Privacy Policy
Effective Date: 11 August 2025
1. Purpose and Scope
At Hotelinking, S.L. (“Hotelinking”, “we”, “us”, or “our”), we respect your privacy and are committed to protecting the personal data entrusted to us. This Privacy Policy explains how we collect, use, store, disclose, and protect personal data in the context of our operations and our suite of software-as-a-service (SaaS) solutions:
- GuestMaker – Marketing Cloud Captive Portal for Hotel Groups.
- WiFiBot – Proactive Network Guardian for Hotel Networks.
- Deskforce – Front Desk Automation System for Hotel Groups.
This Privacy Policy applies to the processing of personal data concerning the following categories of individuals:
- Customers and authorized users of our SaaS solutions (“Customers”).
- Hotel guests whose personal data is collected via Customer use of GuestMaker or Deskforce.
- Website visitors, job applicants, marketing leads, and event participants.
- End users of customer hotel networks monitored by WiFiBot (technical metadata only).
- Any other individuals whose personal data is processed in the course of providing our services.
This Policy is intended to comply with the European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable national laws within Spain and the European Economic Area (EEA).
Hotelinking acts as a:
- Data Processor when processing personal data on behalf of our Customers (e.g., hotel guest data captured through GuestMaker or Deskforce).
- Data Controller when processing personal data for our own purposes (e.g., website analytics, prospect engagement, account management, employment applications).
For all data protection matters, you may contact us at:
Hotelinking, S.L.
Parc Bit – Edificio Disset, 3rd floor, D9
Palma de Mallorca, Illes Balears, España
CIF: ESB57843185
Email: admin@hotelinking.com
For privacy-related requests: dataprotection@hotelinking.com
2. What Personal Data We Collect
The personal data we collect depends on the nature of your relationship with Hotelinking and the specific Services used. We categorize the data as follows:
a) Hotel Guests (via GuestMaker and Deskforce)
Collected directly through guest interactions with WiFi captive portals, digital check-in flows, or via integrations with the Property Management System (PMS) of the hotel.
Data Categories:
- Identifiers: Full name, verified email address, nationality, language.
- Device Information: IP address, MAC address, device type, operating system, browser type.
- Reservation Metadata: Check-in and check-out dates, booking channel (e.g. OTA, direct), board type, room type, number of companions.
- Official Documentation: Scanned ID or passport images (via OCR – Deskforce).
- Biometric & Signature Data: Handwritten digital signatures (Deskforce).
- Payment Information: Credit card data processed via PCI-DSS compliant third-party gateways (Deskforce).
Note: Hotelinking does not store payment card details. Sensitive data is handled via secure, tokenized channels with authorized payment processors.
b) Hotel IT Staff, Customer Admins, and Users (via WiFiBot or Admin Dashboards)
Collected during account setup and usage of our SaaS platforms for network monitoring, user management, or service operations.
Data Categories:
- Identifiers: Name, business email address, phone (if provided), role/title.
- Network Metadata: Device MAC addresses, AP/Switch/Gateway identifiers, network performance logs, bandwidth usage, uptime, and connectivity diagnostics.
- Account Usage Logs: Login timestamps, IP, browser version, changes made.
Note: WiFiBot processes technical metadata related to hotel infrastructure only and does not process identifiable data about guests.
c) Website Visitors, Prospective Customers, and Event Participants
Collected via our website, landing pages, emails, or events (online and in person).
Data Categories:
- Identifiers: Name, email address, company, job title (when provided).
- Device & Web Data: IP address, browser type, device type, operating system, language, referring URL.
- Behavioral Data: Pages visited, forms submitted, links clicked, cookie identifiers.
- Communication Data: Email preferences, campaign opens/clicks, event attendance.
d) Job Applicants and Contractors
When you apply for a role with us or work with us as a service provider.
Data Categories:
- Identifiers: Name, contact information.
- Professional Data: CV/resume, education history, employment history, references.
- Optional Sensitive Data: National ID, work permit, or other eligibility documentation, where required by law.
Note: Any special category data (e.g., health-related accommodations) is collected only when strictly necessary and with your explicit consent.
3. How and Why We Use Personal Data
Hotelinking processes personal data for various purposes, depending on the context of collection. The table below outlines the key purposes, categories of data subjects, and the lawful basis under the GDPR.
