Updated as of January 4, 2026
1.1. Who We Are. ForHotel PMS (hereinafter referred to as "We", "Company", "System") is a cloud-based hotel management system (SaaS).
1.2. Our Roles in Data Protection. In accordance with GDPR and international standards, we act in two different roles depending on the circumstances:
We as Data Controller: With regard to the personal data of our direct Clients (hotel owners, managers), their staff, and visitors to our website. We determine ourselves why we need this data (for example, for billing or marketing purposes).
We as Data Processor: With regard to the personal data of Guests entered into the System by our Clients (hotels). We process this data solely on the Client's (hotel's) instructions, based on the Service Agreement and the Data Processing Agreement (DPA). The accommodation provider is the Data Controller of guest data.
1.3. ISO/IEC 27001 Compliance. Our Information Security Management System (ISMS) is built in accordance with the ISO 27001 standard. We ensure data integrity, confidentiality, and continuous availability through regular audits, access control, and encryption.
1.4. GDPR Compliance (European Union and United Kingdom) We ensure a high level of data protection for users from the EEA and the United Kingdom, guaranteeing the right to access, portability, and deletion of data, and using Standard Contractual Clauses (SCCs) for international data transfers.
1.5. CCPA Compliance (USA, California) We comply with the requirements of the California Consumer Privacy Act:
We do not sell personal data of Clients or Guests to third parties.
We provide users with the right to know which categories of data are collected and the right to request deletion.
We ensure non-discrimination of users who exercise their privacy rights.
1.6. LGPD Compliance (Brazil) In accordance with Brazil's General Data Protection Law, we:
Clearly define legal grounds for each processing activity.
Ensure data processing security throughout Brazil and during cross-border transfers.
Appoint a Data Protection Officer (DPO) to communicate with the Brazilian regulator (ANPD).
We collect and process data depending on your role in interacting with ForHotel PMS. We strictly adhere to the principle of data minimization: we collect only the information necessary to provide the service, ensure security, and fulfill legal requirements.
2.1. Marketing Site Visitors and Potential Clients We collect data when you visit our website, fill out forms to get demo access, or contact the sales department:
Contact Data: Name, personal or corporate email, phone number, address, accommodation name.
Business Data: Accommodation name, number of rooms, website.
Technical Data (automatically): IP address, unique device identifiers (UUID), page behavior data collected via Cookies.
2.2. Clients (Hoteliers) and Their Staff This is data of users who have access to the ForHotel PMS control panel (Administrators, Managers, Investors, and other hotel staff).
Account Data: Full name, work email, position (e.g., Administrator, Manager, Investor), avatar (profile photo).
Professional Activity: All data and actions generated when working with the system.
Financial and Transactional Data: Transaction history for ForHotel PMS SaaS services subscription.
Technical Data and Audit (ISO 27001 requirement): IP address of each login, browser data, and more.
Audit Logs: Detailed records of each user's actions in the system (who, when, and what action they took).
Communication Data: Records of technical support requests and correspondence within the System.
2.3. Hotel Guest Data (We as Data Processor) The System allows the Client to store the following about their guests:
Guest Profile: Full name, date of birth, gender, citizenship, residential address.
Documents: Passport data, ID cards, visa details.
Stay Details: Check-in and check-out dates, room number, booking history.
Services: Information about ordered breakfasts, SPA services, transfers, etc.
Guest Financial Data: Generated invoices, payment history, payment card tokens.
Special Requests: Comments regarding allergies, room preferences.
To ensure the stable operation of the ForHotel PMS System and to analyze the effectiveness of our marketing website, we use Cookies, web beacons, and similar tracking technologies.
3.1. What are Cookies? Cookies are small text files that are stored on your device (computer, tablet, or smartphone) when you visit a website. They allow us to recognize your device, ensure secure access, and improve the user experience.
3.2. Types of Cookies We Use We classify Cookies by their purpose:
Essential (Strictly Necessary): These files are critical for the operation of ForHotel PMS. They ensure secure user authorization, maintain an active session, and prevent fraudulent activities. Without these Cookies, using the System is technically impossible.
Functional (Preference): Allow the System to remember your choices (e.g., selected interface language, hotel time zone, or individual settings for the 'Calendar/Rack' display).
Statistical and Analytical (Performance): We use them to collect anonymous information about how Clients interact with the site and the System. This helps us optimize interface speed and popular features.
Marketing and Advertising (Marketing): Used on our marketing website to personalize advertising offers (retargeting) and evaluate the effectiveness of advertising campaigns.
3.3. Managing Cookies You have the right to manage the use of Cookies yourself:
On the site: You can choose the level of Cookie usage through the built-in Cookie banner (Consent Manager).
In the browser: You can configure your browser to refuse all or specific Cookies.
Please note: If you block all Cookies (including technical ones), you will not be able to use the ForHotel PMS control panel, as the System will not be able to identify your session and ensure secure login.
3.4. Third-Party Services and Tools For analysis and promotion, we use:
Analytics and Statistics: Google Analytics, Google Tag Manager, Hotjar, Mixpanel.
Advertising and Retargeting: Google Ads, Facebook (Meta) Pixel, LinkedIn Insight Tag, Twitter (X) Ads, TikTok Pixel.
Communications and Support: Intercom, Zendesk, HubSpot.
