art. 1. Definitions
1.1. Hotel.One - the trade name of Hospitality in Bits Ltd. Where "we" or "Hotel.One" is used in this Agreement, it refers to Hospitality in Bits Ltd., VAT 207902884, registered office: Sofia, Lozenets district, "Chervena stena" str., bl. 4.
1.2. SaaS - Software as a Service. Covers all software products developed by Hotel.One, including HotelOne BI, HotelOne Documents AI and HotelOne Sync, unless a specific product is expressly referenced.
1.3. Client - the legal entity (hotel/chain, tour operator, etc.) using Hotel.One's services.
1.4. The terms "personal data", "processing", "controller", "processor" and "data subject" have the meanings given to them in Art. 4 of Regulation (EU) 2016/679 (GDPR).
1.5. "Sub-processor" - a third party authorised by Hotel.One to access personal data to the extent necessary to provide part of Hotel.One's service or technical support.
1.6. Data controller - the Client is the data controller in relation to the use of Hotel.One's services for its own business. The Client determines the categories of data, purposes, retention periods and legal bases for processing. Personal data processed through the Provider's services is owned by the Client.
1.7. Processor - Hotel.One acts as a processor on behalf of the Client to provide the Hotel.One service. Processing is carried out solely for the purposes of providing the services under the Main Agreement and/or technical support.
1.8. Data subjects - end-customers, employees, contractors and other individuals whose data the Client processes via the Provider's services.
art. 2. Introduction
This Data Processing Agreement (the "Agreement") governs how Hotel.One processes personal data on behalf of its Client (the data controller) in connection with the SaaS services provided, as well as the conditions for technical support and security. Entering into a main agreement between the parties ("Main Agreement / Subscription") constitutes acceptance of this Agreement; using any of Hotel.One's services likewise constitutes agreement to its terms.
art. 3. Scope of processing
3.1. Categories of data
Depending on the Client's configuration and sources integrated with the platform, the following types of data may be processed: full name, nationality, date of birth, reservation identifiers, check-in/check-out dates, room type, contact information and other data included by the Client within the integration configuration. Hotel.One does not require and does not intend to process special categories of data under Art. 9 GDPR.
3.2. Purposes of processing
- Hotel.One BI: consolidation, modelling and visualisation of the Client's operational and financial data; reports and analysis for planning and decision-making (revenue, occupancy/efficiency, budgets, etc.).
- Hotel.One Documents AI: automated ingestion, extraction (OCR/AI), structuring and transfer of data from incoming documents to the Client's systems (BI, accounting, ERP, etc.).
- Hotel.One Sync: transferring hotel reservations on behalf of and for the account of the Controller to the hotel software specified in the Main Agreement; providing availability and special-offer information.
- Integrations and operational automation: synchronisation with PMS, POS and other systems as instructed by the Client.
- Support, quality and security: performance and security monitoring, issue diagnostics and extraction-accuracy improvements - only to the extent necessary to provide the service.
3.3. Duration of processing
Data provided by the Client is processed for the term of the Main Agreement. Upon termination, Hotel.One deletes the data from its systems no later than 3 months after expiry (unless law or a written agreement with the Client provides otherwise).
art. 4. Duty of non-disclosure
4.1. Without prior written approval from the Client, Hotel.One will not: (a) disclose information about the processed personal data to third parties; (b) use the data for purposes other than providing the service, unless disclosure is required by a competent authority under law.
4.2. Data may be disclosed to sub-processors, consultants and suppliers provided they are bound by adequate data-protection policies and contractual obligations.
4.3. Notwithstanding clause 4.2, Hotel.One may not disclose personal data to sub-processors whose servers are not located within the EEA or in countries recognised by the European Commission as providing an adequate level of protection.
art. 5. Security measures
5.1. Infrastructure and data centres: Hotel.One hosts all client data on servers in Amazon Web Services (AWS). AWS applies international security standards (ISO 27001/27017/27018, SOC 1/2/3, PCI DSS, etc.). Data of EU clients is processed and stored within the EU or in countries with an adequate level of protection.
5.2. Personnel: Hotel.One has internal policies and training in place; access to data is granted only to authorised staff according to their duties; contractual confidentiality clauses apply; a security-monitoring and incident-response team is in place.
5.3. Physical controls: controlled access to premises/hardware; electronic keys; CCTV; visitor identification.
5.4. Encryption and data transfer: access to records is granted only via GUI/API after valid authentication (username/password, PIN, MFA, API key); transfer is encrypted. Hotel.One applies strong cryptographic standards and key management.
5.5. Payment-card data: Hotel.One is not a payment processor and does not require entry or processing of card data in its services. If the Client chooses to enter or transfer such data (e.g. in documents), the Client is responsible for compliance with all applicable standards/contracts.
