Privacy Policy — dAirect

The Data Controller is:

Takyon S.r.l. Via Crema n. 15, 20135 Milano C.F. / P.IVA 12424180961 PEC: dairect@pec.it Email: privacy@dairect.io

For any requests relating to the processing of personal data or the exercise of rights under applicable law, the data subject can contact the Company at the details indicated on the Platform.

This Privacy Policy applies to the processing of personal data carried out by the Company in the following contexts:

• visiting the website and the Platform
• registering and creating an Account
• using the Platform as a B2C user
• using the management system as a B2B user
• purchasing, selling, viewing, or managing Bookings
• processing of data relating to the End User who is the beneficiary of the Booking
• requests for information, contacts, support, or demos
• payment management via third-party providers
• IT security, technical logs, maintenance, and abuse prevention
• fulfillment of legal obligations or protection of the Company's rights

This Privacy Policy governs the processing of personal data carried out by the Company as the data controller.

It is understood that, in relation to specific data flows connected to the contracted dAirect Connect and dAirect Resell services, separate contractual agreements or further privacy agreements between the Company and the business client may apply.

The Company may process personal data relating to the following categories of data subjects:

• visitors to the website and Platform
• registered B2C users
• registered B2B users
• contact persons, employees, collaborators, or appointees of business clients
• buyers or sellers of Bookings
• End Users benefiting from Bookings
• subjects who contact the Company or request a demo
• suppliers, partners, or other subjects interacting with the Company

The Company may process the following categories of personal data, as appropriate:

• identification and biographical data, such as first and last name
• contact data, such as email address and phone number
• Account-related data, such as credentials, internal identifiers, login history, and sessions
• Booking-related data, including status, history, operations performed, and linked data
• End User data necessary for using the service
• administrative, tax, and accounting data, where necessary
• payment data, to the extent they are processed by the Company
• technical and navigation data, such as IP address, browser and device information, logs, timestamps, technical, and security events
• data and content uploaded or transmitted via the Platform or management system, including URLs, instructions, materials, content, output, and requests
• data relating to support requests, contacts, demos, or communications
• data related to onboarding with Payment Providers, to the extent they are communicated or made visible to the Company in connection with the operational flows of the Platform

The Company processes personal data for the purposes and on the legal bases indicated below.

5.1 Navigation and technical functioning of the Platform

The Company processes technical and navigation data to enable the functioning of the site, use of the Platform, session management, security, stability, and operational continuity.

Legal basis: performance of pre-contractual measures requested by the data subject; legitimate interest of the Data Controller in the security, maintenance, and correct operation of the Platform.

5.2 Registration, authentication, and Account management

When the user creates an Account or logs into the Platform, the Company processes the data necessary to:

• create and manage the Account
• authenticate the user
• allow access to restricted areas
• keep track of sessions and logins
• manage technical, operational, and security requests

Legal basis: performance of a contract or pre-contractual measures taken at the data subject's request; legitimate interest of the Data Controller in protecting the Platform and preventing unauthorized access.

5.3 B2C use of the Platform and Booking management

When the user registers and uses the Platform as a B2C user, the Company processes the data necessary to:

• create and manage the Account
• view any Bookings related to the user
• allow the listing of Bookings for sale, where available
• allow the purchase of Bookings listed for sale by other users, where available
• associate the purchased Booking with the purchasing user's profile
• manage the status of operations and related communications
• provide support in relation to resale, transfer, or technical management features of the Booking

If the user purchases a Booking listed for sale by another user, the Company may process the data necessary to manage the operational flow and correctly update the systems, provided that payment may be primarily managed by the Payment Provider.

Legal basis: performance of a contract or pre-contractual measures taken at the data subject's request; legitimate interest of the Data Controller in the technical management, security, and traceability of operations carried out via the Platform.

5.4 B2B use of the management system

When a B2B user accesses the management system, the Company processes the data necessary to allow access to the features available based on the existing contractual relationship.

If the B2B client has activated dAirect Connect, the management system may show results, analyses, activities performed, content, insights, technical data, and other outputs related to the service.

If the B2B client has activated dAirect Resell, the management system may show data relating to Bookings, statuses, repurchase operational functions, and additional elements provided for by the separate contract.

This Privacy Policy governs the processing of personal data carried out by the Company via the management system as a data controller, without prejudice to the potential application of further privacy agreements relating to contractual services.

