Privacy Policy

Effective Date: 11 August 2025

1. Purpose and Scope

At Hotelinking, S.L. (“Hotelinking”, “we”, “us”, or “our”), we respect your privacy and are committed to protecting the personal data entrusted to us. This Privacy Policy explains how we collect, use, store, disclose, and protect personal data in the context of our operations and our suite of software-as-a-service (SaaS) solutions:

GuestMaker – Marketing Cloud Captive Portal for Hotel Groups.
WiFiBot – Proactive Network Guardian for Hotel Networks.
Deskforce – Front Desk Automation System for Hotel Groups.

This Privacy Policy applies to the processing of personal data concerning the following categories of individuals:

Customers and authorized users of our SaaS solutions (“Customers”).
Hotel guests whose personal data is collected via Customer use of GuestMaker or Deskforce.
Website visitors, job applicants, marketing leads, and event participants.
End users of customer hotel networks monitored by WiFiBot (technical metadata only).
Any other individuals whose personal data is processed in the course of providing our services.

This Policy is intended to comply with the European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable national laws within Spain and the European Economic Area (EEA).

Hotelinking acts as a:

Data Processor when processing personal data on behalf of our Customers (e.g., hotel guest data captured through GuestMaker or Deskforce).
Data Controller when processing personal data for our own purposes (e.g., website analytics, prospect engagement, account management, employment applications).

For all data protection matters, you may contact us at:

Hotelinking, S.L.
Parc Bit – Edificio Disset, 3rd floor, D9
Palma de Mallorca, Illes Balears, España
CIF: ESB57843185
Email: admin@hotelinking.com
For privacy-related requests: dataprotection@hotelinking.com

2. What Personal Data We Collect

The personal data we collect depends on the nature of your relationship with Hotelinking and the specific Services used. We categorize the data as follows:

a) Hotel Guests (via GuestMaker and Deskforce)

Collected directly through guest interactions with WiFi captive portals, digital check-in flows, or via integrations with the Property Management System (PMS) of the hotel.

Data Categories:

Identifiers: Full name, verified email address, nationality, language.
Device Information: IP address, MAC address, device type, operating system, browser type.
Reservation Metadata: Check-in and check-out dates, booking channel (e.g. OTA, direct), board type, room type, number of companions.
Official Documentation: Scanned ID or passport images (via OCR – Deskforce).
Biometric & Signature Data: Handwritten digital signatures (Deskforce).
Payment Information: Credit card data processed via PCI-DSS compliant third-party gateways (Deskforce).

Note: Hotelinking does not store payment card details. Sensitive data is handled via secure, tokenized channels with authorized payment processors.

b) Hotel IT Staff, Customer Admins, and Users (via WiFiBot or Admin Dashboards)

Collected during account setup and usage of our SaaS platforms for network monitoring, user management, or service operations.

Data Categories:

Identifiers: Name, business email address, phone (if provided), role/title.
Network Metadata: Device MAC addresses, AP/Switch/Gateway identifiers, network performance logs, bandwidth usage, uptime, and connectivity diagnostics.
Account Usage Logs: Login timestamps, IP, browser version, changes made.

Note: WiFiBot processes technical metadata related to hotel infrastructure only and does not process identifiable data about guests.

c) Website Visitors, Prospective Customers, and Event Participants

Collected via our website, landing pages, emails, or events (online and in person).

Data Categories:

Identifiers: Name, email address, company, job title (when provided).
Device & Web Data: IP address, browser type, device type, operating system, language, referring URL.
Behavioral Data: Pages visited, forms submitted, links clicked, cookie identifiers.
Communication Data: Email preferences, campaign opens/clicks, event attendance.

d) Job Applicants and Contractors

When you apply for a role with us or work with us as a service provider.

Data Categories:

Identifiers: Name, contact information.
Professional Data: CV/resume, education history, employment history, references.
Optional Sensitive Data: National ID, work permit, or other eligibility documentation, where required by law.

Note: Any special category data (e.g., health-related accommodations) is collected only when strictly necessary and with your explicit consent.

3. How and Why We Use Personal Data

Hotelinking processes personal data for various purposes, depending on the context of collection. The table below outlines the key purposes, categories of data subjects, and the lawful basis under the GDPR.

