Uniek Platform operated by Simple Management BV — Version 2
Last updated: 18 May 2026
Simple Management BV, a private limited liability company (besloten vennootschap met beperkte aansprakelijkheid) incorporated under the laws of the Netherlands, having its registered office at Josef Israelskade 46, 1072SB, Amsterdam, The Netherlands, and registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 59878592 (hereinafter referred to as "Uniek", "we", "us", or "our"), respects your privacy and is committed to protecting your personal data.
This Privacy Policy (the "Policy") describes how we collect, use, disclose, retain, transfer and otherwise process personal data relating to the users of the Uniek platform, which is made available worldwide through the websites located at www.uniek.ai and app.uniek.ai, together with any mobile applications, application programming interfaces, software-as-a-service tools and ancillary services provided by us (collectively, the "Platform").
Our principal establishment for data protection purposes is in the Netherlands and our principal lead supervisory authority within the European Union is the Autoriteit Persoonsgegevens. This Policy is issued in accordance with Regulation (EU) 2016/679 (the "GDPR"), the UK GDPR, and, where applicable, the Swiss Federal Act on Data Protection (FADP).
We have prepared this Policy to be transparent, accessible and detailed. If you do not agree with the practices described in this Policy, you must not access or use the Platform.
This Policy applies to all natural persons whose personal data is processed by us in connection with the Platform, including:
This Policy does not apply to the privacy practices of third parties whose websites, applications or services are linked to or integrated with the Platform but which are not operated by us.
For the purposes of this Policy, the following terms have the meanings set out below. Capitalised terms not defined here have the meaning given to them in the GDPR.
Simple Management BV is the Data Controller for the Personal Data described in this Policy, except where expressly stated otherwise.
Legal entity: Simple Management BV
Registered office: Josef Israelskade 46, 1072SB, Amsterdam, The Netherlands
Chamber of Commerce number: 59878592
General contact: support@uniek.ai
Privacy contact: support@uniek.ai
Our relationship with Property Owners in respect of the Processing of Guest Personal Data consists of two distinct stages, each governed by a different legal characterisation under the GDPR.
Stage 1 — Forwarding of Guest Personal Data to Uniek (Controller-to-Controller Transfer): Where a Property Owner forwards Guest Personal Data to Uniek in order to initiate the Uniek Guest experience, the Property Owner and Uniek act as separate and independent Data Controllers within the meaning of Article 4(7) GDPR. Because in Stage 1 Uniek receives Forwarded Guest Data from a source other than the Guest, Uniek complies with its Article 14 GDPR obligation by providing the Guest with an Article 14 notice at the first contact with the Guest (the "Welcome Notice").
Stage 2 — Joint Processing on the Platform: From the moment Guest Personal Data is received by Uniek and is then used by Uniek and the Property Owner together to deliver the Guest experience, the Parties act as joint controllers within the meaning of Article 26 GDPR in respect of: the publication of listings; matching of Guests with properties and Service Providers; management of the booking and stay lifecycle; facilitation of communication between the Guest and the Property Owner; collection, moderation and publication of reviews and ratings; and resolution of disputes. Uniek acts as the primary point of contact for data subjects in respect of the Joint Processing. The essential elements of the arrangement are summarised in Annex B to this Policy.
Where we host, store or otherwise process Guest Personal Data exclusively on behalf of and pursuant to the documented instructions of a Property Owner — for example, when the Property Owner uses our SaaS tools to manage its own guest database — we act as a Data Processor within the meaning of Article 28 GDPR. In such cases, the Property Owner is the Data Controller and is responsible for ensuring that the underlying processing complies with the GDPR.
We have appointed a Data Protection Officer in accordance with Article 37 GDPR. You can contact our Data Protection Officer at any time in relation to any matter concerning the processing of your Personal Data or the exercise of your rights.
Name: Sebastiaan Kohnke
Email: support@uniek.ai
Postal address: Data Protection Officer, Simple Management BV, Josef Israelskade 46, 1072SB, Amsterdam, The Netherlands
Because the Platform is offered globally, we may from time to time be required to appoint a representative under Article 27 UK GDPR or under similar provisions of other applicable data protection legislation. Where we have appointed such a representative, the contact details are made available to data subjects on request through our Data Protection Officer.
