GDPR Compliance

Last updated:

This page outlines how StayDesk Ltd. complies with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the UK GDPR, and India's Digital Personal Data Protection Act (DPDPA) 2023. Our platform infrastructure is hosted on Microsoft Azure — Central India region (Pune). This means personal data of EU/EEA residents is transferred to and processed in India, a country without an EU adequacy decision. We rely on EU Standard Contractual Clauses (SCCs) and Microsoft's Azure Data Processing Addendum to safeguard such transfers. This document supplements our Privacy Policy and is intended for customers, hotel guests, and any data subject whose rights may be affected.

1. Our Role Under GDPR

GDPR distinguishes between data controllers (who determine the purposes and means of processing) and data processors (who process data on a controller's behalf). StayDesk operates in both capacities:

Data Controller

For personal data collected directly from visitors and customers — such as contact form submissions, business account details, and billing records — StayDesk is the data controller and is responsible for lawful processing.

Data Processor

For guest identity document data (passports, national ID cards) uploaded or captured within the platform, StayDesk acts as a data processor on the hotel's instructions. The hotel remains the data controller for its guests' data and must ensure it has a lawful basis to use our OCR services.

2. Data Processing Agreement (DPA)

In our role as data processor, GDPR Article 28 requires us to have a Data Processing Agreement in place with each hotel (data controller). Our DPA is embedded within our standard subscription agreement and covers:

  • The subject matter, duration, nature, and purpose of processing.
  • The type of personal data and categories of data subjects.
  • Our obligations and rights as processor.
  • Sub-processor management and notification procedures.
  • Technical and organisational security measures.
  • Assistance with data subject rights requests.
  • Data deletion or return upon contract termination.

A standalone DPA is available on request at legal@staydesk.in.

3. Legal Bases for Processing

We only process personal data when we have a valid legal basis under GDPR Article 6 (and Article 9 for any special-category data). The legal basis depends on the type of data and purpose:

Processing Activity                      | Legal Basis                                    | GDPR Article
-----------------------------------------|------------------------------------------------|---------------------
Providing subscribed Services            | Performance of contract                        | Art. 6(1)(b)
Invoice & tax compliance                 | Legal obligation                               | Art. 6(1)(c)
Responding to enquiries                  | Legitimate interests                           | Art. 6(1)(f)
Marketing emails (opt-in)                | Consent                                        | Art. 6(1)(a)
Platform security & fraud prevention     | Legitimate interests                           | Art. 6(1)(f)
Guest document OCR (on behalf of hotel)  | Legal obligation (national law) + contract     | Art. 6(1)(b), (c)
Analytics & product improvement          | Legitimate interests (anonymised data)         | Art. 6(1)(f)

4. Data Subject Rights

Under GDPR, individuals whose personal data we process as a controller have the following rights. We handle all requests within 30 days (extendable by a further 60 days for complex requests, with notification):

Right of Access (Art. 15)

Request a copy of the personal data we hold about you, along with information about how and why we process it.

Right to Rectification (Art. 16)

Ask us to correct inaccurate personal data or complete incomplete data.

Right to Erasure (Art. 17)

Request deletion of your personal data where there is no compelling reason for continued processing ("right to be forgotten"). Some data may be retained for legal compliance.

Right to Restriction (Art. 18)

Ask us to pause processing of your personal data in certain circumstances, for example while a correction request is pending.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Rights Related to Automated Decisions (Art. 22)

Not to be subject to solely automated decisions that produce significant legal effects. Our OCR outputs are always reviewed against guest-provided documents by hotel staff.

To exercise any right, email privacy@staydesk.in with "GDPR Request" in the subject line. We may need to verify your identity before processing the request. We do not charge a fee for legitimate requests.

5. Sub-Processors

We engage the following sub-processors to deliver our Services. All are bound by Data Processing Agreements and required to maintain GDPR-equivalent standards:

Sub-Processor                    | Purpose                                                      | Data Location
---------------------------------|--------------------------------------------------------------|------------------------------------------------------------
Microsoft Azure (Central India)  | Primary cloud infrastructure, storage, compute, and networking | India — Central India / Pune (Azure region)
Microsoft Azure CDN              | Global content delivery & edge caching                       | Multi-region edge (SCCs for EU traffic)
OpenAI                           | AI language model for WhatsApp assistant                     | Central India (SCCs via Microsoft Azure OpenAI Service DPA)

SCCs = EU Standard Contractual Clauses. Full sub-processor list available on request.

