Host Privacy Standards

Handling Guest Personal Information

As a Host, you will receive and use Guests’ personal information to manage your reservations and deliver your Sessions. Please remember that you are responsible for complying with applicable privacy laws when you handle and process personal information. You should only use the personal information you receive through the Popless Platform as necessary to manage your reservations, comply with applicable laws, and deliver your Sessions. You may not encourage or require Guests to: open an account, leave a review, or otherwise interact with a third-party website, application or service before, during, or after a Session, unless authorized by Popless.

Cross-Border Transfers

If in the course of providing Session, (i) personal information is transferred to you from the European Economic Area, Switzerland or the UK (within the meaning of Article 44 of the General Data Protection Regulation “GDPR”) and (ii) the transfer does not benefit from an adequacy decision under Article 45 of the GDPR, then you agree to process the personal information you receive in accordance with the obligations of module 1 (transfer controller-to-controller) of the standard contractual clauses (“Clauses”) contained in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The Clauses are hereby incorporated into your agreement with us with the same force and effect as if they were fully set forth in that agreement.

Standard Contractual Clauses

The information to complete the Clauses is as follows:

• The option under clause 7 (docking clause) shall not apply.

• The option under clause 11 (redress) shall not apply.

• The governing law for the purposes of clause 17 (governing law) shall be the law of Ireland.

• The courts under clause 18 (choice of forum and jurisdiction) shall be the courts Ireland.

The information to complete the Appendix to the Clauses is as follows: 

For Annex I.A of the Clauses:

• You are the “data importer.”

• If you are hosting or booking a Listing in Japan, the “data exporter” is Popless Global Services Limited.

• If you are hosting somewhere other than Japan, the “data exporter” is Airbnb Ireland UC.

• For data protection inquiries, you may contact our data protection officer using the email hello@popless.com and we may contact you by email at the address on your profile.

For Annex I.B of the Clauses:

• the data subjects are Guests;

• the purpose of the transfer is to enable you to provide the Session;

• the categories of data may include the Guest’s profile and full name, the full name of any additional Guests (if entered), the Guest’s cancellation history, Guest’s phone number, any other information the Guest chooses to share, and additional information to assist with coordinating the trip including messages exchanged with the Guest;

• the recipients of the data are any service providers you may choose to retain to assist you in providing the Session;

• no sensitive data is being transferred;

• the frequency of the transfer is subject to the frequency of reservations of your listing(s); and

• the data are retained for the period determined by you as necessary to manage your reservations, comply with applicable laws, and deliver your Session

For Annex I.C of the Clauses:

• The Irish Data Protection Commission is the competent supervisory authority in accordance with Clause 13.

For Annex II of the Clauses:

Have in place appropriate security measures to meet the requirement of Article 32 GDPR. In particular, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

1. the pseudonymization and encryption of personal data;

2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.