Some Personal Data we collect from Guests may indirectly reveal information that falls within the special categories referred to in Article 9 GDPR (for example, dietary preferences that reveal religious convictions). We process such data only to the extent strictly necessary for the performance of the booking and only where you have explicitly chosen to provide that information.
When you visit the Platform without registering, we collect technical data (IP address, device identifiers, browser type, operating system, time zone, pages visited and time spent on each page), data submitted through contact or newsletter sign-up forms, and data collected through cookies and similar technologies as described in Section 13 below.
We collect Personal Data primarily from you directly. We may also receive Personal Data from other users of the Platform (for example, Forwarded Guest Data), from our service providers and Sub-processors (for example, identity verification or fraud prevention providers), from publicly available sources (for example, the KvK register or sanctions lists), and from our affiliates or business partners where permitted by law.
Where we collect Personal Data from sources other than you, we will provide you with the information required under Article 14 GDPR within one month of obtaining the data, or at the latest at first contact with you, unless one of the exceptions in Article 14(5) GDPR applies.
We process Personal Data only where we have a legal basis to do so under Article 6 GDPR. The table below describes, for each purpose of processing, the legal basis and the categories of data subjects concerned.
| Purpose of processing | Legal basis (Article 6 GDPR) | Data subjects |
|---|---|---|
| Creation and management of user accounts and provision of the Platform | Art. 6(1)(b) — performance of contract (the Terms of Service) | Property Owners, Service Providers, Guests |
| Onboarding of Guests via Forwarded Guest Data | Art. 6(1)(b) — pre-contractual steps; Art. 6(1)(f) — legitimate interests in providing a consistent Guest experience | Guests |
| Facilitation of bookings and provision of services by Service Providers | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interests in operating the marketplace | Guests, Property Owners, Service Providers |
| Processing of payments, payouts and commissions | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — compliance with legal obligations including anti-money laundering and tax law | Guests, Property Owners, Service Providers |
| Identity verification of users | Art. 6(1)(c) — legal obligation (DSA and AML); Art. 6(1)(f) — legitimate interests in preventing fraud and protecting users | Property Owners, Service Providers, Guests (where applicable) |
| Algorithmic matching and search ranking | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interests in providing relevant results | Guests, Property Owners, Service Providers |
| In-platform messaging and third-party messaging integrations (incl. WhatsApp Business) | Art. 6(1)(b) — performance of contract; Art. 6(1)(a) — consent where required for third-party channel integration | Guests, Property Owners, Service Providers |
| Collection, publication and moderation of reviews and ratings | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interests in operating a trusted marketplace | Guests, Property Owners, Service Providers |
| Sending transactional communications (booking confirmations, account notifications, Article 14 Welcome Notice) | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — compliance with Art. 14 GDPR | Guests, Property Owners, Service Providers |
| Sending marketing communications and newsletters | Art. 6(1)(a) — consent; or Art. 6(1)(f) — legitimate interests in marketing to existing customers, subject to soft opt-in rules | All users |
| Fraud prevention, platform integrity and dispute resolution | Art. 6(1)(f) — legitimate interests in protecting our business and users; Art. 6(1)(c) — compliance with legal obligations | All users |
| Compliance with GDPR, DSA, AML, tax and other applicable law | Art. 6(1)(c) — compliance with a legal obligation | All users |
| Establishment, exercise or defence of legal claims | Art. 6(1)(f) — legitimate interests in protecting our legal rights; Art. 9(2)(f) where special categories of data are involved | All users |
| Service improvement, troubleshooting, analytics and product development | Art. 6(1)(f) — legitimate interests in improving the Platform; or Art. 6(1)(a) — consent where required (e.g. analytical cookies) | All users |
| Corporate transactions (mergers, acquisitions, restructurings) | Art. 6(1)(f) — legitimate interests in conducting our business | All users |
Where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You can exercise this right by contacting us at the addresses set out in Section 11, or by using the unsubscribe link included in each marketing communication.
