Back to homepage

Data Processing Agreement

Language:

Language Note: This document was drafted in Polish. The Polish version is the legally binding version. This English translation is provided for informational purposes only.

Last updated: March 2026 | Version: 1.0

Version: 1.0 Date: 10.03.2026


PARTIES TO THE AGREEMENT

This Data Processing Agreement (hereinafter: the "Agreement") is concluded between:

THE CONTROLLER:

The entity (natural person conducting business activity, legal person, or organizational unit) that registered an Account on the Guestivo Platform and accepted the Terms of Service for Electronic Service Provision. The Controller's data (name, registered address, Tax ID, representative details) are identical to the data provided during registration and available in the Administration Panel.

hereinafter referred to as the "Controller" or the "Hotel"

and

THE PROCESSOR:

Guestivo sp. z o.o. ul. Łęczycka 4/3, 53-632 Wrocław Tax ID (NIP): 8952299447 REGON: 543938450 KRS: 0001221700

hereinafter referred to as the "Processor" or "Guestivo"

collectively referred to as the "Parties", and individually as a "Party".


PREAMBLE

Whereas:

  1. The Controller uses the Guestivo platform for hotel service management;
  2. In the course of providing services, Guestivo processes personal data of hotel guests on behalf of the Controller;
  3. The Parties intend to regulate the terms of data processing entrustment in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR);

The Parties agree to conclude this Agreement.

Conclusion of the Agreement: This Agreement is concluded upon the Controller's acceptance of the Terms of Service for Electronic Service Provision during Account registration on the Guestivo Platform. Acceptance of the Terms of Service constitutes acceptance of this Agreement, which forms an integral part thereof (§ 16.4 of the Terms of Service). The documentary form of concluding the Agreement (Article 77² of the Polish Civil Code) is satisfied through electronic acceptance with registration of the date, IP address, and document version.


§ 1. DEFINITIONS

  1. Personal data – any information relating to an identified or identifiable natural person, processed within the Guestivo Platform.

  2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

  3. Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data.

  4. Sub-processor – another processor to whom the Processor entrusts the processing of personal data.

  5. Platform – the Guestivo information system used for hotel service management.

  6. Main Agreement – the service agreement for the Guestivo platform concluded between the Parties.


§ 2. SUBJECT MATTER OF THE AGREEMENT

  1. The Controller entrusts the Processor with the processing of personal data under the terms set out in this Agreement.

  2. Data processing is carried out in connection with the performance of the Main Agreement concerning the use of the Guestivo Platform for hotel service management.

  3. This Agreement constitutes an integral part of the Main Agreement.


§ 3. SCOPE OF PROCESSING

3.1. Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of:

  • Providing Platform services to the Controller
  • Handling hotel guest orders
  • Fulfilling service requests
  • Handling communication between guests and staff
  • Handling online check-ins
  • Processing guest payments (via Tpay or Stripe Connect, depending on the Hotel's configuration)
  • Recording transaction values for commission settlements between Guestivo and the Hotel
  • Integration with external systems (PMS, digital locks)

3.2. Type of Processing

Processing includes the following operations:

  • Collection
  • Storage
  • Modification
  • Deletion
  • Disclosure (to the extent necessary for service provision)

3.3. Types of Personal Data

The following categories of personal data are processed:

CategoryExamples of Data
Identification dataFirst name, last name
Contact dataEmail address, phone number
Stay dataCheck-in/check-out dates, room number
Order dataOrder contents, preferences
Communication dataChat messages
Document data (optional)Identity document photos, OCR data
Payment data (metadata)Transaction identifiers, payment status

3.4. Categories of Data Subjects

  • Hotel guests using Guest Pages
  • Persons accompanying guests (in the case of group check-in)

3.5. Duration of Processing

Processing lasts for the duration of the Main Agreement and for the period necessary to:

  • Complete ongoing processes
  • Fulfill legal obligations
  • Delete or return data in accordance with § 10

§ 4. OBLIGATIONS OF THE PROCESSOR

The Processor undertakes to:

4.1. Processing in Accordance with Instructions

a) Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law.

b) Inform the Controller if, in its opinion, an instruction constitutes a violation of the GDPR or other data protection provisions.

4.2. Confidentiality

a) Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

b) Grant access to personal data only to persons who need it to perform their duties.

