Dwell Bell
BOSU GmbH
Last updated: February 2026
1. Data Controller
The data controller responsible for the processing of your personal data on this website and in connection with our property management and hospitality consulting services is:
Company: BOSU GmbH
Brand: Dwell Bell
Address: Hörlgasse 5/2, 1090 Vienna, Austria
Company Registration: FN 587756 y – Commercial Court Vienna
Email: [email protected]
Phone: +43 681 205 385 78
If you have any questions about data protection or wish to exercise your rights, please contact us at the email address above. We will respond within one month in accordance with GDPR requirements.
2. Overview and Scope
This privacy policy explains how we collect, use, store, and protect your personal data when you:
- Visit our website (https://dwellbell.at)
- Make a booking directly or through third-party platforms (Booking.com, Airbnb, Marriott)
- Stay at one of our managed properties
- Subscribe to our newsletter
- Contact us via the website, email, or phone
- Use our hospitality consulting services
This policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Austrian Data Protection Act (Datenschutzgesetz, “DSG”). We process personal data only when there is a lawful basis to do so and only for the purposes described in this policy.
3. Legal Bases for Processing
We process your personal data on the following legal bases under Article 6(1) GDPR:
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, e.g. for marketing emails/newsletter, non-essential cookies (analytics, advertising), or sharing data with specific partners.
- Performance of a contract (Art. 6(1)(b) GDPR): Where processing is necessary to fulfil a booking, rental agreement, or provide our accommodation and property management services.
- Legal obligation (Art. 6(1)(c) GDPR): Where we are required by law to process your data, e.g. guest registration (Meldegesetz), tax retention obligations (§ 132 BAO), or reporting to tourism authorities.
- Legitimate interest (Art. 6(1)(f) GDPR): Where processing is necessary for our legitimate interests, e.g. website security, fraud prevention, improving our services, and displaying map locations, provided these interests are not overridden by your rights.
4. Personal Data We Collect
4.1 Website Visit Data
When you visit our website, the following data is automatically collected for technical and security reasons (legal basis: legitimate interest, Art. 6(1)(f) GDPR):
- IP address (anonymised where possible)
- Date, time, and duration of the visit
- Browser type and version, operating system
- Referring URL (the page from which you accessed our site)
- Pages accessed on our website
- Device type and screen resolution
4.2 Booking and Guest Data
When you make a reservation (directly or via a platform) or stay at one of our managed properties, we collect the following data (legal basis: contract performance, Art. 6(1)(b), and legal obligation, Art. 6(1)(c) GDPR):
- Full name, date of birth, nationality
- Home address
- Email address and phone number
- Passport or ID number (as required by Austrian Meldegesetz for guest registration)
- Payment information (processed securely via Stripe)
- Booking dates, property preferences, and special requests
- Accompanying guests’ names and relevant details
- Security deposit information
4.3 Data Received from Third-Party Platforms
When you book through third-party platforms (Booking.com, Airbnb, or Marriott), we receive certain personal data from these platforms to fulfil your booking. This typically includes your name, contact details, booking dates, and payment confirmation. The respective platform’s own privacy policy governs how they collect and handle your data before transmitting it to us.
4.4 Contact Form and Email
When you contact us via the website form or email, we collect your name, email address, and the content of your message (legal basis: consent, Art. 6(1)(a), or pre-contractual measures, Art. 6(1)(b) GDPR).
4.5 Newsletter / Email Marketing
If you subscribe to our newsletter, we collect your email address and, optionally, your name. We use Mailchimp (The Rocket Science Group LLC, Atlanta, USA) to manage our email marketing. Your data is stored on Mailchimp’s servers in the United States – see Section 10 for information about international transfers.
Legal basis: Your explicit consent (Art. 6(1)(a) GDPR), obtained through a double opt-in process. You may unsubscribe at any time using the unsubscribe link in each email or by contacting us directly at [email protected]. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
4.6 Cookies and Tracking Technologies
See Section 9 below for detailed information about cookies and tracking.