Where we process your Personal Data on the basis of our legitimate interests, you have the right to object to such processing on grounds relating to your particular situation, as set out in Section 11 below.
We use automated processing, including profiling, in the following limited circumstances:
Algorithmic matching and search ranking: We use algorithms to recommend properties and services to Guests and to determine the order in which listings appear in search results. These algorithms take into account factors such as your search criteria, location, dates, prior bookings, ratings, language and behavioural data on the Platform. This processing is not used to make decisions that produce legal effects concerning you within the meaning of Article 22(1) GDPR; rather, it serves to improve the relevance of the results we present to you.
Fraud prevention and risk scoring: We use automated tools to detect indicators of fraud, payment risk, platform circumvention or other prohibited behaviour. Where an automated risk score leads to a measure that may significantly affect you (for example, the suspension of an account or the blocking of a payment), we ensure that a human decision-maker reviews the case before any final decision is taken, in accordance with Article 22(3) GDPR. You have the right to obtain human intervention, to express your point of view and to contest the decision.
We do not engage in any other form of automated decision-making that produces legal effects concerning you or that similarly significantly affects you within the meaning of Article 22(1) GDPR.
We do not sell your Personal Data. We disclose your Personal Data only to the categories of recipients described in this Section, and only to the extent necessary for the purposes set out in Section 6 above.
Where it is necessary for the performance of a booking or the provision of a service, we share Personal Data between users of the Platform: with Property Owners (Guest name, contact details, booking details and special requests); with Service Providers (Guest or Property Owner data necessary to perform the requested service); and with Guests (Property Owner or Service Provider name and contact details necessary to perform the booking or service). In each case, the recipient becomes an independent Data Controller in respect of the Personal Data shared with it.
We engage third parties to provide services to us in connection with the operation of the Platform. Where these third parties process Personal Data on our behalf, they act as our Sub-processors and are bound by written contractual arrangements that comply with Article 28 GDPR. The categories of Sub-processors we engage include:
A full list of our current Sub-processors is set out in Annex A to this Policy.
We may also disclose your Personal Data to: competent supervisory, regulatory and law enforcement authorities where required by law; tax authorities (in particular the Dutch Belastingdienst); insurers and insurance brokers; counterparties to corporate transactions; and courts, arbitrators and other dispute resolution bodies where necessary for the establishment, exercise or defence of legal claims.
We do not sell, rent, lease or otherwise commercialise your Personal Data to third parties for their own marketing or commercial purposes.
Because the Platform is offered globally, Personal Data may be transferred to, stored in or otherwise processed in countries other than the country in which you are located, including countries outside the European Economic Area, the United Kingdom and Switzerland. We undertake all such transfers in accordance with Chapter V GDPR and the equivalent provisions of the UK GDPR or the FADP.
We transfer Personal Data to recipients in the United States using one or more of the following mechanisms:
Where we transfer Personal Data to recipients in third countries other than the United States, we apply the following safeguards in order of preference: adequacy decisions under Article 45 GDPR; SCCs or equivalent instruments; or, exceptionally, the derogations for specific situations set out in Article 49 GDPR.
Following the Schrems II judgment and in accordance with EDPB recommendations, we carry out a Transfer Impact Assessment (TIA) for each transfer to a third country that does not benefit from an adequacy decision. Where the TIA indicates that the SCCs alone are not sufficient, we implement supplementary measures including: strong encryption of Personal Data in transit and at rest, with encryption keys held within the EEA where feasible; pseudonymisation of Personal Data where appropriate; contractual commitments by the Sub-processor to challenge any disproportionate request for access by public authorities; and organisational measures including data minimisation and strict access controls.
You have the right to obtain a copy of the safeguards we have put in place for transfers of Personal Data outside the EEA, the United Kingdom or Switzerland. To exercise this right, please contact our Data Protection Officer at the address set out in Section 4.4.
