By using the Rapid Hotel System app ("App" and/or "Service"), or any other services of visibleIT GmbH ("visibleIT"), you are consenting to our policies regarding the collection, use and disclosure of personal information set out in this privacy policy.
Roles under the GDPR
Rapid Hotel System is a B2B platform. Two distinct relationships exist:
- Account data (email, password, name, language, login logs, push tokens): visibleIT GmbH is the controller.
- Hotel-managed data stored inside a hotel workspace (logbook entries, guest interactions, repair records, room inspections, personnel files, sales inquiries, uploaded documents): the hotel that operates the workspace is the controller; visibleIT GmbH is the processor acting on the hotel's instructions under a Data Processing Agreement (DPA). Hotels are responsible for the lawful basis, retention, and rights handling of data they enter into their workspace.
Information from Users with Accounts
If you create an Account, we require some basic information at the time of account creation. You will create your own password, and we will ask you for a valid email address. You also have the option to give us more information if you want to, and this may include "User Personal Information."
"User Personal Information" is any information about one of our users which could, alone or together with other information, personally identify him or her. Information such as a user name and password, an email address, a real name, and a photograph are examples of "User Personal Information." User Personal Information includes Personal Data as defined in the General Data Protection Regulation.
User Personal Information does not include aggregated, non-personally identifying information. We may use aggregated, non-personally identifying information to operate, improve, and optimize our website and service.
Why We Collect This Information
- We need your User Personal Information to create your account, and to provide the services you request.
- We use your User Personal Information, specifically your user name, to identify you on Rapid Hotel System.
- We use it to fill out your profile and share that profile with other users if you ask us to.
- We will use your email address to communicate with you, if you've said that's okay, and only for the reasons you've said that's okay.
- We use User Personal Information and other data to understand how you use our service and to make recommendations for you.
- We may use your User Personal Information if it is necessary for security purposes or to investigate possible fraud or attempts to harm Rapid Hotel System or our users.
- We may use your User Personal Information to comply with our legal obligations, protect our intellectual property, and enforce our Terms of Service.
- We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first.
Data Categories Processed in Hotel Workspaces
When a hotel uses the Service, the following categories of personal data may be processed inside that hotel's workspace, depending on the modules it has enabled. The hotel acts as controller; visibleIT processes on its behalf.
- Personnel File (HR module): employee master data (full legal name, date of birth, address, emergency contact), employment data (position, department, salary, contract type, hire date), tax identifiers (Steuer-ID, Sozialversicherungsnummer, US SSN, US filing status, German Steuerklasse), banking details (IBAN, BIC, US ABA routing, account number), health insurance details (insurer, member number), work-permit and I-9 documentation, citizenship, marital status, number of children, and uploaded PDF documents (contracts, ID copies, certificates).
- Special categories (GDPR Art. 9): the German "Religion" field used for Kirchensteuer assessment is a special category. It is collected only where the hotel needs it for payroll-tax processing and only with an appropriate legal basis under Art. 9(2)(b) GDPR (employment law). Health insurance information is processed under Art. 9(2)(b) for the same employment-context purpose.
- Audit logs: every action on a personnel file is logged with actor, timestamp, before/after values, retained for 7 years (German Personalakte retention requirement).
- Sales / CRM (when the module ships): inbound and outbound emails between the hotel and prospective guests, including names, contact details, and any data the customer included in their inquiry.
- Operational modules (Logbook, Repairs, Tasks, Inspections, Lost & Found, Parcel, Surveys, Files): may include guest names, room numbers, photos of items, comments by staff, file attachments uploaded by hotel staff.
- User-account telemetry: sign-in IP address, device fingerprint for inactivity logout, push notification tokens, language preference. Held by visibleIT as controller.
Retention
- Active accounts: account data is retained while the account is active.
- Account deletion: when a user deletes their own account, account-level personal data is removed within 30 days. Hotel workspaces in which the user was a member retain the user's personnel record for up to 3 years (German legal retention requirement for Personalakten) and then purge it automatically, including file content, uploaded documents, and storage objects.
- Audit logs: 7 years (Personnel File audit), 2 years (general superadmin audit log).
- Hotel-managed data: the hotel acting as controller defines retention for data inside its workspace. visibleIT does not delete hotel-managed records except when instructed by the hotel or required by law.
- Inactive hotels: hotels can be marked inactive; data persists until the hotel admin requests deletion or 90 days after a final closure notice.
