Data Protection

GDPR Compliance

At Hotelys, we take data protection seriously. We are fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and helping our customers do the same.

Our Commitment to Data Protection

Hotelys Ltd is registered with the UK Information Commissioner's Office (ICO) and processes personal data in accordance with the UK GDPR and Data Protection Act 2018.

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.

  • ICO registered data controller
  • Data Processing Agreements available
  • Regular security audits
  • Staff data protection training
  • Dedicated Data Protection Officer

Data Processing Agreement

All customers are covered by our standard Data Processing Agreement (DPA), which outlines our responsibilities as a data processor.

Request DPA

Your Data Rights

Under UK GDPR, you have comprehensive rights over your personal data. Here's what you can request from us.

Right to Access

You can request a copy of all personal data we hold about you.

Right to Rectification

You can request correction of inaccurate or incomplete data.

Right to Erasure

You can request deletion of your personal data in certain circumstances.

Right to Restrict Processing

You can limit how we use your data while we verify concerns.

Right to Data Portability

You can receive your data in a structured, machine-readable format.

Right to Object

You can object to processing based on legitimate interests or direct marketing.

For Hotel Operators

When you use Hotelys, you are the data controller for your guests' data. Here's how we help you stay compliant.

Data Processing Agreement

We provide a comprehensive DPA that outlines our role as your data processor and our obligations under UK GDPR.

Data Export Tools

Export guest data at any time to respond to data subject access requests or for your own records.

Data Deletion

Our platform supports the right to erasure. Delete guest records when legally permitted or required.

Consent Management

Capture and record guest consent for marketing communications and data processing activities.

Breach Notification

In the unlikely event of a data breach, we will notify you within 72 hours as required by UK GDPR.

Sub-Processor List

We maintain a transparent list of all sub-processors and notify you of any changes.

Questions about data protection?

Our Data Protection Officer is available to answer your questions about how we handle personal data.

Contact DPOView Privacy Policy