In accordance with Article 5(1)(e) GDPR, we retain Personal Data only for as long as is necessary for the purposes for which it was collected, taking into account our legitimate need to defend against legal claims, to comply with legal and regulatory obligations and to maintain the integrity of the Platform.
| Category of Personal Data | Retention period | Justification |
|---|---|---|
| Account data of active Property Owners, Service Providers and Guests | Duration of the account, plus a maximum of 7 years after account closure | Performance of the contract; defence of legal claims and tax retention obligations |
| Booking data (Guests) | 7 years from the date of the booking | Tax and accounting retention obligation (7 years, Article 52 AWR); defence of legal claims (5-year limitation period, Article 3:307 BW); prevention and detection of fraud |
| Forwarded Guest Data (where no booking is subsequently made on the Platform) | Up to 2 years from the date of receipt | Onboarding of the Guest, defence of claims, audit trail of the Article 14 notice |
| Financial and accounting records (invoices, payment records, payout records) | 7 years from the end of the financial year in which the record was created | Mandatory retention period under Article 52 of the Dutch General Tax Act (fiscale bewaarplicht) |
| Identity verification data (copies of identity documents) | Up to 5 years from the date of verification, or up to 7 years where required as evidence of compliance with a legal obligation | Compliance with AML and DSA obligations; defence of legal claims |
| Communication data (in-platform messages, WhatsApp, email correspondence) | 5 years from the date of the last communication, or longer if connected to a booking or dispute | Defence of legal claims; performance of contract; integrity of the Platform |
| Reviews and ratings | Duration of the relevant listing, plus a maximum of 7 years after removal of the listing | Performance of contract; transparency of the marketplace; defence of legal claims |
| Fraud, risk and abuse data (including data on suspended or banned accounts) | Up to 7 years from the relevant event, with anonymised retention thereafter | Legitimate interests in preventing recurrence of fraud; compliance with the DSA |
| Marketing data (preferences, consent records, engagement data) | Until consent is withdrawn or, where based on legitimate interests, until you object; in any event reviewed after every 3 years of inactivity | Demonstration of consent (Article 7(1) GDPR); ePrivacy compliance |
| Technical data (IP addresses, device data, server logs) | Up to 12 months for raw logs; longer for security-related data linked to a security event | Legitimate interests in security, troubleshooting and platform integrity |
| Cookies and similar identifiers | As set out in our Cookie Notice; in any event no longer than 12 months for non-essential cookies | ePrivacy compliance; EDPB guidance on cookie lifetime |
| Personal Data relating to legal claims and litigation | Until the resolution of the claim, plus the applicable limitation period (typically 5 years, or up to 20 years in exceptional cases) | Defence of legal claims (Articles 3:306 and 3:307 of the Dutch Civil Code) |
After the expiry of the applicable retention period, we will either delete the Personal Data securely or, where we wish to retain the data for analytical or statistical purposes, we will anonymise it irreversibly such that it can no longer be linked to an identifiable natural person.
We maintain an internal retention policy that records, for each category of Personal Data, the applicable retention period, the legal or operational justification and the procedures we apply to delete or anonymise the data at the end of the period.
Under the GDPR, you have the following rights in respect of the Personal Data we process about you. Exercising these rights is free of charge, save where your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request in accordance with Article 12(5) GDPR.
You have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to the Personal Data and to the information set out in Article 15(1) GDPR, including a copy of the Personal Data undergoing processing.
You have the right to obtain from us, without undue delay, the rectification of inaccurate Personal Data concerning you, and to have incomplete Personal Data completed, including by means of providing a supplementary statement, in accordance with Article 16 GDPR.
You have the right to obtain from us the erasure of Personal Data concerning you, without undue delay, where one of the grounds set out in Article 17 GDPR applies. This right is not absolute and does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise or defence of legal claims, or for reasons of public interest.
You have the right to obtain from us the restriction of processing of your Personal Data where one of the grounds set out in Article 18 GDPR applies, including where you contest the accuracy of the Personal Data or where you have objected to processing pending verification of whether our legitimate grounds override yours.
Where the processing is based on consent or on a contract and is carried out by automated means, you have the right to receive the Personal Data concerning you which you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data to another controller, in accordance with Article 20 GDPR.
You have the right to object, on grounds relating to your particular situation, at any time to processing of Personal Data concerning you which is based on our legitimate interests (Article 6(1)(f) GDPR). Where Personal Data is processed for direct marketing purposes, you have the right to object at any time and your Personal Data shall no longer be processed for such purposes. This right is absolute, in accordance with Article 21(2)–(3) GDPR.
