Data Processing Agreement
Last updated: 29 May 2026. This Data Processing Agreement ("DPA") is entered into by and between the Host using the GuestIdenty service ("Controller") and Zenyon s.r.o., a company incorporated in the Czech Republic ("Processor"), and forms part of the GuestIdenty Terms of Service. It governs the Processor's processing of Personal Data on behalf of the Controller under Regulation (EU) 2016/679 ("GDPR").
1. Subject matter and duration
The Processor processes Personal Data submitted by guests through the GuestIdenty verification flow on behalf of the Controller for as long as the Controller's account is active.
2. Nature and purpose of processing
Remote identity verification of accommodation guests: capture of identity-document images and a selfie, extraction of legally required fields (name, date of birth, nationality, document number, expiry), biometric face match between selfie and document, document-authenticity and liveness checks, and delivery of the verification result to the Controller.
3. Types of Personal Data and categories of data subjects
- Data subjects: guests checking in with the Controller.
- Personal Data: identity document images and selfie (transient); extracted document fields; biometric match and liveness scores; verification outcome; timestamps and technical metadata.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller, including the configuration of delivery method, retention, and sub-processors made through the Service.
- Ensure persons authorised to process the Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Annex A).
- Assist the Controller in meeting its obligations under Articles 32–36 GDPR taking into account the nature of processing.
- Notify the Controller without undue delay after becoming aware of a Personal Data breach.
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services and delete existing copies unless storage is required by law.
- Make available to the Controller information necessary to demonstrate compliance and allow for and contribute to audits.
5. Sub-processors
The Controller grants general authorisation to engage sub-processors. The current sub-processors are:
- Innovatrics s.r.o. (Slovakia) — identity-document inspection, face match, liveness and deepfake detection.
- Supabase (EU region) — managed database, authentication, and storage.
- Stripe Payments Europe Ltd. — payment processing for credit purchases.
We give at least 30 days' notice of any intended change of sub-processor. You may object on reasonable data-protection grounds; if we cannot accommodate the objection you may terminate the Service.
6. International transfers
Personal Data is processed within the European Economic Area. Where a sub-processor processes Personal Data outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) together with supplementary measures as appropriate.
7. Retention
Document images and selfies are deleted within seconds of the verification result being delivered to the Controller. Extracted fields and the verification outcome are retained until the Controller removes the verification link or deletes its account, subject to any statutory retention obligation that applies to the Controller.
8. Liability and term
The liability provisions of the GuestIdenty Terms of Service apply. This DPA remains in force for the duration of the Controller's use of the Service and continues to apply for as long as the Processor processes Personal Data on behalf of the Controller.
Annex A — Technical and organisational measures
- Encryption in transit (TLS) for all client and inter-service traffic.
- Encryption at rest on managed database and storage.
- Role-based access control with least privilege; access scoped per Host via Row-Level Security.
- Automatic deletion of document images and selfies after result delivery.
- Audit logging of administrative actions.
- Vendor security review of sub-processors prior to engagement.
Contact
Data-protection questions: guestidenty365@gmail.com.