Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Vioma is a German hospitality software vendor that provides booking engines (IBE), channel managers, and website tools for hotels and resorts. Its widgets load on hotel websites, set first party cookies for the booking flow, and exchange reservation data with Vioma servers in Germany.
Vioma GmbH, based in Freiburg im Breisgau, builds booking and distribution software for the hotel industry, including its internet booking engine (IBE), channel manager, website CMS, and email marketing tools. Hotels embed the Vioma booking widget into their site so visitors can search availability, configure room and rate options, and place reservations. The widget loads JavaScript and assets from Vioma domains, persists session and search state in first party cookies, and posts booking and guest data to Vioma servers in Germany. Because Vioma services run on hotel websites that target EU travelers, deployments fall under GDPR, the ePrivacy Directive, and German TTDSG.
Vioma typically sets first party cookies on the hotel domain to manage the booking session, store the current search (dates, guests, room type), and remember the locale and currency. It processes guest data entered in the booking form, including names, email addresses, phone numbers, billing details, special requests, and payment tokens forwarded to a payment service provider. Server logs capture IP addresses, user agents, and timestamps for fraud prevention and operational diagnostics. Optional analytics and marketing modules can send aggregated event data to GA4, Meta, or other tools selected by the hotel.
When the booking engine is needed to process a reservation that the visitor has explicitly initiated, processing of guest data and the related strictly necessary cookies can rest on contract performance under GDPR Art. 6(1)(b) and the strict necessity exemption of ePrivacy Art. 5(3). Optional analytics, A/B testing, retargeting, and cross site tracking layered on top of Vioma require prior, freely given, specific, informed, and unambiguous consent from EU and UK guests. German hotels must also comply with TTDSG Section 25, which mirrors the ePrivacy rules and is enforced by the Länder data protection authorities.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Vioma core services run from Germany, which keeps booking data inside the EEA. However, hotels typically integrate payment providers, distribution channels, and analytics that may transfer data outside the EEA. Each integration must be reviewed: payment service providers like Adyen or Stripe rely on Standard Contractual Clauses, OTAs may host data in multiple jurisdictions, and Google Analytics involves transfers to the United States under the EU US Data Privacy Framework. Document each sub processor in the record of processing and run a transfer impact assessment for non EEA flows.
Hotels using Vioma act as controllers of guest data and must publish a clear privacy notice covering booking, marketing, and analytics. Configure the cookie banner so the booking engine can load when the user starts a reservation, but block optional analytics and advertising scripts until consent is given. Update the data processing agreement with Vioma, list it as a processor, and verify the chain of sub processors. Ensure that retention periods for booking data follow tax and accommodation tax laws while applying minimization for marketing profiles.
Sign a written data processing agreement with Vioma and obtain its current sub processor list. Map the data flow from the booking widget through Vioma to the PMS, channel manager, payment provider, and any marketing or analytics tools. Configure the cookie banner so optional categories are off by default and only fire when the user actively consents. Document retention rules for guest profiles, marketing consents, and audit logs. Train front office staff on data subject rights and review the cookie audit and DPIA at least once per year and after major Vioma releases.
Websites using Vioma must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Vioma is combined with extensive marketing automation, profiling of guest preferences, or large scale processing across many properties. Document the categories of guest data collected, the chain of processors (payment, channel manager, analytics), retention rules, and any non EEA transfers. Reference EDPB guidelines, German DSK position papers on cookie consent, and Bavarian or Baden Württemberg DPA guidance on hotel processing.
Sample consent text
We use Vioma to power the online booking engine on this site. Strictly necessary cookies allow you to search availability, complete a reservation, and process payment. Optional analytics and marketing cookies help us improve the experience and send relevant offers, and only run with your consent. You can change your choices at any time in the cookie settings.
Third-party domains contacted
vioma.devioma.comsecure.vioma.deibe.vioma.decdn.vioma.deCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| vm_session | first_party | Session | Maintains the active booking session and links the user to their search and selection. |
| vm_search | first_party | 1 day | Stores the current search criteria such as arrival, departure, guests, and room type to allow returning to the search. |
| vm_locale | first_party | 1 year | Remembers the selected language and currency for the booking engine. |
| vm_csrf | first_party | Session | Protects booking and contact forms from cross site request forgery. |
Vioma places tracking cookies for advertising — comply with GDPR using FlowConsent.
Vioma sets first party cookies on the hotel domain to maintain the booking session, store the current search criteria, remember the selected language and currency, and protect form submissions against cross site request forgery. Optional analytics or marketing cookies depend on which integrations the hotel activates and on the consent the guest gives.
Strictly necessary booking engine functions can load without prior consent because they deliver a service the guest actively requested. Optional analytics, retargeting, and marketing scripts attached to the booking flow require prior opt in consent in the EU, UK, and Switzerland.
Booking processing rests on contract performance under GDPR Art. 6(1)(b) for the reservation itself, on legal obligation under Art. 6(1)(c) for invoicing and accommodation taxes, and on consent under Art. 6(1)(a) plus ePrivacy Art. 5(3) for optional analytics and marketing. Document each purpose separately rather than collapsing them.
Vioma core processing happens in Germany, so the booking data stays inside the EEA. Some integrations such as payment providers, OTA channels, or analytics tools can trigger non EEA transfers, in which case the hotel must rely on SCCs, the EU US Data Privacy Framework, or another lawful mechanism and run a transfer impact assessment.
Run a DPIA when Vioma is combined with large scale guest profiling, automated marketing, multi property analytics, or processing of vulnerable guests. Document data flows, processors, retention, and safeguards. German DPAs expect a DPIA whenever the risk to data subjects is non trivial.
Configure the consent management platform so the Vioma booking widget loads when the user actively starts a reservation, while optional analytics, marketing, and chat widgets remain blocked until explicit opt in. Test that, when consent is denied, no marketing pixels fire and no profile is built.
Alternatives include SiteMinder, Cloudbeds, Mews, Apaleo, hotelbird, and IBE platforms from Channel Manager vendors. They differ in hosting locations, sub processor lists, and pricing. The compliance assessment remains structurally the same: cookies, processors, transfers, and lawful bases.
Review the cookie policy at least quarterly, after each Vioma module update, and whenever you add or remove integrations such as analytics, channel managers, or payment providers. List name, purpose, duration, and first or third party status for each cookie.