PRIVACY POLICY
Last modified: May 20, 2026
At GuestAdmin.io, we are committed to protecting the privacy of our customers (Property Owners and Managers) and the travelers whose data we process. This policy describes how we collect, process, store, and protect personal information in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the Data Protection Act 2018.
1. Data Controller for Client Data & Data Processor:
Hub Connect Limited
WBASL, Sullivan Court
Wessex Business Park
Colden Common
Winchester, Hampshire
SO21 1WP. United Kingdom
Email: [email protected]
Website: www.guestadmin.io
Global Presence:
- EU Office: Malaga Central, Spain
- UK Office: Winchester, Hampshire
- US Office: San Francisco, California
2. PERSONAL DATA WE COLLECT
2.1 Client Data (Property Owners and Managers)
We collect data necessary to provide our services and manage your account:
- Contact Information: Name, email, phone number, company name.
- Account Credentials: Encrypted passwords and API keys.
- Billing Information: Payment details (processed via secure third-party providers like Stripe or PayPal).
- Property Information: Address and registration details for government platforms.
2.2 Travellers´ data (Processed on behalf of Clients)
In compliance with various national security and tourist laws (e.g., Spain’s Royal Decree 933/2021, Italy’s Alloggiati Web, Croatia’s eVisitor), we process:
- Identity Data: Full name, nationality, ID/Passport number, date of birth.
- Stay Details: Property address, arrival/departure dates, relationship between guests (for minors).
- Digital Signatures: Captured during the automated check-in process.
- Traveler Data: Stored securely for 3 to 5 years depending on the specific national legal requirements of the property location (e.g., 3 years for Spain), after which it is automatically deleted or anonymized.
- Client Data: Retained for the duration of the service agreement and for up to 6 years following termination to comply with tax and legal record-keeping obligations.
We implement advanced technical and organizational measures to protect your data, including:
- 2048-bit Encryption: For all data transfers.
- Encrypted Storage: Data is encrypted at rest.
- Access Controls: Strict internal access policies and multi-factor authentication (MFA).
- Regular Audits: Periodic security assessments and penetration testing.
As a global service, GuestAdmin may process data in the EU, UK, and USA.
- Transfers from the EEA to the UK/USA or vice versa are conducted using Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework, or based on Adequacy Decisions where applicable, ensuring an equivalent level of protection.
We do not sell personal data. Data is shared only with:
- Government Authorities: Police and tourism bodies as required by law.
- Sub-processors: Trusted cloud providers (e.g., AWS), payment processors, and technical support tools, all bound by strict Data Processing Agreements (DPAs).
Under EU and UK GDPR, you have the right to:
- Access & Portability: Request a copy of your data.
- Rectification: Correct inaccurate data.
- Erasure (“Right to be Forgotten”): Request deletion of data (subject to legal retention requirements).
- Objection & Restriction: Object to processing based on legitimate interests.
- Withdraw Consent: At any time for marketing activities.
To exercise these rights, contact us at **[email protected]**.
If you believe your data has been mishandled, you have the right to lodge a complaint with a supervisory authority:
- UK (ICO): www.ico.org.uk
3. PURPOSES OF THE PROCESSING
3.1 Our clients´ data (property owners/managers)
- Regulatory compliance: In compliance with Royal Decree 933/2021, GuestAdmin transmits the identification data of property owners or legal entities managing the tourist accommodations to the Ministry of the Interior of Spain, through the SES.HOSPEDAJES platform.
- Administrative and customer management: Billing, technical assistance, support, and contact.
- Security and auditing: System monitoring to ensure proper functioning and security.
- Informative communications: Updates, service improvements, and, in some cases, commercial communications (with prior consent).
3.2 Travellers´ data
GuestAdmin.net processes guest data on behalf of the data controller, our clients, for the exclusive purpose of:
- Regulatory compliance: Mandatory registration and communication of travellers’ data to the Ministry of Interior’s SES.HOSPEDAJES platform (Royal Decree 933/2021).
- Service provision: Automated management of travellers´ entry forms for tourist accommodations.
4. LEGAL BASIS FOR PROCESSING
- Compliance with a legal obligation: The processing of personal data is carried out on the legal basis established in Article 6.1(c) of the General Data Protection Regulation (GDPR), as it is necessary for compliance with a legal obligation imposed by Royal Decree 933/2021, which requires the identification and reporting of both property owners and travellers to the Spanish Ministry of the Interior.
- Contract execution: The processing of personal data belonging to property owners or managers is carried out under Article 6.1(b) of the GDPR, as it is necessary for the performance of the service agreement, they have entered into with GuestAdmin.net.
