Privacy policy

Updated on 2026-04-27

1. Identification

This privacy policy applies to the processing of personal data by BedFlow, a Software-as-a-Service solution for B&Bs and boutique hotels.

  • Data controller: Fades Management EOOD
  • Address: Plovdiv 4000, Bulgaria
  • UIC / VAT number: BG208 607 050
  • Contact: info@fades-management.com
  • Phone: +359 878 289 024
  • Website: fades-management.com
  • Data Protection Officer (DPO): info@fades-management.com (if appointed)

This policy describes which personal data BedFlow processes, why, on what legal basis, for how long and with whom it is shared. We comply with the General Data Protection Regulation (GDPR), which applies across the EU, and with Bulgarian privacy legislation.

2. What data do we process?

We process the following categories of personal data:

Account data of customers (B&B owners)

  • Name, email address, phone number
  • Company name, address, VAT number
  • Login credentials (hashed password, session tokens)
  • Preferences and settings

Guest data via booking widgets

  • Name, email address, phone number of the guest
  • Booking data (dates, room, price, remarks)
  • Address and billing data (if an invoice is requested)
  • Communication with the B&B owner

Payment data

  • Transaction ID and amounts (processed via Stripe)
  • We do not store full card numbers — these are processed and tokenized directly by Stripe

Communication

  • Emails, notifications and chat messages via the guest portal
  • Support tickets and chatbot conversations

Technical data

  • IP address, browser type, device info
  • Log files (access, errors, audit trail)
  • Cookies (see Cookie policy)

3. How do we collect this data?

  • Directly — when you register, fill in a form or contact us
  • Automatically — via cookies, server logs and analytics (see section 9)
  • Via third parties — Stripe webhooks (payment status), OTA bookings via Channex (Booking.com, Airbnb, …), accounting connections via Yuki

4. Why do we process this data?

| Purpose | Legal basis |
|---|---|
| Performance of the subscription | Contract performance (art. 6.1.b GDPR) |
| Invoicing and accounting | Legal obligation (art. 6.1.c GDPR) |
| Customer support and communication | Contract performance |
| Product improvement and analytics | Legitimate interest (art. 6.1.f GDPR) |
| Marketing emails about new features | Consent (art. 6.1.a GDPR) |
| Fraud prevention and security | Legitimate interest |
| Legal defence | Legitimate interest |

All amounts we invoice are expressed in EUR.

5. How long do we keep your data?

| Category | Retention period |
|---|---|
| Invoicing and accounting | 10 years (Bulgarian accounting law) |
| Bookings | 3 years after check-out |
| Account data | As long as the account is active + 90 days |
| Marketing consent | Until withdrawal of consent |
| Server logs | 90 days |
| Backups | 30 days |
| Support tickets | 3 years |

After these periods expire, the data is securely deleted or anonymized.

6. With whom do we share your data?

We only share data with sub-processors necessary to deliver the service. We have signed a Data Processing Agreement (DPA) with each sub-processor.

| Sub-processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Stripe | Payment processing | EU / US | stripe.com/privacy |
| MyTourist | Legacy PMS integration | EU | available on request |
| Channex | Channel manager (OTA connections) | EU | channex.io/privacy |
| Yuki | Accounting integration | EU (NL) | yuki.nl/privacy |
| SendGrid (Twilio) | Transactional emails | US | twilio.com/legal/privacy |
| OpenAI / Anthropic | AI chatbot | US | openai.com/privacy / anthropic.com/privacy |
| Google Analytics 4 | Anonymous usage statistics (opt-in) | US | policies.google.com/privacy |

We never sell your data to third parties.

7. International transfers

Some sub-processors (Google, OpenAI, Anthropic, SendGrid) process data in the United States. For these transfers, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework)
  • Additional technical and organisational measures

8. Your rights

You have the following rights under the GDPR:

  • Access — obtain a copy of your personal data
  • Rectification — have inaccurate data corrected
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability — receive your data in a structured format
  • Objection to processing based on legitimate interest
  • Withdrawal of consent at any time

Send your request to info@fades-management.com. We respond within 30 days.

You also have the right to lodge a complaint with the Bulgarian supervisory authority, the Commission for Personal Data Protection (CPDP):

  • 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
  • www.cpdp.bg

If you reside in another EU Member State, you may also lodge your complaint with the supervisory authority of your own country.

9. Cookies

We use technical (essential) cookies and, after your consent, analytical cookies. See our Cookie policy for the full list and how to manage your preferences.

10. Security

We take appropriate technical and organisational measures to protect your data:

  • TLS encryption for all connections (HTTPS)
  • Encryption at rest for databases and backups
  • Role-based access control and two-factor authentication for staff
  • Regular security audits and updates
  • Incident response procedure for data breaches (notification to the CPDP within 72 hours)

11. Changes to this policy

We may update this privacy policy at any time. The most recent version is always available on this page. For significant changes, we will notify you by email.

  • Version: 1.0
  • Last updated: 27 April 2026

12. Contact

Questions about this privacy policy? Reach out via:

  • Email: info@fades-management.com
  • Phone: +359 878 289 024
  • Post: Fades Management EOOD, Plovdiv 4000, Bulgaria