HotelPulseHotelPulse
Home

Privacy Policy

As of: 4 May 2026

1. Data Controller

AI Automation Agency UG (haftungsbeschränkt) Querstraße 6, 14163 Berlin, Germany Email: start@aiautomationagency.de

Data Protection Officer

We have not appointed a DPO as we do not meet the legal thresholds (fewer than 20 persons with regular data processing, no extensive processing of special categories). For data protection inquiries: start@aiautomationagency.de

2. Data We Process

2.1 Data from Your Apaleo Account

HotelPulse processes the following data from your Apaleo account:

  • Reservation data (arrival, departure, room category, channel, revenue)
  • Financial data (revenue per room, total revenue)
  • Property data (name, city, room count)
  • Account data (email address of the connecting user)

Core analytics is data-minimized: reservation and financial data are analyzed per property, and contact identifiers are hashed or pseudonymized where possible. Guest first and last names plus country codes may be stored where required for repeat-guest recognition or dashboard notes. Optional Email and WhatsApp modules process message content, drafts and contact identifiers (email/phone) only after active setup by the hotel. We do not store passport data, birth dates or postal addresses unless a future enabled module explicitly requires it.

Apaleo OAuth scopes: Read-only access (reservations.read, folios.read, account.read, rateplans.read, reports.read). HotelPulse does not modify your Apaleo data.

2.2 Automatically Collected Server Data

When you access our platform, our hoster (Vercel) automatically logs: IP address (truncated after 7 days), timestamp, browser type, operating system, requested URL, HTTP status code. Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: IT security, defense against attacks (brute-force, DDoS), error diagnostics, stability assurance. Retention: 30 days, then automatic deletion. No combination with other data sources, no profiling.

2.3 Data of Customer Contact Persons

In the context of business relationships, we process data of contact persons at hotel customers: first and last name, business email, phone number (if provided), role at the hotel. Purpose: contract initiation, demo appointments, support, account management. Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in maintaining the business relationship).

3. Purpose of Processing

  • Calculation of hotel KPIs (occupancy, ADR, RevPAR)
  • Display in dashboard and reports
  • AI-based insights and revenue forecasts
  • Notifications (email briefings, KPI alerts)

4. Legal Basis

Processing is based on the following legal grounds:

  • Art. 6(1)(b) GDPR (contract performance) — for the core service
  • Art. 6(1)(c) GDPR (legal obligation) — retention of invoice data per German HGB/AO (10 years)
  • Art. 6(1)(f) GDPR (legitimate interest) — specifically: IT security and abuse prevention (server logs), stability and performance monitoring, B2B business relationship management, direct marketing to existing customers (§ 7(3) UWG), assertion and defense of legal claims
  • Art. 6(1)(a) GDPR (consent) — analytics (Google Analytics 4), error tracking (Sentry), marketing features. You may withdraw consent at any time via ‘Cookie settings’ in the footer.

5. Necessity of Data Provision

The provision of the data listed under Section 2 is contractually required to use HotelPulse. Without the Apaleo OAuth connection and the account email, we cannot provide the service (no KPI calculation, no dashboard). There is no statutory obligation to provide the data. Consequence of non-provision: contract conclusion or service use is not possible.

6. Recipients and Processors

We use the following processors (Art. 28 GDPR). A data processing agreement (DPA) has been concluded with all of them.

EU/EEA providers

  • Apaleo GmbH (Munich, Germany) — PMS data source, OAuth 2.0 connection, read-only
  • Supabase Inc. (EU region) — PostgreSQL database hosting
  • Vercel Inc. (EU region Frankfurt) — application hosting

Third-country providers (USA)

Transfers are based on the safeguards listed per provider below (EU Standard Contractual Clauses per Art. 46(2)(c) GDPR and/or the EU-US Data Privacy Framework per Art. 45 GDPR).

