Data Processing Agreement
In plain terms: When you use Channels Connect to manage guest bookings, you are the controller of that guest data and we are the processor. We only process it to run the platform, we protect it under the measures below, and we name the exact vendors, our subprocessors, who touch it. If EU or UK data leaves those regions, we rely on Standard Contractual Clauses.
1. Definitions
“Controller” means the party that decides why and how personal data is processed, which for booking and guest data is typically you, our customer. “Processor” means Channels Connect, processing personal data on the Controller’s documented instructions. “Personal Data” means information relating to an identified or identifiable individual. “Processing” covers any operation performed on personal data, including collection, storage, use, and disclosure. “Data Subject” means the individual the data is about, such as a guest or an employee. “Subprocessor” means a vendor Channels Connect engages to help process personal data on the Controller’s behalf.
2. Scope and Application
This DPA applies whenever Channels Connect processes personal data on your behalf, including guest names and contact details received through connected channels, employee data you enter for your own team, and booking and calendar records synchronized across platforms. It applies whether or not you or your guests are located in the EU or UK; we apply the same protections regardless of jurisdiction.
3. Controller and Processor Responsibilities
Your responsibilities as controller
You are responsible for having a lawful basis to process the personal data you handle, giving your guests and staff any privacy notice required by law, obtaining consent where needed, and responding to data subject rights requests, with our assistance under Section 8.
Our responsibilities as processor
We process personal data only on your documented instructions and for the purposes described in our Privacy Policy, keep it confidential, implement the technical and organizational measures in Section 5, assist with data subject rights requests, notify you of breaches under the timeline in Section 9, and return or delete data on termination under Section 11.
4. Categories of Data and Processing
Categories of personal data: guest data (name, contact details, booking details), property owner and staff data (contact details, account credentials), communication data (support messages, chat transcripts), and platform usage data.
Categories of data subjects: guests and prospective guests, property owners and their staff, and support contacts.
Processing purposes: synchronizing listings, calendars, and rates across booking channels; facilitating guest communication; providing customer support; and securing the platform against fraud.
5. Security Measures
Technical safeguards: encryption of data in transit and at rest, access controls tied to individual accounts, and reliance on Supabase’s authentication infrastructure rather than custom credential storage.
Organizational measures: access to production data limited to the staff whose role requires it, a documented incident response process, and review of vendor agreements before a new subprocessor is added.
6. Subprocessors
We name our subprocessors rather than describing them only by category, so you know exactly who touches your data.
| Subprocessor | Function | Location |
|---|---|---|
| Supabase | Authentication and database hosting | United States / European Union |
| Amazon Web Services | Hosting (CloudFront, S3) | United States |
| Hetzner | Application hosting | European Union |
| GoHighLevel (LeadConnector) | CRM, chat widget, customer communications | United States |
| Google Workspace | Company email and optional Google sign-in | United States |
Subprocessor requirements
Each subprocessor is bound by a written agreement requiring data protection safeguards equivalent to this DPA, and each is subject to review before onboarding.
Change notification
We will give at least 30 days notice before adding or replacing a subprocessor, at info@channelsconnect.com or through an in-app notice, so you can raise an objection before the change takes effect.
7. International Data Transfers
Where personal data moves from the European Union or United Kingdom to the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism, together with the technical safeguards in Section 5. We do not claim any third party security certification we have not actually obtained; if that changes, this page will say so.
8. Data Subject Rights Support
We will help you respond to access, rectification, erasure, restriction, portability, and objection requests from data subjects. Email info@channelsconnect.com with the request; we aim to provide the technical support you need within 72 hours.
9. Data Breach Notification
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and no later than 72 hours after we learn of it, with an initial description of what happened. A fuller incident report, including the categories and approximate number of affected data subjects, the likely consequences, and the steps we have taken, will follow within 7 days, with updates until the matter is resolved.
10. Audit and Compliance
You may request evidence of our compliance with this DPA, including a summary of our security practices and confirmation of our current subprocessor list. Where a full audit is warranted, we will work with you in good faith on scope and timing rather than restrict you to a document review.
11. Term and Termination
This DPA stays in effect for as long as we process personal data on your behalf. On termination of your account, we will return or delete your personal data within 90 days, in a standard exportable format, and confirm deletion in writing on request.
12. Contact Information
Channels Connect, operated in affiliation with EroRentals Hollywood, Florida, United States
Email: info@channelsconnect.com Phone: +1 (305) 434-4076