This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between AirDNA, LLC (“AirDNA”) and the entity identified in the Agreement (“Customer”) (each referred to as a “Party” and collectively as the “Parties”). This DPA is incorporated by reference into the applicable Terms of Service (the “Agreement”) between the Parties. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement. 

This DPA sets out the terms that apply when personal data is processed by AirDNA under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with Applicable Law and respects the rights of individuals whose personal data are processed under the Agreement.

1. Definitions

“Applicable Law(s)” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, security, or the processing of personal data, including without limitation (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA” and subsequent California Privacy Rights Act of 2020 “CPRA”), (ii) the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), (iii) in respect of the United Kingdom, the Data Protection Act 2018 (“UK DPA 2018”) and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”), and (iv) the Swiss Federal Data Protection Act (“FADP”). For the avoidance of doubt, if AirDNA’s processing activities involving personal data are not within the scope of an Applicable Law, such law is not applicable for purposes of this DPA.

“AirDNA” means AirDNA, LLC, a company incorporated in California, and its Affiliates.

“controller”, “business operator”, “personal data”, “process”, “processing”, “processor”, and “data subject” will have the same meanings as defined by Applicable Law. Other relevant terms such as “business”, “business purpose”, “consumer”, “personal information”, “sale” (including the terms “sell”, “selling”, “sold”, and other variations thereof), “service provider”, “share” or “sharing” for purposes of “cross-context behavioral advertising”, and “third party” have the meanings given to those terms under Applicable Law.

“Customer Personal Data” means personal data, personal information or personally identifiable information Customer uploads or otherwise inputs into the Service and which is processed in connection with the provision of the Service under the Agreement by AirDNA on behalf of the Customer. Unless otherwise agreed to in writing, Customer Personal Data processed pursuant to the Agreement explicitly excludes Restricted Data.

“Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles).

“Data Privacy Frameworks” means the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the Swiss-U.S. Data Privacy Framework (“Swiss DPF”), and the UK Extension to the EU-U.S. DPF (“UK Extension”) as administered by the U.S. Department of Commerce.

“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein.

“Restricted Data” means personal data that may be categorized as “special categories of data” under Applicable Laws including, but not limited to, social security numbers, financial account numbers, credit card information, or health information.

“Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK DPA 2018; and (iii) where the FADP applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Security Incident” means any confirmed breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by AirDNA and/or its subprocessors in connection with the provision of the Service.

“Service” means the Data Services as defined in the Agreement.

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the commissioner under s119A(1) of the UK DPA 2018 as revised from time to time (“UK Addendum”); and (iii) where the FADP applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), in each case as completed as described in Section 9 (Data Transfers) below.

2. Relationship of the Parties

2.1 AirDNA as a Processor and Service Provider. The Parties acknowledge and agree that with regard to Customer Personal Data, Customer is a controller and business and AirDNA is a processor and service provider, as defined by Applicable Law.

2.2 AirDNA as a Subprocessor. In circumstances in which Customer may be a processor, Customer appoints AirDNA as Customer’s subprocessor, which will not change the obligations of either Customer or AirDNA under this DPA.

3. Customer’s Instructions to AirDNA

3.1 Purpose Limitation. AirDNA will process Customer Personal Data (a) in order to provide the Service in accordance with the Agreement; (b) with Customer’s lawful instructions as set forth under Section 3.3; (c) as necessary to comply with Applicable Law; and (d) as otherwise agreed in writing. Customer, as the controller, acknowledges that the Service as provided is not intended for the storage or use of Restricted Data. At its sole discretion, Customer determines all categories and types of Customer Personal Data it may submit and transfer to AirDNA through the Service. Customer is responsible for secure and appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Customer Personal Data and agrees that compliance and security measures as set forth in the Agreement and this DPA are deemed sufficient safeguards for processing of any such Restricted Data that Customer provides to the Service.

3.2 No Sale of Personal Information/Sharing for Targeted Advertising. AirDNA will not sell (as defined by Applicable Law) Customer Personal Data, share Customer Personal Data for purposes of cross-context behavioral advertising or otherwise process Customer Personal Data for any purpose other than as set forth in the Agreement, unless obligated to do so under Applicable Law. In such case, AirDNA will inform Customer of that legal requirement before such processing unless legally prohibited from doing so. AirDNA will not retain, use, or disclose Customer’s Personal Data for any commercial purposes (as defined by Applicable Law) other than to provide the Service. AirDNA understands its obligations as set forth in this section and will comply with them. Further details regarding AirDNA’s processing operations are set forth in Exhibit A. 