We process your data only when there is a legal basis. According to Article 6 of the GDPR and similar provisions in international law (UK GDPR, LGPD, CCPA), such bases for ForHotel PMS are:
4.1. Contractual Necessity We process data of Clients and their staff to provide ForHotel PMS services, namely:
Creating and maintaining your account.
Providing full access to the System's functional modules included in your current contract plan (tariff plan).
Providing technical support and handling user requests.
Processing payments for using the System.
4.2. Legitimate Interests We process data for purposes essential to the development and security of our business, provided this does not override your fundamental rights:
Ensuring Security (ISO 27001): Monitoring system logs, preventing cyberattacks, detecting suspicious activity, and protecting against fraud.
Product Improvement: Analyzing System usage to improve the interface and develop new features.
B2B Marketing: Sending offers and news to hoteliers who have shown interest in our product (where permitted by local law).
4.3. Legal Obligation We may process data when necessary to comply with legal requirements:
Retaining financial and tax records.
Responding to lawful requests from government or law enforcement agencies.
4.4. Consent In certain cases, we ask for your voluntary consent:
Using marketing Cookies on our website.
Subscribing to our hotel market newsletter.
4.5. Guest Data Processing (as Processor) For guest data entered by the Client into the System, the legal basis for processing is determined by the Accommodation Provider (e.g., fulfilling a hotel services contract or complying with immigration laws). ForHotel PMS provides the technical means for such processing according to the Hotel's instructions.
This section governs the relationship in which the Client (Accommodation Provider) acts as the Data Controller of their guests' data, and ForHotel PMS acts as the Processor.
5.1. Limitation of the System's Role We provide the Client solely with the digital infrastructure and tools to manage the property. We do not determine what guest data the Accommodation Provider collects, for what purpose they do it, and how long they retain it. All guest data is processed by us strictly based on the Client's instructions and within the technical functionality of the System.
5.2. Client's Obligations as Controller The Client guarantees and bears full responsibility for ensuring that they:
Have a legal basis for collecting and entering guest data into the System (e.g., fulfilling an accommodation contract, guest consent, or legal requirements).
Have provided guests with proper notice regarding how their data is processed within their Accommodation Provider.
Ensure the legality of collecting sensitive data (passport details, visas, etc.).
5.3. Exercising Data Subjects' Rights (Guests) Under GDPR and other regulations, guests have the right to access, update, or delete their data.
Guest Requests: If a guest contacts ForHotel PMS directly with a request regarding their data, we will forward such request to the Client within 3 (three) business days.
Technical Assistance: The System provides the Client with the functional capabilities to independently fulfill guest requests (profile deletion, data anonymization, or exporting information in a machine-readable format).
5.4. Use of Sub-processors To ensure the stable operation of the System, we engage trusted third-party service providers (e.g., cloud server providers). We guarantee that such Sub-processors adhere to security standards no lower than those described in this Policy and hold ISO 27001 certification.
5.5. Guest Data Security We implement technical and organizational measures to protect guest data from accidental destruction, loss, or unauthorized access; however, the Client bears responsibility for access to the System through the logins and passwords of the Accommodation Provider's staff.
In accordance with the ISO/IEC 27001 standard, we have implemented a comprehensive set of measures to protect data from unauthorized access, loss, or alteration.
6.1. Data Encryption
All data is transmitted over a secure connection using encryption protocols (TLS).
Sensitive information is stored in databases in an encrypted format.
6.2. Backup We regularly create data backups. This ensures that in the event of a technical failure, all information can be quickly and fully restored.
6.3. Access Control and Audit
Only authorized employees have access to data to perform their job duties.
The system records all key user actions in audit logs, allowing any changes to be tracked.
6.4. Infrastructure Security (AWS): We use Amazon Web Services (AWS) servers in the following regions:
Frankfurt, Germany (EU Central);
Ireland (EU West);
Northern Virginia, USA (US East). Locations may expand. All providers are ISO 27001 certified.
6.5. Incident Response In the event of any threat to data security, we act in accordance with GDPR protocols and immediately notify our Clients.
7.1. Data Retention We retain data only for the period necessary to fulfill the purposes described in this Policy:
Account and Professional Activity Data: Retained throughout the duration of the Client's contract (subscription).
After Contract Termination: We retain the Client's data for 30 days so you can download your information. After this period, the data is deleted or anonymized unless the law requires longer retention (e.g., for financial reporting).
Guest Data: The Client independently determines the retention period for this data in the System. When the Client deletes data, it is permanently removed from our active databases within a short technical period.
7.2. Your Rights (under GDPR, CCPA, LGPD) As a user (data subject), you have the following rights:
Right of Access: You can request a copy of your personal data that we store.
Right to Rectification: You can request the correction of inaccurate or outdated data.
Right to Erasure ('Right to be Forgotten'): You can request the deletion of your data if it is no longer needed for the purposes for which it was collected.
Right to Restriction of Processing: You can ask us to temporarily suspend the processing of your data.
Right to Data Portability: You have the right to receive your data in a structured electronic format to transfer to another service.
Right to Withdraw Consent: If processing is based on consent (e.g., marketing), you can withdraw it at any time.
7.3. How to Exercise Your Rights To exercise any of these rights, you can:
Independently change or delete data in your System profile settings.
Send an official request to our support team.
We will respond to your request within 30 days (or sooner, as required by local law).
7.4. Changes to this Policy We may periodically update this Policy in response to changes in the System or legislation. We will notify you of any material changes via email or through in-System notifications.