Privacy Policy

Last updated: 25 September 2025

This Privacy Policy explains how Plan4Host (operated by BOA DIGITAL SOLUTIONS SRL) (“we”, “us”) collects and uses your personal data on plan4host.com and www.plan4host.com(the “Website”) and within our application (after login). We comply with the EU General Data Protection Regulation (GDPR).

1. Controller & contact

Data controller: BOA DIGITAL SOLUTIONS S.R.L., CIF/CUI 51680505. Registered office: BUZĂU, Mun. Buzău, Str. Pietroasele 24, Romania. For privacy questions or rights requests, contact office@plan4host.com.

2. What data we collect

  • Account data: email address, password (hash only, never plaintext), profile details you provide (e.g., display name), organization/property information.
  • Authentication/session data: session tokens handled by Supabase (HTTP-only cookies), login timestamps, basic security logs.
  • Billing & subscription data: plan, subscription status, invoices and payment identifiers. Card data is processed by Stripe; we do not store full card numbers.
  • Usage & logs: server logs (IP address, timestamps, user agent), application events (e.g., iCal import/export jobs) for security and troubleshooting.
  • Communications: messages you send to office@plan4host.com.
  • Cookies & similar: see our Cookie Policy for details.

2.1. Web Push notifications

If you enable Web Push notifications, the application stores a subscription record in our database so we can deliver messages to your device. This record includes: the push endpoint (a URL generated by your browser), cryptographic keys (p256dh, auth) required to send messages, youruser_id, the account_id the device is associated with, optionalproperty_id context, the user agent and OS string, and timestamps.

2.2. Check‑in data & consents

When you complete the online check‑in form for a property, we process only the data needed to provide the service and to meet legal requirements for guest registration. The form typically includes:

  • Identification & contact: first/last name, email, phone.
  • Stay details: property, check‑in/check‑out dates, room/room type.
  • Address & nationality (as requested by the property/locale).
  • ID document image (photo/PDF) used to verify identity at arrival.
  • Acknowledgements: that you have read the Privacy Policy and accept the House Rules for the stay.
  • Operational logs: confirmation email status and technical metadata (IP/UA) for security/audit.

Legal bases. We process check‑in data primarily to perform the accommodation contract and to comply with local lodging/registration laws (GDPR Art. 6(1)(b) & (c)). We may use limited logs for security and service reliability (legitimate interests, Art. 6(1)(f)). We do not rely on consent for core check‑in processing.The checkbox stating “I have read and understood the Privacy Policy” is an acknowledgement of information, not a consent to processing.

Retention. Reservation and guest records are retained for the duration of the contractual relationship and for the statutory/accounting periods required by law. Acknowledgement records (privacy/house rules) are kept for the stay and for a reasonable audit period thereafter (typically 3–5 years). ID document images are retained only as strictly necessary to verify identity—by default, they are scheduled for deletion shortly after check‑out (e.g., within 24–72 hours), unless a longer period is required by applicable law. Extracted data required by law (e.g., name, document number) may be kept per those legal obligations.

Your choice. If you prefer not to submit data through the online form, please contact the property directly to arrange an alternative check‑in method. You can also exercise your privacy rights (access, erasure, restriction, etc.) as described in this policy; some requests may be limited by legal retention obligations.

Purpose: deliver account-related notifications (e.g., new reservations). Legal basis: consent— you allow notifications in your browser. Retention: until you unsubscribe or revoke permission; invalid endpoints are cleaned up automatically. Control: you can turn notifications Off from the app (Notifications → Turn Off) and/or revoke permission from your browser/device settings at any time.

3. Why we process your data (purposes)

  • Provide and operate the service (accounts, calendar, iCal sync, billing).
  • Authenticate and secure access, prevent fraud/abuse, maintain reliability.
  • Customer support & communications you initiate.
  • Legal compliance (tax/accounting, regulatory obligations).
  • Improvements (troubleshooting, quality, performance). We currently do not use analytics or advertising cookies.

4. Legal bases (GDPR Art. 6)

  • Contract — to provide the service you requested (Art. 6(1)(b)).
  • Legitimate interests — security, fraud prevention, service reliability and improvement (Art. 6(1)(f)).
  • Legal obligation — e.g., tax and accounting records (Art. 6(1)(c)).
  • Consent — for any future non-essential cookies or optional communications (Art. 6(1)(a)).

5. Sharing & processors

We use vetted service providers (“processors”) to run Plan4Host:

ProviderRoleData categoriesLocation/Transfer
SupabaseAuthentication, database, storageAccount data, session tokens, app dataEU/EEA regions where available; may involve transfers with safeguards (SCCs)
VercelHosting and edge deliveryUsage logs (IP, UA), content deliveryGlobal infrastructure; transfers protected by SCCs
StripePayments & subscriptionsBilling identifiers, invoices; card data processed by StripeGlobal infrastructure; transfers protected by SCCs and other safeguards
Microsoft 365 (via GoDaddy)Email serviceSupport communicationsGlobal infrastructure; transfers protected by SCCs

We do not sell your personal data. We currently do not use analytics or advertising networks.

6. International transfers

When data is transferred outside the EU/EEA by our processors, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and complementary measures where necessary.

7. Retention

  • Account data: for the life of your account and up to 24 months after closure, unless we must retain it to meet legal obligations or resolve disputes.
  • Billing records: retained for statutory periods required by tax/accounting laws (typically 5–10 years).
  • Support communications: typically up to 24 months.
  • Routine server logs: typically up to 90 days unless needed for security investigations.

8. Security

We implement technical and organizational measures including TLS encryption in transit, encryption at rest provided by our cloud providers, access controls, and least-privilege practices. No method of transmission or storage is 100% secure, but we work to protect your data.

9. Your rights

  • Access your data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict or object to processing in certain cases.
  • Data portability.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with your local supervisory authority (EU/EEA).

To exercise your rights, contact office@plan4host.com. We may need to verify your identity before fulfilling your request.

10. Children

The service is not directed to children under 16. If you believe a child provided us with personal data, contact us and we will take appropriate steps.

11. Automated decision-making

We do not perform automated decision-making or profiling that produces legal effects about you.

12. Cookies

For details about cookies we use, see our Cookie Policy.

13. Changes to this policy

We may update this Privacy Policy to reflect operational, legal, or regulatory changes. We encourage you to review it periodically.

14. Contact

For questions about this policy or your privacy rights, contact office@plan4host.com.