Privacy & Security Policy

Last updated: December 17, 2025

1. Introduction

At Hotelierly ("we," "our," or "us"), we are committed to protecting the privacy and security of your hotel's data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access our platform. We operate on a principle of Privacy by Design, ensuring that your operational data remains isolated and secure.

2. Data We Collect

  • Account Information: Name, email address, hotel name, and billing details.
  • Operational Data: Reports (PDF, Excel, CSV) that you upload or email to the platform.
  • Usage Data: Information on how you interact with the dashboard, including pages viewed and features used.
  • Cookies: Small data files stored on your device to manage sessions and preferences.

3. Data Isolation

We explicitly define how your data interacts with our systems:

  • No Public Training: Your data is NEVER used to train public models.
  • Data Isolation: Each hotel workspace is logically isolated.
  • Ephemeral Processing: When our system analyzes a report.

4. Data Retention

We retain your operational data only as long as necessary to provide our services:

  • Active Accounts: Data is retained while your subscription is active.
  • Inactive Accounts: Data is retained for 365 days after the last activity to allow for re-activation.
  • Deletion: Upon request or account termination, all data is permanently deleted within 30 days.

5. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the services you signed up for.
  • Legitimate Interests: Processing for service improvement, security, fraud prevention, and analytics.
  • Consent: Where you have given explicit consent (e.g., marketing communications).
  • Legal Obligation: Processing required to comply with applicable laws.

6. Your GDPR Rights

If you are accessing our services from the European Economic Area (EEA), you have the following rights:

Right to Access

Request copies of your personal data.

Right to Rectification

Correct any information you believe is inaccurate.

Right to Erasure

Request that we delete your personal data.

Right to Restrict Processing

Request that we restrict the processing of your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests.

Right to Lodge a Complaint

You may lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

7. International Data Transfers

Your data may be transferred to, and processed in, countries outside the European Economic Area (EEA), including the United States where our infrastructure providers operate.

When we transfer data outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide safeguards for data transfers.
  • Adequacy Decisions: Transfers to countries deemed adequate by the European Commission.
  • Data Processing Agreements: Binding agreements with our sub-processors.

8. Data Protection Officer

For privacy-related inquiries, data subject requests, or to exercise your GDPR rights, please contact our Data Protection Officer:

[email protected]

We will respond to your request within 30 days.

9. General Contact

For general questions about this Privacy Policy or our services:

10. Sub-processors

We use the following third-party service providers to process your data:

Provider       Purpose                  Location
Neon           Database hosting         USA (AWS)
Cloudflare     File storage (R2)        Global
Vercel         Application hosting      USA
Google Cloud   AI processing (Gemini)   USA
Upstash        Caching (Redis)          Global
Sentry         Error monitoring         USA

All sub-processors have entered into Data Processing Agreements with us and maintain appropriate security certifications.