Definitions Regarding the GDPR
Personal Data: Any information relating to an identified or identifiable natural person (data subject).
Data Subject: An identified or identifiable natural person, being one who can be identified directly or indirectly.
Processing: Any operation or set of operations which is performed upon personal data.
Pseudonymisation: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.
Controller: The natural or legal person which alone or jointly with others determines the purposes and means of the processing of personal data.
Processor: A natural or legal person which processes personal data on behalf of the controller.
Recipient: A natural or legal person to which the personal data are disclosed.
Third Party: A natural or legal person other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct authority of the controller or the processor.
Consent: Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies agreement to personal data relating to them being processed.
Controller
visibleIT GmbH
Hunoldstr. 13
34479 Breuna
Germany
Email: [email protected]
Rights of the Data Subject
For account-level data (controlled by visibleIT) data subjects can exercise their rights directly with us. For workspace data (controlled by the hotel) requests should be addressed to the hotel; visibleIT will assist hotels in fulfilling such requests as required under the DPA.
Right of Access
Each data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data. The Personnel File module includes a built-in GDPR Article 15 / 20 export: a one-click ZIP archive containing the data subject's complete record (master data, employment, all uploaded documents, full audit log) in machine-readable form.
Right to Rectification
Each data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her without undue delay.
Right to Erasure (Right to be Forgotten)
Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, subject to retention requirements imposed by law (e.g. German Personalakte retention).
Right to Data Portability
Each data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. The Personnel File ZIP export described above satisfies this right.
Right to Object
Each data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.
Security Measures
- Authenticated-only access: personnel-file documents and other sensitive media are fetched through Firebase Storage with the user's authenticated session; no shareable public URLs are issued.
- Encryption in transit: all communication uses TLS 1.2 or higher.
- Encryption at rest: Google Cloud's default at-rest encryption applies to all Firestore and Cloud Storage data.
- Audit trail: every Personnel File action is logged with actor, timestamp, and before/after values.
- Access controls: granular per-module CRUD permissions, hotel-level kill switch, optional MFA (planned).
- Secrets management: all third-party API tokens (Postmark, etc.) stored in Google Cloud Secret Manager.
International Transfers
Data is hosted in Google Cloud's europe-west3 (Frankfurt) region by default. Some operational metadata (logging, error reporting) may be processed in Google's global infrastructure, governed by Google's Standard Contractual Clauses for transfers outside the EEA.
Third Party Services (Sub-processors)
Google Cloud / Firebase
We use Firebase Authentication, Firestore, Cloud Storage, Cloud Functions, Cloud Scheduler, and Crashlytics for the operation of the Service. All Firebase services run on Google Cloud Platform. Data is stored in europe-west3 (Frankfurt) by default. Subject to Google's Data Processing Addendum.
Google Vertex AI (Gemini)
We use Google's Vertex AI Gemini models for AI-assisted features (survey template generation, inspection template generation and, once shipped, sales-inquiry analysis). Prompts may include hotel content; outputs are returned as structured data. Data sent to Vertex AI is processed under Google Cloud's data processing terms and is not used by Google for model training. It is hosted in Google Cloud's global Vertex AI infrastructure, with EU data residency where available.
Postmark Email Services
We use Postmark for transactional email delivery (account verification, password reset, personnel-file digests, hotel notifications). Postmark processes email addresses and message content as necessary to deliver emails on our behalf. Postmark's EU privacy programme applies. Personnel-file digest emails contain only counts and a deep link; they contain no names or field values.
Stripe Payment Processing
We use Stripe for payment, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection.
Google Analytics
This website uses Google Analytics, a web analytics service. We use the "_anonymizeIp" function for IP anonymization. This means your IP address will be truncated by Google within member states of the European Union or other parties to the Agreement on the European Economic Area.
Third Party Privacy Policies
- Google Cloud / Firebase: https://firebase.google.com/support/privacy
- Google Vertex AI: https://cloud.google.com/vertex-ai/docs/general/data-governance
- Postmark: https://postmarkapp.com/eu-privacy
- Stripe: https://stripe.com/us/privacy
- Google Analytics: https://www.google.com/analytics/terms
Data Processing Agreement (DPA)
Hotels using the Service to manage employee personnel records, sales inquiries, or guest data act as controller under the GDPR. We provide a Data Processing Agreement on request to formalise the processor relationship. Contact [email protected] to obtain a signed DPA before deploying the Service in a production environment.
Contact Us
If you have any questions about this Privacy Policy, please contact us at [email protected].