1. Parties and scope
This DPA is entered into between Strowberry Code ("HotelBee", "Processor") and the customer that has entered into a subscription with HotelBee ("Customer", "Controller"). It applies to all personal data that HotelBee processes on behalf of the Customer in providing the platform.
In this DPA, terms such as "personal data", "processing", "data subject", "controller" and "processor" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR").
2. Roles of the parties
For Customer Data processed under the Terms, the Customer is the Controller and HotelBee is the Processor. Where the Customer is itself acting as a Processor for one of its own customers, HotelBee acts as a Sub-processor and the same protections apply.
3. Processing on documented instructions
HotelBee will process personal data only on documented instructions from the Customer. The Terms, the Customer's configuration of the platform and this DPA constitute such instructions. HotelBee will not process personal data for any other purpose, except where required by law.
If HotelBee considers that an instruction infringes applicable data protection law, HotelBee will inform the Customer without undue delay and may suspend the relevant processing pending clarification.
4. Subject matter, duration and nature
Subject matter
The provision of the HotelBee platform and related services as described in the Terms.
Duration
The duration of the Customer's subscription, plus any return or deletion period set out in section 11.
Nature and purpose
Hosting, processing, transmitting and otherwise handling personal data so that the Customer can run its hotel operations using the platform.
Categories of personal data
Typically: identification data, contact details, reservation and stay data, communication content, payment metadata, employee operational data, and any other data the Customer chooses to upload.
Categories of data subjects
Typically: hotel guests, prospective guests, the Customer's staff and contractors, and other individuals whose personal data is uploaded by the Customer.
5. Sub-processors
The Customer authorises HotelBee to engage sub-processors to provide the platform, subject to written agreements containing data protection obligations no less protective than this DPA. A current list of sub-processors is maintained at hotelbee.co/legal/sub-processors.
HotelBee will give the Customer at least thirty (30) days' notice of any new or replacement sub-processor. The Customer may object on reasonable data protection grounds during that period, in which case the parties will work in good faith on a resolution.
6. Security measures
HotelBee implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include, without limitation:
- encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
- role-based access control with least-privilege defaults and multi-factor authentication for HotelBee personnel;
- segregation of customer environments at the data layer;
- regular vulnerability scanning and a coordinated disclosure programme;
- comprehensive audit logging of administrative actions;
- documented incident response and business continuity processes.
7. Confidentiality
HotelBee ensures that personnel authorised to process personal data are bound by appropriate written obligations of confidentiality, and that access is granted on a need-to-know basis.
8. Personal data breach notification
HotelBee will notify the Customer without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a personal data breach affecting Customer Data. The notification will include the information available at the time and will be supplemented as further details become known.
9. Assistance to the Customer
Taking into account the nature of the processing, HotelBee will assist the Customer with appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to data subject rights requests, to carry out data protection impact assessments, and to consult supervisory authorities where required.
10. International data transfers
Where personal data is transferred outside the European Economic Area, HotelBee relies on appropriate safeguards, including the EU Standard Contractual Clauses (Module Two: Controller to Processor) and supplementary measures where required, in accordance with applicable case law and guidance.
11. Return or deletion of data
On expiry or termination of the subscription, HotelBee will, at the Customer's choice, return or delete all personal data within thirty (30) days, unless retention is required by applicable law. Backups will be deleted in accordance with HotelBee's standard retention schedule.
12. Audits
HotelBee will make available to the Customer all information necessary to demonstrate compliance with this DPA. Once per year, the Customer may request an audit conducted by an independent third-party auditor under appropriate confidentiality, at the Customer's expense and on reasonable notice.
13. Governing law
This DPA is governed by the same law that governs the Terms, except where overriding mandatory data protection law applies.
14. Contact
For DPA-related questions, write to privacy@hotelbee.co. To request a counter-signed copy of this DPA on your company's template, email management@hotelbee.co.