Legal basis: performance of the contractual relationship or pre-contractual measures; legitimate interest of the Data Controller in the proper technical, administrative, and security management of the system.

Generally, the dAirect Connect service is aimed at business clients and is not designed to process personal data of the end users of the accommodation facility's website, except where necessary for technical functioning, security, system logs, or specific service configurations.

5.5 Contacts, demos, commercial requests, and follow-up

When a user or potential client contacts the Company, requests a demo, support, or information, the Company processes the data necessary to:

• respond to the request
• organize any appointments or demonstrations
• manage commercial or technical follow-up
• document communications exchanged
• manage any onboarding activities or preliminary evaluation of the service

Legal basis: performance of pre-contractual measures requested by the data subject; legitimate interest of the Data Controller in managing commercial and organizational relationships; consent, where required by applicable law for specific promotional communications.

5.6 Data from partner accommodation facilities

In some cases, the Company may receive personal data from partner accommodation facilities referring to users who have purchased Bookings eligible for use on the Platform, including any subsequent resale or technical management of the Booking.

Such data may be processed by the Company to:

• associate the Booking with the user
• send initial communications functional to accessing the Platform
• allow user registration and subsequent management of the Booking via Account
• make available the features related to the Booking

If the user registers on the Platform, the Company will process their data as a data controller for the additional purposes connected to the Account, Booking management, and available features.

Legal basis: performance of pre-contractual measures requested by the data subject or otherwise functional to using the Platform; legitimate interest of the Data Controller in properly activating the requested features and technically managing the service.

5.7 End User data

The user may communicate to the Company data relating to the End User who will actually use the Booking. Such data is processed exclusively to the extent necessary to allow the proper management of the Booking and its execution by the third-party provider.

The user communicating third-party data guarantees that they are authorized to do so and, where required by applicable law, that they have provided the data subjects with the necessary information regarding the processing.

Legal basis: performance of the service requested by the user; legitimate interest of the Data Controller in the proper technical and operational management of the Booking.

5.8 Payments and Payment Providers

When the user makes or receives payments via the Platform, the Company may process the data necessary to:

• manage the operational flow of the transaction
• verify its successful outcome
• record the transaction status
• fulfill administrative, accounting, and tax obligations
• interface with the Payment Provider
• allow, where necessary, the enabling of collection or crediting functions

The user's financial data may be predominantly collected and processed by the Payment Provider, according to their own terms and privacy policy.

Legal basis: performance of a contract or pre-contractual measures; fulfillment of legal obligations; legitimate interest of the Data Controller in the operational, accounting, and security management of payment flows.

5.9 Support, assistance, and communication management

The Company processes data contained in communications sent by users to manage support requests, technical assistance, reports, disputes, or other operational communications.

Legal basis: performance of a contract or pre-contractual measures; legitimate interest of the Data Controller in managing requests, service quality, and protecting its rights.

5.10 Security, logs, maintenance, and abuse prevention

The Company processes technical data and system logs to:

• ensure the proper functioning of the Platform
• monitor its availability, performance, and security
• prevent fraud, unauthorized access, or anomalous behavior
• identify and fix bugs or malfunctions
• perform maintenance and technical support

Legal basis: legitimate interest of the Data Controller in Platform security, abuse prevention, and operational continuity; fulfillment of legal obligations, where applicable.

5.11 Service improvement, internal analysis, and product development

The Company may process personal data, operational data, Booking-related data, and technical data in a manner compatible with the intended purpose for internal analysis, monitoring Platform usage, improving features, optimizing flows, product development, technical generation of tokens or identifiers linked to Bookings, and general improvement of services offered.

Such processing will be carried out in compliance with the principles of minimization and proportionality and, where possible, using aggregated or pseudonymized data, or otherwise processed with appropriate measures to reduce the impact on data subjects.

Legal basis: legitimate interest of the Data Controller in improving the Platform, services, and technical and organizational processes.

5.12 Fulfillment of legal obligations and defense of rights

The Company may process personal data to fulfill obligations established by law, regulations, requests from competent authorities, or to establish, exercise, or defend its rights in judicial or extrajudicial proceedings.

Legal basis: fulfillment of legal obligations; legitimate interest of the Data Controller in protecting its rights.

The provision of data required for registration, authentication, Account management, use of the Platform, execution of requested operations, management system functioning, Booking management, or fulfillment of legal obligations is necessary.

