Platform 24/7 Butler Pricing Case Studies About Contact

Privacy Policy

Effective Date: April 6, 2026  |  Last Updated: April 6, 2026

CloudReef Technologies ("CloudReef", "we", "our", "us") operates the CloudReef Property Management System, a cloud-based hospitality platform. This Privacy Policy describes how we collect, process, store, and protect personal data in connection with the CloudReef platform and related services.

This policy applies to all users of the CloudReef platform, including property operators (our direct clients), their staff members, and guests whose data is processed through the platform on behalf of property operators.

Table of Contents
  1. Data Controller & Data Processor Relationship
  2. Categories of Personal Data Collected
  3. Legal Basis for Processing
  4. Data Processing Activities
  5. Data Storage & Infrastructure
  6. Data Retention
  7. Data Sharing & Sub-Processors
  8. Data Subject Rights
  9. International Data Transfers
  10. Children's Data
  11. Updates to This Policy
  12. Contact

1. Data Controller & Data Processor Relationship

CloudReef operates under a dual-role model:

Data Processor: When handling guest personal data (names, identity documents, contact information, booking details), CloudReef acts as a data processor on behalf of the property operator (the data controller). We process this data solely according to the property operator's instructions and applicable service agreements.

Data Controller: For staff account data (names, email addresses, roles, authentication credentials), CloudReef acts as the data controller, determining the purposes and means of processing.

Data Processing Agreements (DPAs) are available upon request for all property operators.

2. Categories of Personal Data Collected

2.1 Staff Account Data

2.2 Guest Data (Processed on Behalf of Property Operators)

2.3 Operational Data

2.4 Technical Data

4. Data Processing Activities

4.1 Reservation Management

Guest booking data is received from property operators (manually entered or synced via channel manager integration) and stored in the CloudReef database. Each booking record is associated with a specific property and isolated at the database level via Row Level Security policies.

4.2 Point of Sale & Kitchen Display

Food and beverage orders are processed in real-time using Supabase Realtime channels. Order data includes menu items, quantities, room/table assignment, and payment status. Orders are linked to guest profiles when a booking association exists.

4.3 Guest Communication

The platform facilitates communication between property staff and guests through an integrated messaging system. Messages are stored in the database and associated with specific conversations, bookings, and guest profiles.

4.4 Error Tracking & Diagnostics

Client-side and server-side errors are automatically captured and logged for platform stability monitoring. Error logs include: error message (truncated to 2,000 characters), stack trace (truncated to 5,000 characters), error source classification, page URL at time of error, and browser user agent. Error logs are deduplicated within a 5-second window to prevent log flooding. A pattern-matching system classifies known errors and suggests automated remediation actions.

4.5 File Storage

Property operators may upload images (menu item photos, property assets) to the platform. Files are processed (resized, compressed to JPEG format) before storage and served via authenticated CDN endpoints.

5. Data Storage & Infrastructure

ComponentProviderLocationCertification
Application hostingVercel Inc.Edge network (global)SOC 2 Type II
Database & authenticationSupabase (AWS)EU (Frankfurt, eu-central-1)SOC 2 Type II
Edge network & DDoS protectionCloudflare Inc.Global edge (250+ cities)SOC 2 Type II, ISO 27001
Payment processingStripe Inc.Regional processingPCI DSS Level 1
Transactional emailResend Inc.US-EastSOC 2
Video CDNCloudflare WorkersGlobal edgeSOC 2 Type II

Data Residency: Primary database is hosted in the European Union (AWS Frankfurt region). Edge caching through Cloudflare and Vercel does not persistently store personal data outside the primary region.

6. Data Retention

Data TypeRetention PeriodDeletion Method
Active guest recordsDuration of client contractCascading delete on contract termination
Resolved error logs30 days after resolutionAutomated purge
Unresolved error logs90 daysManual review + automated purge
Booking recordsDuration of client contract + 7 years (regulatory)Anonymization after regulatory period
Staff accountsUntil deactivated by property operatorSoft delete (is_active = false), hard delete on request
File uploadsDuration of client contractBucket-level deletion on contract termination
Authentication sessionsAutomatic expiry (JWT-based)Token invalidation on sign-out

Upon contract termination, all property data is permanently deleted within 30 calendar days upon written request.

7. Data Sharing & Sub-Processors

CloudReef does not sell, rent, or trade personal data. Data is shared only with the following sub-processors, strictly for platform operation:

Sub-ProcessorPurposeData SharedDPA Status
Supabase (Supabase Inc.)Database hosting, authentication, real-time data syncAll platform dataIn place
Vercel (Vercel Inc.)Application hosting, serverless functionsRequest metadata, rendered pagesIn place
Cloudflare (Cloudflare Inc.)CDN, DNS, DDoS mitigation, WAFRequest metadata, static assetsIn place
Stripe (Stripe Inc.)Payment processingPayment tokens, transaction amountsIn place
Resend (Resend Inc.)Transactional email deliveryRecipient email, email contentIn place

Property operators are notified of any changes to this sub-processor list at least 30 days in advance.

8. Data Subject Rights

Under GDPR, CCPA, and applicable data protection legislation, individuals have the following rights:

For Guest Data: Requests should be directed to the property operator (data controller) in the first instance. The property operator may then instruct CloudReef to fulfill the request.

For Staff Data: Requests should be directed to [email protected]. We respond to all requests within 30 calendar days.

Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.

9. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), CloudReef ensures adequate protection through:

10. Children's Data

CloudReef does not knowingly collect personal data from children under 16 years of age. Guest records for minors are the responsibility of the property operator and must be associated with an adult guardian's booking.

11. Updates to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to property operators via email at least 30 days before taking effect. The "Last Updated" date at the top of this policy reflects the most recent revision.

12. Contact

Data Protection Contact

Email: [email protected]


Company Address

CloudReef, distributed by SwiftSyncIT Philippines

Marnella Townhouse, Casanta Soong Road

Brgy Mactan

Cebu City, Philippines