HospitalityFlow

Authorised Sub-Processors - HospitalityFlow

Current list of third-party providers engaged to process personal data on behalf of clients.

Last Updated: March 2026

Version: 1.0

This document lists all third-party sub-processors engaged by HospitalityFlow to process personal data on behalf of hotel clients. It is maintained in accordance with HospitalityFlow's Data Processing Agreement and applicable data protection law (GDPR, PDPA).

HospitalityFlow will provide at least 14 days' written notice to affected clients before adding or replacing any sub-processor. Clients may object to new sub-processors on reasonable data protection grounds within that notice period.

This list is current as of the date above. The most recent version is always available at hospitalityflow.ai/subprocessors or upon written request to legal@hospitalityflow.ai.

Authorised Sub-Processors

Hetzner Online GmbH

Purpose: Cloud infrastructure, VPS hosting, compute
Data Processed: All data stored and processed on platform
Processing Location: Germany & Finland (EU)
GDPR Transfer Basis: Yes - SCCs + EU entity
PDPA Compliance: Yes - equivalent protection via contractual safeguards
Data Retention: Per client DPA; no independent retention
Certifications: ISO/IEC 27001
DPA / Privacy Policy: hetzner.com/legal/privacy

Notes: Primary infrastructure provider. All data remains in EU data centres.

Supabase, Inc.

Purpose: Database (PostgreSQL), authentication, storage
Data Processed: Hotel operational data, user accounts, workflow state
Processing Location: AWS eu-central-1, Frankfurt (EU)
GDPR Transfer Basis: Yes - SCCs
PDPA Compliance: Yes - equivalent protection via contractual safeguards
Data Retention: Per client DPA; deleted on contract termination + 30 days
Certifications: SOC 2 Type II
DPA / Privacy Policy: supabase.com/privacy

Notes: EU region explicitly selected. Row-Level Security enforced per tenant.

OpenRouter, Inc.

Purpose: LLM API gateway - routes AI inference requests
Data Processed: Any data submitted to the platform that requires AI processing, including but not limited to email content, review text, and operational data
Processing Location: EU endpoint: eu.openrouter.ai (data stays in EU)
GDPR Transfer Basis: Yes - Zero Data Retention enforced; DPA available
PDPA Compliance: Yes - ZDR policy provides equivalent protection
Data Retention: Zero - prompts and completions not stored after processing
Certifications: SOC 2 (in progress); GDPR-compliant EU routing
DPA / Privacy Policy: openrouter.ai/privacy

Notes: ZDR enforced via zdr:true parameter on all API calls. EU endpoint mandatory. Prompt logging is disabled.

Excluded from Sub-Processor Status

Ollama (on-premise): Where clients opt for on-premise AI processing, Ollama runs locally on the client's own infrastructure (e.g. Mac Mini M4). No data is transmitted to any external party. Ollama is not a sub-processor as no data leaves the client's environment.

Change Log

Version: 1.0
Date: March 2026
Change: Initial version. Sub-processors: Hetzner, Supabase, OpenRouter.

Contact

For questions regarding sub-processors or data protection, contact legal@hospitalityflow.ai.