Purpose | Who It Applies To | Types of Data | Legal Basis (GDPR) |
---|---|---|---|
Provision of our services (GuestMaker, WiFiBot, Deskforce) | Customers, Hotel Guests, Hotel Staff | Contact info, device data, login info, network metrics, reservation metadata | Contractual necessity (Art. 6(1)(b)) |
Guest identity verification and reservation matching | Hotel Guests | ID/passport, name, reservation data | Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) where required by law |
Processing digital check-in/out flows | Hotel Guests | Personal ID data, signatures, reservation info | Contractual necessity (Art. 6(1)(b)) |
Payment authorization and transaction processing | Hotel Guests | Tokenized payment data, billing metadata | Contractual necessity (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
Email marketing and communication | Customers, Prospects, Event Participants | Contact info, marketing preferences, engagement metrics | Consent (Art. 6(1)(a)); or Legitimate interest (Art. 6(1)(f)) for B2B |
Product improvement and analytics | All Users | Platform usage logs, support interactions, behavioral data | Legitimate interest (Art. 6(1)(f)) |
Network diagnostics and issue resolution (WiFiBot) | Hotel IT Staff | Infrastructure metadata, MAC addresses, device metrics | Legitimate interest (Art. 6(1)(f)) |
Compliance with legal obligations | All | Any data required by law or regulation (e.g., guest registrations, tax records) | Legal obligation (Art. 6(1)(c)) |
Security monitoring and incident response | All | System access logs, event traces, audit trails | Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) |
Responding to data subject rights requests | All | Identity data, communications | Legal obligation (Art. 6(1)(c)) |
Notes on Special Categories of Data
Hotelinking does not intentionally collect or process Special Category Data under Article 9 GDPR (e.g., health, biometrics, religion), except where:
- Required for legal compliance (e.g., ID for check-in verification), or
- Explicit consent is obtained (e.g., reasonable accommodation for applicants).
4. Data Sharing and Disclosure
Hotelinking does not sell personal data under any circumstances.
However, in the course of delivering our services, we may disclose personal data to carefully selected third parties. Disclosures are limited to what is strictly necessary and are governed by written agreements that ensure compliance with GDPR and applicable data protection laws.
a) Cloud Infrastructure Providers
We use secure hosting and cloud storage services to operate our platform. These providers have no access to the contents unless required for maintenance or under legal obligation.
- Amazon Web Services (AWS) – Primary hosting in Ireland (EU region).
- Data remains within the European Economic Area (EEA) by default.
b) Technology Integration Partners
We integrate with trusted systems to enable functionality for our customers.
Integration Type | Examples | Purpose |
---|---|---|
Property Management Systems (PMS) | Avalon, Opera, Mews, etc. | To verify reservations and match guest records |
Customer Relationship Management (CRM) | Cendyn, HubSpot, etc. | To enrich guest profiles and execute campaigns |
Identity Verification Services | (e.g., OCR-based tools) | To validate ID documents during digital check-in |
Email Delivery Platforms | Mandrill | To send transactional and marketing communications |
These systems process data strictly under our instructions and cannot use it for any independent purpose.
c) Payment Processors
For Deskforce’s digital payment capabilities, we integrate with PCI-DSS-compliant third-party payment gateways. Payment credentials are tokenized and never stored on Hotelinking systems.
- Examples: Redsys, Stripe, Adyen (as applicable).
- All payment data is encrypted and transmitted directly from the guest’s device to the processor.
d) Customer Support Platforms
We may use tools to manage inquiries and support tickets.
- Example: Zendesk.
- Used for email support, chat support, and ticket resolution.
Support interactions may include name, contact info, log data, or technical metadata when relevant.
e) Legal, Regulatory, and Law Enforcement Authorities
We may disclose personal data when:
- Required by applicable law (e.g., guest registration with local authorities).
- Necessary to comply with judicial or regulatory proceedings.
- Required to protect rights, safety, or property of Hotelinking, its customers, or the public.
All such disclosures are reviewed by legal counsel and recorded where appropriate.
f) Authorized Hotel Group Personnel (Customers)
In the case of guest data, Hotelinking acts as a Data Processor, and personal data is shared with the respective Hotel (Data Controller) under a data processing agreement.
g) Sub-Processors
We maintain a current list of sub-processors which is made available to Customers upon request. All sub-processors are contractually bound to:
- Follow Hotelinking’s documented instructions only.
