Privacy Policy
Last updated: April 2026
1. Data Controller & DPO
Data Controller: HostMasters Costa Tropical S.L. ("HostMasters"), Almuñécar, Granada, Spain. CIF pending registration.
Data Protection Officer (DPO): A formal DPO is not currently required under GDPR Art. 37 given our scale (no core large-scale monitoring or processing of special categories). For all privacy matters, including exercising rights or filing complaints, contact: privacy@hostmasters.es.
We will appoint a designated DPO if mandated by future scale or regulatory change and publish the contact here.
2. Data We Collect
- Account data: name, email, phone, language preference
- Property data: address, photos, house rules, Smart Lock codes
- Financial data: Stripe customer ID, payout history (we never store card numbers)
- Guest data: name, nationality, ID number, check-in/out dates (required by Spanish law — SES/Registro de Viajeros)
- Usage data: pages visited, feature usage, AI assistant conversations
- Crew data: task completion records, photos, scores, payout history
3. Legal Basis (GDPR Art. 6)
- Contract performance: account management, payout processing, property management
- Legal obligation: guest registration (SES), tax reporting (Modelo 179, IRNR)
- Legitimate interest: platform security, fraud prevention, service improvement
- Consent: marketing communications, AI-powered features, cookies
4. Data Processors
| Processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | Card payments, Stripe Connect payouts | EU (Ireland) |
| Vercel Inc. | Application hosting + CDN | EU (Frankfurt) |
| Neon Inc. | PostgreSQL database (Neon serverless) | EU |
| Resend Inc. | Transactional email delivery | EU |
| Anthropic PBC | AI features (Claude — assistants, pricing, monitoring, broadcast translation) | US (SCCs in place) |
| ElevenLabs Inc. | Voice AI for post-stay guest feedback (VAGF) | US (SCCs in place) |
| Nuki Home Solutions GmbH | Smart Lock integration (rotating guest codes, entry logs) | EU (Austria) |
| Twilio Ireland Ltd. | SMS notifications (optional) | EU (Ireland) |
| Google LLC | Google Analytics 4 — only if you accept analytics cookies | US (SCCs, IP anonymisation) |
| Meta Platforms Inc. | Meta Pixel — only if you accept marketing cookies | US (SCCs) |
| Sentry Inc. | Error tracking + performance monitoring | EU |
A formal Data Processing Agreement (Art. 28 GDPR) is in place with each processor. Property owners acting as data controllers for guest data can request the HostMasters Owner DPA as an addendum to their service agreement — email privacy@hostmasters.es.
5. Data Retention
- Account data: until account deletion + 30 days
- Financial records: 6 years (Spanish fiscal obligation)
- Guest registration data: as required by SES regulations
- AI conversation logs: 90 days
- Notifications: 90 days (read) / 180 days (unread)
6. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a portable format (data portability)
- Withdraw consent at any time
To exercise these rights, email privacy@hostmasters.es. You may also file a complaint with the Spanish Data Protection Authority (AEPD).
7. Automated Decision-Making (GDPR Art. 22)
The platform uses automated systems with significant operational impact. We disclose them here so you can exercise your right to information, contest decisions, and request human review.
- AI Pricing engine: recommends nightly rates per property using your historical data, competitor scraping, and seasonality signals. Recommendations are advisory only — owners and Managers can override every price.
- Crew Score system: assigns an automated score (0–500+) to Crew based on task completion, photo verification, owner reviews, and timeliness. The score affects task allocation and per-task rate (level bonus 0/+5/+10/+15 %). Crew may request human review of any score change by contacting their Captain or Admin.
- AI Monitor: runs 21 daily checks on reservations, payouts, and listings to flag anomalies. Findings trigger admin alerts; no automatic punitive action is taken against owners or Crew without human review.
- Lead Triage: classifies inbound leads by likely fit. The classification is informational — final outreach is performed by a human Manager.
You have the right to obtain human intervention, express your point of view, and contest any automated decision affecting you. Email privacy@hostmasters.es.
8. Children's Data
The platform is not intended for users under 18. We do not knowingly process personal data of minors. Guest registration data may include minors (e.g., children traveling with families) only when required by SES regulations and is retained only for the minimum legal period.
9. Cookies
We use essential cookies for authentication and language preference. Analytics (Google Analytics) and marketing (Meta Pixel) cookies are only set with your consent. See our Cookie Policy for the full list.
10. International Transfers
Some processors (Anthropic) are based outside the EU. Transfers are covered by Standard Contractual Clauses (SCCs) and/or adequacy decisions where available.
11. Security
We implement TLS encryption, bcrypt password hashing, CSRF protection, rate limiting, and Content Security Policy headers. Access to personal data is restricted by role-based access control.
12. Changes
We may update this policy. Material changes will be communicated via email and in-app notification.