5. Purposes of Processing
We use your personal data for the following purposes:
- Fulfilling reservations and providing accommodation services
- Mandatory guest registration under Austrian law (Meldegesetz)
- Reporting to the municipality/city and tourism association as required by law
- Processing payments via Stripe
- Managing security deposits and damage claims
- Responding to your enquiries
- Sending newsletters and marketing communications (only with explicit consent, via Mailchimp)
- Website analytics and performance measurement (Google Analytics, with consent)
- Online advertising measurement and remarketing (Meta Pixel, Google Ads, with consent)
- Displaying interactive maps on our website (Google Maps)
- Rendering web fonts for consistent website display (Google Fonts)
- Communication with booking platforms (Booking.com, Airbnb, Marriott) to fulfil reservations
- Hospitality consulting services
- Website operation, security, and improvement
- Compliance with tax and accounting obligations
6. Data Recipients and Third-Party Sharing
We share your personal data with the following categories of recipients, only to the extent necessary:
6.1 Legal and Regulatory Authorities
- Municipality/City of Vienna – for mandatory guest registration (Meldegesetz)
- Vienna Tourism Association (Wien Tourismus) – for statistical reporting as required by law
- Tax authorities – as required by Austrian tax law (§ 132 BAO)
6.2 Service Providers (Data Processors)
We use the following service providers who process data on our behalf under data processing agreements (Art. 28 GDPR):
- Stripe, Inc. (stripe.com, San Francisco, USA / Stripe Payments Europe Ltd, Dublin, Ireland) – Payment processing. Stripe processes your payment data securely. Stripe is PCI DSS Level 1 certified. See Section 10 for international transfers.
- DigitalOcean, LLC (digitalocean.com, New York, USA) – Website hosting. See Section 10 for international transfers.
- Google Ireland Limited (Dublin, Ireland) – Google Analytics (website usage analysis), Google Ads (advertising measurement), Google Maps (interactive maps), and Google Fonts (web font delivery). Analytics and advertising tools are only activated with your cookie consent. Maps and Fonts operate on the basis of legitimate interest. Data may be transferred to Google LLC in the USA – see Section 10.
- Meta Platforms Ireland Limited (Dublin, Ireland) – Meta Pixel for advertising analytics (only activated with cookie consent). Data may be transferred to Meta Platforms, Inc. in the USA – see Section 10.
- The Rocket Science Group LLC (Mailchimp) (mailchimp.com, Atlanta, USA) – Email marketing and newsletter distribution (only if subscribed). See Section 10 for international transfers.
6.3 Booking Platforms (Independent Controllers)
When you book through the following platforms, they act as independent data controllers for the data they collect from you. We receive only the data necessary to fulfil your booking:
- Booking.com B.V. (Amsterdam, Netherlands) – Privacy policy: https://www.booking.com/content/privacy.html
- Airbnb Ireland UC (Dublin, Ireland) – Privacy policy: https://www.airbnb.com/terms/privacy_policy
- Marriott International, Inc. (Bethesda, USA) – Privacy policy: https://www.marriott.com/about/privacy.mi – See Section 10 for international transfers.
We do not sell your personal data to any third party.
7. Property Owners
Dwell Bell manages properties on behalf of property owners. In the course of providing accommodation services, certain guest data (e.g. booking confirmation, check-in/check-out dates, damage reports) may be shared with the respective property owner to the extent necessary for the management of their property. Property owners are contractually bound to handle this data in compliance with GDPR.
