Zum Hauptinhalt springen

SECURITY & PRIVACY

Built for Europe. GDPR from day one.

Valooro was built privacy-first from the ground up — not compliance bolted on afterwards, but data protection as a design principle.

CORE COMMITMENTS

What you should know.

EU hosting

All data is stored and processed exclusively on servers within the European Union. No transfer to third countries without standard contractual clauses.

GDPR compliant

Valooro is built in accordance with GDPR (EU 2016/679). We conclude a data processing agreement (DPA) with every hotel under Art. 28.

Role-based access

Every hotel sees only its own data. Row Level Security (RLS) at the database level ensures no cross-hotel data access is possible.

Data deletion

Guest data can be fully deleted at any time upon request. Hotels can export their data and close their account.

TECHNICAL DETAILS

Under the hood.

Infrastructure
Supabase (PostgreSQL) on AWS Frankfurt (eu-central-1) + Vercel Edge Network with EU routing
Encryption
TLS 1.3 for all connections. Data at rest encrypted with AES-256.
Authentication
JWT-based with short-lived access tokens. Passwords are never stored in plain text (bcrypt).
Row Level Security
Database-level enforcement of hotel_id scoping on all tables — no code bug can break isolation.
Backups
Daily automatic backups with 30-day retention. Point-in-time recovery available.
DPA
Data Processing Agreement under GDPR Art. 28 is concluded with every hotel.

GUEST PRIVACY

What is stored — and what is not.

STORED

Photos (only during the stay, deletable afterwards)
Email address (optional, only if provided by the guest)
Insights survey answers (anonymised in aggregate)
AI Concierge chat requests (anonymous, no personal reference)

NOT STORED

No cookies without consent
No sharing with third parties for advertising
No biometric data or facial recognition
No tracking beyond Valooro

Security questions & DPA

For security questions, vulnerability reports or to conclude a Data Processing Agreement, contact us directly.

security@valooro.com

DPA requests via the contact form

Security & Privacy — Valooro