- Maintain equivalent or stronger security standards.
- Notify Hotelinking of any data breaches or sub-subprocessing.
Hotelinking remains fully responsible for the actions of its sub-processors.
5. International Data Transfers
Hotelinking ensures that personal data is stored and processed in compliance with the General Data Protection Regulation (GDPR) and applicable international data transfer mechanisms under Articles 44–50 of the regulation.
a) Primary Hosting Location
All personal data processed through Hotelinking’s platform is securely hosted in the European Economic Area (EEA):
- Amazon Web Services (AWS) infrastructure located in Dublin, Ireland.
- All data, including guest, customer, and network information, is processed and stored in data centers within the EU.
- AWS Dublin complies with ISO/IEC 27001, ISO/IEC 27018, and SOC 2 standards.
No personal data is routinely transferred outside the EEA during the regular operation of our services.
b) Transfers Outside the EEA (When Applicable)
In limited circumstances, data may be transferred outside the EEA (e.g., use of sub-processors or technical support services). In these cases, we apply one of the following safeguards:
Adequacy Decisions
Transfers are made only to countries that the European Commission has deemed to provide an adequate level of data protection (e.g., United Kingdom, Japan, Canada).
Standard Contractual Clauses (SCCs)
Where an adequacy decision is not available, we rely on the latest version of the Standard Contractual Clauses (SCCs) approved by the European Commission to govern the transfer.
We supplement these clauses with technical and organizational measures, including:
- End-to-end encryption.
- Access control.
- Data minimization.
- Regular security audits.
Explicit Consent
In rare and exceptional cases, we may rely on your explicit consent (Article 49 GDPR) for a specific transfer, but only when no other lawful basis is available.
c) Sub-Processors Located Outside the EEA
Some of our ancillary service providers (e.g., for transactional email delivery, threat monitoring, or logging services) may operate infrastructure outside the EEA.
- Hotelinking performs strict due diligence before engaging any sub-processor.
- All such vendors are contractually bound via SCCs and monitored for GDPR compliance.
- A detailed list of active sub-processors and their geographic locations is available upon request or as part of the Customer Data Processing Agreement (DPA).
Hotelinking remains fully liable for the compliance of all sub-processors with data protection laws.
6. Data Retention
Hotelinking retains personal data only for as long as necessary to fulfill the purpose for which it was collected — or to comply with legal, regulatory, or contractual obligations.
The retention periods differ depending on the category of data and applicable context:
a) Hotel Guest Data (GuestMaker, Deskforce)
Data Type | Retention Period | Purpose / Justification |
---|---|---|
Contact details, reservation metadata, device info | Up to 12 months after end of contractual relationship with hotel customer | Operational use, analytics, and support |
ID/passport images, digital signatures | Up to 30 days post check-in (unless local law requires longer) | Identity verification during check-in |
Payment metadata (non-cardholder data) | Up to 12 months or as defined in the hotel’s DPA | Proof of transaction or dispute resolution |
Pseudonymized analytical data | Indefinitely, in aggregated form | Product improvement and benchmarking |
Note: Data processing for guests is performed under instructions from our hotel customers (Data Controllers), and final retention policies may be contractually defined in the Data Processing Agreement (DPA).
b) Hotel Staff and Customer Admin Data (WiFiBot, dashboards)
Data Type | Retention Period | Purpose |
---|---|---|
User credentials, login data, configuration history | For the duration of the account and up to 12 months after deactivation | Operational continuity, audit trails |
Network monitoring metadata | Rolling 30–90 days, depending on customer plan | Issue diagnosis, uptime monitoring |
c) Website Visitors, Leads, and Marketing Contacts
Data Type | Retention Period | Purpose |
---|---|---|
Contact form data, newsletter opt-ins | Until withdrawal of consent or 24 months of inactivity | Direct marketing, lead nurturing |
Website analytics & cookies | 26 months (e.g., Google Analytics default) | Behavioral analysis, product improvement |
d) Job Applicants and Recruitment Data
Data Type | Retention Period | Purpose |
---|---|---|
CVs, applications, interview records | 12 months from conclusion of recruitment process | Future consideration, legal defense |
Onboarding documentation (if hired) | Retained under employment file | Employment law compliance |
e) Backups and Disaster Recovery
- Backups are encrypted and stored in AWS (Ireland) for a default of 30 days, unless a longer retention is required by law or contract.
