1. Roles of the parties
The customer acts as data controller for its guests' data. Guest Intelligence acts as data processor and processes such data exclusively on documented instructions from the customer.
2. Categories of data and data subjects
Data processed: identity, contact details, stay history, preferences, written exchanges with the hotel. Data subjects: past, present and prospective guests of the property.
3. Processing location
Data is hosted and processed exclusively within the European Union (France and Germany). No transfer outside the EU occurs without appropriate contractual safeguards and prior notice to the customer.
4. Security measures
TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control, access logging, encrypted daily backups, annual penetration tests.
5. Sub-processors
Guest Intelligence maintains an up-to-date list of sub-processors and notifies the customer of any change. The customer may object on legitimate grounds within 30 days.
6. Assistance to the controller
Guest Intelligence assists the customer in responding to data subject requests, conducting data protection impact assessments, and notifying breaches within statutory timeframes.
7. Breach notification
Any personal data breach is notified to the customer without undue delay and at the latest within 48 hours of discovery, with the information needed to assess and notify the supervisory authority.
8. End of service
At the end of the contract, the customer chooses between full data return and secure deletion. Unless retention is required by law, all data is deleted within 30 days and a deletion certificate is provided on request.