Privacy Policy

1. Who We Are

EasyBeds HMS Ltd ("EasyBeds HMS", "we", "us", "our") is the data controller for personal data collected through the EasyBeds HMS hotel management platform and website. We are committed to protecting your personal data and your rights under the General Data Protection Regulation (GDPR) and applicable data protection laws.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number, and password when you register
• Property Information: Hotel name, address, room details, rates, and policies you enter into the system
• Billing Information: Payment method details (processed securely by our payment processors — we do not store full card numbers)
• Guest Data: Information about your hotel guests that you enter or that flows from OTA bookings (names, contact info, stay details)
• Communications: Messages you send to our support team

2.2 Information We Collect Automatically

• Usage Data: Pages visited, features used, time spent, clicks, and navigation patterns
• Device Information: IP address, browser type, operating system, and device identifiers
• Log Data: Server logs including access times, error logs, and API request logs
• Cookies: Session tokens, preference cookies, and analytics cookies (see our Cookie Policy)

2.3 Information from Third Parties

• OTA Booking Data: Reservation data from Booking.com, Expedia, Airbnb, and other connected channels via Channex.io
• Payment Processors: Transaction confirmation data from Stripe, Adyen, PayPal, and other connected gateways

3. How We Use Your Information

We use your information for the following purposes, relying on the following legal bases under GDPR:

4. How We Share Your Information

We do not sell your personal data. We share information only in these circumstances:

• Service Providers: Trusted third-party vendors who assist in operating our service (cloud hosting, payment processing, email delivery, analytics). They process data only on our instructions and under strict confidentiality agreements.
• OTA Channel Partners: Availability, rate, and booking data is exchanged with connected OTA channels (Booking.com, Expedia, etc.) and the Channex.io intermediary as necessary to provide the Channel Manager feature.
• Payment Processors: Your payment details are processed by our PCI-compliant payment partners (Stripe, Adyen, etc.). We do not store raw card numbers.
• Legal Requirements: We may disclose information where required by law, court order, or to protect the rights, property, or safety of EasyBeds HMS, our users, or the public.
• Business Transfer: In the event of a merger, acquisition, or sale of all or part of our assets, your data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

5. Guest Data — Important Notice for Hotel Operators

As a hotel operator using EasyBeds HMS, you input and manage personal data about your hotel guests. In this context:

• You are the Data Controller for your guests' personal data
• EasyBeds HMS acts as a Data Processor on your behalf
• You are responsible for informing your guests about how their data is used and for obtaining any necessary consents
• Our Data Processing Agreement (DPA) governs our responsibilities as your data processor

6. Data Retention

We retain your personal data for as long as necessary to:

• Provide the Service to you (for the duration of your subscription)
• Comply with legal obligations (e.g., financial records for 7 years)
• Resolve disputes and enforce our agreements

Upon account termination, we will retain your data for 30 days to allow data export, after which it will be securely deleted. Anonymized aggregate data may be retained indefinitely for analytics purposes.

7. Data Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.3
• All data at rest is encrypted using AES-256-GCM
• Payment credentials are stored with AES-256-GCM encryption
• Access controls and role-based permissions limit data access to authorized personnel
• Regular security audits and penetration testing
• We are PCI-DSS Level 1 compliant for payment data handling

Despite these measures, no method of transmission or storage is 100% secure. We will notify you of any data breach that affects your personal data within 72 hours of becoming aware of it, as required by GDPR.

8. International Data Transfers

Your data may be processed in countries outside your own, including countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

9. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Cookies

We use cookies and similar technologies on our website and platform. For full details about the cookies we use and how to manage them, please see our Cookie Policy.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us and we will delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice within the platform at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Our Privacy Team