Privacy Policy - HotelOne

Privacy Policy

How HotelOne collects, uses and protects the personal data of users of the hotel.one website and the SaaS platform.

Last updated:April 2026
Administrator:Hospitality in Bits Ltd.
VAT ID:207902884
Download PDF

1.Who we are

HOSPITALITY IN BITS LTD. (trading as Hotel.One), VAT 207902884, Sofia, Lozenets district, "Chervena stena" str., bl. 4, is the controller of personal data collected via the hotel.one website and the SaaS services we provide.

For any privacy or data-protection enquiries, contact us at office@hotel.one.

2.What personal data we collect

2.1. Website visitors

  • IP address and technical device data (browser, operating system)
  • Navigation data (pages visited, time on page)
  • Cookies and similar technologies - see section 7

2.2. Demo requests and contact forms

  • Name, surname, email
  • Company and job title
  • Message content

2.3. Clients (platform users)

  • Account data (email, hashed password, salt)
  • Hotel data and operational data uploaded by the Client
  • Activity logs in the system

The processing of personal data of the Client's end-customers (guests, employees, etc.) is governed by a separate Data Processing Agreement (DPA) - hotel.one/gdpr.

3.Legal bases for processing

We process personal data only where there is a legal basis under Art. 6 GDPR:

  • Contract performance - to provide SaaS services to clients who have entered into a contract with Hotel.One.
  • Legitimate interest - to analyse website usage, improve services, ensure system security and prevent abuse.
  • Consent - for marketing communications and non-essential cookies (where applicable).
  • Legal obligation - under applicable law (accounting, regulatory requirements, etc.).

4.Purposes of processing

  • Providing, maintaining and improving Hotel.One services
  • Handling demo requests and responding to enquiries
  • Sending technical notices, updates and support communications
  • Analysing use of the website and platform to improve user experience
  • Ensuring system security and preventing abuse
  • Complying with legal obligations

5.Recipients and sub-processors

Hotel.One does not sell or share your personal data with third parties for their commercial purposes. We may share data only in the following cases:

  • Sub-processors - technical providers necessary for the operation of the service (e.g. cloud infrastructure, AI tools). A full list is available in the DPA (hotel.one/gdpr).
  • Legal obligations - on a binding request from a competent authority under applicable law.
  • Protection of rights - where necessary to establish, exercise or defend legal claims.

6.International transfers

Hotel.One's core infrastructure is hosted within the EU/EEA (AWS EU regions). Some sub-processors (e.g. Anthropic PBC, OpenAI LLC) may process data in the USA. In such cases the transfer is carried out on the basis of the Standard Contractual Clauses (SCC) approved by the European Commission, or another valid transfer mechanism under GDPR.

7.Cookies

The hotel.one website uses cookies for the following purposes:

  • Functional cookies - required for the site to work (language preferences, session). Legal basis: legitimate interest.
  • Analytics cookies - to analyse traffic and user behaviour in order to improve the site. Legal basis: consent.

You can manage cookies via your browser settings. Disabling functional cookies may limit the functionality of the site.

8.Retention periods

  • Data from contact forms and demo requests - up to 2 years from the last contact or until consent is withdrawn.
  • Client accounts - for the duration of the contract and up to 5 years after its termination (accounting and legal obligations).
  • Logs and technical data - up to 12 months.
  • Marketing consents - until consent is withdrawn.

9.Your rights

Under GDPR you have the following rights regarding your personal data:

  • Right of access - to obtain a copy of the data we process about you.
  • Right to rectification - to have inaccurate or incomplete data corrected.
  • Right to erasure - to have your data deleted in certain circumstances ("right to be forgotten").
  • Right to restriction - to restrict processing when contesting accuracy or lawfulness.
  • Right to portability - to receive your data in a structured, machine-readable format.
  • Right to object - to object to processing based on legitimate interest.
  • Right to withdraw consent - at any time, without affecting the lawfulness of processing before withdrawal.

To exercise your rights, send a request to office@hotel.one. We will reply within 30 days.

10.Right to lodge a complaint

If you believe that the processing of your personal data infringes GDPR, you have the right to lodge a complaint with the supervisory authority:

Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
www.cpdp.bg

11.Changes to this policy

Hotel.One may update this Privacy Policy from time to time. For material changes we will notify users by publishing the new version on the website and updating the date in the heading.

12.Contact

HOSPITALITY IN BITS LTD.
VAT 207902884
Sofia, Lozenets district, "Chervena stena" str., bl. 4
Email: office@hotel.one