Data Processing Agreement (DPA)

GDPR Article 28 addendum to the HostMasters Service Agreement. Last updated: May 2026. Version: v1-2026.

1. Parties and Roles

• Controller: the Property Owner who is party to the Main Agreement.
• Processor: HostMasters Costa Tropical S.L., Almuñécar, Granada, Spain.

For Owner account data (name, billing, dashboard), HostMasters acts as an independent controller — see the Privacy Policy.

2. Subject Matter and Duration

Subject matter: processing of guest personal data and Owner property data as necessary to deliver the property-management services under the Main Agreement.

Duration: for the term of the Main Agreement, plus the legally mandated retention period for fiscal and SES records.

3. Nature, Purpose, Categories of Data, Data Subjects

Nature of processing: collection, storage, organisation, transmission, restriction, erasure, and disclosure to authorities where legally required.

Purpose: reservation management, guest registration (SES — RD 933/2021), access control (Smart Lock), check-in/out coordination, communication, fiscal reporting, dispute resolution.

Categories of personal data:

• Guest: name, email, phone, nationality, date of birth, government ID number, ID type, gender, address, stay dates.
• Owner: name, email, phone, language preference, billing data, property data.
• Crew: name, contact, score, task history, payout data.

Special categories (Art. 9): not processed by default. Owner must not upload special-category data without separate written agreement.

Data subjects: property owners, guests of those properties, Crew members assigned to those properties.

4. Processor Obligations (Art. 28(3))

HostMasters shall:

1. Documented instructions. Process personal data only on the Controller's documented instructions. The configuration of the platform and the terms of the Main Agreement constitute the Controller's documented instructions. Out-of-scope processing requires prior written authorisation.
2. Confidentiality. Ensure that persons authorised to process the data are bound by appropriate confidentiality obligations.
3. Security (Art. 32). Implement appropriate technical and organisational measures: TLS encryption in transit, encrypted backups, bcrypt password hashing, CSRF protection, rate limiting, role-based access control, audit logging, IP-based 2FA available, EU-based hosting for all primary processing (Vercel Frankfurt, Neon EU).
4. Sub-processors. Engage sub-processors only after at least 30 days' written notice to the Controller, who may object on reasonable grounds. The current list of sub-processors is published at /privacy §4.
5. Assistance with data-subject rights. Assist the Controller in responding to requests for access, rectification, erasure, restriction, portability, and objection. Where a data subject contacts HostMasters directly, we forward the request to the Controller without delay.
6. Breach notification. Notify the Controller without undue delay and at the latest within 72 hours of becoming aware of a personal data breach affecting guest data, providing all information reasonably available to enable the Controller to notify the AEPD (Art. 33) and data subjects (Art. 34) as required.
7. DPIA assistance. Assist the Controller with Data Protection Impact Assessments (Art. 35) and prior consultation with the AEPD (Art. 36) where required.
8. Termination. On expiry or termination of the Main Agreement: delete or return all guest personal data within 90 days, at the Controller's choice, except where Spanish or EU law requires longer retention (SES records, fiscal obligations — 6 years).
9. Audits. Make available all information necessary to demonstrate compliance with this DPA. Audits are conducted via written information requests; on- site audits require 30 days' notice and may be performed by an independent third-party auditor at the Controller's expense, no more than once per year.

5. International Transfers

Processing occurs primarily within the EU. Where sub-processors are located outside the EU (Anthropic, ElevenLabs, Google, Meta — all USA), transfers are governed by the European Commission's 2021 Standard Contractual Clauses (Module 2 — Controller to Processor or Module 3 — Processor to Sub-Processor as applicable) and supplementary measures (encryption in transit, contractual no-government-access clauses where available, IP anonymisation for analytics).

6. Liability and Indemnity

Liability under this DPA is governed by the limitation clauses of the Main Agreement. Each party indemnifies the other for damages arising from its own non-compliance with GDPR or this DPA.

7. Controller Obligations

The Owner (Controller) acknowledges and agrees to:

• Provide guests with a clear privacy notice and obtain any necessary consent or establish another lawful basis (Art. 6 GDPR) before submitting their data to the platform.
• Ensure data submitted is accurate and up to date.
• Not upload special categories of personal data (Art. 9), data relating to criminal convictions (Art. 10), or children's data beyond what is strictly required for SES.
• Comply with all applicable Spanish hospitality regulations (VUT, NRU, SES, Modelo 179, IRNR).

8. Term and Termination

This DPA enters into force on the date the Main Agreement is signed (electronically) and remains in force for the duration of the Main Agreement. Sections 4.8 (return/deletion), 4.9 (audits), 6 (liability) survive termination.

9. Governing Law

This DPA is governed by Spanish law and the courts of Granada. The Spanish Data Protection Authority (AEPD, www.aepd.es) is the competent supervisory authority.

10. Contact

HostMasters privacy contact: privacy@hostmasters.es
Postal: HostMasters Costa Tropical S.L., Almuñécar (Granada), Spain

By signing the Main Service Agreement, the Owner is deemed to have signed this DPA as an addendum. A separate countersigned PDF can be requested by email.