Privacy Policy
Easy RFP ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Easy RFP platform, website (easyhotelrfp.com), and all related services (the "Service"). This policy is written to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and applicable European data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
Easy RFP
Email: contact@easyhotelrfp.com
Website: https://easyhotelrfp.com
For any data protection inquiries, please contact our Data Protection contact at contact@easyhotelrfp.com.
2. Data We Collect
We collect and process the following categories of personal data:
| Category | Data Types | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account Data | Name, email address, company name, job title, password (hashed) | Contract performance (Art. 6(1)(b)) |
| Event Data | Event details, dates, attendee counts, venue preferences, budget ranges | Contract performance (Art. 6(1)(b)) |
| Communication Data | RFP content, hotel correspondence, support messages | Contract performance (Art. 6(1)(b)) |
| Payment Data | Billing address, payment method (processed by Stripe; we do not store full card numbers) | Contract performance (Art. 6(1)(b)) |
| Usage Data | Pages visited, features used, session duration, device type, browser, IP address | Legitimate interest (Art. 6(1)(f)) |
| Marketing Data | Email subscription preferences, marketing consent status | Consent (Art. 6(1)(a)) |
3. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Creating your account, generating RFPs, sending RFPs to hotels, processing hotel responses, and enabling proposal comparison.
- Payment processing: Processing subscription payments and managing billing through our payment processor, Stripe.
- Service improvement: Analysing usage patterns to improve features, fix bugs, and optimise the user experience. This includes anonymised and aggregated analytics.
- Communication: Sending transactional emails (account confirmation, RFP status updates, proposal notifications), responding to support requests, and sending service announcements.
- Marketing: With your explicit consent, sending promotional emails about new features, industry insights, and relevant content. You can withdraw consent at any time.
- Legal compliance: Meeting our legal and regulatory obligations, including tax reporting, fraud prevention, and responding to lawful requests from authorities.
4. Data Sharing
We share your personal data only with the following categories of recipients and only to the extent necessary:
4.1 Hotel Partners
When you send an RFP through the Service, the following data is shared with the selected hotels: your name, email address, company name, and the event/RFP details you have provided. This sharing is essential to the core functionality of the Service and is based on your explicit action of sending the RFP.
4.2 Service Providers (Sub-Processors)
We use the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database hosting, authentication | EU (Frankfurt) |
| Stripe | Payment processing | EU/US (with SCCs) |
| Cloudflare | CDN, DDoS protection, hosting | Global (edge network) |
| PostHog | Product analytics | EU |
| MailerLite | Email marketing (with consent) | EU (Lithuania) |
| Google Analytics | Website analytics | EU/US (with SCCs) |
| Anthropic (Claude API) | AI text generation for RFPs | US (with SCCs) |
All sub-processors are bound by Data Processing Agreements (DPAs) under Art. 28 GDPR that require them to handle your data in a GDPR-compliant manner. For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (see section 9 for the full list of transfer mechanisms).
4.3 Legal Requirements
We may disclose your data if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
We do not sell your personal data to third parties. We do not share your data with advertisers. We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Art. 22) without human review.
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Active account data: Retained for the duration of your account plus 30 days after deletion request.
- Event and RFP data: Retained for the duration of your account. Historical event data is retained for up to 24 months to enable annual reporting features.
- Payment records: Retained for 7 years as required by EU tax and accounting regulations.
- Usage analytics: Anonymised after 26 months. Anonymised data is no longer personal data and may be retained indefinitely.
- Marketing consent records: Retained for 3 years after last interaction or until consent is withdrawn.
- Support correspondence: Retained for 3 years after resolution.
Upon account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., tax records).
6. Your Rights Under GDPR
Under the GDPR and UK GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): You can request a copy of all personal data we hold about you. We will respond within 30 days.
- Right to rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing (Art. 18): You can request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Art. 21): You can object to processing based on legitimate interests, including profiling and direct marketing.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In Spain, the Agencia Española de Protección de Datos (AEPD) at aepd.es.
To exercise any of these rights, contact us at contact@easyhotelrfp.com. We will respond within 30 days. No fee is charged. Where a request is manifestly unfounded or excessive, in particular because it repeats an earlier request, we may charge a reasonable administrative fee or decline to act on it, as permitted by Art. 12(5).
7. Cookies and Tracking Technologies
We use cookies and similar technologies on the Service. Here is a summary of the cookies we use:
| Cookie Type | Purpose | Duration | Consent Required |
|---|---|---|---|
| Essential | Authentication, security, session management | Session | No (strictly necessary) |
| Analytics | PostHog and Google Analytics usage measurement | Up to 26 months | Yes |
| Preferences | Language, UI settings | 1 year | No (set only to honour a setting you have chosen) |
We do not use advertising cookies or tracking pixels for ad targeting. You can manage cookie preferences through your browser settings. Note that blocking essential cookies may prevent the Service from functioning correctly.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure password hashing (bcrypt)
- Access controls and role-based permissions for internal staff
- Regular security reviews and vulnerability assessments
- DDoS protection via Cloudflare
- Automated backup and disaster recovery procedures
In the event of a personal data breach that is likely to pose a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (Art. 33). Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Art. 34).
9. International Data Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). For any transfer of personal data outside the EEA, we ensure adequate protection through one or more of the following mechanisms:
- European Commission adequacy decisions (for countries deemed to provide adequate protection)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework (for US-based processors that are certified)
You may request a copy of the safeguards we have in place by contacting us at contact@easyhotelrfp.com.
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email or prominent notice on the Service at least 14 days before taking effect. The "Last updated" date at the top of this page indicates the most recent revision. We encourage you to review this policy periodically.
12. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:
Easy RFP
Data Protection Contact
Email: contact@easyhotelrfp.com
Website: https://easyhotelrfp.com
You also have the right to contact your local supervisory authority if you are not satisfied with our response.