4.3. Security

a) Take all measures required under Article 32 of the GDPR, including:

  • Pseudonymization and encryption of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems
  • The ability to restore the availability of and access to personal data in a timely manner in the event of an incident
  • Regular testing of the effectiveness of technical and organizational measures

b) Apply the security measures specified in Annex A to this Agreement.

4.4. Sub-processing

a) Comply with the conditions for engaging another processor as set out in § 5.

4.5. Assistance to the Controller

a) Assist the Controller in fulfilling the obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.

b) Taking into account the nature of processing and the information available, assist the Controller in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR (security, breach notification, impact assessment, consultation).

4.6. Deletion or Return of Data

a) Upon termination of the service provision, depending on the Controller's decision, delete or return all personal data and delete existing copies thereof, unless Union or Member State law requires storage of the data.

4.7. Audits and Inspections

a) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

b) Allow and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to § 8.


§ 5. ONWARD TRANSFER (SUB-PROCESSING)

5.1. General Authorization

The Controller grants general authorization for the Processor to engage Sub-processors to the extent necessary for the provision of the Guestivo Platform services.

5.2. List of Sub-processors

The current list of Sub-processors is available at: https://guestivo.pl/pl/subprocessors

As of the date of this Agreement, the list includes:

Sub-processorPurpose of ProcessingLocation
Microsoft Azure (Microsoft Corporation)Cloud infrastructure, data storage, email communication, monitoringEU (Poland Central, West Europe, North Europe)
Auth0 (Okta, Inc.)Admin Panel user authenticationUSA (with SCCs)
Stripe, Inc.Subscription payment processing, commission settlements, guest payments (Stripe Connect)USA (with SCCs)
Tpay (Krajowy Integrator Płatności S.A.)Online guest payment processing (alternative to Stripe Connect)Poland
Meta Platforms, Inc. (WhatsApp Business)Guest communication via WhatsAppUSA (with SCCs)
Twilio, Inc.Sending SMS messages to guestsUSA (with SCCs)
Resend, Inc.Alternative transactional email providerUSA (with SCCs)
OpenRouter, Inc.AI Concierge, menu digitizationUSA (with SCCs)
Seam Labs, Inc.Digital lock integrationUSA (with SCCs)
Apaleo GmbHPMS integration (reservation sync, folio)EU (Germany)
Cloudbeds Inc.PMS integration (reservation sync)USA (with SCCs)
Mews Systems B.V.PMS integration (reservation sync, folio)EU (Netherlands)

5.3. Notification of Changes

a) The Processor shall inform the Controller of any intended addition or replacement of a Sub-processor with reasonable advance notice, unless an urgent change is necessary for security or legal compliance reasons.

b) Notification shall be sent to the email address specified in the Controller's Account.

5.4. Objection

a) The Controller may raise a reasoned objection to a new Sub-processor within a reasonable period from receipt of the notification.

b) In the absence of an objection, the change shall be deemed accepted.

c) In the event of an objection, the Parties shall negotiate in good faith to find a resolution. If no resolution is found within 30 days, the Controller may terminate the Main Agreement.

5.5. Agreements with Sub-processors

The Processor shall ensure that each Sub-processor is bound by a contract containing data protection obligations at least equivalent to those set out in this Agreement.

5.6. Liability for Sub-processors

The Processor shall be liable for the acts of its Sub-processors in accordance with Article 28(4) of the GDPR.


§ 6. TRANSFERS OF DATA OUTSIDE THE EEA

6.1. General Principle

Transfers of personal data to third countries (outside the European Economic Area) may only take place: a) To countries for which the European Commission has issued an adequacy decision b) On the basis of Standard Contractual Clauses (SCCs) c) On the basis of other mechanisms provided for in the GDPR

6.2. Current Transfers

The Processor confirms that transfers to the USA are carried out on the basis of Standard Contractual Clauses approved by Commission Decision (EU) 2021/914.

6.3. Supplementary Measures

The Processor applies appropriate supplementary measures, including:

  • Encryption of data in transit
  • Encryption of data at rest
  • Minimization of data transferred
  • Pseudonymization where possible

§ 7. PERSONAL DATA BREACHES

7.1. Notification

a) Upon becoming aware of a personal data breach, the Processor shall notify the Controller without undue delay.

b) Notification shall be sent to the email address specified in the Controller's Account.

