Last Updated: 29. 03. 2026
This Data Processing Agreement ("DPA") is an addendum to the small-pms Terms of Service. It governs the processing of personal data by small-pms ("Processor") on behalf of the registered user/host ("Controller") under the European General Data Protection Regulation (GDPR).
By using small-pms to manage reservations and guest communications, you agree to the terms of this DPA.
1. Roles and Scope
The Controller: You, the property host. You decide why and how your guests' personal data is collected.
The Processor: Us, small-pms. We only process this data based on your instructions (which are executed via your configuration and use of our software).
The Subject Matter: The provision of the small-pms SaaS platform, including reservation management, automated communications, and guest forms.
2. Details of Processing
Nature and Purpose: We process personal data solely to provide the service. This includes storing reservations, executing your automated pipeline configurations, sending emails via Resend, and hosting public guest forms/surveys.
Duration: Data is processed for as long as you maintain an active account with small-pms.
Types of Personal Data: Guest names, email addresses, phone numbers (if collected), booking dates, financial transaction records (excluding raw credit card numbers), and any custom data you collect via our survey/guest forms.
Categories of Data Subjects: Your prospective, current, and past guests.
3. Controller's Obligations
As the Controller, you represent and warrant that:
You have a lawful basis (e.g., a contract or explicit consent) to collect and process your guests' data.
You will not use small-pms to collect highly sensitive data (e.g., medical records, criminal history) that the platform is not designed to secure.
4. Processor's Obligations
As the Processor, small-pms agrees to:
Confidentiality: Ensure that any personnel authorized to process the data are bound by confidentiality obligations.
Data Subject Requests: If a guest contacts us directly to delete or access their data, we will promptly forward the request to you, as you are responsible for handling it. Our app provides you with the tools to delete or export guest records.
5. Approved Subprocessors
To operate the software, we use third-party infrastructure providers. You grant us general authorization to use the following Subprocessors. We will notify you of any intended changes to this list:
Supabase: Database hosting and data storage.
Netlify: Application hosting and cron job execution.
Resend: Delivery of automated transactional and guest emails.
Sentry: Application error and crash tracking.
Stripe: Processing of your subscription payments.
6. Security Measures
We take the security of your guests' data seriously and utilize modern infrastructure to protect it. However, small-pms is actively evolving, fast-moving Beta software. We explicitly cannot and do not guarantee absolute data security. By using this service, you acknowledge and accept the inherent risks of early-stage software. We will try to do our best to secure your data, which currently includes:
Best-Effort Data Isolation: We use Supabase Row Level Security (RLS) to logically separate your guest data (bound to your tenant_id) so it cannot be accessed by other users.
Standard Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest by our database provider.
Audit Logs: We maintain internal event_logs to track significant data modifications to help us debug issues and attempt data recovery if something goes sideways.
7. Personal Data Breaches
Because we are shipping updates frequently in this Beta phase, there is an elevated risk of bugs, accidental data exposure, or unauthorized access. If the worst happens and we become aware of a confirmed personal data breach affecting your guest data (e.g., a database compromise or a critical routing bug), we will not hide it.
We will notify you without undue delay. Once notified, it is entirely your responsibility (as the Data Controller) to fulfill any regulatory obligations you may have under the GDPR to notify your guests and relevant data protection authorities.
8. Deletion or Return of Data
Upon termination of your small-pms account, we will, at your choice, delete or return all personal guest data to you, unless European or local laws require us to retain specific records (e.g., for tax or legal audit purposes).
