آخر تحديث: 2026-05-23

Privacy notice

How iRevenue processes the personal data of its customers and visitors

Who we are

iRevenue is a software-as-a-service platform that provides property-management, booking-engine, and revenue-management tools to hospitality businesses (“Customers”). This notice explains how iRevenue processes personal data in its capacity as data controller — that is, the data we collect about our Customers' users (account holders, billing contacts) and about visitors to our marketing site.

When iRevenue processes personal data about hotel guests on behalf of a Customer hotel, iRevenue acts as a data processor under Article 28 GDPR — the guest's data controller is the hotel itself, and the applicable privacy notice is the one published on the hotel's booking site.

Data controller and contact

Data controller: iRevenue (the legal entity operating the Service — full legal name, registered office and VAT/Tax ID are published in the contractual documentation provided to Customers and will be added here as soon as registration formalities are completed).

Privacy contact: privacy@irevenue.cloud

What we process, why, and on what legal basis

a) Account creation and Service operation

Data: Name, work email, hashed password, organisation, property metadata, role within the organisation, locale, timezone.

Legal basis: Performance of the Service contract (Art. 6(1)(b) GDPR).

Retention: For the duration of the Service contract plus the periods required by tax, accounting and contractual-liability law.

b) Billing and subscription management

Data: Billing entity, VAT/Tax ID, billing address, invoice history. Card data is handled exclusively by our payment processor and is never stored on iRevenue infrastructure.

Legal basis: Performance of contract and compliance with legal obligations (Art. 6(1)(b) and (c) GDPR).

Retention: 10 years from invoice date, per tax legislation.

c) Support and incident response

Data: Support tickets, error logs, screenshots provided by the user, IP address and user-agent at the time of an incident.

Legal basis: Performance of contract and legitimate interest in operating a reliable, secure Service (Art. 6(1)(b) and (f) GDPR).

Retention: Up to 24 months from ticket closure; security logs up to 12 months.

d) Security, fraud prevention and audit logging

Data: Authentication events (sign-in, sign-out, password changes), IP address, user-agent, role changes, sensitive-data accesses (e.g. guest export, GDPR-rights actions).

Legal basis: Legitimate interest in detecting and preventing fraud and abuse, and compliance with security obligations (Art. 6(1)(c) and (f) GDPR).

Retention: 12 months for raw security logs; audit trails on sensitive actions are retained for the lifetime of the Customer contract.

e) Product analytics and improvement

Data: Aggregated usage metrics (which features are used, page-load times, error rates). Where possible, this data is pseudonymised before analysis.

Legal basis: Legitimate interest in improving the Service (Art. 6(1)(f) GDPR). On the marketing site, analytics cookies are loaded only with consent.

Retention: 26 months in aggregated form.

f) Marketing communications

Data: Email, name, organisation.

Legal basis: Your explicit consent, freely revocable via the unsubscribe link in every message (Art. 6(1)(a) GDPR), or — for existing Customers — legitimate interest in informing you about products similar to those you already use (Art. 6(1)(f) GDPR + soft opt-in).

Retention: Until you withdraw consent or unsubscribe.

Who we share data with

  • Sub-processors we use to deliver the Service: cloud infrastructure (EU regions), transactional email relay, payment processor (Stripe), error-monitoring (Sentry), document/file storage. A current list of sub-processors is available on request and is updated before any new sub-processor is engaged.
  • Payment service providers — to process subscription billing.
  • Professional advisors — legal, tax, accounting and audit firms, bound by confidentiality obligations.
  • Public authorities — only where compelled by valid legal process or where required to defend rights.

We do not sell personal data and do not share it with third parties for their own marketing purposes.

Transfers outside the EU/EEA

Customer data is hosted in EU/EEA data-center regions. Where a sub-processor transfers data outside the EU/EEA (for example certain support tools), transfers are protected by Standard Contractual Clauses approved by the European Commission, supplementary technical measures (encryption at rest and in transit), and an adequacy decision where applicable.

Security

We apply technical and organisational measures appropriate to the risk under Art. 32 GDPR: encryption in transit (TLS 1.2+), encryption at rest, strong password hashing (Argon2id), role-based access control, audit logging, rate-limiting, regular dependency security scanning, secret management, and backup encryption.

Your rights

Under Articles 15–22 GDPR you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request erasure where applicable;
  • request restriction of processing;
  • request data portability for data processed by automated means;
  • object to processing based on legitimate interest, including direct marketing;
  • withdraw consent where processing is based on consent.

To exercise these rights, email privacy@irevenue.cloud. We will reply within 30 days and may verify your identity before complying. You also have the right to lodge a complaint with the supervisory authority of the EU member state where you live or work (in Italy: Garante per la protezione dei dati personali).

Cookies

Cookies used on this site are listed in the cookie policy.