Privacy Policy
Pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)
1. Data Controller
The Data Controller for personal data relating to the use of the SaaS PMS software is:
- Company name: ForGuest s.r.l.s.
- Registered office: Via Paolo Dettori, 13 - 07039 Valledoria (SS), Italy
- VAT / Tax code: IT02864920901
- Contact email: info@forguest.cloud
2. Roles in Data Processing (Fundamental Distinction)
For GDPR purposes, our company has two distinct roles:
- Data Controller: we act as controller for the personal data of Hosts (direct customers of the SaaS) collected for contract management, billing and account administration.
- Data Processor: we act as processor for the personal data of Guests of accommodation facilities entered by Hosts into the PMS. The Host remains the Data Controller of their guests' data. The details of this processing are governed by the Data Processing Agreement (DPA) attached to the General Terms of Service.
3. Categories of Data Processed (Host Data)
We collect and process the following personal data of Hosts. At their own discretion within the management system, Hosts may also upload data relating to their guests:
- Identification and contact data: first name, last name, email address, telephone number.
- Company and billing data: company name, tax code / VAT number, billing address, bank details or payment information (handled via a secure third-party payment gateway).
- Usage and technical data: IP address, log data, browser type, data on use of PMS features (required for security and service optimisation).
4. Purposes of Processing and Legal Bases
Host data are processed for the following purposes:
- A) Performance of the contract (Art. 6(1)(b) GDPR): account creation, provision of PMS features, technical support, management of synchronised channels (Channel Manager).
- B) Compliance with legal obligations (Art. 6(1)(c) GDPR): invoicing, accounting and mandatory tax obligations.
- C) Legitimate interest (Art. 6(1)(f) GDPR): IT security of the software, fraud prevention and service communications strictly related to use of the PMS.
- D) Marketing and newsletter (Art. 6(1)(a) GDPR — only with prior consent): sending commercial or promotional communications about new PMS features. This consent is optional and may be withdrawn at any time.
5. Recipients of the Data (Third Parties)
Host personal data will not be sold or transferred to third parties. They may be disclosed only to parties strictly necessary for the provision of the SaaS service:
- Cloud / hosting providers (e.g. Aruba Business, with servers located in the EU).
- Payment gateways (e.g. Stripe, PayPal) for subscription management.
- Tax and business advisors for accounting.
- Third-party platforms (OTAs) (e.g. Booking.com, Airbnb) only where the Host voluntarily activates synchronisation of calendars and bookings.
6. Transfers of Data Outside the EU
Data are stored and processed within the European Economic Area (EEA). If, for technical reasons, some third-party providers are established outside the EU (e.g. the United States), the transfer will take place exclusively to entities certified under the Data Privacy Framework or on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of protection.
7. Data Retention Period
- Contractual and billing data will be retained for 10 years from the end of the relationship, in accordance with Italian civil and tax law obligations.
- Technical browsing and log data are retained for a maximum of 90 days, except where needed to investigate cybercrime; stay and guest data are retained according to each Host's management choices.
- Data processed for marketing purposes will be retained until the user withdraws consent (or for a maximum of 24 months from the last interaction).
8. Rights of the Data Subject (Host)
At any time, the Host may exercise the following rights by sending an email to info@forguest.cloud:
- Right of access to their personal data (Art. 15).
- Right to rectification of inaccurate or incomplete data (Art. 16).
- Right to erasure ("right to be forgotten") where there are no longer legal obligations to retain the data (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability in a structured, commonly used and machine-readable format (Art. 20).
- Right to object to processing based on legitimate interest or for marketing (Art. 21).
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
9. Data Security
The Controller adopts appropriate technical and organisational security measures (encryption of data in transit via HTTPS/TLS, regular backups, isolation of customer databases, administrative access controls) to protect data against unauthorised access, accidental loss or alteration.
Last updated: 16 July 2026