🇪🇺 GDPR

GDPR Compliance

Last updated: March 18, 2026 · Applicable to EEA, UK, and global users

Our GDPR Commitment

EasyBeds HMS is fully compliant with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. As both a Data Controller (for platform users) and a Data Processor (for hotel guest data), we take our data protection obligations seriously and have implemented comprehensive safeguards to protect personal data.

1. About GDPR

The General Data Protection Regulation (GDPR) is a European Union regulation that gives individuals greater control over their personal data and imposes obligations on organizations that collect and process that data. The UK has adopted equivalent legislation ("UK GDPR") following Brexit.

GDPR applies to EasyBeds HMS because we:

  • Process personal data of individuals in the EU and UK
  • Offer goods and services to individuals in the EU
  • Monitor the behavior of individuals in the EU

2. Data Controller vs. Data Processor

EasyBeds HMS operates in two distinct roles under GDPR:

As Data Controller

When processing data about our own customers (hotel owners, managers, and staff using EasyBeds HMS):

  • We determine the purposes and means of processing
  • We are responsible for lawful processing
  • We must respond to your rights requests
  • Contact: [email protected]

As Data Processor

When processing data about hotel guests on behalf of our hotel operator customers:

  • We act under instructions from the hotel operator
  • The hotel operator is the Data Controller
  • We have a Data Processing Agreement (DPA) in place
  • Hotel operators must comply with GDPR for their guests

3. Your Rights Under GDPR

GDPR grants individuals a comprehensive set of rights regarding their personal data. Here is how each right applies to your use of EasyBeds HMS:

📋

Right of Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this within 30 days in a commonly used electronic format.

How to exercise: Email [email protected] with subject "Data Access Request"
✏️

Right to Rectification (Article 16)

If we hold inaccurate or incomplete personal data about you, you can request that we correct it. You can also update most information directly within your account settings.

How to exercise: Update in Account Settings, or email [email protected]
🗑️

Right to Erasure — "Right to be Forgotten" (Article 17)

You can request deletion of your personal data. We will comply unless we have a legitimate legal reason to retain it (e.g., financial records required by law). Guest data will be anonymized or deleted upon request.

How to exercise: Email [email protected] with subject "Erasure Request"
⏸️

Right to Restriction of Processing (Article 18)

You can request that we restrict how we process your data while a dispute is being resolved or while you verify the accuracy of your data.

How to exercise: Email [email protected] with subject "Restriction Request"
📦

Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another service provider.

How to exercise: Use the "Export My Data" option in Account Settings, or email [email protected]
🚫

Right to Object (Article 21)

You can object to processing based on legitimate interests, including profiling and direct marketing. Upon receiving an objection to marketing, we will stop immediately.

How to exercise: Unsubscribe from emails or email [email protected]
🤖

Rights Related to Automated Decision-Making (Article 22)

EasyBeds HMS does not make fully automated decisions that produce significant legal effects. Our AI pricing suggestions always require human approval before they are applied.

How to exercise: Contact [email protected] if you have concerns
🔙

Right to Withdraw Consent (Article 7)

Where processing is based on your consent (e.g., marketing emails), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise: Unsubscribe link in any marketing email, or email [email protected]

4. Legal Bases for Processing

EasyBeds HMS processes personal data under the following GDPR legal bases:

Contract Performance (Art. 6(1)(b))
Processing necessary to provide the EasyBeds HMS service to you, including account management, billing, and core platform features.
Legitimate Interests (Art. 6(1)(f))
Service improvement, security monitoring, fraud prevention, customer support, and product analytics — where our interests don't override your rights.
Legal Obligation (Art. 6(1)(c))
Processing required to comply with laws, such as retaining financial records, responding to legal requests, or tax obligations.
Consent (Art. 6(1)(a))
Marketing communications, analytics cookies, and advertising — only where you have given clear, informed, freely given, and revocable consent.

5. Data Processing Agreement (DPA) for Hotel Operators

As a hotel operator using EasyBeds HMS to manage your guests' personal data, GDPR requires a Data Processing Agreement (DPA) between you (as Data Controller) and EasyBeds HMS (as Data Processor). This DPA:

  • Defines the scope, nature, and purpose of the data processing
  • Commits EasyBeds HMS to process data only on your documented instructions
  • Sets out security and confidentiality obligations
  • Addresses sub-processor management and notification requirements
  • Provides for data breach notification (we notify you within 24 hours of discovery)
  • Covers data subject rights assistance — we will help you respond to your guests' rights requests
  • Covers data deletion upon termination of the service relationship

Request your DPA

Our standard DPA is automatically incorporated into our Terms of Service for all paying subscribers. If you require a signed copy or a custom DPA for compliance purposes, contact us at [email protected].

6. Sub-Processors

EasyBeds HMS uses the following sub-processors to deliver the service. All sub-processors are bound by contractual obligations to protect personal data at least as stringently as required by GDPR:

Sub-Processor | Purpose | Location | Safeguard
AWS / Cloud Hosting | Infrastructure and data storage | EU (Ireland) | Adequacy
Stripe | Payment processing | EU / USA | SCCs + PCI-DSS
Channex.io | OTA channel connectivity | EU | DPA
SendGrid / Postmark | Transactional email delivery | USA | SCCs
Google Analytics | Website analytics (anonymized) | USA | SCCs + Consent
Sentry | Error monitoring and debugging | USA | SCCs

We will notify subscribers of material changes to our sub-processor list at least 30 days in advance.

7. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA) or UK, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to countries without an adequacy decision
  • Adequacy Decisions: We prefer sub-processors located in countries with EU adequacy decisions where possible
  • UK International Data Transfer Agreements (IDTAs): Used for UK data transfers where required

8. Data Breach Response

EasyBeds HMS has a documented data breach response procedure:

  • Within 1 hour: Incident triage — assess severity, scope, and affected data
  • Within 24 hours: Notify affected hotel operators (Data Controllers) if guest data is involved
  • Within 72 hours: Report to the relevant Supervisory Authority (ICO for UK, relevant DPA for EU) if required by GDPR Article 33
  • Without undue delay: Notify affected individuals if there is a high risk to their rights and freedoms (Article 34)

9. Privacy by Design

EasyBeds HMS implements privacy by design and by default principles throughout our product development:

  • Data Minimization: We collect only the data necessary for the specific purpose
  • Purpose Limitation: Data collected for one purpose is not repurposed without justification
  • Storage Limitation: Data is retained only as long as necessary
  • Integrity & Confidentiality: Data is protected with appropriate technical and organizational measures
  • Accountability: We maintain records of processing activities (Article 30 register)
  • Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing activities

10. Supervisory Authority & Complaints

If you believe EasyBeds HMS has violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In EU member states, the relevant national data protection authority applies.

UK ICO: ico.org.uk · 0303 123 1113

EU DPAs: EDPB Members list

We ask that you first contact us at [email protected] before lodging a formal complaint, so we have an opportunity to resolve your concern directly.

11. Contact Our Data Protection Team

Data Protection Contact: [email protected]

DPA / Legal requests: [email protected]

Company: EasyBeds HMS Ltd

We will acknowledge your request within 5 business days and respond fully within 30 days as required by GDPR Article 12.