
Tracking and Analytics for CASABLANCA Booking Engine

The CASABLANCA Booking Engine is a highly secure SaaS solution for hotel distribution through which personal data and payment information are processed. As the operator of the platform, we ensure that data security, system integrity, and compliance with international security and data protection standards are technically guaranteed at all times.

Info: The option to use your own custom domain with the CASABLANCA Booking Engine will be available starting with the ’26 Spring Release (April 2026). If you are reading this documentation before the Spring release, please note that the feature will become active automatically once the update is deployed.

Our booking flow is subject to several overlapping legal and contractual frameworks: the EU Payment Services Directive 2 (PSD2), transposed into Austrian law as the Zahlungsdienstegesetz 2018 (ZaDiG 2018), which mandates Strong Customer Authentication; the EU General Data Protection Regulation (GDPR) together with the Austrian Datenschutzgesetz (DSG); the Austrian Telekommunikationsgesetz 2021 (TKG 2021), in particular § 165 (3) governing consent for cookies and tracking technologies; and, as a contractual requirement imposed by our acquirer and payment service provider, the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1, mandatory since 31 March 2025.

Under PCI DSS v4.0.1, requirements 6.4.3 and 11.6.1 do not prohibit dynamically loaded scripts on payment pages outright. Rather, they require that every script executed on a payment page be inventoried, justified as necessary, authorised, and protected against unauthorised modification, and that a change- and tamper-detection mechanism monitor the payment page for unauthorised changes at least once every seven days. These controls are designed to mitigate e-skimming (Magecart-style) attacks by ensuring that no script, whether first- or third-party, can be silently altered to exfiltrate cardholder data.

For this reason, the use of the Google Tag Manager (GTM) or other external script containers is technically excluded on the CASABLANCA Booking Engine. Such tools inject code at runtime (DOM injection) and thereby directly endanger PCI certification and data security.

The use of the Meta Pixel or similar tracking solutions, which transfer personal data to jurisdictions outside the European Union or operate without explicit and legally valid consent, is likewise excluded. The current decision of the Austrian Supreme Court (OGH) from December 2025 confirms that Meta’s personalised advertising model is permissible only under extremely specific opt-in conditions.
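A minimal sketch of the script inventory and change-detection check that requirements 6.4.3 and 11.6.1 call for, added here as an illustration and not CASABLANCA's own implementation. The inventory layout, finding names, file path and the `cdn.example.invalid` host are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha384(content: bytes) -> str:
    """SRI-style digest: 'sha384-' followed by the base64 SHA-384 hash."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects every <script> element: src, integrity attribute, inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def audit_page(html: str, inventory: dict) -> list:
    """Return (finding, detail) tuples for scripts that deviate from the inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for s in collector.scripts:
        if s["src"]:  # external: must be inventoried and still pinned to the baseline hash
            expected = inventory["external"].get(s["src"])
            if expected is None:
                findings.append(("unauthorised-script", s["src"]))
            elif s["integrity"] != expected:
                findings.append(("integrity-mismatch", s["src"]))
        elif sri_sha384(s["body"].encode()) not in inventory["inline"]:
            findings.append(("unauthorised-inline", s["body"].strip()[:40]))
    return findings

# Constructed sample data: an authorised inventory and two page snapshots.
BUNDLE = sri_sha384(b"/* constructed checkout bundle */")
INLINE = "window.bookingConfig = {currency: 'EUR'};"
INVENTORY = {"external": {"/static/checkout.js": BUNDLE}, "inline": {sri_sha384(INLINE.encode())}}
CLEAN = f'<script src="/static/checkout.js" integrity="{BUNDLE}"></script><script>{INLINE}</script>'
CHANGED = CLEAN + '<script src="https://cdn.example.invalid/extra.js"></script><script>var x = 1;</script>'
```

`audit_page(CLEAN, INVENTORY)` returns no findings, while `audit_page(CHANGED, INVENTORY)` flags the extra external script and the unknown inline script. The check works on a static HTML snapshot, so scripts added to the DOM at runtime only appear if the snapshot is taken from a rendered page.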

Native Google Analytics 4 (GA4) Integration

To meet the highest security and data protection requirements, we exclusively offer a native, fully integrated GA4 connection.

This integration is:

  • fully compliant with GDPR and TKG,
  • compatible with Consent Mode V2 (Strict Mode),
  • implemented without third-party code or dynamically loaded scripts.

The system blocks all tracking libraries until the user has given explicit consent, and only then loads the gtag.js library, taking into account all consent signals.

Through the automatic GA4 integration, all relevant e-commerce and booking events (e.g. view_item_list, add_to_cart, purchase) are transmitted securely and in a structured manner. In addition, all common UTM parameters are supported, allowing campaigns (for example, from Google Ads or Meta Ads) to be fully tracked even without GTM or external scripts.

Our Commitment

As a technology provider, it is our foremost goal and responsibility to reliably protect hoteliers and their guests from data protection breaches, penalties, and data leaks.

We understand the desire for maximum marketing flexibility, but our highest priority is the legal compliance and trustworthiness of the booking flow.

The detailed technical specification of the GA4 integration can be found in the document ‘Tracking Factsheet – Technical Specification: Google Analytics 4 (GA4) Integration’.