  • Stripe, Inc. — payment processing, PCI DSS Level 1 (transfer basis: EU-US Data Privacy Framework)
  • Anthropic PBC — AI analysis via Claude API; dashboard metrics and, for enabled Email/WhatsApp AI features, the message context required to generate draft replies (transfer basis: EU Standard Contractual Clauses)
  • Google LLC — Google Analytics 4 (consent only), Google OAuth (for GA4 connection), SMTP via Gmail Workspace (transfer basis: EU-US Data Privacy Framework)
  • Functional Software, Inc. (Sentry) — error tracking and session replay with PII masking (consent only; transfer basis: EU-US Data Privacy Framework)
  • Meta Platforms, Inc. — marketing intelligence feature (consent only, optional; transfer basis: EU-US Data Privacy Framework)

7. Relationship HotelPulse / Hotel as Controller

Depending on the enabled modules, HotelPulse processes personal data on behalf of the hotel, especially for Email, WhatsApp, support and export features. Where HotelPulse processes personal data on behalf of the hotel, we act as a processor within the meaning of Art. 28 GDPR and provide a Data Processing Agreement (DPA). For analytics-only use, processing remains data-minimized and, where possible, pseudonymized.

8. Storage Location and Security (TOMs)

All core data is stored in the EU (Vercel Frankfurt, Supabase EU region). OAuth tokens are encrypted with AES-256-GCM. Sessions use signed HTTP-Only cookies (SameSite=Lax, Secure). Data transmission is encrypted via TLS 1.3.

Technical and organizational measures (TOMs):

  • Two-factor authentication (2FA) for all admin accounts
  • Role-based access control (RBAC: OWNER / ADMIN / VIEWER)
  • Employees are bound by written confidentiality agreements
  • Regular vulnerability scans and dependency updates (Dependabot)
  • Documented incident-response processes
  • Encrypted backups, 35 days rolling

9. Retention and Deletion

We retain data only as long as necessary:

  • Account and reservation data: up to 30 days after cancellation
  • Invoice and payment data: 10 years (§ 257 HGB, § 147 AO)
  • Server and security logs: 30 days
  • Sentry error logs: 90 days (only with consent)
  • Google Analytics data: 14 months (only with consent)
  • Database backups: 35 days rolling

You may request immediate deletion of your data at any time.

10. Cookies and Similar Technologies

10.1 Strictly necessary cookies (§ 25(2) TDDDG, no consent required)

  • hp-session — authentication (HTTP-Only, Secure, SameSite=Lax, validity: 7 days)
  • NEXT_LOCALE — language preference DE/EN/FR/ES/IT (validity: 1 year)
  • hp-cookie-consent — local storage of your cookie selection (validity: 12 months)
  • hp-cookie-visitor-id — pseudonymous ID for consent evidence; server-side logs store only hashes of visitor ID, IP and user agent

10.2 Consent-based services (§ 25(1) TDDDG, Art. 6(1)(a) GDPR)

These services load only after active consent in the cookie banner:

  • Google Analytics 4 — reach measurement with IP anonymization (provider: Google LLC, USA; retention: 14 months)
  • Sentry Session Replay — error diagnostics with PII masking (provider: Functional Software, Inc., USA; retention: 90 days)
  • Marketing and campaign measurement — currently no marketing scripts are loaded; this remains a separate consent category for future features

You may withdraw consent at any time via the ‘Cookie settings’ link in the footer.

11. Your Rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). For consent-based processing, you also have the right to withdraw at any time (Art. 7(3) GDPR).

Send requests regarding your rights to start@aiautomationagency.de. We respond within 30 days (Art. 12(3) GDPR).

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection authority (Art. 77 GDPR). The competent authority for us as a provider is:

Berlin Commissioner for Data Protection and Freedom of Information Alt-Moabit 59-61, 10555 Berlin, Germany Email: mailbox@datenschutz-berlin.de

Hotel customers may additionally contact their respective state data protection authority.

13. Automated Decision-Making

HotelPulse uses AI-supported forecasts (revenue forecasts, KPI insights, rate recommendations). These analyses are decision aids for hotel management and do not produce legal effects within the meaning of Art. 22 GDPR. No fully automated decision-making with effects on data subjects takes place. You may request human review of any AI-generated recommendation at any time.

14. Changes to This Privacy Policy

We update this privacy policy when the legal situation, processing purposes or service providers change. The current version is available at https://hotelpulse.app/privacy.

Privacy Policy | HotelPulse