CloudReef Technologies ("CloudReef", "we", "our", "us") operates the CloudReef Property Management System, a cloud-based hospitality platform. This Privacy Policy describes how we collect, process, store, and protect personal data in connection with the CloudReef platform and related services.
This policy applies to all users of the CloudReef platform, including property operators (our direct clients), their staff members, and guests whose data is processed through the platform on behalf of property operators.
CloudReef operates under a dual-role model:
Data Processor: When handling guest personal data (names, identity documents, contact information, booking details), CloudReef acts as a data processor on behalf of the property operator (the data controller). We process this data solely according to the property operator's instructions and applicable service agreements.
Data Controller: For staff account data (names, email addresses, roles, authentication credentials), CloudReef acts as the data controller, determining the purposes and means of processing.
Data Processing Agreements (DPAs) are available upon request for all property operators.
| Data Category | Legal Basis | Justification |
|---|---|---|
| Staff account data | Legitimate interest & contractual necessity | Required to provide platform access and enforce role-based permissions |
| Guest personal data | Contractual necessity (processor) | Processed on behalf of property operators to fulfill hospitality services |
| Guest identity documents | Legal obligation | Required by local hospitality regulations for guest registration |
| Booking & payment data | Contractual necessity | Required to manage reservations and billing |
| Error logs & technical data | Legitimate interest | Required to maintain platform stability, security monitoring, and incident response |
| Communication records | Contractual necessity | Required to facilitate guest-property communication |
Guest booking data is received from property operators (manually entered or synced via channel manager integration) and stored in the CloudReef database. Each booking record is associated with a specific property and isolated at the database level via Row Level Security policies.
Food and beverage orders are processed in real-time using Supabase Realtime channels. Order data includes menu items, quantities, room/table assignment, and payment status. Orders are linked to guest profiles when a booking association exists.
The platform facilitates communication between property staff and guests through an integrated messaging system. Messages are stored in the database and associated with specific conversations, bookings, and guest profiles.
Client-side and server-side errors are automatically captured and logged for platform stability monitoring. Error logs include: error message (truncated to 2,000 characters), stack trace (truncated to 5,000 characters), error source classification, page URL at time of error, and browser user agent. Error logs are deduplicated within a 5-second window to prevent log flooding. A pattern-matching system classifies known errors and suggests automated remediation actions.
Property operators may upload images (menu item photos, property assets) to the platform. Files are processed (resized, compressed to JPEG format) before storage and served via authenticated CDN endpoints.
| Component | Provider | Location | Certification |
|---|---|---|---|
| Application hosting | Vercel Inc. | Edge network (global) | SOC 2 Type II |
| Database & authentication | Supabase (AWS) | EU (Frankfurt, eu-central-1) | SOC 2 Type II |
| Edge network & DDoS protection | Cloudflare Inc. | Global edge (250+ cities) | SOC 2 Type II, ISO 27001 |
| Payment processing | Stripe Inc. | Regional processing | PCI DSS Level 1 |
| Transactional email | Resend Inc. | US-East | SOC 2 |
| Video CDN | Cloudflare Workers | Global edge | SOC 2 Type II |
Data Residency: Primary database is hosted in the European Union (AWS Frankfurt region). Edge caching through Cloudflare and Vercel does not persistently store personal data outside the primary region.
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Active guest records | Duration of client contract | Cascading delete on contract termination |
| Resolved error logs | 30 days after resolution | Automated purge |
| Unresolved error logs | 90 days | Manual review + automated purge |
| Booking records | Duration of client contract + 7 years (regulatory) | Anonymization after regulatory period |
| Staff accounts | Until deactivated by property operator | Soft delete (is_active = false), hard delete on request |
| File uploads | Duration of client contract | Bucket-level deletion on contract termination |
| Authentication sessions | Automatic expiry (JWT-based) | Token invalidation on sign-out |
Upon contract termination, all property data is permanently deleted within 30 calendar days upon written request.
CloudReef does not sell, rent, or trade personal data. Data is shared only with the following sub-processors, strictly for platform operation:
| Sub-Processor | Purpose | Data Shared | DPA Status |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database hosting, authentication, real-time data sync | All platform data | In place |
| Vercel (Vercel Inc.) | Application hosting, serverless functions | Request metadata, rendered pages | In place |
| Cloudflare (Cloudflare Inc.) | CDN, DNS, DDoS mitigation, WAF | Request metadata, static assets | In place |
| Stripe (Stripe Inc.) | Payment processing | Payment tokens, transaction amounts | In place |
| Resend (Resend Inc.) | Transactional email delivery | Recipient email, email content | In place |
Property operators are notified of any changes to this sub-processor list at least 30 days in advance.
Under GDPR, CCPA, and applicable data protection legislation, individuals have the following rights:
For Guest Data: Requests should be directed to the property operator (data controller) in the first instance. The property operator may then instruct CloudReef to fulfill the request.
For Staff Data: Requests should be directed to [email protected]. We respond to all requests within 30 calendar days.
Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.
When personal data is transferred outside the European Economic Area (EEA), CloudReef ensures adequate protection through:
CloudReef does not knowingly collect personal data from children under 16 years of age. Guest records for minors are the responsibility of the property operator and must be associated with an adult guardian's booking.
We may update this Privacy Policy periodically. Material changes will be communicated to property operators via email at least 30 days before taking effect. The "Last Updated" date at the top of this policy reflects the most recent revision.
Data Protection Contact
Email: [email protected]
Company Address
CloudReef, distributed by SwiftSyncIT Philippines
Marnella Townhouse, Casanta Soong Road
Brgy Mactan
Cebu City, Philippines