5.6. Access control and admin functions: role-based models and access levels, admin/user authentication, options to anonymise/mask fields in interfaces and reports, to the extent applicable to the Hotel.One SaaS modules.
art. 6. Data deletion
6.1. Unless otherwise agreed in writing, Hotel.One deletes all client personal data from its systems no later than 3 (three) months after expiry of the Main Agreement.
6.2. During the term, the Client can erase and delete/anonymise data in the platform without affecting related records where technically possible.
6.3. On the Client's express written request, Hotel.One may carry out early deletion of data within a reasonable period (up to 1 month from receipt of the request).
6.4. Retention beyond this period is permitted only to the extent required by EU or Bulgarian law, or by order of a competent state authority.
art. 7. Data incidents
7.1. If Hotel.One becomes aware of a data incident, it notifies the Client without undue delay and takes reasonable steps to minimise the impact.
7.2. The Client is solely responsible for statutory notifications to supervisory authorities and/or data subjects; Hotel.One provides reasonable assistance.
art. 8. Client (Controller) obligations
8.1. This Agreement does not relieve the Client of its controller obligations: maintaining internal policies, legal bases, retention periods and risk-minimisation for data incidents.
8.2. The Client applies general IT-security measures (antivirus protection, network-security policies, periodic password rotation, etc.).
8.3. The Client is responsible for: (a) determining the nature of the data; (b) appropriate use of security features; (c) safeguarding authentication credentials/devices; (d) maintaining backups of data stored outside Hotel.One's systems; (e) assessing the adequacy of Hotel.One's measures against its own obligations.
art. 9. Data-subject requests
When a data-subject request is received, Hotel.One directs the person to the Client. The Client is responsible for the response to the data subject; Hotel.One provides assistance to the extent possible and practical for the specific case.
art. 10. Sub-processors
10.1. The Client grants Hotel.One a general authorisation to engage sub-processors. Up-to-date information on sub-processors is maintained in this Agreement (Appendix 1) and/or on Hotel.One's website/portal.
10.2. Hotel.One ensures by contract that each sub-processor accesses and uses personal data only to the extent necessary for the assigned activities and under equivalent data-protection obligations.
10.3. On a justified objection from the Client to a new sub-processor, the parties discuss reasonable alternatives; failing that, the Client may terminate the relevant service with up to 3 (three) months' notice at no cost or penalty.
art. 11. Technical support
Routine technical support typically does not require processing of personal data. Hotel.One does not start support activity without a request from the Client. If personal data becomes visible during support, it is not copied/stored/modified/transmitted by Hotel.One. Only authorised personnel participate in support.
art. 12. Temporary access to Client systems
If the Client provides temporary access to a database/file/device containing personal data (e.g. via remote-access tools), Hotel.One is deemed a processor for the duration of the access/storage and the provisions of Part II apply automatically.
art. 13. Liability
Hotel.One's liability under this Agreement follows the liability clauses of the Services Agreement.
art. 14. Notices
Notices under this Agreement are sent to the official correspondence/email addresses of the parties specified in the Services Agreement. Each party is responsible for maintaining up-to-date addresses and notifying the other in writing of changes.
art. 15. Governing law
This Agreement is governed by Regulation (EU) 2016/679 (GDPR) and the laws of the Republic of Bulgaria. All disputes are settled by mutual agreement and, failing that, by the competent court in Sofia.
In accordance with art. 10.1 of this Agreement, Hospitality in Bits Ltd. maintains an up-to-date register of sub-processors authorised to process personal data on behalf of the Client. All sub-processors are contractually bound by equivalent data-protection obligations under GDPR. For sub-processors outside the EEA, transfers are carried out on the basis of Standard Contractual Clauses (SCC).
| Sub-processor | Role | Location | Data categories | Purpose of processing | DPA |
|---|---|---|---|---|---|
| Amazon Web Services | Cloud infrastructure | EU · Ireland / Frankfurt | All client data, including personal data of guests and reservations | Hosting, storage and processing of all data in the Hotel.One platform | View DPA → |
| Hotel2Sejour (Paximum) | Sejour integration | EU | Reservation data from tour-operator channels using the Sejour system | Synchronisation of reservations from TO channels to Hotel.One Sync | On request |
| Anthropic PBC | AI model (Claude API) | USA · SCC (art. 46) | Text content of reservations and documents - names, identifiers, dates, contacts, supplier/counterparty and employee data | Automated recognition and extraction of structured information with data minimisation | View DPA → |
| OpenAI LLC | AI model (OpenAI API) | USA · SCC (art. 46) | Text content of reservations and documents - names, identifiers, dates, contacts, supplier/counterparty and employee data | Automated recognition and extraction of structured information with data minimisation | View DPA → |
All AI sub-processors are committed to data minimisation and a no-training policy - submitted data is not used to train the models. Please check this register regularly for up-to-date information.
Contact
VAT 207902884
Sofia, Lozenets district, "Chervena stena" str., bl. 4
Email: office@hotel.one