Privacy Policy
1. Data controller
In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Organic Law 3/2018 (LOPDGDD), the rules derived from Directive 2002/58/EC (ePrivacy), the LSSI-CE (where applicable to cookies/electronic communications), Regulation (EU) 2024/1689 (Artificial Intelligence Act) where applicable, and other applicable European and Spanish law, the data controller is:
Company: HERMANOS VARELA LUIS SL
Tax ID (CIF): B67073320
Registered office: Travessera de les Corts 356, Local 2, 08029 Barcelona, Spain
Commercial Registry: Barcelona Commercial Registry, Section 8, Sheet B-509004, entry 4 (I/A 4); background: Volume 46087, Folio 53
Legal and privacy email: legal@hostelella.com
HOSTELELLA has not formally appointed a Data Protection Officer where this is not mandatory under Article 37 GDPR and Article 34 LOPDGDD. If this becomes mandatory in the future or one is appointed voluntarily, the corresponding contact will be published and the AEPD notified where applicable.
2. Scope, recipients and B2B nature
HOSTELELLA is a professional digital platform (SaaS and, where applicable, marketplace features and business-to-business interactions) intended exclusively for business and commercial use (B2B), offering tools for operational management, document processing, team and shift management, and analytical assistance.
The Service is not intended for personal, household or consumer use. Users act in a professional or business context. When a user contracts, configures a business or accepts terms on behalf of a company, they must have sufficient authority to do so.
3. Exclusion of minors as users
Access to and use of the Service as a user is reserved for adults. Users must be at least 18 years old. HOSTELELLA does not deliberately collect or process the personal data of minors acting as users.
Important clarification: the 18-year restriction applies to whoever uses the platform. By contrast, the data of persons managed by the business Customer (e.g., employees included in shift planning) may, where applicable, relate to minor workers lawfully employed. In that case, the Customer acts as Controller and is solely responsible for the legality of employing minors and for complying with labor rules protecting minors (working hours, rest, night work, etc.). Any access to or use of the platform by a minor is unauthorized and contrary to the intended scope of the Service.
4. Categories of data subjects
- End users of business customers (owners, administrators, managers and employees).
- Customer workers whose data is managed in the Service (e.g., for shifts, team and planning), including, where applicable, lawfully employed minors.
- Persons requesting information, diagnosis, support or commercial contact via the website.
- Professional contacts of suppliers, distributors or partners (if applicable).
- Legal representatives and contact persons of customers (billing/commercial relationship).
5. Categories of personal data processed
Depending on the use of the Service, the following categories of data may be processed:
- Identification and contact data (e.g., name, email, professional phone).
- Authentication and account data (e.g., login identifiers, role, business membership, invitations).
- Business and operational information entered into the Service.
- Documents and financial, accounting and commercial data (invoices, receipts, expenses, sales, delivery notes, equivalent documents).
- Labor and workforce-planning data entered or configured by the Customer: contract hours and type, department or operational area, minimum rest, shift-band preferences, declared availability, minor-age indicator, assigned shifts, clock-ins/attendance and absences or time off (holidays, leave, public holidays, sick leave).
- Personal data of employees, suppliers or customers included in documents uploaded by business customers.
- Technical, security and usage data (e.g., IP, logs, device/browser info, timestamps, security events).
- Data derived from communications (e.g., incidents, support, transactional messages, notifications, team chat).
- Data entered in commercial or diagnostic forms (e.g., contact, business, needs and messages).
- Prompts, queries, content sent to AI features and generated results when the user decides to use such features.
5.1 Data that may reveal sensitive information (absences)
Managing absences and time off may include categories such as “sick leave”. Where an absence is linked to sick leave, that information may reveal data concerning health (a special category under Article 9 GDPR). In these cases:
- The business Customer is the Controller and must have an adequate legal basis (typically Article 9.2.b GDPR, in connection with employment and social-security obligations) and apply the required safeguards.
- HOSTELELLA applies minimization: for shift planning only the unavailability period is needed. The reason or type of absence is not transmitted to AI providers.