6. International Data Transfers

Important — Infrastructure in India

Our platform is hosted on Microsoft Azure — Central India (Pune). India does not currently hold a European Commission adequacy decision under GDPR. This means that transfers of EU/EEA personal data to our infrastructure constitute international transfers and require an appropriate safeguard.

We rely on the following safeguards for all international transfers:

  • EU Standard Contractual Clauses (SCCs) — 2021 Module 2 & 3: All transfers of EU personal data to India (Azure Central India) are governed by the 2021 SCCs incorporated into Microsoft's Azure Data Processing Addendum (DPA) and into agreements with each sub-processor located outside the EEA.
  • Microsoft Azure Data Processing Addendum: Microsoft's DPA, which covers Azure services, includes binding commitments on GDPR compliance, sub-processor obligations, international transfer safeguards, and security measures applicable to data stored or processed in the Central India region.
  • Transfer Impact Assessments (TIAs): We have conducted TIAs for transfers to India and the United States (for OpenAI and Stripe). Copies are available to enterprise customers upon request.
  • Indian DPDPA 2023: As a data processor operating infrastructure in India, we additionally comply with India's Digital Personal Data Protection Act 2023, which governs the processing of digital personal data within India.

If you require a copy of the applicable SCCs or the Azure DPA, contact legal@staydesk.in.

7. Security Measures

In accordance with GDPR Article 32, we implement appropriate technical and organisational security measures, including:

  • TLS 1.3 encryption for all data in transit.
  • AES-256 encryption for data at rest, enforced by Azure Storage Service Encryption.
  • Role-based access control (RBAC) limiting data access to authorised personnel only.
  • Multi-factor authentication (MFA) required for all platform and cloud console access.
  • Microsoft Azure Central India region holds ISO 27001, ISO 27018, SOC 1 Type 2, SOC 2 Type 2 and PCI-DSS certifications relevant to data security.
  • Azure Defender and Microsoft Sentinel used for real-time threat detection and security monitoring.
  • Regular internal security audits and annual penetration tests by accredited third parties.
  • Secure software development lifecycle (SSDLC) practices including dependency scanning and code review.
  • Incident response plan with 72-hour EU supervisory authority notification procedures and alignment with DPDPA breach reporting obligations.

8. Data Breach Notification

In the event of a personal data breach (Articles 33 and 34 GDPR), we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals' rights and freedoms.
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Notify affected hotel customers (controllers) without undue delay where the breach involves Customer Data we process on their behalf.

9. Data Retention

We retain personal data only for as long as necessary. Specific retention periods:

  • Customer account data: Duration of contract + 7 years (statutory accounting requirements).
  • Guest OCR data: Deleted within 30 days of processing unless the hotel instructs a longer period required by national law (e.g., police registry regulations).
  • Contact enquiries: 2 years from last communication.
  • Marketing consent records: Until consent is withdrawn + 1 year.
  • Server access logs: 90 days rolling.

10. Supervisory Authorities

Because our infrastructure is hosted in India, the following frameworks and authorities are relevant:

India — Data Protection Board of India (DPBI)

For matters relating to India's Digital Personal Data Protection Act (DPDPA) 2023, the competent authority is the Data Protection Board of India, established under Section 18 of the DPDPA:

Data Protection Board of India (DPBI)

Ministry of Electronics & Information Technology (MeitY)

Electronics Niketan, 6 CGO Complex, New Delhi — 110003, India

Website: dpboard.gov.in

11. Contact Our Data Protection Officer

For all GDPR-related queries, rights requests, or to review a copy of our Data Processing Agreement, contact our Data Protection Officer:

StayDesk Ltd. — Data Protection Officer

Email: dpo@staydesk.in

Please include "GDPR Request" in the subject line for fastest processing.