GDPR Compliance

How VertexStay complies with the General Data Protection Regulation.

GDPR

We take data protection seriously

The General Data Protection Regulation (GDPR) applies to our processing of personal data from individuals in the European Economic Area. VertexStay is designed to help you comply with GDPR in your hotel operations — and we hold ourselves to the same standard.

As a hotel operator, you are the data controller for your guests' personal data. VertexStay acts as a data processor on your behalf. This page explains the roles, your rights, and the measures we've implemented.

Quick reference

Data Controller (your hotel)
You determine the purpose and means of processing guest data
Data Processor (VertexStay)
We process data strictly on your documented instructions
Data Protection contact
dpo@vertexstay.com
EEA transfer mechanism
Standard Contractual Clauses (SCCs)
DPA available
Yes — request via email or in-app

Our GDPR principles

Lawful basis for processing

We process personal data only where we have a lawful basis: contractual necessity, legitimate interests, legal obligation, or explicit consent.

Data minimization

We collect only the data necessary for the specific purpose stated. We do not collect data "just in case."

Purpose limitation

Personal data collected for one purpose is not repurposed for another without your consent or a lawful basis.

Accuracy

We keep personal data accurate and up to date. You can update your account data at any time through the platform.

Storage limitation

Data is retained only for as long as necessary. Our retention schedule is documented and enforced automatically.

Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure.

Data subject rights

Under GDPR, individuals have the following rights. To exercise any of these rights, contact us at privacy@vertexstay.com.

Right of access (Art. 15)

Request a copy of all personal data we hold about you. We will respond within 30 days.

Right to rectification (Art. 16)

Request correction of inaccurate or incomplete personal data. Most account data can be updated directly in settings.

Right to erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.

Right to restrict processing (Art. 18)

Request that we limit processing of your personal data in certain circumstances.

Right to data portability (Art. 20)

Receive your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service.

Right to object (Art. 21)

Object to processing based on legitimate interests, including direct marketing.

Rights related to automated decisions (Art. 22)

Not be subject to decisions made solely by automated processing that significantly affect you. We do not make such decisions.

For hotel guests whose data is stored in VertexStay, data subject requests should be directed to the hotel property, which is the data controller. Hotels can process guest deletion requests directly in the platform.

What we've implemented

Data Processing Agreement (DPA) available for all customers upon request

Standard Contractual Clauses (SCCs) for EEA data transfers to the US

Sub-processor list maintained and updated with 30 days notice of changes

Data Protection Impact Assessments (DPIAs) for high-risk processing activities

Designated Data Protection contact reachable at dpo@vertexstay.com

Breach notification to supervisory authorities within 72 hours if required

Employee GDPR training completed annually by all staff handling personal data

Privacy by design embedded in our product development process

Sub-processors

We engage the following sub-processors to deliver the VertexStay service. All sub-processors are contractually bound to GDPR-compliant data processing and, where applicable, covered by Standard Contractual Clauses.

Sub-processorPurposeLocation
Amazon Web ServicesCloud infrastructure and hostingUS / EU
StripePayment processingUS / EU
PostmarkTransactional email deliveryUS
IntercomCustomer support and live chatUS
PostHogProduct analytics (self-hosted)EU

We will notify you at least 30 days before adding or replacing a sub-processor.

GDPR questions or DPA request?

Contact our data protection team. We'll provide a signed DPA and answer any compliance questions within one business day.