Purpose	Who It Applies To	Types of Data	Legal Basis (GDPR)
Provision of our services (GuestMaker, WiFiBot, Deskforce)	Customers, Hotel Guests, Hotel Staff	Contact info, device data, login info, network metrics, reservation metadata	Contractual necessity (Art. 6(1)(b))
Guest identity verification and reservation matching	Hotel Guests	ID/passport, name, reservation data	Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) where required by law
Processing digital check-in/out flows	Hotel Guests	Personal ID data, signatures, reservation info	Contractual necessity (Art. 6(1)(b))
Payment authorization and transaction processing	Hotel Guests	Tokenized payment data, billing metadata	Contractual necessity (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))
Email marketing and communication	Customers, Prospects, Event Participants	Contact info, marketing preferences, engagement metrics	Consent (Art. 6(1)(a)); or Legitimate interest (Art. 6(1)(f)) for B2B
Product improvement and analytics	All Users	Platform usage logs, support interactions, behavioral data	Legitimate interest (Art. 6(1)(f))
Network diagnostics and issue resolution (WiFiBot)	Hotel IT Staff	Infrastructure metadata, MAC addresses, device metrics	Legitimate interest (Art. 6(1)(f))
Compliance with legal obligations	All	Any data required by law or regulation (e.g., guest registrations, tax records)	Legal obligation (Art. 6(1)(c))
Security monitoring and incident response	All	System access logs, event traces, audit trails	Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c))
Responding to data subject rights requests	All	Identity data, communications	Legal obligation (Art. 6(1)(c))

Notes on Special Categories of Data

Hotelinking does not intentionally collect or process Special Category Data under Article 9 GDPR (e.g., health, biometrics, religion), except where:

Required for legal compliance (e.g., ID for check-in verification), or
Explicit consent is obtained (e.g., reasonable accommodation for applicants)

4. Data Sharing and Disclosure

Hotelinking does not sell personal data under any circumstances.

However, in the course of delivering our services, we may disclose personal data to carefully selected third parties. Disclosures are limited to what is strictly necessary and are governed by written agreements that ensure compliance with GDPR and applicable data protection laws.

a) Cloud Infrastructure Providers

We use secure hosting and cloud storage services to operate our platform. These providers have no access to the contents unless required for maintenance or under legal obligation.

Amazon Web Services (AWS) – Primary hosting in Ireland (EU region).
Data remains within the European Economic Area (EEA) by default.

b) Technology Integration Partners

We integrate with trusted systems to enable functionality for our customers.

Integration Type	Examples	Purpose
Property Management Systems (PMS)	Avalon, Opera, Mews, etc.	To verify reservations and match guest records
Customer Relationship Management (CRM)	Cendyn, HubSpot, etc.	To enrich guest profiles and execute campaigns
Identity Verification Services	(e.g., OCR-based tools)	To validate ID documents during digital check-in
Email Delivery Platforms	Mandrill	To send transactional and marketing communications

These systems process data strictly under our instructions and cannot use it for any independent purpose.

c) Payment Processors

For Deskforce’s digital payment capabilities, we integrate with PCI-DSS-compliant third-party payment gateways. Payment credentials are tokenized and never stored on Hotelinking systems.

Examples: Redsys, Stripe, Adyen (as applicable).
All payment data is encrypted and transmitted directly from the guest’s device to the processor.

d) Customer Support Platforms

We may use tools to manage inquiries and support tickets.

Example: Zendesk.
Used for email support, chat support, and ticket resolution.

Support interactions may include name, contact info, log data, or technical metadata when relevant.

e) Legal, Regulatory, and Law Enforcement Authorities

We may disclose personal data when:

Required by applicable law (e.g., guest registration with local authorities).
Necessary to comply with judicial or regulatory proceedings.
Required to protect rights, safety, or property of Hotelinking, its customers, or the public.