- Backups are automatically deleted after expiration using secure lifecycle policies.
- Disaster recovery tests are performed regularly to validate data integrity and availability.
See also: Hotelinking’s [Operations Security Procedure & Backups Policy] for full technical details.
f) Data Disposal and Anonymization
At the end of the retention period, Hotelinking will:
- Securely delete personal data from live systems and backups.
- Or, where appropriate, irreversibly anonymize the data for statistical or product improvement purposes (e.g., guest engagement benchmarks).
7. Security Measures
Hotelinking implements a comprehensive, multi-layered Information Security Management System (ISMS) to ensure the confidentiality, integrity, and availability of all personal data processed.
We align with industry best practices, including ISO/IEC 27001 principles and SOC 2 control frameworks, and undergo regular internal and external audits.
a) Technical Security Controls
Control | Description |
---|---|
Data Encryption | – All data is encrypted in transit using TLS 1.2 or higher – All data is encrypted at rest using AES-256 (via AWS KMS with customer-managed keys) |
Authentication & Access Controls | – Role-based access control (RBAC) – Mandatory Multi-Factor Authentication (MFA) for all internal systems – Principle of least privilege enforced |
Logging & Monitoring | – Continuous monitoring of infrastructure – Audit trails maintained for all system and admin activity – Intrusion detection via tools like AWS GuardDuty |
Backup & Recovery | – Daily encrypted backups stored across multiple availability zones in AWS Ireland – Regular disaster recovery tests ensure RPO and RTO objectives are met |
Network Security | – Firewalls, VPC segmentation, and Web Application Firewall (WAF) protection – Continuous vulnerability scans and penetration testing cycles |
b) Organizational Security Measures
Control | Description |
---|---|
Security Policies | Defined and enforced policies for: Access Control, Incident Management, Data Breach Notification, Vendor Risk Management, Physical Security, and more |
Employee Training & Awareness | – Mandatory onboarding and annual security training for all staff – Specific training on data protection, phishing, and secure development practices |
Vendor Risk Management | – Sub-processors undergo security reviews and sign GDPR-compliant DPAs – SCCs or adequacy safeguards required for any non-EU vendor |
Secure Development Practices | – Code changes peer-reviewed and version-controlled (Git) – CI/CD pipelines include automated security checks and test coverage |
Incident Response Plan | – Tiered incident classification (low, medium, high, critical) – Immediate escalation to On-Call Engineers, ISO, and management as needed – Post-incident reviews and root cause analysis performed for all major events |
c) Certifications and Framework Alignment
- Hotelinking is actively aligned with SOC 2 Type II controls.
- ISMS framework is based on ISO/IEC 27001 standards.
- Backups and infrastructure comply with AWS Well-Architected Security Pillar.
8. Your Data Protection Rights (GDPR)
As a data subject under the General Data Protection Regulation (GDPR), you have a number of rights in relation to the personal data we process. Hotelinking is committed to enabling and honoring these rights in a transparent and timely manner, whether we act as Data Controller (e.g., for website visitors or prospects) or as Data Processor (e.g., when processing guest data on behalf of hotel customers).
You may exercise the following rights:
Right | Description |
---|---|
Right of Access (Art. 15) | You can request confirmation of whether we process your personal data, and receive a copy of that data along with details about how it is used. |
Right to Rectification (Art. 16) | You can request correction of inaccurate or incomplete personal data. |
Right to Erasure (Art. 17) | You can request deletion of your personal data (“right to be forgotten”) when it is no longer necessary or if you withdraw consent. |
Right to Restrict Processing (Art. 18) | You can request limitation of data use in certain cases (e.g., during a pending correction or dispute). |
Right to Data Portability (Art. 20) | You can request to receive your personal data in a structured, commonly used, machine-readable format and to have it transmitted to another provider. |
Right to Object (Art. 21) | You can object to data processing based on legitimate interests or for direct marketing purposes. |
Right to Withdraw Consent | Where data is processed based on your consent (Art. 6(1)(a)), you can withdraw it at any time, without affecting prior processing. |
Right to Lodge a Complaint (Art. 77) | You have the right to lodge a complaint with your local Data Protection Authority (in Spain, the AEPD – Agencia Española de Protección de Datos). |
How to Exercise Your Rights
You may exercise your rights by contacting us:
Email: dataprotection@hotelinking.com.
