Privacy Policy

Last updated: April 2026

1. Who we are

GuestDock (“we”, “us”, “our”) provides a white-label guest check-in platform for property managers. We act as a data processor on behalf of property managers (our customers), who are the data controllers for guest personal data.

2. What data we collect

2a. Property managers (customers)

• Account information: name, email, company name
• Billing information: processed by Mollie (we do not store card details)
• PMS credentials: encrypted at rest with AES-256-GCM

2b. Guests (end users)

On behalf of the property manager, we collect:

• Identity document image (passport, ID card, driving licence)
• Extracted identity data: name, date of birth, nationality, document number, sex
• Face images for liveness verification (when enabled)

Document images and face images are processed for identity verification and are not retained longer than necessary to complete the check-in and any legally required police registration.

3. Why we process this data

• Identity verification: To verify the guest's identity using AI-powered document analysis.
• Police registration: To submit guest data to government authorities as required by local law (e.g., SES Hospedaje in Spain, Alloggiati Web in Italy).
• PMS synchronisation: To sync verified guest data back to the property manager's PMS.

4. Legal basis

• Guest data: Legal obligation (police registration laws) and legitimate interest of the property manager.
• Customer data: Contract performance (providing the service) and legitimate interest (billing, support).

5. Data sharing

We share personal data only with:

• Government authorities: As required by police registration laws in the guest's destination country.
• Google (Gemini AI): Document images are sent to Google's Gemini API for identity extraction. Google's API data processing terms apply.
• PMS providers: Verified guest data is synced back to the property manager's PMS.
• Mollie: For payment processing. Mollie's privacy policy applies.

6. Data retention

• Guest identity data: Retained for the legally required period in the applicable jurisdiction (typically 3 years in Spain, 5 years in Italy), then deleted.
• Customer account data: Retained while the account is active, deleted within 30 days of account closure.

7. Your rights

Under GDPR, you have the right to access, rectify, erase, restrict processing, data portability, and object to processing. Contact us at privacy@guestdock.eu.

Guests should contact the property manager (data controller) to exercise their rights. We will assist the property manager in fulfilling these requests.

8. Security

All sensitive data (PMS credentials, police registration passwords) is encrypted at rest using AES-256-GCM. All data in transit is encrypted via TLS. We use Supabase for database hosting with row-level security enabled.

9. Contact

For privacy-related inquiries: privacy@guestdock.eu