All such disclosures are reviewed by legal counsel and recorded where appropriate.

f) Authorized Hotel Group Personnel (Customers)

In the case of guest data, Hotelinking acts as a Data Processor, and personal data is shared with the respective Hotel (Data Controller) under a data processing agreement.

g) Sub-Processors

We maintain a current list of sub-processors which is made available to Customers upon request. All sub-processors are contractually bound to:

Follow Hotelinking’s documented instructions only.
Maintain equivalent or stronger security standards.
Notify of any data breaches or sub-subprocessing.

Hotelinking remains fully responsible for the actions of its sub-processors.

5. International Data Transfers

Hotelinking ensures that personal data is stored and processed in compliance with the General Data Protection Regulation (GDPR) and applicable international data transfer mechanisms under Articles 44–50 of the regulation.

a) Primary Hosting Location

All personal data processed through Hotelinking’s platform is securely hosted in the European Economic Area (EEA):

Amazon Web Services (AWS) infrastructure located in Dublin, Ireland.
All data, including guest, customer, and network information, is processed and stored in data centers within the EU.
AWS Dublin complies with ISO/IEC 27001, ISO/IEC 27018, and SOC 2 standards.

No personal data is routinely transferred outside the EEA during the regular operation of our services.

b) Transfers Outside the EEA (When Applicable)

In limited circumstances, data may be transferred outside the EEA (e.g., use of sub-processors or technical support services). In these cases, we apply one of the following safeguards:

Adequacy Decisions

Transfers are made only to countries that the European Commission has deemed to provide an adequate level of data protection (e.g., United Kingdom, Japan, Canada).

Standard Contractual Clauses (SCCs)

Where an adequacy decision is not available, we rely on the latest version of the Standard Contractual Clauses (SCCs) approved by the European Commission to govern the transfer.

We supplement these clauses with technical and organizational measures, including:

End-to-end encryption.
Access control.
Data minimization.
Regular security audits.

Explicit Consent

In rare and exceptional cases, we may rely on your explicit consent (Article 49 GDPR) for a specific transfer, but only when no other lawful basis is available.

c) Sub-Processors Located Outside the EEA

Some of our ancillary service providers (e.g., for transactional email delivery, threat monitoring, or logging services) may operate infrastructure outside the EEA.

Hotelinking performs strict due diligence before engaging any sub-processor.
All such vendors are contractually bound via SCCs and monitored for GDPR compliance.
A detailed list of active sub-processors and their geographic locations is available upon request or as part of the Customer Data Processing Agreement (DPA).

Hotelinking remains fully liable for the compliance of all sub-processors with data protection laws.

6. Data Retention

Hotelinking retains personal data only for as long as necessary to fulfill the purpose for which it was collected — or to comply with legal, regulatory, or contractual obligations.

The retention periods differ depending on the category of data and applicable context:

a) Hotel Guest Data (GuestMaker, Deskforce)

Data Type	Retention Period	Purpose / Justification
Contact details, reservation metadata, device info	Up to 12 months after end of contractual relationship with hotel customer	Operational use, analytics, and support
ID/passport images, digital signatures	Up to 30 days post check-in (unless local law requires longer)	Identity verification during check-in
Payment metadata (non-cardholder data)	Up to 12 months or as defined in the hotel’s DPA	Proof of transaction or dispute resolution
Pseudonymized analytical data	Indefinitely, in aggregated form	Product improvement and benchmarking

Note: Data processing for guests is performed under instructions from our hotel customers (Data Controllers), and final retention policies may be contractually defined in the Data Processing Agreement (DPA).

b) Hotel Staff and Customer Admin Data (WiFiBot, dashboards)

Data Type	Retention Period	Purpose
User credentials, login data, configuration history	For the duration of the account and up to 12 months after deactivation	Operational continuity, audit trails
Network monitoring metadata	Rolling 30–90 days, depending on customer plan	Issue diagnosis, uptime monitoring

c) Website Visitors, Leads, and Marketing Contacts

Data Type	Retention Period	Purpose
Contact form data, newsletter opt-ins	Until withdrawal of consent or 24 months of inactivity	Direct marketing, lead nurturing
Website analytics & cookies	26 months (e.g., Google Analytics default)	Behavioral analysis, product improvement

d) Job Applicants and Recruitment Data

Data Type	Retention Period	Purpose
CVs, applications, interview records	12 months from conclusion of recruitment process	Future consideration, legal defense
Onboarding documentation (if hired)	Retained under employment file	Employment law compliance

e) Backups and Disaster Recovery

Backups are encrypted and stored in AWS (Ireland) for a default of 30 days, unless a longer retention is required by law or contract.
Backups are automatically deleted after expiration using secure lifecycle policies.
Disaster recovery tests are performed regularly to validate data integrity and availability.

