GDPR
Data Processing Addendum
Draft for review before customer signature.
Purpose
This draft describes how Roomrise processes customer data when providing the Roomrise SaaS service. It must be reviewed and completed with the final legal entity details before it is signed or attached to a customer contract.
Roles
The customer acts as data controller for data imported into Roomrise. Roomrise acts as processor for account, hotel and operating data processed to provide the service.
Processing Instructions
Roomrise processes customer data only to provide, secure, support and improve the service, or as required by law. The customer must not import unnecessary personal data, especially guest names or guest contact details, unless a signed contract expressly allows it.
Security
Roomrise uses account authentication, CSRF protection, rate limiting, scoped organization access, password hashing, export/delete controls, HTTPS in production and production backup procedures. Production backup, monitoring and hosting details must be completed before paid launch.
Subprocessors
The active subprocessors are listed in the privacy policy. Provider names, regions and data categories must be verified before this DPA is used commercially.
Deletion and export
Roomrise provides account export and owner-triggered organization deletion from the Account page. Backups may retain deleted data for a limited retention period defined in the production backup policy.
Open legal fields
Final company identity, registered address, applicable law, jurisdiction, liability cap, subprocessor table and breach contact must be completed by the operator and reviewed by counsel before paid customer signature.