7.2. Content of Notification

The notification shall contain, to the extent available at the time of reporting: a) A description of the nature of the breach b) Information on the categories and approximate number of data subjects concerned (where possible) c) The likely consequences of the breach d) Remedial measures taken or proposed

Additional information may be provided progressively as the investigation proceeds.

7.3. Cooperation

The Processor shall cooperate with the Controller in order to: a) Determine the full scope of the breach b) Minimize the effects of the breach c) Prepare notifications to the supervisory authority and data subjects d) Document the breach

7.4. Documentation

The Processor shall maintain documentation of all personal data breaches, including the circumstances of the breach, its effects, and remedial actions taken.


§ 8. AUDITS AND INSPECTIONS

8.1. Right to Audit

The Controller or an auditor mandated by the Controller shall have the right to conduct an audit of the Processor regarding compliance with this Agreement and data protection regulations.

8.2. Audit Conditions

a) The Controller shall notify the Processor of the intention to conduct an audit with reasonable advance notice.

b) The audit shall be conducted during business hours and in a manner that minimizes disruption to the Processor's operations.

c) The auditor shall be bound by confidentiality obligations regarding the information obtained.

8.3. Alternative Forms of Audit

Instead of an on-site inspection, the Controller may accept: a) Audit certificates issued by an independent body b) Compliance certifications (e.g., SOC 2, ISO 27001) c) Responses to a standard security questionnaire

8.4. Costs

The costs of the audit shall be borne by the Controller.


§ 9. LIABILITY

9.1. Liability for Breaches

Each Party shall be liable for breaches of data protection regulations resulting from its acts or omissions.

9.2. Joint Liability

If the Processor infringes the GDPR by determining the purposes and means of processing, it shall be considered a controller in respect of that processing in accordance with Article 28(10) of the GDPR.

9.3. Right of Recourse

A Party that has paid compensation for the entire damage shall be entitled to claim from the other Party the portion of the compensation corresponding to its share of responsibility for the damage.


§ 10. TERMINATION OF THE AGREEMENT AND DATA DELETION

10.1. Termination of Processing

Upon termination of the Main Agreement, the Processor shall:

a) At the Controller's request – return personal data in a readable format within a reasonable timeframe.

b) In the absence of a return request – delete all personal data and copies thereof within a reasonable timeframe from the termination of the Main Agreement.

10.2. Confirmation of Deletion

At the Controller's request, the Processor shall issue confirmation of data deletion.

10.3. Exceptions

The obligation to delete data shall not apply where storage is required by Union or Polish law.


§ 11. DURATION OF THE AGREEMENT

11.1. Term

This Agreement shall remain in force for the entire duration of the Main Agreement.

11.2. Termination

This Agreement shall terminate upon termination of the Main Agreement.

11.3. Survival

Provisions regarding confidentiality, liability, and data deletion shall survive the termination of this Agreement.


§ 12. FINAL PROVISIONS

12.1. Amendments

Any amendments to this Agreement must be made in documentary form under pain of invalidity.

12.2. Governing Law

This Agreement shall be governed by Polish law.

12.3. Disputes

Any disputes arising from this Agreement shall be resolved by the court having jurisdiction over the registered office of the Processor.

12.4. Severability

If any provision of this Agreement is found to be invalid, the remaining provisions shall remain in force.

12.5. Annexes

The following constitute an integral part of this Agreement:

  • Annex A: Technical and Organizational Measures
  • Annex B: List of Sub-processors (current version available online)

ANNEX A: TECHNICAL AND ORGANIZATIONAL MEASURES

The Processor applies appropriate technical and organizational measures in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

A.1. Technical Measures

Technical measures include in particular:

  • Encryption of data in transit and at rest
  • Access control systems
  • Authentication mechanisms
  • Secure storage of credentials
  • Architecture ensuring data separation between clients
  • Backups
  • Security event monitoring and logging

A.2. Organizational Measures

Organizational measures include in particular:

  • Staff training in data protection
  • Principle of least privilege
  • Incident response procedures
  • Maintenance of required documentation
  • Regular security reviews

A.3. Measures for Special Categories of Data

In the case of processing data requiring special protection, additional appropriate security measures are applied.


Document version: 1.0 Publication date: 10.03.2026 Last updated: March 2026