Data Security

Last updated: April 2026

1. Overview

HotelPulse takes the security of your data seriously. This page describes our technical and organizational measures to protect your data.

2. Hosting & Infrastructure

Our application is hosted on Vercel (EU Region), which is SOC 2 Type 2 certified. The PostgreSQL database is also located in the EU. All connections are encrypted with HTTPS/TLS 1.3. No data is transferred outside the EU.

3. Encryption

OAuth tokens are encrypted with AES-256-GCM in the database. Sessions use signed HttpOnly cookies (Secure, SameSite=Lax). All data transmission uses TLS 1.3 (HTTPS). Sensitive data is never stored in plain text.

4. Apaleo Integration

The connection to Apaleo uses the OAuth 2.0 Authorization Code Flow, so no password is stored. HotelPulse has read-only access to reservations, financial data, and property configuration. Token refresh is automatic with rotation. The connection can be revoked at any time via Apaleo or HotelPulse.

5. Data Minimization

In accordance with GDPR Art. 5(1)(c), we only store data necessary for the service. No personal guest data is stored — no email addresses, phone numbers, or addresses of hotel guests. We only process aggregated reservation and financial data. Guest scoring is based on anonymized booking characteristics.

6. Access Control

HotelPulse uses a role-based access control system (Owner, Admin, Viewer). Multi-tenancy ensures strict data separation per organization. Every database query filters by propertyId or orgId — cross-tenant access is technically impossible.

7. Third Parties & Sub-Processors

  • Apaleo GmbH — PMS data source
  • Stripe Inc. — Payment processing (PCI DSS Level 1)
  • Anthropic PBC — AI analysis (Claude API, aggregated KPI data only, no PII)
  • Vercel Inc. — Hosting (EU Region, SOC 2 Type 2)

8. Data Backup & Deletion

The database is backed up daily. Upon cancellation, all data is completely deleted within 30 days. Immediate deletion is available upon request. Contact: start@aiautomationagency.de

9. Cookies

HotelPulse uses only technically necessary cookies — no tracking.

  • session — Authentication (HttpOnly, Secure, 7 days)
  • NEXT_LOCALE — Language preference (1 year)

10. Security Contact

For questions about data security, contact us at start@aiautomationagency.de. Our complete privacy policy is available on the Privacy Policy page.