AGUFY
Features Pricing FAQ
Log in Get started

Privacy Policy

Last updated: 1 March 2026

Agufy ("we", "us", "our") is a property management platform for hotels and vacation rental properties. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform at agufy.com.

Agufy is operated from Spain and complies with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and the Spanish Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).

1. Data Controller

The data controller responsible for your personal data is:

Agufy
Email: info@agufy.com
Location: Catalonia, Spain

2. What Data We Collect

2.1 Account Data

When a property administrator creates an account, we collect:

  • Username and display name
  • Email address
  • Password (stored as a bcrypt hash — we never store passwords in plain text)
  • Role (administrator, manager, or cleaner)

2.2 Booking and Guest Data (via Beds24)

When you connect your Beds24 account, we automatically sync the following booking information:

  • Guest first and last names
  • Arrival and departure dates and times
  • Number of adults and children
  • Room assignments
  • Booking status and special comments (check-in/check-out notes)

This data is used solely to generate and manage cleaning tasks. We do not use guest data for marketing, profiling, or any purpose unrelated to housekeeping operations.

2.3 Operational Data

  • Cleaning task records (room, date, status, assigned cleaner, completion time)
  • Assignment rules you configure
  • Audit log entries (login events, task status changes — for security and accountability)

2.4 Payment Data

Subscription payments are processed by Stripe, Inc.. We do not store credit card numbers, bank details, or other payment credentials on our servers. Stripe handles all payment data under their own Privacy Policy.

2.5 Technical Data

We collect standard server access logs, which may include IP addresses, browser type, and timestamps. These are retained for security purposes only.

3. Legal Basis for Processing

Data CategoryLegal Basis (GDPR Art. 6)
Account dataContract performance (Art. 6(1)(b)) — necessary to provide the service
Booking/guest data from Beds24Legitimate interest (Art. 6(1)(f)) — necessary for cleaning task management, which is the core purpose of the service
Payment data (via Stripe)Contract performance (Art. 6(1)(b)) — necessary to process subscriptions
Audit logs and security dataLegitimate interest (Art. 6(1)(f)) — necessary for security, fraud prevention, and accountability
Cookies (strictly necessary & functional)Legitimate interest (Art. 6(1)(f)) — all cookies are strictly necessary or functional; no consent required. See our Cookie Policy

4. How We Use Your Data

We use your data exclusively to:

  • Provide the cleaning management service (task creation, scheduling, assignment)
  • Synchronise booking information from your Beds24 account
  • Manage your account and authentication
  • Process subscription payments through Stripe
  • Maintain security through audit logging and brute-force protection
  • Send essential service communications (e.g., password resets)

We do not sell, rent, or share your data with third parties for marketing purposes. We do not engage in automated profiling or decision-making.

5. Data Sharing

We share personal data only with the following categories of recipients, and only to the extent necessary:

ServicePurposeData ProcessedLocation
Beds24Booking data synchronisation via APIGuest names, dates, booking detailsEU (Germany)
Stripe, Inc.Payment processing & subscription managementCustomer ID, subscription status (card details held only by Stripe)USA (EU Standard Contractual Clauses)
Hosting providerServer infrastructure & database storageAll application dataEU

Each sub-processor operates under its own privacy policy and GDPR commitments. We maintain data processing agreements with all sub-processors. For Stripe, data transfers to the USA are covered by EU Standard Contractual Clauses. Changes to our sub-processor list are communicated via our Data Processing Agreement.

6. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account closure upon request.
  • Booking and guest data: cleaning tasks older than 90 days are automatically archived. Raw booking data is retained for up to 12 months for operational continuity, then deleted.
  • Audit logs: retained for 12 months for security purposes, then deleted.
  • Payment records: retained as required by Spanish tax law (minimum 4 years under Ley General Tributaria).
  • Server logs: retained for a maximum of 90 days.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS for all connections)
  • Encryption at rest for sensitive credentials (AES-256-CBC for API tokens)
  • Passwords hashed with bcrypt (cost factor 12)
  • CSRF protection on all state-changing operations
  • Brute-force lockout after repeated failed login attempts
  • Role-based access control (administrators, managers, cleaners see only relevant data)
  • Session management with secure, HTTP-only cookies
  • HTTP security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options)

For a complete description of our security measures, see our Data Processing Agreement.

8. Your Rights (GDPR Articles 15–22)

Under GDPR, you have the right to:

  • Access (Art. 15) — request a copy of all personal data we hold about you
  • Rectification (Art. 16) — correct any inaccurate data
  • Erasure ("right to be forgotten") (Art. 17) — request deletion of your data, subject to legal retention obligations
  • Restriction of processing (Art. 18) — limit how we use your data in certain circumstances
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format (CSV export is available for cleaning task data)
  • Objection (Art. 21) — object to processing based on legitimate interest

To exercise any of these rights, contact us at legal@agufy.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.

9. Data Processor Responsibilities

When a property administrator uses Agufy to manage guest data from Beds24, the property administrator acts as the data controller for guest personal data, and Agufy acts as the data processor under GDPR Article 28. Property administrators are responsible for ensuring they have a lawful basis to process their guests' personal data and for informing guests accordingly.

The terms governing data processing — including sub-processor management, breach notification, data retention, audit rights, and international transfers — are set out in our Data Processing Agreement, which forms an integral part of our Terms of Service.

10. Children's Privacy

Agufy is a business-to-business service. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top will be revised accordingly. For material changes, we will notify active users via email or an in-app notice.

12. Contact

For any privacy-related questions or requests:

Email: legal@agufy.com
Subject line: "Privacy Request — [your name]"

AGUFY

Cleaning management for hotels & properties.

Product
Features Pricing
Account
Log in Contact us
Legal
Aviso Legal Privacy Policy Terms of Service Data Processing Agreement Cookie Policy

© 2026 Agufy. All rights reserved.