Where the processing of your Personal Data is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, in accordance with Article 7(3) GDPR.
As described in Section 7 above, we do not make decisions based solely on automated processing that produce legal effects concerning you. Where, exceptionally, such automated decision-making is necessary, you have the right to obtain human intervention, to express your point of view and to contest the decision.
To exercise any of the rights described above, please contact us by one of the following means:
We will provide you with information on the action we have taken within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement. In the Netherlands, the competent supervisory authority is the Autoriteit Persoonsgegevens (Postbus 93374, 2509 AJ Den Haag; www.autoriteitpersoonsgegevens.nl; +31 (0)88 1805 250). In the United Kingdom, the competent authority is the ICO (www.ico.org.uk). In Switzerland, the competent authority is the FDPIC (www.edoeb.admin.ch). We would, however, appreciate the opportunity to address your concerns directly before you approach the supervisory authority.
We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include:
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, not later than 72 hours after having become aware of it, in accordance with Article 33 GDPR.
We use cookies and similar technologies (such as web beacons, pixels, tags, SDKs and local storage) on the Platform. We distinguish between the following categories:
When you first visit the Platform, we will display a cookie banner through which you can give, refuse or configure your consent in respect of non-essential cookies. You can change your cookie preferences at any time by using the cookie management tool accessible from the footer of the Platform.
The Platform is not directed at children. We do not knowingly collect Personal Data from natural persons under the age of 18. Registration as a Guest is permitted only to natural persons who have reached the age of 18 and have legal capacity to enter into a binding contract with us.
The Platform does not permit bookings that include minors as occupants. Where you register a booking, you confirm that all occupants of the booked property will be aged 18 or over.
If you become aware that a person under the age of 18 has provided Personal Data to us, please contact our Data Protection Officer immediately and we will take steps to delete the relevant Personal Data without undue delay, unless we are required to retain it under applicable law.
We may amend this Policy from time to time to reflect changes in our business practices, in the services offered through the Platform, in applicable law or in the guidance of supervisory authorities.
Where we make material changes to this Policy, we will notify you in advance through one or more appropriate channels at least 30 days before the changes take effect, save where the changes are required to be implemented sooner by applicable law. Non-material changes may be made without prior notification.
Your continued use of the Platform after the effective date of an amended version of this Policy constitutes your acknowledgment of the amended Policy. Previous versions of this Policy can be obtained from our Data Protection Officer on request.
If you have any questions, concerns or requests in relation to this Policy or to the processing of your Personal Data, please contact us at:
Simple Management BV, attn. Data Protection Officer (Sebastiaan Kohnke)
Josef Israelskade 46, 1072SB, Amsterdam, The Netherlands
Email: support@uniek.ai
This Annex sets out the list of Sub-processors engaged by Simple Management BV as of the date of last update of this Policy. We update this list from time to time.
