Data processing addendum

Version 2.0 · Effective 17 May 2026

This data processing addendum (the "DPA") forms part of, and is incorporated into, the HostRev terms of service. It applies when you use HostRev to process personal data on behalf of guests, co-hosts, or other third parties — typical for property managers, agencies, and host-services businesses.

For individual hosts processing only their own data, the privacy policy covers our relationship — a separate DPA is not required.

At launch, DPA execution is handled manually: email contact@hostrev.io to request a countersigned copy. We respond within 5 business days.

1. Roles

For the purposes of the GDPR, the customer is the controller of personal data submitted to HostRev, and HostRev Solutions (sole proprietorship, Dutch Handelsregister, KvK number 42073239; 2e Wormenseweg 75, 7331 VD Apeldoorn, NL; VAT ID: NL003627894B03) is the processor. HostRev processes that data only on the customer's documented instructions as set out in this DPA and the underlying terms of service.

contact@hostrev.io is HostRev's single canonical address for all support, legal, privacy, data-protection (including DPA inquiries and data subject access requests), and DMCA / Notice-and-Action communications. Notices are acknowledged within 5 business days.

2. Scope, duration, and purpose

Subject matter: AI-based optimisation of Airbnb listing photos, copy, and performance audits.

Duration: For as long as the customer maintains an active HostRev account, plus any retention period required by applicable law.

Purpose: Delivering the contracted service: photo enhancement, copy generation, listing audit, billing, support.

Categories of data: Account email, listing URLs, public listing content (titles, descriptions, photos), credit balances, billing records, support correspondence.

Data subjects: The customer's employees and authorised users; the property owners and managers represented by the customer; individuals visible in listing photos (where any).

Sensitive data: HostRev does not knowingly process special-category data (GDPR Art. 9). Customers must not submit such data.

3. HostRev's obligations

  • Process personal data only on the customer's documented instructions, including transfers to a third country, unless required to do otherwise by EU or member-state law.
  • Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational measures (see section 6) to ensure a level of security appropriate to the risk.
  • Engage another processor (sub-processor) only with the customer's prior general authorisation under section 4.
  • Assist the customer in responding to data-subject requests and in fulfilling its obligations under GDPR Articles 32–36 (security, breach notification, impact assessments, consultation).
  • At the choice of the customer, delete or return all personal data after the end of the provision of services within the 7-day SLA in section 9.
  • Make available to the customer all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits, as scoped in section 8.
  • Not use the customer's personal data, uploaded photos, AI outputs, or listing text to train any AI model — see the no-AI-training commitment in the privacy policy.

4. Sub-processors

The customer grants HostRev general authorisation to engage the sub-processors listed in our privacy policy. We will notify customers of any intended addition or replacement at least 30 days in advance, giving the customer the opportunity to object on reasonable grounds. If the customer has a reasonable objection that we cannot accommodate, the customer may terminate the affected services for cause within 30 days of notification.

HostRev imposes on its sub-processors data-protection obligations that are at least as protective as those in this DPA, and remains liable to the customer for the acts and omissions of its sub-processors as if they were HostRev's own.

5. International transfers

Where personal data is transferred to a country outside the EU/EEA for which the European Commission has not issued an adequacy decision, HostRev relies on the Standard Contractual Clauses (Module 2 or Module 3 as applicable) adopted by Commission Decision 2021/914, with appropriate supplementary measures: encryption in transit and at rest, data-minimisation, and access logging.

Where a sub-processor is certified under the EU-US Data Privacy Framework, HostRev may additionally rely on that framework as a safeguard. HostRev does not rely on the deprecated EU-US Privacy Shield (invalidated 16 July 2020 by Schrems II, replaced by the DPF on 10 July 2023).

6. Security measures

HostRev implements at least the following technical and organisational measures (GDPR Art. 32):

Access control

  • passwordless authentication (magic-link only — no shared passwords),
  • row-level-security policies in the database (per-user data isolation),
  • least-privilege service credentials, scoped per environment,
  • two-factor authentication on all operator accounts.

Encryption

  • TLS 1.3 for data in transit,
  • AES-256 at rest on Supabase Postgres and storage,
  • signed short-lived URLs (≤ 1 hour) for private images.

Resilience

  • daily point-in-time backups of the database,
  • multi-region edge network for the application layer,
  • rate-limiting and abuse detection on public endpoints.

Monitoring

  • structured audit logs of authentication and billing events,
  • error monitoring on all production routes,
  • quarterly review of access privileges.

7. Data subject requests

HostRev will, taking into account the nature of the processing, assist the customer by appropriate technical and organisational measures in fulfilling its obligation to respond to requests for exercising the data subject's rights under GDPR Articles 12–23. Standard support is included; substantial assistance may be charged at our then-current professional rate, agreed in writing in advance.

8. Personal-data breach notification and audits

HostRev will notify the customer without undue delay — and in any case within 72 hours of becoming aware — of any personal-data breach affecting the customer's data, providing at minimum:

  • the nature and scope of the breach,
  • the categories and approximate number of data subjects affected,
  • the likely consequences,
  • the measures taken or proposed to address it.

Audits

HostRev will respond to reasonable written audit requests no more than once per 12 months, by providing copies of relevant certifications, third-party audit reports (e.g. SOC 2, ISO 27001 — once obtained), and answers to a reasonable security questionnaire. On-site audits are not permitted by default and require advance written agreement.

9. Return or deletion of data on termination

Upon termination of the service, HostRev will, at the customer's choice, delete or return all personal data processed on the customer's behalf within 7 days of the termination date.

  • On the termination date, all affected account records are marked for deletion in the production database.
  • A nightly background job hard-deletes records (photos in object storage, generations, listing metadata, personal data of natural persons depicted in uploads) within 7 calendar days of marking.
  • Backups containing the affected personal data are aged out in line with HostRev's standard backup retention (maximum 30 days), and are not restored except in the case of a security incident requiring point-in-time recovery — in which case the data is re-deleted immediately upon restoration.

Where retention is required by applicable law — in particular Dutch fiscal law (Algemene Wet inzake Rijksbelastingen Art. 52, 7-year retention of invoice records) — the affected records are archived in anonymised form (user identity replaced with a "deleted_user" marker) and are not used for any other purpose.

10. Liability

Liability arising out of or in connection with this DPA is governed by the limitation-of-liability clauses in the underlying terms of service (which include separate caps for consumer and B2B customers). Nothing in this DPA modifies those caps, except as required by mandatory provisions of the GDPR.

11. Governing law

This DPA is governed by the laws of the Netherlands. Disputes are submitted to the competent court of the District of Amsterdam, in line with the terms of service.

12. Signing this DPA

For most customers, accepting the terms of service when creating an account is sufficient to bring this DPA into force. If your organisation requires a counter-signed copy, email contact@hostrev.io and we will provide one within 5 business days.

13. Survival

Sections 4, 6, 7, 9, and any clauses required by GDPR Art. 28(3) to continue applying, survive termination of this DPA.

Questions? Email contact@hostrev.io.