- The Customer must avoid entering more health data than strictly necessary and must not record diagnoses or clinical details in free-text fields.
Other than the above, the Service is not designed to process special categories under Article 9 GDPR. The Customer must not upload them unless it has an adequate legal basis, it is necessary and sufficient safeguards are applied.
6. Source of the data
- Data provided by the user when creating the account or completing their profile.
- Data provided by other users/administrators of the same business (e.g., invitations, role assignment, user onboarding, team labor and shift configuration).
- Data included in documents and records uploaded by the business customer.
- Data collected automatically through use of the Service (technical, security, analytics).
- Data obtained from third parties when the customer integrates external services or a marketplace is used (if applicable), in accordance with applicable law.
7. Allocation of roles (Controller / Processor / Joint controller)
7.1 When HOSTELELLA acts as Controller
HOSTELELLA acts as Controller in respect of the data needed to operate the Service, such as: account administration, authentication, access control, security, fraud/abuse prevention, support, service communications and billing (where applicable).
7.2 When HOSTELELLA acts as Processor
When business customers upload business documents and records or configure staff data (including shift, team and absence management) containing personal data of employees, customers, suppliers or other third parties, HOSTELELLA acts as Processor on behalf of the business customer, in accordance with the corresponding Data Processing Agreement (DPA) under Article 28 GDPR.
In these cases, the business customer remains the Controller and is solely responsible for: (i) informing data subjects, (ii) having an adequate legal basis, (iii) handling rights and (iv) complying with applicable obligations, including labor obligations (working hours, rest, protection of minors and informing workers' legal representatives).
7.3 Joint controllership (if applicable)
In certain flows (e.g., marketplace features, business-to-business communications or exchange of orders/data between parties), HOSTELELLA and other entities may jointly determine the purposes and means of processing and act as joint controllers under Article 26 GDPR. In those cases, the applicable framework of responsibilities and the contact point for exercising rights will be defined. Joint controllership is not presumed by default and will only apply where an agreement, configuration or flow justifies it.
8. Purposes of processing
- Provision, operation, maintenance, improvement and evolution of the Service.
- User authentication, management of roles, permissions and access, and business administration on the platform.
- Processing, extraction and analysis of documents (including OCR/AI) at the user's express request.
- Team, working-time and shift-planning management, including AI-assisted generation of shift proposals at the Customer's request, as a support tool subject to human review.
- Generation of reports, metrics, insights and operational recommendations.
- Customer support and service communications (including security alerts and transactional notices).
- Security, fraud prevention, abuse detection, internal audit and incident response.
- Compliance with applicable legal, tax, accounting and audit obligations.
- Defense against legal claims and protection of rights and legitimate interests.
9. Legal bases
We process personal data on one or more of the following legal bases:
- Performance of a contract (Art. 6.1.b GDPR): to provide and operate the Service.
- Compliance with a legal obligation (Art. 6.1.c GDPR): to comply with applicable law (e.g., tax/accounting where applicable).
- Legitimate interest (Art. 6.1.f GDPR): security, fraud/abuse prevention, Service improvement, legal protection and business continuity.
- Consent (Art. 6.1.a GDPR): where required (e.g., device permissions, non-essential cookies, commercial communications if implemented).
For data processed on behalf of the Customer (including shift planning and team management), the legal basis vis-à-vis the workers is determined by the Customer as Controller (typically performance of the employment contract, compliance with labor obligations, or a legitimate interest in organizing work).
