General Data Protection Regulation (GDPR) compliance of Booking Factory

Created by Snorri Valsson, Modified on Thu, 4 Jul at 10:25 AM by Snorri Valsson

How Booking Factory complies with General Data Protection Regulation (GDPR)


Booking Factory saves data from the use of it´s products. This is in principle the cloud-based PMS (Property Management System). This also includes the booking engine provided for homepage bookings which feeds the data to the PMS. All users (hospitality entities) of the PMS require 2 factor authentication to access the system and do need to re-authenticate to access sensitive data such as clients' credit card details. 

Please note that users (hospitality entities) have their Terms & Conditions and Privacy Policies that may conflict with the policies of the Booking Factory software for whatever reason. They may have 3rd party services connected with the software that can retrieve data relevant to their services. This is outside the scope of Booking Factory´s responsibility.  It is incumbent upon prospective clients to ensure they agree with such policies independent of the software policies as Booking Factory is only responsible for how it handles its database. 



What Personal Data is Processed?
The Personally Identifiable Data stored in the system if the user sets it as mandatory is the following: 

1.Name
2.Date of Birth
3.Address
4.Nationality
5.Phone number (home/work)
6.ID Number (i.e. Social Security Number)
7.E-mail address



Other information that would be considered sensitive is credit card information. If the user requires a credit card to confirm a booking, this is tokenized and stored with PCI services in the system. This information is automatically deleted 7 days after checkout of the last booking within a reservation. This is not stored with the customer profile at any point.


The only data needed to confirm a reservation in the software is a last name for a guest. All other criteria are mandatory only if the user owning the account sets it as such. 



Bases for Processing: 

As a transactional software, Booking Factory does not permit users (hospitality entities) to automatically communicate to clients outside of the purposes of existing data. This means that communication has to be relevant to an upcoming, ongoing or past reservation in the system. Whether implied or not, users are not permitted to add their clients to mailing lists or contact them without previous consent and outside the purview of the system. 



In case of a breach: 
Out of an abundance of caution, Booking Factory reserves the right to shut down the access of any user that may, purposefully or inadvertently, be jeopardizing the integrity of client data or system security as a whole. No resumption of service will be made without full assurance of this integrity being intact. 


While Booking Factory does all it can to safeguard client data, in the event of a breach in security making personally identifiable information available to non-permitted persons, the owners of that data will be informed within 2 days of the breach and all necessary action will be taken towards ensuring system integrity once more. 


Withdrawing Consent (Right to be forgotten): 

If a client (guest/booker) would like their personally identifiable information to be restricted or deleted from the Booking Factory database, all that is needed is for them to inform Booking Factory or the user property and it will be deleted and confirmed within the required 2 days as stipulated by articles 17 and 18 in the GDPR. 



For more detailed information on these matters, please refer to the product Privacy Policy here

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article