Last updated: March 4, 2026
BookNLoop is operated by Panagiotis Doganis ("Data Controller"), based in Athens, Greece. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and applicable Greek data protection law (Law 4624/2019).
For any privacy-related questions or to exercise your rights, contact us at: p.doganis@booknloop.com
We collect different data depending on how you interact with the Platform:
When you register and use the hotel dashboard, we collect: email address, password (stored as a secure hash, never in plain text), hotel name, property details, room information, photos, amenities, contact phone number, and any auto-negotiation rules you configure.
When you register or submit a bid, we collect: email address, password (stored as a secure hash), full name, phone number (optional), search queries, bid amounts, and booking details.
When you visit any page on BookNLoop, we automatically collect: IP address (anonymized for analytics), browser type and version, pages viewed, timestamps, referrer URL, and a randomly generated session identifier. We also collect data through Google Analytics 4 (see Section 5 on Cookies).
If you submit a message through our contact form, we collect: your email address and message content.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Email, password hash | Contract performance (Art. 6(1)(b)) |
| Facilitating bookings between partners and travelers | Name, email, phone, bid details, booking details | Contract performance (Art. 6(1)(b)) |
| Sending booking notifications and bid updates | Email address | Contract performance (Art. 6(1)(b)) |
| Hotel profile and room management | Property details, room data, photos | Contract performance (Art. 6(1)(b)) |
| Auto-negotiation (Autopilot) | Bid data, negotiation rules | Contract performance (Art. 6(1)(b)) |
| Analytics and platform improvement | Page views, session data, anonymized IP | Legitimate interest (Art. 6(1)(f)) |
| Responding to contact form inquiries | Email, message content | Legitimate interest (Art. 6(1)(f)) |
| Google Analytics tracking | See Section 5 | Consent (Art. 6(1)(a)) |
We share personal data only with the following categories of recipients, and only to the extent necessary:
Booking counterparties: When a booking is confirmed, the hotel receives the traveler's name, email, and phone number, and the traveler receives the hotel's name and contact details. This is necessary to fulfill the accommodation contract.
Service providers: We use the following third-party services that process data on our behalf:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Railway (hosting) | Platform hosting and database | All platform data | US (with EU safeguards) |
| SendGrid (Twilio) | Email notifications | Email addresses, booking details | US (with EU safeguards) |
| OpenAI | AI search parsing, hotel extraction, match scoring | Search queries, hotel website content (no personal data) | US (with EU safeguards) |
| Google Analytics 4 | Website analytics | Anonymized browsing data | US (with EU safeguards) |
For US-based processors, data transfers are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses as applicable. We do not sell, rent, or trade your personal data to third parties.
BookNLoop uses the following cookies and tracking technologies:
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie (connect.sid) | Essential | Site access authentication | Session |
| JWT token (hotel auth) | Essential | Hotel dashboard authentication | 24 hours |
| Traveler auth cookie | Essential | Traveler account authentication | 7 days |
| bnl_sid (sessionStorage) | Analytics | Session-based event tracking | Session |
| Google Analytics (_ga, _ga_*) | Analytics | Usage statistics, visitor behavior | Up to 2 years |
Essential cookies are required for the Platform to function and cannot be disabled. Analytics cookies are used to understand how visitors interact with the Platform. You can manage cookie preferences through your browser settings. For Google Analytics specifically, you may opt out by installing the Google Analytics Opt-Out Browser Add-on.
We retain your data for as long as your account is active or as needed to provide services. Specifically: account data is retained until you request deletion; booking records are retained for 5 years for tax and legal compliance (Greek tax law); analytics data is retained for 26 months (Google Analytics default); contact form submissions are retained for 12 months; and server logs are retained for 30 days.
After the applicable retention period, data is permanently deleted or fully anonymized.
As a data subject in the EU, you have the following rights:
Right of access — You can request a copy of all personal data we hold about you. Right to rectification — You can request correction of inaccurate data. Right to erasure ("right to be forgotten") — You can request deletion of your data, subject to legal retention obligations. Right to restrict processing — You can request that we limit how we use your data. Right to data portability — You can request your data in a structured, machine-readable format. Right to object — You can object to processing based on legitimate interest. Right to withdraw consent — Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time.
To exercise any of these rights, email us at p.doganis@booknloop.com. We will respond within 30 days as required by GDPR.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA): www.dpa.gr
We implement appropriate technical and organizational measures to protect your data, including: passwords stored using bcrypt hashing (never stored in plain text), HTTPS encryption for all data in transit, JWT-based authentication with expiring tokens, database hosted on secure cloud infrastructure, and access limited to the data controller.
BookNLoop is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Registered users will be notified of material changes via email.
Panagiotis Doganis
BookNLoop — Data Controller
Athens, Greece
p.doganis@booknloop.com
+30 6970557567