- Legitimate interest: In addition to processing based on contractual necessity or legal obligations, GuestAdmin.net also processes certain personal data under its legitimate interests, in accordance with Article 6.1(f) of the General Data Protection Regulation (GDPR). These legitimate interests include:
- Ensuring the security and stability of our platform and systems
- Detecting and preventing fraudulent or unauthorized activity
- Improving the performance, usability, and quality of our services
- Keeping internal logs for accountability and technical troubleshooting
- Communicating important non-commercial system or service updates to users
A Legitimate Interest Assessment (LIA) has been conducted to ensure that these processing activities are necessary, proportionate, and do not override the rights and freedoms of the data subjects.
Data subjects have the right to object to processing based on legitimate interests at any time by contacting us at: [email protected].
5. DATA RETENTION AND SECURITY MEASURES
Data retention is determined by the type of data and the legal or operational purpose for which it is collected:
- Travellers´ data is retained for a period of three (3) years in compliance with Royal Decree 933/2021, after which it is securely deleted or anonymized.
- Property owner and manager data is retained for the duration of the contractual relationship and, where applicable, for additional periods necessary to comply with legal obligations (e.g., tax or regulatory requirements).
- Platform usage logs and technical records may be retained for a reasonable period to ensure platform security, detect misuse, or resolve operational issues.
Once the applicable retention period has expired, the data is either securely deleted or, where possible, pseudonymized or anonymized for analytical purposes.
6. TRANSFERS AND ACCESS TO DATA BY THIRD PARTIES
GuestAdmin.net does not sell or share personal data with third parties for commercial purposes. However, access to and communication of data may occur in the following contexts, always under strict legal and contractual safeguards:
Legal obligations and public authorities
Personal data of both travellers and accommodation providers will be communicated to the Spanish Ministry of the Interior and competent law enforcement authorities through the SES.HOSPEDAJES platform, in strict compliance with Royal Decree 933/2021. This includes identity and booking information that must be registered and reported by law.
Service Providers (Data Processors)
To ensure the proper operation, security, and delivery of our services, GuestAdmin.net may engage trusted third-party providers who act as Data Processors on our behalf. These may include:
- Cloud infrastructure and hosting providers
- Electronic signature and identity verification platforms
- IT maintenance, cybersecurity, and communication tools
- Analytics and internal support systems
All processors are bound by written agreements pursuant to Article 28 of the GDPR, and process data solely under our instructions and with appropriate security measures.
International data transfers
As a rule, GuestAdmin does not carry out international transfers of personal data. If any processing involves data transfers outside the European Economic Area (EEA), such transfers will be conducted only with adequate safeguards, including:
- EU Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Other lawful transfer mechanisms as provided by the GDPR
7. USER RIGHTS
In accordance with Articles 12 to 23 of the General Data Protection Regulation (GDPR), all individuals whose personal data is processed by [Company Name] — including property owners, managers, and guests — have the following rights:
Right of Access
You have the right to obtain confirmation as to whether or not your personal data is being processed, and, where applicable, access to such data and information regarding its use.
Right to Rectification
You have the right to request the correction of inaccurate or incomplete personal data.
Right to Erasure
You may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if the processing is unlawful.
However, this right is limited in cases where we are required to retain data by law. In particular, Royal Decree 933/2021 obliges the storage of certain personal data (e.g. traveller and accommodation provider identification data) for a period of three (3) years, for public security purposes.
During this retention period, the data will be securely stored, access will be restricted, and it will not be processed for any purpose other than compliance with the applicable legal obligation.
Once the mandatory retention period expires, the data will be permanently erased or anonymized.
Right to Restriction of Processing
You may request that we restrict the processing of your data in certain cases, such as during the verification of accuracy or legality of the data processing.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller, where technically feasible.
Right to Object
You may object at any time to processing based on legitimate interest (Article 6.1(f)), unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of the processing carried out before the withdrawal.
Right to Lodge a Complaint
You have the right to file a complaint with a supervisory authority, particularly in the EU Member State of your residence, place of work, or where the alleged infringement occurred. In Spain, this is the Agencia Española de Protección de Datos (AEPD): www.aepd.es
To exercise any of these rights, you may contact us at:
[email protected]
We may need to verify your identity before processing your request, in order to protect your privacy and the rights of others.
8. COOKIE POLICY
We use cookies to improve user experience. See our Cookie Policy for more details.
9. MODIFICATIONS TO THIS POLICY
GuestAdmin.net reserves the right to update or modify this Privacy Policy at any time, in order to reflect changes in our services, legal obligations, or data protection practices.
Any changes will be published on this page with an updated “Last modified” date at the top of the document. If the changes are significant or materially affect your rights, we will provide a more prominent notice or directly notify you, when required by applicable law.
We encourage you to review this policy periodically to stay informed about how we process and protect your personal data.
10. CONTACT
For any privacy-related questions:
Hub Connect Limited
WBASL, Sullivan Court
Wessex Business Park
Colden Common
Winchester, Hampshire
SO21 1WP. United Kingdom
Email: [email protected]
Website: www.guestadmin.io
© All rights reserved.