| Purpose | Main legal basis | Notes |
|---|---|---|
| Account, authentication, roles and provision of the Service | Contract or pre-contractual measures; legitimate interest in security | Necessary to operate a professional account. |
| Documents, OCR/AI, reports and business data uploaded by the Customer | Processing on behalf of the Customer; contract | The Customer decides the legal basis towards its employees, customers, suppliers or third parties. |
| Team, working-time, shifts and absences management (incl. AI-assisted generation) | Processing on behalf of the Customer; the Customer determines the labor basis towards its workers | Support tool with human review; the Customer retains the final decision. |
| Support, incidents, security notices and transactional communications | Contract and legitimate interest | Not commercial communications unless expressly stated. |
| Billing, accounting, tax obligations and legal defense | Legal obligation and legitimate interest | Statutory periods and blocking apply where relevant. |
| Non-essential web analytics | Consent | Google Analytics is loaded only after analytics/cookie acceptance. |
| B2B direct marketing | Consent or legitimate interest where the law allows | Always with an opt-out mechanism. |
10. Device permissions (Mobile app)
For certain features, the App may request optional device permissions:
- Camera / gallery access: to capture or upload photos and documents (e.g., invoices, receipts) for analysis.
- Attachment metadata: attached images are processed before upload to remove technical metadata, including EXIF/GPS, where the format allows. Documents uploaded by the Customer (e.g., PDF) may contain metadata embedded by the Customer or its authoring tools; HOSTELELLA processes them as part of the content/documentation provided for OCR, analysis and operations, and not as location data used for maps or proximity.
- Microphone access: for voice/dictation features (if enabled).
- Contacts access: to invite team members or suggest contacts (if enabled).
- Location access: the App does not currently request location permission. If proximity- or map-based features are enabled in the future, this will be disclosed and consent requested where appropriate.
These permissions are based on your consent and can be revoked at any time from your device settings. Revocation may limit the use of certain features but will not prevent basic use of the Service where possible.
11. Artificial Intelligence and automated processing
HOSTELELLA may use automated processing and artificial intelligence to extract information from documents, classify data, assist with queries and generate shift-planning proposals, and to resolve the applicable labor framework or collective agreement based on the business's location and sector.
These features are designed as assistance and productivity tools, not as a substitute for human review nor as a system intended by default to make labor, tax, accounting, credit, legal or significantly impactful decisions. AI-generated shift proposals require human review and approval (by a person with a manager role or above) before publication or application; the Customer and its managers retain the final decision at all times.
No solely automated decisions. HOSTELELLA does not make decisions based solely on automated processing that produce legal effects on individuals or similarly significantly affect them within the meaning of Article 22 GDPR. Shift generation is decision support subject to human intervention.
Artificial Intelligence Act (EU 2024/1689). AI features are conceived as support tools. Where a feature is used in the employment context (e.g., shift planning), the Customer acts as the deployer within its organization and must ensure lawful use, human oversight and information to affected persons. In particular, in Spain, the Customer must comply with the right of workers' legal representatives to be informed of the parameters, rules and instructions of the algorithms or AI systems that affect working conditions (Art. 64.4.d of the Workers' Statute).
To minimize processing, before sending information to AI providers measures such as pseudonymization are applied (e.g., the shift generator operates with initials and operational data, not full names) and unnecessary data is excluded (e.g., the reason for absences is not transmitted). Results may contain inaccuracies or limitations. The Service is not designed for biometric identification, social scoring, emotion recognition, recruitment, automated disciplinary assessment or other prohibited or high-risk purposes unless under specific contract, assessment and safeguards. HOSTELELLA does not use Customer Data to train its own or third parties' models unless under express authorization, specific contract or clear Customer configuration.
12. Cookies and tracking technologies (web/PWA)
On the website and/or PWA, HOSTELELLA may use cookies, pixels or similar technologies for:
- Essential: operation, security, load balancing, authentication and fraud prevention.
- Analytics/measurement: Google Analytics to understand aggregated usage of the public website and improve performance and experience, only with prior consent.
- Preferences: remembering user settings (if enabled).
Non-essential cookies will only be used where consent exists, in accordance with ePrivacy and applicable law. The specific Cookies Policy supplements this information and prevails for granular cookie management.
13. Recipients, processors and sub-processors
We do not sell personal data. Data may be accessible to selected providers acting as processors/sub-processors under contractual obligations of confidentiality, security and compliance, including providers of:
- Cloud infrastructure, hosting and storage.
