GuestIdenty

Data Processing Agreement

Last updated: 29 May 2026. This Data Processing Agreement ("DPA") is entered into by and between the Host using the GuestIdenty service ("Controller") and Zenyon s.r.o., a company incorporated in the Czech Republic ("Processor"), and forms part of the GuestIdenty Terms of Service. It governs the Processor's processing of Personal Data on behalf of the Controller under Regulation (EU) 2016/679 ("GDPR").

1. Subject matter and duration

The Processor processes Personal Data submitted by guests through the GuestIdenty verification flow on behalf of the Controller for as long as the Controller's account is active.

2. Nature and purpose of processing

Remote identity verification of accommodation guests: capture of identity-document images and a selfie, extraction of legally required fields (name, date of birth, nationality, document number, expiry), biometric face match between selfie and document, document-authenticity and liveness checks, and delivery of the verification result to the Controller.

3. Types of Personal Data and categories of data subjects

4. Processor obligations

5. Sub-processors

The Controller grants general authorisation to engage sub-processors. The current sub-processors are:

We give at least 30 days' notice of any intended change of sub-processor. You may object on reasonable data-protection grounds; if we cannot accommodate the objection you may terminate the Service.

6. International transfers

Personal Data is processed within the European Economic Area. Where a sub-processor processes Personal Data outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) together with supplementary measures as appropriate.

7. Retention

Document images and selfies are deleted within seconds of the verification result being delivered to the Controller. Extracted fields and the verification outcome are retained until the Controller removes the verification link or deletes its account, subject to any statutory retention obligation that applies to the Controller.

8. Liability and term

The liability provisions of the GuestIdenty Terms of Service apply. This DPA remains in force for the duration of the Controller's use of the Service and continues to apply for as long as the Processor processes Personal Data on behalf of the Controller.

Annex A — Technical and organisational measures

Contact

Data-protection questions: guestidenty365@gmail.com.