Legal Notice
Privacy Policy
This Privacy Policy explains how OnlyVIP Ltd. ("OnlyVIP", "we", "us") processes personal data of visitors, applicants, members, hosts and other users of the OnlyVIP platform (the "Service"). It is issued in accordance with Articles 12–14 of Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR"), the Austrian Data Protection Act (DSG), the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the UK GDPR and the California Consumer Privacy Act ("CCPA").
Table of contents
- 1. Controller & Data Protection Officer
- 2. Scope of this Policy
- 3. Principles of Processing
- 4. Categories of Personal Data We Process
- 5. Purposes & Legal Bases
- 6. Sources of Data
- 7. Recipients & Processors
- 8. International Data Transfers
- 9. Retention Periods
- 10. Your Rights as a Data Subject
- 11. Automated Decision-Making & Profiling
- 12. Cookies & Similar Technologies
- 13. Security Measures
- 14. Children & Minors
- 15. Personal Data Breach Notification
- 16. Changes to this Policy
- 17. Contact
1. Controller & Data Protection Officer
The controller responsible for the processing of personal data within the meaning of Art. 4(7) GDPR is:
OnlyVIP Ltd.
123 Members Lane, 1010 Vienna, Austria
Email: privacy@onlyvip.com
We have appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR. The DPO can be contacted at: dpo@onlyvip.com or by post (Attn.: Data Protection Officer) at the address above.
2. Scope of this Policy
This Policy applies to all processing carried out by OnlyVIP in connection with the Service, including the website, mobile applications, concierge channels, member events and related customer support. It does not apply to third-party websites, services or applications that we do not control.
3. Principles of Processing
We process personal data lawfully, fairly and transparently; for specified, explicit and legitimate purposes; limited to what is necessary; keeping it accurate and up to date; retaining it for no longer than necessary; and in a manner that ensures appropriate security (Art. 5 GDPR — "lawfulness, fairness and transparency", "purpose limitation", "data minimisation", "accuracy", "storage limitation", "integrity and confidentiality" and "accountability").
4. Categories of Personal Data We Process
4.1 Account & identity data
Name, salutation, date of birth, nationality, email address, telephone number, postal address, password (hashed), profile photograph, languages spoken.
4.2 Verification / KYC data
Government-issued identification documents, selfie/liveness check, proof of address, sanctions/PEP screening results, occupational background.
4.3 Membership & transaction data
Tier, application history, invitations sent and received, RSVPs, booking history, escrow records, invoices, two-way ratings, concierge correspondence.
4.4 Payment data
Billing address, payment instrument tokens, last four digits and brand of cards, IBAN where applicable, transaction IDs (we do not store full card numbers or CVV; these are processed by our PCI-DSS-certified payment service provider).
4.5 Technical & usage data
IP address, device identifiers, browser type and version, operating system, referrer, pages visited, timestamps, crash reports, approximate location derived from IP.
4.6 Communication data
Content of messages exchanged with our concierge, support tickets, email correspondence, recordings of phone calls (only with explicit prior consent and where legally permitted).
4.7 Special categories
We do not knowingly process special categories of personal data (Art. 9 GDPR) unless you voluntarily provide them in the context of accessibility requests, dietary requirements or comparable lifestyle preferences. Such data is processed strictly on the basis of your explicit consent (Art. 9(2)(a) GDPR).
5. Purposes & Legal Bases
We process personal data for the following purposes and on the following legal bases:
- Provision of the Service (account creation, matching, bookings, concierge) — Art. 6(1)(b) GDPR (performance of contract).
- Identity verification & KYC — Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in preventing fraud and abuse).
- Payment processing and accounting — Art. 6(1)(b) and (c) GDPR (contractual and tax/commercial-law obligations).
- Marketing communications — Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest) where lawfully permitted; you may opt out at any time.
- Security, fraud prevention and platform integrity — Art. 6(1)(f) GDPR (legitimate interest in protecting the Service and its members).
- Compliance with legal obligations — Art. 6(1)(c) GDPR (e.g. AML, tax, DSA reporting).
- Establishment, exercise or defence of legal claims — Art. 6(1)(f) GDPR; Art. 9(2)(f) GDPR for any special categories.
6. Sources of Data
We obtain personal data primarily from you when you register, communicate with our concierge or use the Service. We may also receive data from (i) referees who invite you to apply, (ii) identity-verification providers, (iii) sanctions/PEP screening services, (iv) payment service providers, and (v) publicly accessible sources where this is necessary for our legitimate interest in preventing fraud.
