GuestToPhone

GDPR & Privacy Policy

Last updated: 24 May 2025

1. Data Controller

The data controller for the GuestToPhone service is the legal entity operating this platform ("we", "us", "our"). For any questions about this policy or your rights, contact us at [email protected].

2. What Data We Process

2.1 Hotel account data

  • Business email address and account name used for registration
  • Billing information (processed by our payment provider, not stored by us)
  • Hotel name and settings configured in the dashboard

2.2 Guest data (uploaded by hotels)

Hotels upload reservation data from their Property Management System (PMS). This typically includes:

  • Guest first name and last name
  • Guest phone number (mobile)
  • Check-in and check-out dates
  • Room number and booking reference
  • Email address (optional)

Important: The hotel ("data controller" for their guests) is responsible for having the appropriate legal basis to upload and process guest personal data. GuestToPhone acts as a data processor on behalf of the hotel under Article 28 GDPR.

2.3 Usage data

  • Login timestamps and IP addresses (security logs, retained 90 days)
  • Sync operation logs (count of contacts pushed, errors)
  • No behavioural tracking, no advertising pixels

3. Legal Basis for Processing

  Data                 Legal basis
  Hotel account data   Contract performance (Art. 6(1)(b) GDPR)
  Guest contact data   Legitimate interest of hotel + contractual obligation to guests (Art. 6(1)(b)(f))
  Security logs        Legitimate interest — fraud prevention (Art. 6(1)(f))

4. Data Retention

  • Guest contacts in CardDAV — automatically deleted from the sync address book after check-out + the hotel's configured retention period (default: 1 day after checkout). The hotel can adjust this window in Settings.
  • Reservation records in our database — retained for 90 days after deletion from CardDAV for audit/sync purposes, then permanently deleted.
  • Hotel account data — retained as long as the account is active. Deleted within 30 days of account cancellation on written request.
  • Security logs — retained for 90 days.

5. Data Sharing & Sub-Processors

We do not sell personal data. We share data only with the following sub-processors:

  Sub-processor            Purpose                                              Location
  Hetzner / VPS provider   Infrastructure hosting                               EU (Germany)
  Tailscale Inc.           Secure tunnel for CardDAV (self-hosted instances)    USA (SCCs)

All EU-based processing. For USA sub-processors, Standard Contractual Clauses (SCCs) apply.

6. Security

  • All connections encrypted with TLS 1.2+ (HTTPS)
  • Passwords stored using bcrypt hashing (never stored in plain text)
  • CardDAV credentials unique per hotel account
  • Access to production systems restricted to authorised personnel only
  • Regular automated backups with encryption at rest

7. Your Rights (GDPR)

If you are an EU resident, you have the right to:

  • Access — request a copy of personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — request deletion of your data
  • Restriction — limit processing in certain circumstances
  • Portability — receive data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Complaint — lodge a complaint with your national supervisory authority

To exercise any right, email [email protected]. We will respond within 30 days.

8. Cookies

We use only technically necessary session cookies (NextAuth.js) required for authentication. No tracking cookies, no analytics cookies, no advertising cookies.

  Cookie                         Purpose                  Expiry
  next-auth.session-token        Authentication session   30 days
  __Host-next-auth.csrf-token    CSRF protection          Session

9. Data Processing Agreement (DPA)

Hotels processing EU guest data through GuestToPhone must sign a Data Processing Agreement, as required by Article 28 GDPR. Contact us at [email protected] to obtain the DPA.

10. Changes to This Policy

We may update this policy to reflect changes in law or our practices. Material changes will be notified by email to registered accounts at least 30 days before taking effect. The "last updated" date at the top of this page always shows the current version date.