Data Processing Agreement
Our GDPR Data Processing Agreement. Clear terms for how we handle your data — and your guests' data.
Last updated: June 16, 2026
Parties
This Data Processing Agreement ("DPA") is entered into between:
Vexcore
The Host — you. You determine the purposes and means of processing personal data.
HostAssistant
Us. We process personal data on your behalf, strictly according to your instructions.
This DPA forms part of the Terms of Service between HostAssistant and the Data Controller. By using HostAssistant, you agree to the terms outlined in this agreement.
Data We Process
As part of providing the Service, we process the following categories of personal data on your behalf:
Host Personal Data
- Name and email address (account registration)
- Property details: addresses, photos, WiFi passwords, check-in instructions, house rules
- WhatsApp Business credentials (access tokens, phone numbers)
- Billing information (processed via Stripe — we do not store full card details)
Guest Data
- Phone numbers (via WhatsApp messages)
- Message content — guest questions, check-in requests, maintenance issues
- Language detected from messages (auto-detected, first 280 characters only)
- Booking references (if voluntarily shared by the guest)
Processing purpose: Facilitating guest communication on behalf of the Data Controller. All guest data processing is incidental to the core service — enabling hosts to communicate with their guests via WhatsApp.
Data Subjects
- Hosts — account owners who use the platform
- Guests — individuals who message hosts via WhatsApp
Sub-processors
We engage the following sub-processors to deliver the Service. Each is carefully vetted and bound by data processing terms at least as protective as this DPA.
Supabase
Database hosting & authentication. All application data — host accounts, property details, guest messages — is stored in PostgreSQL on Supabase. Row-Level Security enforces data isolation between hosts.
Location: EU (Frankfurt)
OpenAI
AI reply generation. Guest messages are sent to OpenAI's API to generate reply drafts. OpenAI does not retain this data or use it to train models. Covered by Standard Contractual Clauses.
Location: US (with EU safeguards)
Stripe
Payment processing. Stripe processes subscription payments and stores billing data. We never see full card numbers. Covered by Standard Contractual Clauses.
Location: US (with EU safeguards)
Twilio
WhatsApp message routing. WhatsApp messages are routed through Twilio using the official WhatsApp Business API. Covered by Standard Contractual Clauses.
Location: US (with EU safeguards)
We will notify you of any changes to our sub-processor list at least 14 days in advance. You may object to a new sub-processor on reasonable grounds.
Security Measures
We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Encryption at rest and in transit
All data is encrypted in transit via TLS 1.3. Data at rest is encrypted using AES-256. WhatsApp messages benefit from Meta's end-to-end encryption.
Role-based access control
Database access is governed by Row-Level Security (RLS). Every query is scoped to the authenticated host — enforced at the database level. Internal access is limited to essential personnel only.
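As an added illustration of the host-isolation pattern described above (this is example code written for this page, not HostAssistant's actual schema or policies), the following PostgreSQL statements show what "every query is scoped to the authenticated host, enforced at the database level" looks like in Row-Level Security terms. The table and column names (properties, guest_messages, host_id, property_id) are assumptions; auth.uid() is the Supabase helper that returns the id of the currently authenticated user.

```sql
-- Assumed schema: hosts own properties; guest messages belong to a property.
create table properties (
  id            uuid primary key default gen_random_uuid(),
  host_id       uuid not null,          -- assumed to reference auth.users(id)
  address       text,
  wifi_password text
);

create table guest_messages (
  id          uuid primary key default gen_random_uuid(),
  property_id uuid not null references properties(id),
  guest_phone text,
  body        text,
  created_at  timestamptz not null default now()
);

-- Enable RLS. With RLS on and no matching policy, a table is default-deny.
-- FORCE applies the policies to the table owner as well, so an application
-- role that happens to own the tables cannot bypass isolation.
alter table properties     enable row level security;
alter table properties     force  row level security;
alter table guest_messages enable row level security;
alter table guest_messages force  row level security;

-- A host can see and modify only rows whose host_id is their own user id.
-- WITH CHECK prevents an insert or update from re-assigning a row to
-- another host's id.
create policy host_owns_properties on properties
  for all
  using      (host_id = auth.uid())
  with check (host_id = auth.uid());

-- Guest messages are readable only through a property the caller owns.
create policy host_reads_own_guest_messages on guest_messages
  for select
  using (exists (
    select 1
    from properties p
    where p.id = guest_messages.property_id
      and p.host_id = auth.uid()
  ));

-- Check, run in an ordinary authenticated session: because RLS filters
-- other hosts' rows out before the WHERE clause sees them, this returns 0.
select count(*) from properties where host_id <> auth.uid();
```

Two points worth noting about this pattern: because no policy grants insert, update or delete on guest_messages, a host session cannot alter or remove message rows at all, which is the default-deny behaviour a practitioner should expect; and the scheduled anonymization the DPA describes would have to run under a role with the BYPASSRLS attribute (such as Supabase's service role), which is exactly the role whose credentials deserve the tightest handling.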
Regular security audits
We conduct security assessments of our infrastructure and dependencies on an ongoing basis. Supabase maintains SOC 2 Type II certification for the underlying infrastructure.
Incident notification within 72 hours
In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of it. Our notification will describe the nature of the breach, the categories of data affected, and the measures taken to address it.
Annual security assessments
We review our security posture at least annually. This includes dependency audits, penetration testing of critical paths, and a review of access controls and encryption practices.
Data Subject Rights
Under the GDPR, data subjects have specific rights regarding their personal data. We assist you in fulfilling these obligations:
Right of Access
We provide tools for you to export all data associated with your account. Guest data can be retrieved from your message history.
Right to Rectification
Hosts can edit their profile and property details at any time through the dashboard. Contact us to update data that cannot be self-served.
Right to Erasure
Delete your account and all associated data permanently. Guest messages are automatically anonymized after 90 days.
Right to Portability
Export your data in a structured, commonly used format. We provide CSV and JSON exports for all host-owned data.
Right to Restrict Processing
Disable AI auto-reply, pause calendar sync, or limit integrations at any time through your dashboard settings.
Right to Object
Object to specific processing activities. Contact us at support@hostassistant.nl — we'll respond within 48 hours.
Guest Requests
Guest data subject requests are forwarded to the relevant host (Data Controller). As the host, you are responsible for responding to guest requests. We will assist you in fulfilling them — for example, by providing message exports or confirming deletion.
Data Retention
- Guest messages: retained for 90 days, then anonymized
- Host data: retained until account deletion
- Billing records: retained as required by applicable tax law (typically 7 years)
- Error logs: rotated after 30 days
Data Transfers
HostAssistant primarily stores and processes data within the European Union. Where international transfers are necessary, we ensure adequate protection:
EU-Based Infrastructure
All application data is stored in Supabase's Frankfurt (EU) region. This is our primary data storage location.
Standard Contractual Clauses (SCCs)
For sub-processors based in the United States (OpenAI, Stripe, Twilio), we rely on the European Commission's Standard Contractual Clauses as the legal transfer mechanism. These SCCs are incorporated into our data processing agreements with each sub-processor.
Transfer Impact Assessments
We conduct transfer impact assessments for all international data flows. Where necessary, we implement supplementary measures — including encryption, pseudonymization, and contractual safeguards — to ensure an essentially equivalent level of protection.
Our commitment: Regardless of where data is processed, we maintain GDPR-compliant protection standards for all personal data. No data is transferred to countries without adequate safeguards.
Audit & Compliance
Annual Compliance Audits
We conduct internal GDPR compliance reviews at least every 12 months. These reviews cover data processing activities, security measures, sub-processor compliance, and incident response readiness.
SOC 2 Type II — Supabase
Our primary infrastructure provider, Supabase, maintains SOC 2 Type II certification. This provides independent assurance over the security, availability, and confidentiality controls of the underlying database and authentication infrastructure.
Documentation & Records
We maintain written records of all processing activities carried out on behalf of the Data Controller. These records are available upon request and include: categories of processing, data transfers, security measures, and sub-processor agreements.
Your Right to Audit
Upon reasonable notice and no more than once per year, you may request evidence of our compliance with this DPA. We will provide our most recent audit summary, security documentation, and sub-processor agreements — redacted only to protect confidential information of other customers.
Termination
Upon termination of the Service agreement between the Data Controller and HostAssistant, the following data handling procedures apply:
Data Deletion Within 30 Days
All personal data processed on your behalf will be permanently deleted within 30 calendar days of contract termination. This includes host account data, property details, guest message history, and any backups containing personal data.
Export Option
Before deletion, you may request a full export of your data. We provide exports in structured formats (CSV, JSON) within 14 days of your request. This includes message history, property data, and booking records.
No Retention
After the 30-day deletion window, no personal data is retained. The only exception is billing records, which are retained as required by applicable tax law. These records are stored securely and are not used for any other purpose.
Early termination: You may terminate your account at any time through your dashboard. The data deletion timeline begins from the moment you confirm account deletion. We will confirm in writing once deletion is complete.
Execution & Contact
This DPA is effective as of the date the Data Controller accepts the HostAssistant Terms of Service. No separate signature is required — by creating a HostAssistant account, you enter into this agreement.
If your organization requires a separately signed DPA, or if you have questions about any part of this agreement, contact us. We respond to DPA-related inquiries within 48 hours.
Contact for DPA Inquiries
This DPA may be updated from time to time. Material changes will be notified via email at least 30 days in advance. Continued use of the Service after changes take effect constitutes acceptance of the updated DPA. The current version is always available at this page.
