GDPR & Data Security Policy
How we protect financial and personal data entrusted to us by hotel and restaurant outsourcing clients.
Encryption
TLS 1.2+ in transit, AES-256 at rest. Client documents are stored in a private, non-listable bucket and decrypted only on authenticated access.
Access Control
Role-based access with least-privilege. Multi-factor authentication enforced for all Consultant personnel. Per-client workspaces are segregated.
EEA Hosting
Primary hosting in the European Economic Area. Any transfer outside the EEA is performed only under Standard Contractual Clauses (SCCs) or an adequacy decision, and is notified in writing.
Breach Response
72-hour breach notification window with full forensic detail to enable the Client to meet its own GDPR obligations as Data Controller.
Lawful basis & roles
For finance outsourcing engagements the Client is the Data Controller and HospitalityFinance Consultancy is the Data Processor. Processing is based on contract performance (Art. 6(1)(b) GDPR) and, where applicable, on the Controller's legal obligations and legitimate interests (Art. 6(1)(c) and (f)).
Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloud hosting (Lovable Cloud / Supabase) | Encrypted database, file storage and authentication | EU (Ireland / Frankfurt) |
| Email & document delivery | Transactional email and signed-link delivery | EU |
| Accounting / consolidation platform (per engagement) | Bookkeeping and reporting workspace agreed with the Client | EU by default |
Updates to this list are notified to active clients with thirty (30) days' notice.
Retention
Operational working files are deleted within ninety (90) days of engagement termination. Statutory accounting records retained on the Client's behalf follow the legal retention periods of the Client's jurisdiction (typically 7–10 years), then are securely destroyed.
Data subject rights
- Right of access — confirmation and copy of personal data being processed.
- Right to rectification — correction of inaccurate or incomplete data.
- Right to erasure — deletion subject to statutory retention periods.
- Right to restriction — temporary limitation of processing.
- Right to portability — export in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests.
- Right to lodge a complaint with a supervisory authority.
Requests are routed to the Client as Controller. We assist within five (5) business days.
Incident response
A documented incident response procedure governs detection, containment, forensic analysis and Client notification within seventy-two (72) hours. Post-incident reports include root cause, scope, mitigations and corrective actions.
Security contact
Send security questionnaires, audit requests or suspected incidents through the contact form. We respond within one (1) business day.