
GDPR Compliance

Last updated: January 2026

Our Commitment to GDPR

Hotel Waitlist is fully committed to compliance with the General Data Protection Regulation (GDPR). We have implemented comprehensive measures to protect personal data and uphold the rights of data subjects.

1. Our Role Under GDPR

1.1 As Data Controller

Hotel Waitlist acts as a data controller for:

  • Hotel client account information
  • Website visitor data on hotelwaitlist.io
  • Marketing communications to prospective clients

1.2 As Data Processor

Hotel Waitlist acts as a data processor for:

  • Guest waitlist data collected on behalf of hotel clients
  • Email communications sent on behalf of hotels
  • Analytics and tracking data for hotel clients

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

| Processing Activity | Lawful Basis |
|---|---|
| Providing our service to hotels | Contract performance |
| Processing guest waitlist signups | Consent (obtained by hotel) |
| Sending availability notifications | Consent / Legitimate interest |
| Analytics and service improvement | Legitimate interest |
| Marketing to prospective clients | Consent / Legitimate interest |
| Legal compliance | Legal obligation |

3. Data Subject Rights

Under GDPR, individuals have the following rights:

Right of Access

Request a copy of your personal data we hold.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing

Request limitation of how we process your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or direct marketing.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at dpo@hotelwaitlist.io. We will respond within 30 days.

If you signed up for a hotel's waitlist, please contact the hotel directly as they are the data controller for your information.

4. Data Processing Agreement

We provide a Data Processing Agreement (DPA) to all hotel clients, which includes:

  • Details of processing activities
  • Technical and organizational security measures
  • Sub-processor list and notification procedures
  • Data breach notification commitments
  • Assistance with data subject requests
  • Data deletion and return procedures

Contact us at legal@hotelwaitlist.io to request a copy of our DPA.

5. International Data Transfers

When transferring data outside the European Economic Area (EEA), we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with service providers outside the EEA.
  • Adequacy Decisions: We transfer data to countries with EU adequacy decisions where applicable.
  • Data Localisation: Where possible, we process EU data within the EEA.

6. Security Measures

We implement comprehensive security measures including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Regular security audits and penetration testing
  • Access controls with role-based permissions
  • Multi-factor authentication for all staff
  • Regular staff training on data protection
  • Incident response procedures
  • Business continuity and disaster recovery plans

7. Data Breach Procedures

In the event of a personal data breach:

  • We will notify affected hotel clients within 24 hours of becoming aware
  • We will assist hotels in meeting their 72-hour notification obligation to supervisory authorities
  • We will provide all necessary information about the breach
  • We maintain detailed breach logs and conduct post-incident reviews

8. Sub-Processors

We use the following sub-processors to deliver our service:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting | EU (Belgium) |
| Mailjet | Email delivery | EU (France) |
| Stripe | Payment processing | EU (Ireland) |

We notify hotel clients of any changes to our sub-processor list.

9. Data Retention

We retain personal data only as long as necessary:

  • Guest waitlist data: As directed by the hotel client, typically up to 24 months
  • Hotel account data: Duration of the relationship plus 7 years for legal compliance
  • Analytics data: Aggregated and anonymised after 26 months
  • Support communications: 3 years after resolution

10. Contact Information

Data Protection Officer

Email: dpo@hotelwaitlist.io

Address: Hotel Waitlist Ltd, London, United Kingdom

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113

© 2026 Hotel Waitlist. All rights reserved.