See also: Hotelinking’s [Operations Security Procedure & Backups Policy] for full technical details.

f) Data Disposal and Anonymization

At the end of the retention period, Hotelinking will:

Securely delete personal data from live systems and backups.
Or, where appropriate, irreversibly anonymize the data for statistical or product improvement purposes (e.g., guest engagement benchmarks).

7. Security Measures

Hotelinking implements a comprehensive, multi-layered Information Security Management System (ISMS) to ensure the confidentiality, integrity, and availability of all personal data processed.

We align with industry best practices, including ISO/IEC 27001 principles and SOC II control frameworks, and undergo regular internal and external audits.

a) Technical Security Controls

Control	Description
Data Encryption	– All data is encrypted in transit using TLS 1.2 or higher – All data is encrypted at rest using AES-256 (via AWS KMS with customer-managed keys)
Authentication & Access Controls	– Role-based access control (RBAC) – Mandatory Multi-Factor Authentication (MFA) for all internal systems – Principle of least privilege enforced
Logging & Monitoring	– Continuous monitoring of infrastructure – Audit trails maintained for all system and admin activity – Intrusion detection via tools like AWS GuardDuty
Backup & Recovery	– Daily encrypted backups stored across multiple availability zones in AWS Ireland – Regular disaster recovery tests ensure RPO and RTO objectives are met
Network Security	– Firewalls, VPC segmentation, and Web Application Firewall (WAF) protection – Continuous vulnerability scans and penetration testing cycles

b) Organizational Security Measures

Control	Description
Security Policies	Defined and enforced policies for: Access Control, Incident Management, Data Breach Notification, Vendor Risk Management, Physical Security, and more
Employee Training & Awareness	– Mandatory onboarding and annual security training for all staff – Specific training on data protection, phishing, and secure development practices
Vendor Risk Management	– Sub-processors undergo security reviews and sign GDPR-compliant DPAs – SCCs or adequacy safeguards required for any non-EU vendor
Secure Development Practices	– Code changes peer-reviewed and version-controlled (Git) – CI/CD pipelines include automated security checks and test coverage
Incident Response Plan	– Tiered incident classification (low, medium, high, critical) – Immediate escalation to On-Call Engineers, ISO, and management as needed – Post-incident reviews and root cause analysis performed for all major events

c) Certifications and Framework Alignment

Hotelinking is actively aligned with SOC II Type II controls.
ISMS framework is based on ISO/IEC 27001 standards.
Backups and infrastructure comply with AWS Well-Architected Security Pillar.

8. Your Data Protection Rights (GDPR)

As a data subject under the General Data Protection Regulation (GDPR), you have a number of rights in relation to the personal data we process. Hotelinking is committed to enabling and honoring these rights in a transparent and timely manner, whether we act as Data Controller (e.g., for website visitors or prospects) or as Data Processor (e.g., when processing guest data on behalf of hotel customers).

You may exercise the following rights:

Right	Description
Right of Access (Art. 15)	You can request confirmation on whether we process your personal data, and receive a copy of that data along with details about how it is used.
Right to Rectification (Art. 16)	You can request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)	You can request deletion of your personal data (“right to be forgotten”) when it is no longer necessary or if you withdraw consent.
Right to Restrict Processing (Art. 18)	You can request limitation of data use in certain cases (e.g., during a pending correction or dispute).
Right to Data Portability (Art. 20)	You can request to receive your personal data in a structured, commonly used, machine-readable format and to have it transmitted to another provider.
Right to Object (Art. 21)	You can object to data processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent	Where data is processed based on your consent (Art. 6(1)(a)), you can withdraw it at any time, without affecting prior processing.
Right to Lodge a Complaint (Art. 77)	You have the right to lodge a complaint with your local Data Protection Authority (in Spain, the AEPD – Agencia Española de Protección de Datos).

