GuestPad
Terms of ServiceLog In

Privacy Policy

Last updated: February 21, 2026

1. Introduction

GuestPad ("we", "us", "our") operates the guestpad.is platform, providing in-room guest concierge services for accommodation providers. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and Icelandic data protection law.

2. Data Controller

GuestPad is the data controller for personal data processed through the platform. For questions about your data, contact us at privacy@guestpad.is.

3. What Data We Collect

Property Owners (Account Holders)

  • Name and email address (for account creation and communication)
  • Property details (name, location, amenities, house rules)
  • Content you upload (photos, descriptions, local recommendations)
  • Subscription and billing information (processed by Stripe)

Guests (Tablet Users)

  • Messages sent through the contact feature (content and timestamps)
  • Aurora sighting submissions (photos, descriptions, approximate location)
  • Page view analytics (aggregated, not personally identifiable)
  • Tour booking interactions (click tracking for commission attribution)

We do not collect: Guest names, email addresses, phone numbers, payment card details, or any personally identifiable information from tablet users. Guest interactions are anonymous by design.

4. How We Use Your Data

  • Providing and operating the GuestPad platform
  • Displaying property content to guests on tablets
  • Delivering messages between guests and property owners
  • Processing subscription payments
  • Generating analytics for property owners (page views, tour clicks)
  • Moderating user-submitted content (aurora sightings)
  • Sending transactional emails (account confirmation, password reset)
  • Improving the platform based on aggregate usage patterns

5. Legal Basis for Processing

  • Contract performance: Processing necessary to provide the service you signed up for
  • Legitimate interest: Analytics, platform improvement, fraud prevention
  • Consent: Aurora sighting sharing (opt-in per property)
  • Legal obligation: Tax and accounting records for billing

6. Third-Party Services

We use the following third-party services to operate the platform. Each processes data only as necessary to provide their service:

Supabase (Database & Authentication)

Stores account data, property content, and messages. Hosted in EU (Frankfurt). GDPR compliant.

Vercel (Hosting & CDN)

Hosts the web application. Processes web requests and serves static assets. Privacy Shield certified.

Stripe (Payment Processing)

Processes subscription payments. We do not store payment card details. Stripe is PCI-DSS Level 1 certified and GDPR compliant.

Google Cloud Vision (Content Moderation)

Scans uploaded aurora sighting photos for inappropriate content (SafeSearch). Images are processed but not stored by Google.

Resend (Transactional Email)

Sends account-related emails (confirmation, password reset). Processes email addresses only for delivery.

7. Data Retention

  • Account data: Retained while your account is active. Deleted upon account deletion request.
  • Guest messages: Retained for up to 90 days, then anonymized. Property owners can export messages before anonymization.
  • Aurora sightings: Retained for up to 90 days, then anonymized. Photos are deleted.
  • Analytics data: Aggregated and anonymized. Retained according to your subscription tier (90 or 365 days).
  • Billing records: Retained as required by Icelandic tax law (7 years).

8. Your Rights

Under GDPR, you have the following rights:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to data portability: Receive your data in a machine-readable format
  • Right to restrict processing: Limit how we use your data
  • Right to object: Object to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@guestpad.is. We will respond within 30 days.

Property owners can delete their account and all associated data directly from the dashboard Settings page.

9. Cookies

GuestPad uses only essential cookies required for the platform to function:

  • Authentication cookies: Maintain your login session (property owners)
  • Tablet identity cookie: Links the tablet device to a property (guest tablets)

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not participate in cross-site tracking.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data transmitted via HTTPS/TLS encryption
  • Database-level Row Level Security (RLS) ensuring tenant isolation
  • Authentication via Supabase Auth with secure password hashing
  • Regular security reviews and dependency updates
  • Minimal data collection principle (we only collect what we need)

11. International Data Transfers

Your data is primarily stored in the EU (Supabase Frankfurt region). Some processing may occur in the United States through our hosting provider (Vercel) and payment processor (Stripe), both of which maintain appropriate safeguards under GDPR.

12. Children's Privacy

GuestPad is not directed at children under 16. We do not knowingly collect personal data from children. Guest tablet interfaces are designed for general use by accommodation guests and do not collect personal information.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify property owners of significant changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

If you have questions about this privacy policy or your personal data, contact us:

You also have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at www.personuvernd.is.