GDPR Compliance

1. Data Processing Agreements

SwiftGuest maintains Data Processing Agreements (DPAs) with all sub-processors. As a property manager, you are the data controller for guest data; SwiftGuest acts as the data processor under Article 28 GDPR. A DPA is available upon request at privacy@swiftguest.com.

2. Sub-Processors

We notify customers of sub-processor changes at least 30 days in advance.

3. Data Residency

SwiftGuest runs on Cloudflare's global edge network. Application data is stored in Cloudflare D1 with automatic replication. Cloudflare provides data locality controls, and we can configure regional restrictions for EU-only data residency upon request.

4. Right to Erasure

When a data subject or property manager requests erasure:

• Guest personal data is permanently deleted from all active systems within 30 days
• Anonymized booking records may be retained for aggregate analytics
• Financial records subject to legal retention (up to 7 years) are retained in encrypted form, then deleted
• Backups are purged on their normal rotation cycle (maximum 90 days)

Request erasure via your dashboard settings or by emailing privacy@swiftguest.com.

5. Breach Notification

In the event of a personal data breach, SwiftGuest commits to:

• Notifying the relevant supervisory authority within 72 hours of becoming aware of the breach, per Article 33 GDPR
• Notifying affected data controllers (property managers) without undue delay
• Providing a detailed incident report including scope, affected data, and remediation steps

6. Security Measures

• Encryption at rest and in transit (TLS 1.3)
• httpOnly, Secure, SameSite cookies
• Role-based access control
• Audit logging of data access
• Regular security reviews

7. Contact

GDPR inquiries: privacy@swiftguest.com. See also our Privacy Policy.