Data Processing Agreement

Last updated: March 2026 — UK GDPR Article 28 compliant

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller: You, the subscribing property host or management company (“Host” or “Controller”), who determines the purposes and means of processing personal data of guests, owners, and team members.
  • Data Processor: innbu Ltd, a company registered in England and Wales (“innbu” or “Processor”), providing the AI-powered short-term rental management platform.

By accepting these terms during onboarding, the Host agrees to this DPA which forms part of the innbu Terms of Service.

2. Subject Matter and Duration

innbu processes personal data on behalf of the Host for the purpose of providing AI-powered short-term rental (STR) management services. This includes automated guest communications, cleaning coordination, pricing optimisation, compliance tracking, and financial reporting.

This DPA is effective from the date the Host accepts it during onboarding and continues for the duration of the subscription. On termination, innbu will delete or return all personal data within 30 days, unless retention is required by law.

3. Nature and Purpose of Processing

innbu processes personal data for the following purposes on behalf of the Host:

  • Booking management — recording, confirming, and tracking guest reservations
  • Guest communications — automated messaging via WhatsApp, SMS, email, and OTA platforms
  • Check-in coordination — sending access codes, arrival instructions, and guidebook links
  • Cleaning and operations — coordinating cleaning teams and maintenance based on booking dates
  • Compliance tracking — storing licence numbers, safety certificates, and registration records
  • Financial reporting — generating owner statements and revenue summaries
  • AI agent operations — running trained agents that respond to guests and escalate issues

4. Types of Personal Data Processed

innbu processes the following categories of personal data:

  • Guest names, email addresses, and phone numbers
  • Guest booking details (dates, property, booking reference, payment amounts)
  • Guest communications content (messages sent and received)
  • Identity document references (where required by local law, stored by reference only)
  • Property owner names and contact details
  • Team member names, email addresses, and role information
  • Financial data (booking amounts, payout records — no full card numbers stored)

5. Categories of Data Subjects

  • Guests — individuals who book short-term rental properties through the Host
  • Property owners — individuals or entities who own properties managed by the Host
  • Team members — cleaning staff, maintenance contractors, and co-hosts added by the Host
  • Direct booking visitors — individuals who submit enquiries via the Host’s direct booking site

6. Obligations of the Processor

6.1 Processing instructions

innbu will process personal data only on documented instructions from the Host (as set out in this DPA and the Terms of Service), except where required by law. innbu will inform the Host if it believes any instruction infringes UK GDPR or other applicable data protection law.

6.2 Confidentiality

innbu ensures that all persons authorised to process personal data are bound by confidentiality obligations, whether by contract or statutory duty.

6.3 Security measures

innbu implements appropriate technical and organisational measures including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Per-tenant database isolation using PostgreSQL Row-Level Security (RLS)
  • Access controls and role-based permissions
  • Regular security reviews and penetration testing
  • Automatic session expiry and token rotation

6.4 Sub-processors

innbu uses sub-processors to provide its services. A current list of sub-processors is available at innbu.com/sub-processors. innbu will notify the Host of any intended changes to sub-processors, giving the Host the opportunity to object. Sub-processors are bound by data processing agreements with equivalent obligations to this DPA.

6.5 Data subject rights

innbu will assist the Host in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within the timescales required by law. The Host remains responsible for receiving and actioning such requests from data subjects.

6.6 Personal data breach notification

innbu will notify the Host without undue delay and no later than 72 hours after becoming aware of a personal data breach affecting the Host’s data. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it.

6.7 Data Protection Impact Assessments

innbu will assist the Host with any data protection impact assessments (DPIAs) and prior consultations with supervisory authorities where required under Article 35 UK GDPR.

6.8 Data deletion on termination

Upon termination of the subscription, innbu will delete all personal data within 30 days, unless the Host requests return of the data or applicable law requires retention. innbu will provide written confirmation of deletion upon request.

7. Sub-Processor List

The current list of sub-processors used by innbu is maintained at innbu.com/sub-processors. This list identifies each sub-processor, their purpose, the types of data processed, and their location.

8. International Data Transfers

innbu’s primary data processing takes place within the United Kingdom and European Union (Supabase EU-Frankfurt, Upstash EU-Frankfurt). Where personal data is transferred to countries outside the UK/EEA (such as the United States for sub-processors including Anthropic, Railway, Clerk, Twilio, and SendGrid), innbu ensures transfers are protected by appropriate safeguards including:

  • UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Binding corporate rules where relevant

9. Audit Rights

innbu will make available to the Host all information necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits and inspections conducted by the Host or a mandated auditor. Audit requests must be submitted in writing with reasonable notice and conducted in a manner that minimises disruption to innbu’s operations. Audit costs are borne by the Host unless the audit reveals material non-compliance by innbu.

10. Termination and Data Return

On termination of the subscription for any reason, the Host may request a copy of their data in machine-readable format (JSON or CSV) within 30 days of termination. After this period, innbu will securely delete all personal data, unless retention is required by applicable law. innbu will provide written confirmation of deletion.

11. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12. Contact

For data protection enquiries, please contact innbu’s data protection contact at privacy@innbu.com. For urgent breach notifications, please also email security@innbu.com.