How to Exercise Your Rights

You may exercise your rights by contacting us:

Email: dataprotection@hotelinking.com.
Address: Hotelinking, S.L., Parc Bit – Edificio Disset, 3rd floor, D9, 07121 Palma de Mallorca, España.
Phone: Available upon request.

Please include the following in your request:

Your full name and email address
The specific right you wish to exercise
Relevant context (e.g., guest at a specific hotel or website user)

We will respond to all valid requests within 30 days, as required by law. If we require additional time or clarification, we will notify you.

If we process your data as a Data Processor (e.g., you are a guest of one of our hotel customers), we will forward your request to the appropriate Hotel (Data Controller) for action.

9. Cookies and Tracking Technologies

When you visit Hotelinking’s websites or interact with our platform, we may use cookies and similar tracking technologies to enhance user experience, measure engagement, and personalize content.

A cookie is a small text file stored on your device that allows us to recognize your browser and remember certain information.

a) Types of Cookies We Use

Category	Description	Examples	Legal Basis
Strictly Necessary	Essential for basic functionality (e.g., session management, page navigation)	Session tokens, login authentication	Legitimate interest (Art. 6(1)(f))
Performance & Analytics	Help us understand how visitors interact with our website and improve performance	Google Analytics, Hotjar (anonymized)	Consent (Art. 6(1)(a))
Functionality	Enable enhanced features or preferences (e.g., language selection)	Remembered preferences, chat widgets	Consent (Art. 6(1)(a))
Marketing & Retargeting	Track browsing behavior for ad personalization and campaign measurement	LinkedIn Insight Tag, Meta Pixel, Google Ads	Consent (Art. 6(1)(a))

Analytics and marketing cookies are not activated unless you provide explicit consent via our cookie banner.

b) Managing Cookies

You may accept, reject, or customize cookie preferences at any time through our Cookie Settings panel, accessible on every page of our website.

You can also control or disable cookies via your browser settings. However, disabling essential cookies may impact your ability to use certain features.

c) Third-Party Services

Some cookies may be set by third-party services integrated on our site (e.g., embedded videos, social sharing tools). These third parties may collect usage data according to their own privacy policies.

d) Cookie Retention

Session cookies are deleted once you close your browser.
Persistent cookies may remain stored on your device for up to 24 months, unless deleted manually.

e) Cookie Policy

For more detailed information, including the full list of cookies we use and how to manage them, please refer to our:

Cookie Policy

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, services, technologies, legal requirements, or data protection obligations.

a) When We Make Changes

Updates to this Policy may be triggered by:

Introduction of new features or products (e.g., a new module within Deskforce).
Changes to applicable data protection laws or regulatory guidance (e.g., GDPR, ePrivacy Directive).
Modifications to how we process or share personal data.
Expansion into new territories with additional legal frameworks.

We maintain a version history at the bottom of this Policy to indicate when changes have been made.

b) How We Notify You

We are committed to transparency. If we make material changes to this Privacy Policy (e.g., changes in lawful basis, rights, or third-party disclosures), we will:

Post a clear notice on our website and/or platform dashboard.
Notify our Customers directly via email (to the account owner or data protection contact on file).
Provide at least 30 days’ advance notice before material changes take effect, when legally required or appropriate

c) Your Continued Use

By continuing to use our services after an update becomes effective, you agree to the revised Privacy Policy. If you disagree with the changes, you may discontinue use and, if applicable, request the deletion of your data.

11. Contact Us

Hotelinking, S.L.
Parc Bit – Edificio Disset, 3rd floor, D9
07121 Palma de Mallorca, Illes Balears, España
CIF: ESB57843185

Privacy & Data Protection

Email (General Inquiries): admin@hotelinking.com.
Email (Privacy Requests & DPO Contact): dataprotection@hotelinking.com.
Phone: Available upon request.

We will respond to all legitimate privacy-related inquiries within 30 days or sooner, as required by law.

Supervisory Authority Contact

If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD):

Website: https://www.aepd.es.
Phone (Spain): +34 901 100 099.
Email: internacional@aepd.es.

Go up