HotelPulseHotelPulse
Home

Data Security

As of: 4 May 2026

1. Overview

HotelPulse takes the security of your data seriously. This page describes our technical and organizational measures to protect your data. Full legal documentation is available in our Privacy Policy.

2. Hosting and Infrastructure

HotelPulse runs on Vercel (EU region Frankfurt, SOC 2 Type 2 certified). The PostgreSQL database is operated by Supabase in an EU region. All connections are encrypted with TLS 1.3. Core data does not leave the EU.

3. Encryption

OAuth tokens are encrypted with AES-256-GCM in the database. Sessions use signed HTTP-Only cookies (Secure, SameSite=Lax). All data transmission is via TLS 1.3. Sensitive data is never stored in plaintext.

4. Apaleo Integration

The Apaleo connection uses OAuth 2.0 Authorization Code Flow — no password is stored. HotelPulse has read-only access (reservations.read, folios.read, account.read, rateplans.read, reports.read). Token refresh occurs automatically with rotation. The connection can be revoked at any time via Apaleo or HotelPulse settings.

5. Data Minimization

In line with GDPR Art. 5(1)(c), we only store data necessary for the service. Core analytics processes reservation and financial data per property and uses pseudonymized or hashed contact identifiers where possible. Guest first and last names plus country codes may be stored where required for repeat-guest recognition and dashboard notes. Optional Email and WhatsApp modules process message content, drafts and contact identifiers (email/phone) only when explicitly enabled by the hotel. We do not store passport data, birth dates or postal addresses unless a future enabled module explicitly requires it.

6. Access Control and Multi-Tenancy

HotelPulse uses role-based access control (OWNER, ADMIN, VIEWER). Multi-tenancy ensures strict data separation per organization. Every database query filters by propertyId or orgId — cross-tenant access is technically excluded. All admin accesses are protected by two-factor authentication (2FA).

7. Third-Party Providers and Sub-Processors

EU/EEA providers

  • Apaleo GmbH (Munich, Germany) — PMS data source, OAuth 2.0, read-only
  • Supabase Inc. (EU region) — PostgreSQL database hosting
  • Vercel Inc. (EU region Frankfurt) — application hosting, SOC 2 Type 2

Third-country providers (USA)

Transfers are based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or the EU-US Data Privacy Framework.

  • Stripe Inc. — payment processing (PCI DSS Level 1, DPF certified)
  • Anthropic PBC — AI analysis via Claude API; dashboard metrics and, for enabled Email/WhatsApp AI features, the message context required to generate draft replies (transfer basis: SCC)
  • Google LLC — Google Analytics 4 (consent only), Google OAuth, SMTP via Gmail Workspace (DPF)
  • Functional Software Inc. (Sentry) — error tracking + session replay with PII masking (consent only; DPF)
  • Meta Platforms Inc. — marketing intelligence feature (consent only, optional; DPF)

8. Data Backup and Deletion

Retention periods per data category:

  • Account and reservation data: up to 30 days after cancellation
  • Server and security logs: 30 days
  • Sentry error logs: 90 days (only with consent)
  • Google Analytics: 14 months (only with consent)
  • Database backups: 35 days rolling, encrypted

Immediate deletion of your data is possible at any time on request: start@aiautomationagency.de

9. Cookies

HotelPulse sets cookies in two categories:

Strictly necessary (no consent required):

  • hp-session — authentication (HTTP-Only, Secure, SameSite=Lax, 7 days)
  • NEXT_LOCALE — language preference (1 year)

Consent-based (after active consent in the cookie banner):

Google Analytics 4 (reach measurement with IP anonymization) and Sentry Session Replay (error diagnostics with PII masking). Both can be revoked at any time via the Cookie Settings link in the footer.

10. Technical and Organizational Measures (TOMs)

Additional security measures:

  • Role-based access control (RBAC: OWNER / ADMIN / VIEWER)
  • Two-factor authentication (2FA) for all admin accounts
  • Employees are bound by written confidentiality agreements
  • Regular vulnerability scans and dependency updates (Dependabot)
  • Documented incident-response processes
  • Encrypted database backups, 35 days rolling

11. Contact for Security Inquiries

For data security questions or suspected security incidents, contact us at start@aiautomationagency.de. Full legal details: Privacy Policy.

Data Security | HotelPulse