Guesto

Data Processing Agreement

Last updated: January 30, 2026

Who is this for? This Data Processing Agreement (DPA) applies to Hosts who use Guesto to collect and process guest data. By using Guesto, you automatically agree to this DPA.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Guesto ("Processor", "we", "us") and you ("Controller", "Host", "you") and governs the processing of personal data by Guesto on your behalf.

This DPA is designed to ensure compliance with Article 28 of the General Data Protection Regulation (GDPR) and reflects the data processing relationship between Guesto and its Host customers.

2. Definitions

  • "Controller" means you (the Host) who determines the purposes and means of processing guest personal data.
  • "Processor" means Guesto, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person (guest/traveler).
  • "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
  • "Guest Data" means personal data of travelers/guests submitted through inquiry forms, contact forms, request forms, reviews, or other means on property pages.
  • "Sub-processor" means any third party engaged by Guesto to process Guest Data.

3. Roles and Responsibilities

3.1 Controller (Host)

As the Controller, you are responsible for:

  • Determining the purposes for which Guest Data is collected and processed
  • Ensuring a valid legal basis exists for processing (e.g., legitimate interest, consent)
  • Providing appropriate privacy notices to guests
  • Responding to data subject requests (access, deletion, etc.)
  • Ensuring compliance with applicable data protection laws
  • Notifying us promptly if processing instructions may violate data protection laws

3.2 Processor (Guesto)

As the Processor, Guesto will:

  • Process Guest Data only on your documented instructions
  • Ensure personnel authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject requests
  • Assist you with data protection impact assessments when required
  • Delete or return Guest Data upon termination (subject to legal retention requirements)
  • Provide information necessary to demonstrate compliance with GDPR

4. Subject Matter and Purpose of Processing

Guesto processes Guest Data for the following purposes on behalf of the Controller:

  • Storing and displaying guest inquiries and requests
  • Facilitating communication between Hosts and guests
  • Managing booking information and guest records
  • Storing and displaying guest reviews
  • Providing analytics and insights about property performance
  • Enabling compliance with local tax and registration requirements

5. Types of Personal Data Processed

The following categories of Guest Data may be processed:

  • Identity Data: Name, nationality (for compliance purposes)
  • Contact Data: Email address, phone number
  • Booking Data: Check-in/check-out dates, number of guests, special requests
  • Communication Data: Messages, inquiries, review content
  • Technical Data: IP address, browser type, device information

6. Data Subject Categories

The data subjects whose personal data is processed under this DPA are:

  • Guests and travelers who submit inquiries or make bookings
  • Individuals who submit reviews or feedback
  • Visitors who interact with property pages

7. Duration of Processing

Guesto will process Guest Data for the duration of the service agreement. Upon termination:

  • Guest Data will be retained for 90 days to allow for account reactivation
  • After 90 days, Guest Data will be deleted unless legally required to retain it
  • Certain data may be retained for up to 7 years for tax compliance purposes
  • You may request earlier deletion through our GDPR portal

8. Security Measures

Guesto implements appropriate technical and organizational measures to protect Guest Data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Control: Role-based access, multi-factor authentication for staff
  • Secure Infrastructure: Hosted on SOC 2 compliant cloud providers
  • Monitoring: Security monitoring, intrusion detection, audit logging
  • Incident Response: Documented procedures for security incidents
  • Employee Training: Regular security and privacy awareness training
  • Penetration Testing: Regular security assessments and vulnerability scanning

9. Sub-processors

Guesto uses the following sub-processors to provide the service:

Sub-processor     Purpose               Location
Vercel Inc.       Application hosting   EU (Frankfurt)
Neon Inc.         Database hosting      EU (Frankfurt)
Stripe Inc.       Payment processing    EU/US
Resend Inc.       Email delivery        US
Cloudflare Inc.   CDN and security      Global

You authorize us to engage these sub-processors. We will notify you of any changes to sub-processors with at least 30 days' notice, allowing you to object.

10. International Data Transfers

Guest Data is primarily stored within the European Economic Area (EEA). When data is transferred outside the EEA (e.g., to US-based sub-processors), we ensure adequate protection through:

  • EU-US Data Privacy Framework certification of the recipient
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures where required

11. Data Subject Rights

When we receive a data subject request from a guest regarding their data:

  • We will promptly notify you (the Controller) of the request
  • We will not respond directly to the guest unless you instruct us to
  • We will provide reasonable assistance to help you respond within GDPR timelines
  • We offer self-service tools for guests at /gdpr

12. Data Breach Notification

In the event of a personal data breach affecting Guest Data:

  • We will notify you without undue delay (and within 48 hours where feasible)
  • We will provide information about the nature of the breach, categories of data affected, and remedial measures taken
  • We will cooperate with you in notifying data protection authorities and affected individuals as required
  • We will document all breaches and our response actions

13. Audit Rights

To demonstrate compliance with this DPA:

  • We maintain documentation of our processing activities and security measures
  • We provide security certifications and audit reports upon reasonable request
  • We permit audits by you or an independent auditor with reasonable notice (costs borne by you)
  • We cooperate with supervisory authority investigations

14. Liability

Each party remains liable for its own breaches of data protection laws. Guesto's total liability under this DPA is subject to the limitations in our Terms of Service.

15. Amendments

We may update this DPA to reflect changes in law or our processing activities. Material changes will be notified with at least 30 days' notice. Continued use of the service after changes take effect constitutes acceptance.

16. Contact

For questions about this DPA or data processing matters: