fingerprinting or cross-site behavioural identifiers.

Write to privacy@mareastays.example or, by post, to: Marea Stays — DPO desk, 41 Rue d'Antibes, 06400 Cannes, France. We acknowledge within five working days and answer in substance within thirty.