7. Recipients & Processors
We disclose personal data only where necessary and on a documented legal basis. Categories of recipients include:
- Cloud and hosting providers (EU/EEA where reasonably possible).
- Identity-verification and KYC providers.
- Payment service providers and acquiring banks.
- Communication and CRM providers used by our concierge team.
- Professional advisors (lawyers, auditors, tax consultants) under statutory confidentiality.
- Hosts and members where strictly necessary to confirm a booking (limited to name and the information you have elected to share).
- Public authorities and courts where required by law.
All processors are bound by a data-processing agreement pursuant to Art. 28 GDPR. A list of our current sub-processors is available on request.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area, we ensure an adequate level of protection through (i) adequacy decisions of the European Commission pursuant to Art. 45 GDPR, (ii) Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) pursuant to Art. 46(2)(c) GDPR, (iii) certification under the EU-U.S. Data Privacy Framework where applicable, or (iv) other appropriate safeguards. Supplementary technical and organisational measures (e.g. encryption in transit and at rest) are applied where necessary following a transfer impact assessment.
9. Retention Periods
- Account data: for the duration of the membership and up to 36 months thereafter to address residual claims.
- KYC / AML records: 5 years after the end of the business relationship (Austrian FM-GwG, Directive (EU) 2015/849).
- Invoices and accounting records: 7 years (§ 132 Austrian Federal Fiscal Code "BAO").
- Concierge correspondence: up to 24 months unless required longer for evidentiary purposes.
- Server logs: up to 14 days, anonymised or deleted thereafter.
- Marketing data: until you withdraw consent or object.
Where data is needed for the establishment, exercise or defence of legal claims, retention may extend until the expiry of the applicable limitation period (generally up to 30 years for in-rem claims under Austrian law).
10. Your Rights as a Data Subject
You have the following rights, exercisable free of charge in accordance with Articles 15–22 GDPR:
- Right of access (Art. 15) — to obtain confirmation as to whether your data is processed and a copy thereof.
- Right to rectification (Art. 16) — to have inaccurate data corrected.
- Right to erasure / "to be forgotten" (Art. 17) — subject to overriding legal retention duties.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — in a structured, commonly used, machine-readable format.
- Right to object (Art. 21), in particular to processing based on Art. 6(1)(f) and to direct marketing.
- Right to withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint with a supervisory authority (Art. 77), in particular in the EU member state of your habitual residence. The competent authority for OnlyVIP is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, dsb.gv.at.
11. Automated Decision-Making & Profiling
Application decisions are reviewed by a human concierge committee. Where we use automated risk-scoring tools (e.g. fraud or sanctions screening), the result is treated as a decision-support signal and any adverse outcome is confirmed by a qualified employee, with a meaningful explanation and the right to contest the decision pursuant to Art. 22(3) GDPR.
12. Cookies & Similar Technologies
We use strictly necessary cookies to operate the Service (e.g. session, security, load balancing) on the basis of Art. 6(1)(f) GDPR and § 25(2) of the Austrian Telecommunications Act ("TKG"). Analytical and marketing cookies are set only on the basis of your prior explicit consent (Art. 6(1)(a) GDPR, § 25(1) TKG, § 25 TTDSG), which you can grant, refuse or withdraw at any time via our cookie banner. A detailed list of cookies, their purpose, provider and retention period is available in our cookie settings.
13. Security Measures
We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, including transport-layer encryption (TLS 1.2+), encryption of personal data at rest, role-based access control, least-privilege principles, multi-factor authentication for staff, segregated production environments, periodic penetration testing, employee training, a documented incident-response process and an information-security management system aligned with ISO/IEC 27001.
14. Children & Minors
The Service is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected such data, we will delete it without undue delay.
15. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR), and you directly without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR).
16. Changes to this Policy
We may update this Policy from time to time to reflect changes in our processing activities, applicable law or supervisory guidance. Material changes will be notified to you in advance through the Service or by email. The "Last updated" date below indicates the version currently in force.
17. Contact
For any question or request regarding this Policy or the exercise of your rights, please contact us at privacy@onlyvip.com or write to OnlyVIP Ltd., Attn.: Data Protection Officer, 123 Members Lane, 1010 Vienna, Austria.
