1. Who we are
This Privacy Policy describes how HOSPITALITY OPTIMAL MANAGEMENT ENGINEERING ltd, The Whispers Floor 3 Office 6, Triq Ross Paceville, St Julian’s, STJ 3109, Malta — VAT No. MT29286701 ("we", "us", the "Provider") processes personal data in connection with the Optimal Management platform (the "Service"), a revenue-management software for hospitality businesses. For any privacy matter you can contact us at privacy@ho-me.consulting.
2. Our two roles under the GDPR
We process personal data in two distinct capacities:
- As a data controller for the personal data of our clients’ representatives and platform users — account data, billing data, support communications and usage logs. This Policy governs that processing.
- As a data processor on behalf of our clients for the personal data of their guests (e.g. names and contact details contained in reservations synchronized from the client’s property management system). That processing is governed by the Data Processing Agreement annexed to the client’s service contract; the client remains the data controller of guest data. Guests should direct requests to the accommodation provider they booked with.
3. Personal data we collect
| Category |
Examples |
Source |
| Account data |
Username, email address, phone, role, organization |
Provided by your organization or by you |
| Authentication data |
Password (stored as a bcrypt hash), optional two-factor authentication secret (encrypted), recovery codes (hashed) |
Provided by you |
| Billing data |
Company name, VAT number, address, IBAN for SEPA debit |
Provided by your organization |
| Usage and security logs |
IP address, timestamps, actions performed on the platform (audit log) |
Generated by the Service |
| Support communications |
Emails and messages you exchange with us |
Provided by you |
| Guest data (processed on behalf of clients) |
Guest name, email, phone, reservation details |
Synchronized from the client’s PMS/channel manager |
4. Purposes and legal bases
We do not use your personal data for marketing profiling, we do not sell personal data, and we do not transfer it to third parties for their own purposes.
| Purpose |
Legal basis (GDPR) |
| Providing the Service, managing accounts and authentication |
Art. 6(1)(b) — performance of a contract |
| Invoicing and payment collection |
Art. 6(1)(b) and 6(1)(c) — contract and legal obligations |
| Security: audit logging, access control, fraud and abuse prevention |
Art. 6(1)(f) — legitimate interest in securing the Service |
| Support and communications about the Service |
Art. 6(1)(b) — performance of a contract |
| Compliance with legal obligations (tax, accounting) |
Art. 6(1)(c) — legal obligation |
| Service improvement using aggregated, anonymized statistics |
Art. 6(1)(f) — legitimate interest (no identification possible) |
5. Administrative access and support impersonation
Authorized Provider staff (the platform master account) can access organization accounts for support and administration, including a "sign in as" function used to reproduce and resolve issues. Every such access is recorded in a tamper-evident audit log, and actions performed during impersonation are attributed to the administrator, not to the user.
6. Recipients and sub-processors
Personal data is processed on our behalf by the following categories of providers, under data processing agreements:
| Provider |
Purpose |
Location |
| Render Services, Inc. (Frankfurt region) |
Cloud hosting, database, application infrastructure |
EU (Germany) |
| Brevo (Sendinblue SAS) |
Transactional email (password resets, notifications) |
EU (France) |
| Microsoft Ireland Operations Ltd |
Compliance archival of audit evidence (SharePoint) |
EU |
PMS and channel manager platforms (e.g. Smoobu, WuBook, KrossBooking) are connected at the client’s direction under the client’s own agreements with those providers.
7. International transfers
The Service is hosted in the European Union (Frankfurt, Germany). If any transfer of personal data outside the EU/EEA becomes necessary, it will only take place with appropriate safeguards under Chapter V of the GDPR (e.g. adequacy decisions or Standard Contractual Clauses).
8. Retention
- Account data: for the duration of the contract and up to 60 days after termination, when client data is exported on request and then deleted or anonymized.
- Billing data: 10 years, as required by tax and accounting law.
- Audit logs: retained in de-identified form (keyed on account identifier only) for accountability purposes; archived copies are kept as compliance evidence.
- Guest data: processed for as long as instructed by the client; the client may request anonymization or deletion at any time.
9. Security
We apply appropriate technical and organizational measures, including: encryption in transit (TLS) and at rest for stored credentials (AES-256-GCM with per-organization keys), bcrypt password hashing, optional two-factor authentication (TOTP), short-lived session tokens with rotation, per-organization data isolation, role-based access, rate limiting, and a tamper-evident (hash-chained) audit log with weekly off-site archival within the EU.
10. Your rights
Under Articles 15–22 GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and the right to data portability. You can exercise these rights by writing to privacy@ho-me.consulting. We respond within one month. You also have the right to lodge a complaint with a supervisory authority — in Malta, the Information and Data Protection Commissioner (idpc.org.mt); in Italy, the Garante per la protezione dei dati personali (gpdp.it).
11. Cookies and local storage
The Service uses only technical session storage strictly necessary for authentication and application functionality. We do not use advertising or third-party profiling cookies.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to clients by email or through the platform before they take effect. The date at the top indicates the latest revision.