GDPR Compliance
How VertexStay complies with the General Data Protection Regulation.
We take data protection seriously
The General Data Protection Regulation (GDPR) applies to our processing of personal data from individuals in the European Economic Area. VertexStay is designed to help you comply with GDPR in your hotel operations — and we hold ourselves to the same standard.
As a hotel operator, you are the data controller for your guests' personal data. VertexStay acts as a data processor on your behalf. This page explains the roles, your rights, and the measures we've implemented.
Quick reference
- Data Controller (your hotel)
- You determine the purpose and means of processing guest data
- Data Processor (VertexStay)
- We process data strictly on your documented instructions
- Data Protection contact
- dpo@vertexstay.com
- EEA transfer mechanism
- Standard Contractual Clauses (SCCs)
- DPA available
- Yes — request via email or in-app
Our GDPR principles
Lawful basis for processing
We process personal data only where we have a lawful basis: contractual necessity, legitimate interests, legal obligation, or explicit consent.
Data minimization
We collect only the data necessary for the specific purpose stated. We do not collect data "just in case."
Purpose limitation
Personal data collected for one purpose is not repurposed for another without your consent or a lawful basis.
Accuracy
We keep personal data accurate and up to date. You can update your account data at any time through the platform.
Storage limitation
Data is retained only for as long as necessary. Our retention schedule is documented and enforced automatically.
Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure.
Data subject rights
Under GDPR, individuals have the following rights. To exercise any of these rights, contact us at privacy@vertexstay.com.
Right of access (Art. 15)
Request a copy of all personal data we hold about you. We will respond within 30 days.
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete personal data. Most account data can be updated directly in settings.
Right to erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Right to restrict processing (Art. 18)
Request that we limit processing of your personal data in certain circumstances.
Right to data portability (Art. 20)
Receive your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service.
Right to object (Art. 21)
Object to processing based on legitimate interests, including direct marketing.
Rights related to automated decisions (Art. 22)
Not be subject to decisions made solely by automated processing that significantly affect you. We do not make such decisions.
For hotel guests whose data is stored in VertexStay, data subject requests should be directed to the hotel property, which is the data controller. Hotels can process guest deletion requests directly in the platform.
What we've implemented
Data Processing Agreement (DPA) available for all customers upon request
Standard Contractual Clauses (SCCs) for EEA data transfers to the US
Sub-processor list maintained and updated with 30 days notice of changes
Data Protection Impact Assessments (DPIAs) for high-risk processing activities
Designated Data Protection contact reachable at dpo@vertexstay.com
Breach notification to supervisory authorities within 72 hours if required
Employee GDPR training completed annually by all staff handling personal data
Privacy by design embedded in our product development process
Sub-processors
We engage the following sub-processors to deliver the VertexStay service. All sub-processors are contractually bound to GDPR-compliant data processing and, where applicable, covered by Standard Contractual Clauses.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and hosting | US / EU |
| Stripe | Payment processing | US / EU |
| Postmark | Transactional email delivery | US |
| Intercom | Customer support and live chat | US |
| PostHog | Product analytics (self-hosted) | EU |
We will notify you at least 30 days before adding or replacing a sub-processor.
GDPR questions or DPA request?
Contact our data protection team. We'll provide a signed DPA and answer any compliance questions within one business day.