Privacy Policy
Last updated: April 11, 2026
This Privacy Policy describes how Simple PMS ("we", "us", "our") collects, uses, and protects personal data when you use the Simple PMS platform ("Service") at app.simple-pms.com.
1. Data Controller vs. Data Processor
- We are the Data Controller for your account data (name, email, authentication, payment information).
- You are the Data Controller for guest personal data collected through the Service. We act as your Data Processor, processing guest data solely on your instructions and in accordance with this Privacy Policy.
2. Data We Collect
2.1 Account Data
Name, email address, and authentication credentials (managed by Clerk). Payment information (processed by Stripe — we do not store credit card numbers on our servers).
2.2 Property and Booking Data
Property details, unit configurations, booking records, calendar data, expense records, and todo items. This data is owned and controlled by you.
2.3 Guest Data
Names, nationality, date of birth, gender, contact information (phone, email), ID document images, and ID numbers. You are the Data Controller for this data and are responsible for establishing a lawful basis for its collection (e.g., legal obligation for guest registration).
2.4 AI-Processed Data
Booking screenshots, ID document images, and WhatsApp messages are sent to Google Gemini for processing. This data is used solely for providing the Service features and is not used by Google for AI model training.
2.5 Usage and Technical Data
IP addresses, browser type, device information, and general usage patterns for maintaining security and improving the Service.
3. Purpose of Processing
- Service delivery: Managing your properties, bookings, guests, expenses, and door access codes
- AI features: Booking data extraction, ID scanning, check-in message generation, WhatsApp chatbot
- Notifications: Check-in reminders, checkout alerts, low battery warnings, todo deadlines
- Payments: Subscription billing and invoicing via Stripe
- Legal compliance: Guest registration as required by local law
4. Legal Basis (GDPR)
- Contract performance: Processing necessary to provide the Service you subscribed to
- Legitimate interests: Security monitoring, service improvements, fraud prevention
- Legal obligations: Tax record keeping, guest registration compliance
- Consent: Push notifications, marketing communications (you may withdraw consent at any time)
5. Data Storage and Location
- Database: MongoDB Atlas (data may reside in EU and US regions)
- File storage: Cloudflare R2 (encrypted at rest)
- Application hosting: Vercel
Data may be transferred between EU and US regions. We ensure appropriate safeguards are in place for any international data transfers in compliance with GDPR.
6. Data Sharing
We share data only with the following service providers, and only to the extent necessary to deliver the Service:
- Clerk — Authentication and user management
- Stripe — Payment processing
- Google Gemini — AI data extraction and chatbot
- Meta WhatsApp Business API — Guest messaging
- Seam — Smart lock integration
- Cloudflare — File storage and CDN
- Resend — Email delivery
We do not sell personal data. We do not share data with advertisers.
7. ID Document Handling
ID document images uploaded through the Service are stored with encryption on Cloudflare R2. Each organisation can configure automatic deletion periods for ID images to comply with local data protection regulations. Access to ID images is restricted to authorised members of the organisation that uploaded them.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | 30 days after account deletion |
| Booking and property data | While account is active |
| ID document images | Per organisation settings (configurable auto-deletion) |
| WhatsApp conversation logs | Duration of associated booking + 30 days |
| Payment records | As required by applicable tax law |
| Usage/technical data | 12 months |
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate personal data
- Erasure — Request deletion of your personal data
- Portability — Receive your data in a structured, machine-readable format
- Restriction — Request limitation of processing
- Objection — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent
To exercise any of these rights, contact us at info@simple-pms.com. We will respond within 30 days.
10. Cookies
We use essential cookies only for authentication and session management (provided by Clerk). We do not use tracking cookies, advertising cookies, or any analytics cookies.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. Supervisory Authority
If you are in the European Economic Area, you have the right to lodge a complaint with a supervisory authority. For Albania, the relevant authority is the Commissioner for Information and Data Protection (IDP), Tirana, Albania.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 14 days' notice of material changes via email or in-app notification. The "Last updated" date at the top of this page indicates when this policy was last revised.
14. Contact
For questions or requests regarding this Privacy Policy, contact us at: info@simple-pms.com