Plan4Host

Privacy Policy

Last updated: 12 November 2025

This Privacy Policy explains how Plan4Host (operated by BOA DIGITAL SOLUTIONS SRL) (“we”, “us”) collects and uses your personal data on plan4host.com and www.plan4host.com(the “Website”) and within our application (after login). We comply with the EU General Data Protection Regulation (GDPR).

1. Roles & contact

For the website and our own account/billing/ops data, BOA DIGITAL SOLUTIONS SRL acts as data controller.

For guest data processed on behalf of properties (online check‑in, rooming lists, iCal, etc.), we act as a data processor, and the property (hotel/host) is the data controller.

Controller contact for website/account matters: BOA DIGITAL SOLUTIONS S.R.L., CIF/CUI 51680505, Str. Pietroasele 24, Buzău, Romania. Email: office@plan4host.com. (No DPO appointed.)

2. What data we collect

  • Account data: email address, password (hash only, never plaintext), profile details you provide (e.g., display name), organization/property information.
  • Authentication/session data: session tokens handled by Supabase (HTTP-only cookies), login timestamps, basic security logs.
  • Billing & subscription data: plan, subscription status, invoices and payment identifiers. Card data is processed by Stripe; we do not store full card numbers.
  • Usage & logs: server logs (IP address, timestamps, user agent), application events (e.g., iCal import/export jobs) for security and troubleshooting.
  • Communications: messages you send to office@plan4host.com.
  • Cookies & similar: see our Cookie Policy for details.

2.1. Web Push notifications

If you enable Web Push notifications, the application stores a subscription record in our database so we can deliver messages to your device. This record includes: the push endpoint (a URL generated by your browser), cryptographic keys (p256dh, auth) required to send messages, youruser_id, the account_id the device is associated with, optionalproperty_id context, the user agent and OS string, and timestamps.

Purpose: deliver account‑related notifications (e.g., new reservations). Legal basis:consent (GDPR Art. 6(1)(a)). Retention: until you unsubscribe or revoke permission; invalid endpoints are cleaned up automatically. Control: you can turn notifications Off from the app (Notifications → Turn Off) and/or revoke permission from your browser/device settings at any time.

2.2. Check‑in data & consents

When you complete the online check‑in form for a property, we process only the data needed to provide the service and to meet legal requirements for guest registration. The form typically includes:

  • Identification & contact: first/last name, email, phone.
  • Stay details: property, check‑in/check‑out dates, room/room type.
  • Address & nationality (as requested by the property/locale).
  • Other guests / companions: the property may ask you to provide details for other guests in your group (e.g., first/last name, date of birth, citizenship, country of residence, whether they are a minor, guardian name where applicable, and document type/series/number where required by law).
  • ID document image (photo/PDF) used only to verify identity for self check‑in. Auto‑deleted at reservation confirmation (room assignment).
  • Acknowledgements: that you have read the Privacy Policy and accept the House Rules for the stay.
  • Operational logs: confirmation email status and technical metadata (IP/UA) for security/audit.

ID image purpose & masking. We request an ID image solely to verify your self check‑in details under GDPR Art. 6(1)(f) (legitimate interests). The ID image is automatically deleted immediately when your reservation is confirmed and a room is assigned. You may redact sensitive fields before upload. Please keep your face and the fields you typed visible, and mask: personal numerical code (CNP/personal number), document series/number, full address, and the MRZ area on passports. We do not use the image for facial recognition or biometric profiling.

Legal bases. We process check‑in data primarily to perform the accommodation contract and to comply with local lodging/registration laws (GDPR Art. 6(1)(b) & (c)). We may use limited logs for security and service reliability (legitimate interests, Art. 6(1)(f)). We do not rely on consent for core check‑in processing.The checkbox stating “I have read and understood the Privacy Policy” is an acknowledgement of information, not a consent to processing.