8. Data Retention Periods
We retain your personal data only for as long as is necessary for the purpose for which it was collected or as required by law:
| Data Category | Retention Period | Legal Basis |
| Guest registration data | 7 years | Austrian tax retention (§ 132 BAO) |
| Booking and payment data | 7 years | Tax and accounting obligations |
| Rental agreements | 7 years | Tax and legal obligations |
| Security deposit records | 6 months after checkout | Contract performance |
| Contact form enquiries | 6 months | After completion of enquiry |
| Newsletter subscriber data | Until unsubscribe | Consent (Art. 6(1)(a)) |
| Server log files | 14 days | Website security |
| Cookie consent records | 3 years | Proof of consent |
| Google Analytics data | 14 months | Consent; GA4 default retention |
| Marketing consent data | Until withdrawal | Consent (Art. 6(1)(a)) |
After the retention period expires, data is securely deleted or anonymised.
9. Cookies and Tracking Technologies
Our website uses cookies – small text files stored on your device by your browser.
9.1 Types of Cookies
Strictly necessary cookies: Essential for the website to function (e.g. session management, cookie consent preferences, security). They do not require your consent (§ 165(3) TKG 2021, Art. 5(3) ePrivacy Directive).
Analytics cookies (Google Analytics): Help us understand how visitors use our website. Only set after explicit consent.
Advertising/marketing cookies (Meta Pixel, Google Ads): Used to measure advertising effectiveness and display relevant ads. Only set after explicit consent.
9.2 Google Analytics
Our website uses Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies to analyse your use of the website.
We have enabled IP anonymisation, so your IP address is truncated within the EU/EEA before transmission. Google Analytics is activated only after you provide explicit consent via our cookie consent banner. Google’s privacy policy: https://policies.google.com/privacy
9.3 Google Ads / Conversion Tracking
Our website uses Google Ads conversion tracking, provided by Google Ireland Limited. When you click on a Google ad, a conversion tracking cookie is placed on your device to measure the effectiveness of our campaigns. Activated only after explicit consent.
9.4 Meta Pixel (Facebook Pixel)
Our website uses the Meta Pixel, provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Activated only after explicit consent via our cookie consent banner.
The Meta Pixel collects data such as your IP address, browser information, pages visited, and actions taken. This data is used to measure advertising effectiveness and display targeted ads on Facebook and Instagram. Data may be transferred to the USA – see Section 10.
9.5 Google Maps
Our website embeds Google Maps, a map service provided by Google Ireland Limited. When you access a page containing Google Maps, your browser establishes a direct connection to Google’s servers. Your IP address and browsing data are transmitted to Google.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) – displaying property locations enhances our service. Data may be transferred to the USA – see Section 10. Google’s privacy policy: https://policies.google.com/privacy
9.6 Google Fonts
Our website uses Google Fonts, provided by Google Ireland Limited, for consistent display of web fonts. When you access our website, your browser loads fonts from Google’s servers, which transmits your IP address and browser data to Google.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) – consistent and optimised website presentation. Data may be transferred to the USA – see Section 10. Google’s privacy policy: https://policies.google.com/privacy
Recommendation: For enhanced privacy, we recommend considering self-hosting Google Fonts to eliminate third-party data transfers entirely.
9.7 Your Cookie Choices
When you first visit our website, a cookie consent banner is displayed. You may accept or reject non-essential cookies by category (analytics, marketing). You can change your cookie preferences at any time by clicking the cookie settings link in the footer of our website. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
10. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), specifically in the United States. Where personal data is transferred to countries outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR:
- EU-U.S. Data Privacy Framework (DPF): Google LLC, Meta Platforms Inc., The Rocket Science Group LLC (Mailchimp), DigitalOcean LLC, and Stripe Inc. are certified under the EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023). Transfers to these companies are covered by this adequacy decision.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, or as an additional safeguard, we rely on the European Commission’s Standard Contractual Clauses.
- Adequacy decisions: For service providers in countries with existing adequacy decisions (e.g. the UK, Canada), transfers are permitted under Art. 45 GDPR.
Important: The EU-U.S. Privacy Shield, previously referenced on this website, was invalidated by the Court of Justice of the European Union in July 2020 (Schrems II). It has been replaced by the EU-U.S. Data Privacy Framework.
You may request a copy of the relevant safeguards by contacting us at [email protected].
11. Your Rights Under the GDPR
Under the GDPR and the Austrian DSG, you have the following rights regarding your personal data:
| Right | Description |
| Right of Access (Art. 15) | You can request confirmation of whether we process your data and obtain a copy of it free of charge. |
| Right to Rectification (Art. 16) | You can request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | You can request deletion of your data where there is no compelling reason for continued processing. |
| Right to Restriction (Art. 18) | You can request that we restrict the processing of your data in certain circumstances. |
| Notification Obligation (Art. 19) | We will notify each recipient of any rectification, erasure, or restriction unless this proves impossible or involves disproportionate effort. |
| Right to Data Portability (Art. 20) | You can request your data in a structured, commonly used, machine-readable format. |
| Right to Object (Art. 21) | You can object to processing based on legitimate interest. We will cease processing unless we have compelling grounds. |
| Automated Decisions (Art. 22) | You have the right not to be subject to decisions based solely on automated processing, including profiling. |
| Withdraw Consent (Art. 7(3)) | Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal. |
To exercise any of these rights, please contact us at [email protected]. We will respond within one month. If we need to extend this period (by up to two additional months), we will inform you within the first month.
Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde):
Address: Barichgasse 40-42, 1030 Vienna, Austria
Website: https://www.dsb.gv.at/
Email: [email protected]
12. Guest Registration
Under the Austrian Registration Act (Meldegesetz), we are legally required to register all guests and report their data to the relevant municipal authority. This is a legal obligation (Art. 6(1)(c) GDPR) and does not require your consent.
For stays exceeding 3 days, guests are required to register with the authorities. For stays longer than 2 months, additional obligations such as secondary residence registration may apply. Guests are solely responsible for complying with all applicable registration duties.
If you are the main traveller or group leader, we kindly ask you to inform any accompanying guests about this data processing prior to arrival.
13. Server Log Files
Our web hosting provider (DigitalOcean) automatically collects and stores information in server log files that your browser transmits when you visit our website. This includes your IP address, browser type and version, operating system, referring URL, Internet service provider, and date/time of access.
This data is processed on the basis of our legitimate interest in ensuring website security and stability (Art. 6(1)(f) GDPR). Log files are retained for 14 days and then automatically deleted. This data is not combined with other personal data sources.
14. Contact Form and Email Communication
If you contact us via our website form or by email, we store your name, email address, and message content for the purpose of processing your enquiry. This data is retained for 6 months after the enquiry has been completed, unless a longer retention is required for contractual or legal reasons.
Legal basis: Consent (Art. 6(1)(a) GDPR) if you initiated the contact, or pre-contractual measures (Art. 6(1)(b) GDPR) if the enquiry relates to a potential booking or consulting engagement.
15. Email Security
If you send us personal data by email outside of this website, we cannot guarantee the secure transmission and protection of your data. We recommend that you do not send confidential or sensitive data (such as ID numbers or payment details) via unencrypted email.
16. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, in accordance with Article 32 GDPR. These measures include:
- SSL/TLS encryption for all data in transit on our website
- Access controls and authentication for internal systems
- Regular security assessments and software updates
- Data processing agreements (Art. 28 GDPR) with all service providers
- PCI DSS-compliant payment processing through Stripe
- Secure key management for property access
17. Children’s Data
Our website and services are not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe a child’s data has been collected without appropriate consent, please contact us and we will delete it promptly.
18. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or services. The current version will always be available on our website at https://dwellbell.at/privacy-policy/. Material changes will be communicated via our website.
19. Online Dispute Resolution
In accordance with the Regulation on Online Dispute Resolution in Consumer Affairs (ODR Regulation), we inform you that the European Commission’s Online Dispute Resolution Platform is available at: https://ec.europa.eu/odr
We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
20. Contact
For all data protection enquiries, please contact:
BOSU GmbH / Dwell Bell
Address: Hörlgasse 5/2, 1090 Vienna, Austria
Company Registration: FN 587756 y
Email: [email protected]
Phone: +43 681 205 385 78