← Back to HotelOS

Privacy Policy

This Privacy Policy explains how HotelOS ("HotelOS", "we", "us", "our") collects, uses, shares and protects personal data in connection with our website (hotelos.org) and our hotel management software (together, the "Service"). We are committed to processing personal data lawfully, fairly and transparently in line with the EU General Data Protection Regulation (GDPR) and the data-protection law of Bosnia and Herzegovina.

1. Our Two Roles: Controller and Processor

It is important to understand in which capacity we act:

• As a data controller — for personal data of website visitors, sales leads, and the staff/contact persons of our business customers (e.g. account holders, billing contacts). For this data we decide the purposes and means of processing, and this Policy applies directly.
• As a data processor — for the personal data that a customer (a hotel, pansion or B&B) enters about its own guests and operations (the "Customer Data"). In that case the customer is the data controller and we process Customer Data only on the customer's documented instructions, under a Data Processing Agreement (DPA). The customer is responsible for having a lawful basis and for informing its guests.

2. Data We Collect

From website visitors and leads (we are controller)

• Information submitted via contact/signup forms: hotel name, contact name, email, phone, country, message
• Technical and usage data: IP address, browser type, pages visited, approximate location, collected for security and to improve the Service

From customers using the Service (we are controller for account data)

• Account and billing data: business name, address, tax/VAT number, staff usernames, hashed passwords, roles, subscription and payment status

Customer Data you enter into the Service (we are processor)

• Guest information you choose to record (e.g. names, contact details, nationality, identity/passport numbers, stay history)
• Operational data (reservations, invoices, payment records, housekeeping notes)

Identity/passport numbers can be sensitive. You should only enter such data where you have a lawful basis and a genuine business or legal need (e.g. local guest-registration requirements), and you remain responsible for that data as its controller.

3. Legal Bases for Processing (GDPR Art. 6)

• Performance of a contract — to create accounts, provide and operate the Service, and process payments
• Legitimate interests — to secure the Service, prevent fraud and abuse, and improve our product (balanced against your rights)
• Consent — where you submit a form or opt in to communications; you may withdraw consent at any time
• Legal obligation — to keep financial/tax records and respond to lawful requests

4. How We Use Data

• To provide, operate, secure and improve the Service
• To process subscriptions and payments via third-party payment processors
• To send service-related communications (notifications, subscription reminders, support)
• To comply with legal, tax and accounting obligations

We do not sell or rent personal data, and we do not share it with third parties for their own marketing.

5. Sub-processors and Sharing

We share data only with vetted service providers ("sub-processors") who process it on our behalf under contractual data-protection obligations, and with authorities where legally required. Our current sub-processors include:

Sub-processor	Purpose	Location
Hostinger (hosting / VPS)	Application hosting, database, backups	EU (Frankfurt, Germany)
Cloudflare	DNS, CDN, TLS, security	EU / global edge
Payment processor (e.g. Stripe), when card payments are enabled	Subscription billing	EU / USA
Email/SMTP provider, when email is enabled	Transactional emails	EU

We will keep this list current and notify active customers of material changes.

6. International Data Transfers

Our primary hosting is in the EU (Frankfurt). Where a sub-processor processes data outside the European Economic Area (for example a payment processor in the USA), such transfers are protected by appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) or an adequacy decision.

7. Storage and Security

Data is stored on EU servers in Frankfurt, Germany. We apply industry-standard safeguards including:

• Encryption of data in transit (TLS/HTTPS)
• Passwords hashed with bcrypt; signed (JWT) session tokens
• Per-hotel data isolation (each customer's data is logically separated)
• Server-side validation, access controls and daily encrypted backups

No method of transmission or storage is 100% secure, but we work to protect your data and to continually improve our safeguards.

8. Data Breach Notification

If we become aware of a personal-data breach likely to result in a risk to individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, and we will inform affected customers as required by law so that controllers can meet their own obligations.

9. Data Retention

We retain account and Customer Data for as long as the account is active. After termination, data is kept for 30 days to allow recovery, then permanently deleted, except where longer retention is required by law (e.g. invoices and financial records, typically up to 10 years). Lead/contact-form data is kept only as long as needed to respond and follow up.

10. Your Rights

Subject to applicable law, you have the right to: access your personal data; correct inaccurate data; request erasure ("right to be forgotten"); export your data in a portable format; object to or restrict processing; and withdraw consent at any time. You also have the right to lodge a complaint with a supervisory authority — in Bosnia and Herzegovina, the Personal Data Protection Agency (AZLP), or your local EU data-protection authority.

To exercise your rights, contact us using the details below. If we act as processor for your guests' data, please direct guest requests to the relevant hotel (the controller); we will assist that hotel as required.

11. Cookies

The website uses only essential cookies/local storage (session and language preference). We do not use third-party advertising or cross-site tracking cookies. The Service stores authentication tokens in your browser to keep you signed in.

12. Children's Privacy

HotelOS is a business tool not intended for individuals under 16, and we do not knowingly collect their personal data.

13. Automated Decision-Making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active customers, and the "Last updated" date above will reflect the latest revision.

15. Contact

For privacy questions or to exercise your rights, contact us:

• Email: [email protected]
• Phone: 062 229 466
• Operator / registered details: [legal entity name, registration number and registered address — to be completed]