Retention. Reservation and guest records (including details of companions/other guests) are retained for the duration of the contractual relationship and for the statutory/accounting periods required by law. Acknowledgement records (privacy/house rules) are kept for the stay and for a reasonable audit period thereafter (typically 3–5 years). ID document images are retained only as strictly necessary to verify identity and are automatically deleted when a reservation is confirmed and a room is assigned (the storage file is deleted, while metadata such as document type/series/number may remain if required by law), consistent with GDPR Art. 5(1)(e) (storage limitation). Where required by local lodging laws, certain government‑issued identifiers (e.g., Romanian CNP) or document series/number may be retained for statutory periods. We do not store ID images beyond room assignment.

Your choice. If you prefer not to submit data through the online form, please contact the property directly to arrange an alternative check‑in method. You can also exercise your privacy rights (access, erasure, restriction, etc.) as described in this policy; some requests may be limited by legal retention obligations.

3. Why we process your data (purposes)

  • Provide and operate the service (accounts, calendar, iCal sync, billing).
  • Authenticate and secure access, prevent fraud/abuse, maintain reliability.
  • Customer support & communications you initiate.
  • Legal compliance (tax/accounting, regulatory obligations).
  • Improvements (troubleshooting, quality, performance). We currently do not use analytics or advertising cookies.

4. Legal bases (GDPR Art. 6)

  • Contract — to provide the service you requested (Art. 6(1)(b)).
  • Legitimate interests — security, fraud prevention, service reliability and improvement (Art. 6(1)(f)).
  • Legal obligation — e.g., tax and accounting records (Art. 6(1)(c)).
  • Consent — for any future non-essential cookies or optional communications (Art. 6(1)(a)).

5. Sharing & processors

We use vetted service providers (“processors”) to run Plan4Host:

ProviderRoleData categoriesLocation/Transfer
SupabaseAuthentication, database, storageAccount data, session tokens, app dataEU/EEA regions where available; may involve transfers with safeguards (SCCs)
VercelHosting and edge deliveryUsage logs (IP, UA), content deliveryGlobal infrastructure; transfers protected by SCCs
StripePayments & subscriptionsBilling identifiers, invoices; card data processed by StripeGlobal infrastructure; transfers protected by SCCs and other safeguards
Microsoft 365 (via GoDaddy)Email serviceSupport communicationsGlobal infrastructure; transfers protected by SCCs

We do not sell your personal data. We currently do not use analytics or advertising networks.

6. International transfers

When data is transferred outside the EU/EEA by our processors, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and complementary measures where necessary.

7. Retention

  • Account data: for the life of your account and up to 24 months after closure, unless we must retain it to meet legal obligations or resolve disputes.
  • Billing records: retained for statutory periods required by tax/accounting laws (typically 5–10 years).
  • Support communications: typically up to 24 months.
  • Routine server logs: typically up to 90 days unless needed for security investigations.

8. Security

We implement technical and organizational measures including TLS encryption in transit, encryption at rest provided by our cloud providers, access controls, and least-privilege practices. No method of transmission or storage is 100% secure, but we work to protect your data.

9. Your rights

  • Access your data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict or object to processing in certain cases.
  • Data portability.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with your local supervisory authority (EU/EEA).

To exercise your rights, contact office@plan4host.com. We may need to verify your identity before fulfilling your request.

10. Children

The service is not directed to children under 16. If you believe a child provided us with personal data, contact us and we will take appropriate steps.

Guest data for minors may be provided by the property/controller (guardian responsibility). We process such data only to provide the service on the controller’s instructions.

11. Automated decision-making

We do not perform automated decision-making or profiling that produces legal effects about you.

12. Cookies

For details about cookies we use, see our Cookie Policy.

13. Changes to this policy

We may update this Privacy Policy to reflect operational, legal, or regulatory changes. We encourage you to review it periodically.

14. Contact

For questions about this policy or your privacy rights, contact office@plan4host.com.