Privacy Policy

Last updated: 29 June 2026

1. Who We Are

Nine Angels Villa ("we", "us", "our") operates the website at https://nineangelsvilla.com. We are the data controller for the personal data you provide to us.

Contact: info@christianopropertymanagement.com

2. Data We Collect

  • Booking data: guest name, email, phone, reservation code, check-in/check-out dates — synced from Guesty.
  • Gate access data: reservation code, email, IP hash, user agent, access timestamps.
  • Cleaner/staff data: name, email, phone, cleaner code.
  • Admin data: admin email, hashed IP, login timestamps.
  • Push notification tokens: browser subscription endpoints for web push.

3. Legal Basis (GDPR Art. 6)

  • Contract (6(1)(b)): processing booking data to fulfil your reservation.
  • Legitimate interest (6(1)(f)): security logging of gate access events.
  • Consent (6(1)(a)): push notification subscriptions (opt-in, revocable).
  • Legal obligation (6(1)(c)): retaining audit logs for security compliance.

4. How We Use Your Data

  • Verify guest identity at the property gate.
  • Send gate access links and check-in/check-out reminders.
  • Maintain an audit trail of all gate access events for security.
  • Sync reservations from Guesty to provide real-time access.

5. Data Retention

Booking data is retained for the duration of the reservation plus 90 days. Gate event audit logs are retained for 12 months. Push notification tokens are deleted on unsubscribe.

6. Your Rights (GDPR Art. 15–22)

  • Access: request a copy of your data via GET /api/gdpr/export?email=...
  • Erasure: request deletion via POST /api/gdpr/erase
  • Rectification: correct inaccurate data by contacting us.
  • Objection: opt out of non-essential processing.
  • Portability: receive your data in JSON format.

To exercise any right, email info@christianopropertymanagement.com. We respond within 30 days.

7. Data Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM for secrets). Passwords are hashed with bcrypt. Database access goes through Prisma ORM with parameterized queries to prevent SQL injection. Admin authentication uses signed cookies set with the HttpOnly, SameSite=Strict and Secure attributes.

8. International Transfers

Data is stored on Supabase (AWS, eu-central-1 / us-east-1) and Vercel (global edge). We rely on Standard Contractual Clauses for transfers outside the EEA.

9. Cookies

We use only essential cookies: admin_session (admin auth) and gate_session (guest gate access). No tracking or advertising cookies. See our Cookie Policy.

10. Contact

For privacy questions or requests: info@christianopropertymanagement.com. For complaints, you have the right to lodge one with your local supervisory authority.