3.3 Lawful Instructions. Customer appoints AirDNA as a processor (or subprocessor) to process Customer Personal Data on behalf of, and in accordance with, Customer’s instructions. Customer will not instruct AirDNA to process Customer Personal Data in violation of Applicable Law. AirDNA will promptly inform Customer if, in AirDNA’s opinion, an instruction from Customer infringes Applicable Law. The Agreement, including this DPA, along with Customer’s configuration of the Service (as Customer may be able to modify from time to time), constitutes Customer’s complete and final instructions to AirDNA regarding the processing of Customer Personal Data, unless otherwise agreed in writing.

4. Subprocessing

4.1 Subprocessors. Customer acknowledges and agrees that AirDNA’s Affiliates and certain third parties may be retained as subprocessors (“Subprocessors”) to process Customer Personal Data on AirDNA’s behalf in order to provide the Service. AirDNA will impose contractual obligations on any Subprocessor AirDNA appoints requiring it to protect Customer Personal Data to standards which are no less protective than those set forth hereunder. AirDNA remains liable for its Subprocessors’ performance under this DPA to the same extent AirDNA is liable for its own performance. 

4.2 Right to Object. Customer may object to AirDNA’s use of a new Subprocessor (based on reasonable grounds relating to data protection) by notifying AirDNA promptly in writing at [email protected]. In the event Customer objects to a new Subprocessor, AirDNA will use commercially reasonable efforts to make available to Customer a change in the Service or Customer’s configuration or use of the Service to avoid processing of Customer Personal Data by the objected-to new Subprocessor. 

5. Assistance and Cooperation

5.1 Security. AirDNA will use appropriate technical and organizational measures to protect Customer Personal Data that it processes. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk. AirDNA will ensure that the persons AirDNA authorizes to process Customer Personal Data are subject to written confidentiality agreements or a statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.

5.2 Security Incident Notification and Response. To the extent required by Applicable Law and taking into account the nature of processing and the information available to AirDNA, AirDNA will assist Customer by notifying it of a Security Incident without undue delay or within the time period required under Applicable Law. To the extent available, this notification will include AirDNA’s then-current assessment of the following:

  • (a) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • (b) the likely consequences of the Security Incident; and
  • (c) measures taken or proposed to be taken by AirDNA to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects.

AirDNA will provide timely and periodic updates to Customer as additional information regarding the Security Incident becomes available. Customer acknowledges that any updates may be based on incomplete information. AirDNA will not assess the contents of Customer Data for the purpose of determining if such Customer Data is subject to any requirements under Applicable Law. Nothing in this DPA will be construed to require AirDNA to violate, or delay compliance with, any legal obligation it may have with respect to a Security Incident or other security incidents generally.

6. Responding to Individuals Exercising Their Rights Under Applicable Law

To the extent legally permitted, AirDNA will refer the individual back to the Customer if AirDNA receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding their personal data, which may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). In the event Customer is unable to address a Data Subject Request in its use of the Service, AirDNA will, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent AirDNA is legally permitted to do so and such response is required under Applicable Law. To the extent legally permitted, 

7. DPIAs and Consultation with Supervisory Authorities or other Regulatory Authorities

Taking into account the nature of the processing and the information available to AirDNA, AirDNA will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the processing or proposed processing of Customer Personal Data involving AirDNA, and in consultation with supervisory authorities or other regulatory authorities as required, by providing Customer with any publicly available documentation for the Service or by complying with Section 10 (Audits) below. Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of AirDNA’s involvement, and any other terms that the Parties deem appropriate.

8. Responding to Law Enforcement Requests

AirDNA responds only to law enforcement requests that adhere to established legal process and applicable laws.

9. Data Transfers

9.1 Customer authorizes AirDNA and its Subprocessors to make international transfers of Customer Personal Data in accordance with this DPA and Applicable Law.

9.2 Customer acknowledges and agrees that, subject to compliance with Applicable Laws, AirDNA may process Customer Personal Data where AirDNA, its Affiliates or its subprocessors maintain data processing operations. The Parties agree that when the transfer of Customer Personal Data from Customer (as “data exporter”) to AirDNA (as “data importer”) requires that certain appropriate safeguards (“Transfer Mechanism(s)”) are put in place, the Parties will be subject to the following frameworks and Transfer Mechanisms which will be deemed incorporated into and form a part of this DPA, as follows:

  • (a) In the event the Service is covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Frameworks; (b) the Standard Contractual Clauses as set forth in Section 9.2(c)-(e); and, if neither of the preceding is applicable, then (c) other alternative data Transfer Mechanisms permitted under Applicable Laws will apply.
  • (b) To the extent AirDNA processes Customer Personal Data originating from the EEA, United Kingdom, or Switzerland, AirDNA represents that AirDNA is self-certified under the Data Privacy Frameworks and will adhere to the Data Privacy Principles.
  • (c) The EU SCCs will apply to Restricted Transfers of Customer Personal Data protected by the GDPR and will be completed as follows:
      • (i) The clauses as set forth in Module Two (controller to processor) will apply only to the extent Customer is a controller and AirDNA is a processor;
      • (ii) The clauses as set forth in Module Three (processor to processor) will only apply to the extent Customer is a processor and AirDNA is a subprocessor;
      • (iii) The “data exporter” is the Customer, and the exporter’s contact information is set forth below;
      • (iv) The “data importer” is AirDNA, and AirDNA’s contact information is set forth below;
      • (v) In Clause 7, the optional docking clause will apply;
      • (vi) In Clause 9, Option 2 will apply;
      • (vii) In Clause 11, the optional language will not apply;
      • (viii) In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Spanish law;
      • (ix) In Clause 18(b), disputes will be resolved before the courts of Spain; and
      • (x) Annexes I and II of the Appendix are set forth in Exhibit A below.
  • (d) The UK Addendum will apply to Restricted Transfers of Customer Personal Data protected by the UK GDPR and will be completed as follows:
      • (i) Table 1 will be completed with the relevant information in Annex I set forth in Exhibit A;
      • (ii) Table 2 will be completed with the selected modules and clauses of the EU SCCs as identified in Section 9.2(c) of this DPA;
      • (iii) Table 3 will be completed with the relevant information from Annexes I and II set forth in Exhibit A and Section 4.1 of this DPA; and
      • (iv) In Table 4, the Importer may end the UK Addendum in accordance with the terms of the UK Addendum.
  • (e) In relation to Restricted Transfers of Customer Personal Data protected by the FADP, the EU SCCs will also apply to such transfers in accordance with paragraph (c) above, subject to the following:
      • (i) Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the FADP;
      • (ii) Any references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and
      • (iii) Any references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the relevant data protection authority and courts in Switzerland;

unless the EU SCCs as implemented above cannot be used to lawfully transfer such Customer Personal Data in compliance with the FADP, in which event the Swiss SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs will be populated using the information contained in Exhibit A of this DPA (as applicable).

  • (f) To the extent that transfers of Personal Data are subject to Data Protection Laws other than the GDPR, UK GDPR or FADP that require the use of standard contractual clauses to facilitate such transfers, the Parties are deemed to have entered into such standard contractual clauses to the extent legally required.

9.3 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses will prevail to the extent of such conflict.

9.4 By entering into this DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses and its applicable Appendices and Annexes.

10. Audits

10.1 Audit. AirDNA will allow for and contribute to audits conducted by Customer (or a third party auditor mutually agreed by both Parties (“Auditor”)) of documentation, data, certifications, reports, and records relating to AirDNA's processing of Customer Personal Data (“Records”) for the sole purpose of determining AirDNA's compliance with this DPA subject to the terms of this Section 10 provided the Agreement remains in effect and such audit is at Customer’s sole expense (an “Audit”).

10.2 Written Notice. Customer may request an Audit upon fourteen (14) days’ prior written notice to AirDNA, no more than once annually. However, in the event of a Security Incident occurring on AirDNA’s systems, Customer may request an Audit within a reasonable period of time following such Security Incident.

10.3 Further Written Requests and Inspections. In the event that the provision of Records does not provide sufficient information to allow Customer to determine AirDNA’s compliance with this DPA, Customer may, as necessary: (i) request additional information from AirDNA in writing, and AirDNA will respond to such written requests within a reasonable period of time (“Written Requests”); and (ii) only where AirDNA's responses to such Written Requests do not provide the necessary level of information required by Customer, request access to AirDNA's premises, systems and staff, upon twenty-one (21) days’ prior written notice to AirDNA (an “Inspection”) subject to the Parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an Auditor to conduct the Inspection, (c) the Inspection being carried out only during AirDNA's regular business hours, with minimal disruption to AirDNA’s business operations, and (d) all costs associated with the Inspection being borne by Customer (including AirDNA's time in connection with facilitating the Inspection). Inspections will be permitted no more than once annually, except in the event of a Security Incident.