Failure to provide the necessary data may result in the inability to:

• create or use the Account
• access the management system
• buy or sell Bookings
• receive support
• complete economic transactions
• use the requested features

Providing data for purposes other than strictly necessary ones may be optional and, where required by law, subject to the data subject's consent.

The Company may process data, content, URLs, texts, instructions, files, configurations, or other materials entered or transmitted by the user via the Platform or management system.

The user remains solely responsible for the lawfulness, correctness, relevance, and legitimate availability of such data and content. The Company processes them exclusively to the extent necessary to make the requested functionality available, provide assistance, maintenance, security, and correct functioning of the Platform, as well as to protect its own rights.

Personal data may be communicated or made accessible, within the limits of their respective competencies and needs, to:

• authorized personnel of the Data Controller
• providers of IT, hosting, cloud, authentication, maintenance, support, CRM, and assistance services
• Payment Providers
• providers of communication, scheduling, or support services
• accommodation facilities or other providers linked to the Booking
• business clients or their authorized representatives, to the extent necessary for the provision of features linked to the contracted services
• consultants, professionals, and subjects assisting the Data Controller in legal, tax, technical, or organizational matters
• public authorities, bodies, or entities authorized to receive data under the law

Entities processing data on behalf of the Data Controller are appointed, where necessary, as data processors pursuant to Article 28 of the GDPR.

If data is processed via providers or infrastructure located outside the EEA—including, but not limited to, payment service providers and analytics tools—the Company adopts the measures required by law, including, where necessary, the Standard Contractual Clauses (SCCs) adopted by the European Commission or other suitable tools provided by the GDPR.

Personal data is kept for the time strictly necessary to achieve the purposes for which it was collected and processed, and, where necessary, for the time required by legal obligations or to protect the Data Controller's rights.

In particular, data may be retained according to the following general criteria:

• Account-related data: for the duration of the Account and, subsequently, for the time necessary to handle any disputes, requests, or legal obligations (generally no longer than 5 years after closure)
• data related to Bookings and operations performed via the Platform: for the time necessary to manage the Booking, related operations, and any subsequent disputes or verifications (generally no longer than 10 years for tax/accounting requirements)
• data related to contact, support, or demo requests: for the time necessary to handle the request and related follow-up, as well as for a subsequent period consistent with organizational, evidentiary, or commercial purposes (generally no longer than 24 months)
• administrative, accounting, and tax data: for the terms established by applicable law
• technical logs and security data: for the time necessary to prevent abuse, for security, maintenance, and technical documentation of activities performed (generally no longer than 12 months)
• data processed for marketing or promotional communications, where applicable: until consent is withdrawn or the data subject objects, and in any case according to criteria of proportionality and periodic updating

Once the applicable retention period has expired, the data will be deleted or anonymized, unless further retention is permitted or required by law.

The data subject may exercise, within the limits and conditions established by applicable law, the rights recognized by Articles 15–22 of the GDPR, including:

• the right of access to personal data
• the right to rectification of inaccurate or incomplete data
• the right to erasure of data, where the conditions are met
• the right to restriction of processing
• the right to object to processing, where provided for
• the right to data portability, where applicable
• the right to withdraw any given consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
• the right to lodge a complaint with the competent supervisory authority

To exercise their rights, the data subject may contact the Data Controller at the details indicated in this Privacy Policy or on the Platform.

The Company may send promotional or commercial communications only within the limits permitted by applicable law and, where required, subject to the data subject's prior consent.

If the user registers on the Platform, the Company may use the user's contact details for communications connected to the service, Account, Bookings, operations carried out via the Platform, or other administrative, technical, or transactional messages.

The data subject may at any time object to receiving promotional communications or withdraw any consent given, according to the methods indicated in the communication received or by contacting the Data Controller.

For information on the use of cookies and tracking tools via the Platform, please refer to the Cookie Policy available on the Platform.

The Company reserves the right to modify, integrate, or update this Privacy Policy at any time for legal, regulatory, technical, or organizational reasons.

The updated version will be made available on the Platform, indicating the date of the last update, and will become effective upon publication, unless otherwise indicated.

Any versions of this Privacy Policy translated into other languages are provided for informational purposes only. In the event of a dispute or misalignment, the Italian version strictly prevails. Translations are carried out automatically using artificial intelligence tools.