Address: Hotelinking, S.L., Parc Bit – Edificio Disset, 3rd floor, D9, 07121 Palma de Mallorca, España.
Phone: Available upon request.
Please include the following in your request:
- Your full name and email address
- The specific right you wish to exercise
- Relevant context (e.g., guest at a specific hotel or website user)
We will respond to all valid requests within 30 days, as required by law. If we require additional time or clarification, we will notify you.
If we process your data as a Data Processor (e.g., you are a guest of one of our hotel customers), we will forward your request to the appropriate Hotel (Data Controller) for action.
9. Cookies and Tracking Technologies
When you visit Hotelinking’s websites or interact with our platform, we may use cookies and similar tracking technologies to enhance user experience, measure engagement, and personalize content.
A cookie is a small text file stored on your device that allows us to recognize your browser and remember certain information.
a) Types of Cookies We Use
Category | Description | Examples | Legal Basis |
---|---|---|---|
Strictly Necessary | Essential for basic functionality (e.g., session management, page navigation) | Session tokens, login authentication | Legitimate interest (Art. 6(1)(f)) |
Performance & Analytics | Help us understand how visitors interact with our website and improve performance | Google Analytics, Hotjar (anonymized) | Consent (Art. 6(1)(a)) |
Functionality | Enable enhanced features or preferences (e.g., language selection) | Remembered preferences, chat widgets | Consent (Art. 6(1)(a)) |
Marketing & Retargeting | Track browsing behavior for ad personalization and campaign measurement | LinkedIn Insight Tag, Meta Pixel, Google Ads | Consent (Art. 6(1)(a)) |
Analytics and marketing cookies are not activated unless you provide explicit consent via our cookie banner.
b) Managing Cookies
You may accept, reject, or customize cookie preferences at any time through our Cookie Settings panel, accessible on every page of our website.
You can also control or disable cookies via your browser settings. However, disabling essential cookies may impact your ability to use certain features.
c) Third-Party Services
Some cookies may be set by third-party services integrated on our site (e.g., embedded videos, social sharing tools). These third parties may collect usage data according to their own privacy policies.
d) Cookie Retention
- Session cookies are deleted once you close your browser.
- Persistent cookies may remain stored on your device for up to 24 months, unless deleted manually.
e) Cookie Policy
For more detailed information, including the full list of cookies we use and how to manage them, please refer to our:
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our business practices, services, technologies, legal requirements, or data protection obligations.
a) When We Make Changes
Updates to this Policy may be triggered by:
- Introduction of new features or products (e.g., a new module within Deskforce).
- Changes to applicable data protection laws or regulatory guidance (e.g., GDPR, ePrivacy Directive).
- Modifications to how we process or share personal data.
- Expansion into new territories with additional legal frameworks.
We maintain a version history at the bottom of this Policy to indicate when changes have been made.
b) How We Notify You
We are committed to transparency. If we make material changes to this Privacy Policy (e.g., changes in lawful basis, rights, or third-party disclosures), we will:
- Post a clear notice on our website and/or platform dashboard.
- Notify our Customers directly via email (to the account owner or data protection contact on file).
- Provide at least 30 days’ advance notice before material changes take effect, when legally required or appropriate.
c) Your Continued Use
By continuing to use our services after an update becomes effective, you agree to the revised Privacy Policy. If you disagree with the changes, you may discontinue use and, if applicable, request the deletion of your data.
11. Contact Us
Hotelinking, S.L.
Parc Bit – Edificio Disset, 3rd floor, D9
07121 Palma de Mallorca, Illes Balears, España
CIF: ESB57843185
Privacy & Data Protection
- Email (General Inquiries): admin@hotelinking.com.
- Email (Privacy Requests & DPO Contact): dataprotection@hotelinking.com.
- Phone: Available upon request.
We will respond to all legitimate privacy-related inquiries within 30 days or sooner, as required by law.
Supervisory Authority Contact
If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD):
- Website: https://www.aepd.es.
- Phone (Spain): +34 901 100 099.
- Email: internacional@aepd.es.