10.4 Confidentiality. In connection with any Audit or Inspection conducted in accordance with this Section 10, the Auditor must be bound by obligations of confidentiality no less protective than those contained in the Agreement. Auditors will not be entitled to receive any data or information pertaining to other clients of AirDNA or any other Confidential Information of AirDNA that is not directly relevant for the authorized purposes of the Audit or Inspection.

10.5 Corrective Action. If any material non-compliance is identified by an Audit or Inspection, AirDNA will take prompt action to correct such non-compliance.

11. Return or Destruction of Customer Personal Data

Upon termination of the Agreement and written verified request from Customer’s authorized representative, AirDNA will delete Customer Personal Data, unless prohibited by Applicable Law. If no such request is received by AirDNA following termination, AirDNA may delete Customer Personal Data in line with its obligations under Applicable Law.

EXHIBIT A

Annex I to the Standard Contractual Clauses

Data exporter(s): Details/Descriptions

  • Name: Customer, a user of the Service
  • Address: Address as listed in the Agreement
  • Contact person’s name, position and contact details: Contact information as listed in the Agreement
  • Activities relevant to the data transferred under these Clauses: Activities relevant are described in Section B below
  • Signature and date: See Section 9.4 of DPA
  • Role (controller/processor): Controller and/or processor

Data importer(s): Details/Descriptions

  • Name: AirDNA, LLC, provider of the Service
  • Address: 1321 15th Street Denver, CO 80202
  • Contact person’s name, position and contact details: [email protected] or [email protected]
  • Activities relevant to the data transferred under these Clauses: Activities relevant are described in Section B below
  • Signature and date: See Section 9.4 of DPA
  • Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred

The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates.

Categories of personal data transferred

The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of personal data transferred might include (but are not limited to): name, email address, telephone, title.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data is transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous with use of the Service.

Nature of the processing

The provision of the Service to Customer in accordance with the Agreement.

Purpose(s) of the data transfer and further processing

To provide the Service to Customer as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For as long as necessary to provide the Service as described in the Agreement, as legally or contractually required, or upon receipt of Customer’s written request for deletion.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing 

The subject matter, nature and duration of the processing are specified above and in the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Identify the competent supervisory authority/ies in accordance with Clause 13

Customer agrees the competent supervisory authority will be the Spanish Data Protection Agency.

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

AirDNA emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.

AirDNA’s current technical and organizational security measures are as follows:

1. Information Security Policies and Standards. AirDNA will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that process Customer Personal Data. 

2. Physical Security. AirDNA will maintain commercially reasonable security controls to safeguard the physical security of devices that access Customer Personal Data. AirDNA shall ensure that all subcontractors that process Customer Personal Data maintain commercially reasonable physical security controls over any system that processes Customer Personal Data. 

3. Organizational Security. AirDNA will maintain information security policies and procedures addressing media disposal, data classification, and incident response protocols.

4. Network Security. AirDNA maintains commercially reasonable requirements for secure network connections.

5. Access Control. AirDNA agrees that: (1) only authorized AirDNA staff can grant, modify or revoke access to an information system that processes Customer Personal Data; and (2) it shall require its personnel to create and maintain strong passwords for all systems that process Customer Personal Data.

6. Virus and Malware Controls. AirDNA protects Customer Personal Data from malicious code and will install and maintain anti-virus and malware protection software on laptops that process Customer Personal Data.

7. Personnel. AirDNA employees, subcontractors, or agents who have access to Customer Personal Data are required to agree to follow established security policies and procedures and to maintain the confidentiality of Personal Data. Disciplinary process is applied if they fail to adhere to relevant policies and procedures.

8. Data minimization. AirDNA only collects information that is necessary in order to provide the Services outlined in our Terms of Service. Our employees are directed to access only the minimum amount of information necessary to perform the task at hand.

9. Limited data retention. AirDNA will retain information for the period necessary to fulfill the purposes outlined in our Privacy Policy, unless a longer retention period is required or permitted by law, or where the Agreement requires or permits specific retention or deletion periods. Customer may request deletion of data at any time and Customer Personal Data is deleted or anonymized upon termination of the Agreement.

10. Accountability. AirDNA has established a comprehensive GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts. AirDNA has appointed a Data Protection Officer (“DPO”), who can be reached at [email protected]. We revise our policies and contracts with our partners, vendors, and users; we review and map the data we collect, use, and share; we have robust internal privacy and security documentation; we provide training to our employees on GDPR requirements and privacy and security best practices generally.

11. Data Portability. AirDNA provides a mechanism for individuals to exercise their privacy rights in accordance with applicable law. Individuals may contact AirDNA at any time using this form. More information can be found in our Privacy Policy.