| Sub-processor | Location / Processing location | Service category | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg / AWS EU regions (eu-central-1 Frankfurt, eu-west-1 Ireland) | Cloud object storage (Amazon S3) for property and listing images, and underlying cloud infrastructure | N/A within AWS EU regions; SCCs (Module 3) for onward transfers to AWS Inc. (US) |
| Anthropic, PBC | 548 Market Street, San Francisco, CA 94104, United States | AI assistant (Claude) for in-platform productivity, content generation and customer-support automation | EU-US DPF (Anthropic is DPF-certified) + EU SCCs (Module 2) as fallback |
| API Hero Ltd (trading as Trigger.dev) | Altrincham, Cheshire, United Kingdom (ICO registration ZB547039) | Orchestration of background and scheduled jobs (asynchronous task execution) | UK adequacy decision under Commission Implementing Decision (EU) 2021/1772 |
| Google Ireland Limited | Dublin 4, Ireland | Google Maps Platform (interactive maps, geocoding, Places API and image loading) | N/A within EEA; EU-US DPF + EU SCCs (Module 3) for onward transfers to Google LLC (US) |
| ImageKit Inc. / IMAGEKIT PRIVATE LIMITED | Delaware, United States / New Delhi, India / processing in AWS regions including the EU | Image processing, optimisation, transformation and content delivery network | EU-US DPF (ImageKit Inc. is DPF-certified); EU SCCs (Module 3) for transfers to India |
| Meta Platforms Ireland Ltd / Meta Platforms, Inc. | Dublin, Ireland / Menlo Park, United States | WhatsApp Business integration for user communications | EU-US DPF (Meta is DPF-certified) + SCCs as additional safeguard |
| Plus Five Five, Inc. (trading as Resend) | 2261 Market Street, San Francisco, CA 94114, United States | Transactional email delivery (account, booking and Article 14 Welcome Notice emails) | EU-US DPF (Plus Five Five, Inc. is DPF-certified, including UK Extension); EU SCCs (Module 3) as additional safeguard |
| Pusher Limited (a Bird / MessageBird group company) | 3 More London Riverside, London SE1 2AQ, United Kingdom | Real-time notifications and in-application messaging events | UK adequacy decision under Commission Implementing Decision (EU) 2021/1772 |
| Render Services, Inc. | 525 Brannan Street, San Francisco, CA 94107, United States / processing in Render's EU region (Frankfurt) where selected | Application hosting and Platform-as-a-Service for Uniek back-end services | EU SCCs (Module 3) for US transfers; where EU region is selected, processing remains within the EEA |
| Replit, Inc. | 767 Bryant Street #203, San Francisco, CA 94107, United States | Hosting of marketing pages, landing pages and prototyping environments | EU SCCs (Module 3) supplemented by the additional safeguards described in Section 9.4 |
| Twilio Ireland Limited / Twilio Inc. | Dublin 1, Ireland / San Francisco, CA, United States | SMS messaging and WhatsApp Business messaging (booking confirmations and one-time passwords) | N/A for processing by Twilio Ireland within the EEA; EU-US DPF + Twilio Binding Corporate Rules (Processor) + EU SCCs (Module 3) for Twilio Inc. |
This Annex sets out the essence of the arrangement between Simple Management BV and Property Owners in their capacity as joint controllers of certain Personal Data relating to Guests, as required by Article 26(2) GDPR. The full arrangement is set out in the Joint Controller Addendum that forms an integral part of the Property Owner Terms.
As explained in Section 4.2, the relationship between Simple Management BV and Property Owners in respect of Guest Personal Data consists of two stages: (i) Stage 1, in which the Parties act as separate independent controllers; and (ii) Stage 2, the Joint Processing on the Platform, in which the Parties act as joint controllers within the meaning of Article 26 GDPR.
The joint controllership covers the Personal Data of Guests that is processed in connection with: the publication of listings; the matching of Guests with properties and Service Providers; the management of bookings; in-Platform communication between the parties to a booking; the collection and publication of reviews; and the resolution of disputes arising out of bookings.
Simple Management BV is responsible for: (i) the operation of the Platform, including the technical infrastructure used to process Personal Data; (ii) the provision of information to Guests under Articles 13 and 14 GDPR through this Policy and through the Welcome Notice; (iii) the management of consent for marketing communications; (iv) the handling of data subject requests under Articles 15 to 22 GDPR; and (v) the notification of Personal Data breaches to the Autoriteit Persoonsgegevens under Article 33 GDPR.
Property Owners are responsible for: (i) the processing of Guest Personal Data outside the Platform, including for the performance of the rental relationship; (ii) ensuring that, before forwarding Guest Personal Data to Uniek, they have an appropriate lawful basis and have informed the Guest in accordance with Article 13 GDPR; (iii) the accuracy of any Personal Data they upload or forward to the Platform; (iv) the lawful use of any Personal Data they receive through the Platform; and (v) the timely communication to Simple Management BV of any data subject request they receive directly or any Personal Data breach of which they become aware.
The primary point of contact for data subjects in relation to the joint controllership is Simple Management BV, at the addresses set out in Section 4.4. Data subjects may, however, exercise their rights with respect to either joint controller, and the joint controllers will cooperate to provide a coordinated response in accordance with Article 26(3) GDPR.