- Databases and authentication.
- Email and communications.
- AI and document-processing technologies, including Azure OpenAI, Anthropic (Claude models) when shift/labor or assistant features are used, and OpenAI when configured as a non-Azure provider.
- Monitoring, analytics and security tools, including Google Analytics when the user accepts web analytics.
When HOSTELELLA acts as a processor, sub-processors are governed by the DPA, the Sub-processors Annex and the requirements of Article 28 GDPR. The up-to-date list of sub-processors is published in the Sub-processors Annex.
14. Authorities and defense of rights
We may disclose data to competent authorities where there is a legal obligation or legitimate request, and/or to defend rights, prevent fraud, ensure security or respond to claims, in accordance with the GDPR.
15. Corporate restructurings
In the event of a merger, acquisition, reorganization, sale of assets or equivalent procedures, data may be disclosed to third parties to the extent necessary and proportionate, with adequate safeguards.
16. International transfers
Where international transfers of data outside the European Economic Area occur, we apply adequate safeguards, including adequacy decisions, Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework where applicable and supplementary measures, in accordance with Articles 44–49 GDPR. Certain AI and communications providers are located in the United States; in such cases the above mechanisms and the minimization described in this Policy apply.
In certain cases there may be a risk of access by authorities of third countries. In such cases we will apply supplementary measures where appropriate and, where necessary, inform and/or obtain consent in accordance with applicable law.
17. Data retention
We retain personal data only for as long as necessary for the purposes described in this Policy and for the periods required by legal, tax, accounting, audit and security obligations. Thereafter, data will be deleted or anonymized, unless there is a retention obligation or a need to defend claims.
Retention is detailed in the Retention Policy. When HOSTELELLA acts as a processor, retention is governed by the DPA and the customer's instructions, without prejudice to legal obligations.
18. Security measures
HOSTELELLA applies appropriate technical and organizational measures (Art. 32 GDPR) to ensure a level of security appropriate to the risk. The Security Policy describes the main measures, including access control, least privilege, encryption where appropriate, activity logging, incident management and service continuity.
Nonetheless, no system can guarantee absolute security. Users are responsible for keeping access to their accounts and devices secure.
19. Personal data breaches
In the event of a personal data breach, HOSTELELLA will follow internal procedures to assess the risk and, where appropriate, notify the competent supervisory authority and/or affected persons in accordance with Articles 33 and 34 GDPR.
When HOSTELELLA acts as a processor, notifications to the controller will be handled in accordance with the DPA.
20. Rights of data subjects
Data subjects may exercise their rights of access, rectification, erasure, restriction, objection and portability, as well as withdraw consent where applicable, by contacting: legal@hostelella.com.
We may request reasonable information to verify identity or representation. We will respond within one month of receipt of the request; this period may be extended by up to two additional months where necessary due to complexity or number of requests, informing the requester in accordance with the GDPR.
If the request relates to data processed by HOSTELELLA as a processor on behalf of a business customer, we may refer the requester to the relevant controller, who is the party that must handle the request.
21. Complaints
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
22. Communications
We may send communications necessary for the operation of the Service (e.g., security alerts, transactional notifications, account notices). Commercial communications, if implemented, will be sent only in accordance with applicable law and, where required, with consent (opt-in) and an opt-out mechanism.
23. Third-party links
The platform may contain links to third-party services (e.g., maps, integrations). HOSTELELLA is not responsible for the privacy practices of such third parties. We recommend reviewing their respective policies.
24. Changes to this Policy
This Privacy Policy may be updated to reflect legal, regulatory or operational changes. The current version will be available within the Service and will apply from its publication date.
25. Limitation of liability (Privacy)
Nothing in this Policy limits the mandatory rights provided by data-protection law. To the maximum extent permitted by law, HOSTELELLA will not be liable for damages arising from: (i) misuse of the Service, (ii) unlawful data uploads by customers/users, or (iii) actions taken solely on the basis of informational results, including AI proposals applied without the required human review.