Privacy Policy & Data Protection

Last Updated: June 17, 2026 GDPR & PDPA Compliant

1. Introduction & Scope

FlowHub Hotel Technologies Inc. and our parent developer entity Solunex Co., Ltd. ("FlowHub", "we", "us", or "our") are committed to protecting the privacy and security of personal data. This Privacy Policy details how we collect, use, process, and disclose personal data in connection with your access to and use of the FlowHub suite, including:

  • FlowCM: Channel Manager for real-time inventory and rate updates.
  • FlowDesk: Property Management System (PMS) for front-desk operations.
  • FlowStay: Booking Engine for direct room reservations.
  • FlowConnect: CRM and guest communication inbox.

By accessing our website (flowhubhotel.com) or using any FlowHub services, you acknowledge that you have read and understood the terms of this Privacy Policy.

2. Data Roles (Controller vs. Processor)

Under global data protection laws (such as the General Data Protection Regulation - GDPR and the Thailand Personal Data Protection Act - PDPA), data processing roles are defined as follows:

  • Data Controller (For Hotels/Customers): We act as a Data Controller for the personal data of our direct clients (hotel staff, owners, administrators) who purchase and use our software services.
  • Data Processor (For Hotel Guests): When we process guest data (such as reservation files, payment credentials, guest names) pushed from Online Travel Agencies (OTAs like Booking.com, Agoda, Expedia) into FlowDesk PMS or FlowCM, we act strictly as a Data Processor. The hotel property remains the Data Controller. We process guest data solely based on the instructions of the hotel property to fulfill reservation management services.

3. Information We Collect

To deliver our hotel ecosystem services, we collect three categories of personal data:

A. Guest Reservation & Transaction Data (As a Processor)

When a guest books a room at a hotel using our services, or via third-party OTAs connected through FlowCM, we process:

  • Identification Info: Full name, nationality, passport details, gender, and language preference.
  • Contact Info: Email address, phone number, and physical billing address.
  • Stay Details: Arrival/departure dates, room types, rates, booking status, and special guest requests.
  • Financial Details: Cardholder name, credit card number, expiration date, and CVV (fully encrypted and handled in compliance with PCI-DSS standards).

B. Hotel Client Account Information (As a Controller)

We collect information to register and manage client accounts:

  • Full names, business email addresses, and contact numbers of hotel staff and administrators.
  • Property details: property name, address, tax registration number, and room inventory logs.
  • Billing and invoicing details.

C. Technical & Web Visitor Usage Logs (As a Controller)

Like most SaaS platforms, we automatically collect:

  • Device parameters: IP address, browser type, operating system version, and unique device identifiers.
  • Telemetry: Page views, clickstreams, duration of sessions, and API response logs.
  • Cookies and web beacons to save user sessions and language preferences.

4. How & Why We Process Data

We process personal data for the following lawful purposes:

  1. Contract Performance: To sync room inventory, rates, and bookings across channels; deliver reservations to the PMS; and calculate pricing parameters.
  2. Payment Processing: To securely facilitate card verification and billing between guests, payment gateways, and hotels.
  3. Customer Support: To troubleshoot technical API integrations, resolve booking mismatches, and manage customer inquiries.
  4. Regulatory & Legal Compliance: To comply with financial bookkeeping laws and assist hotel properties in reporting foreign guests (e.g. TM30 immigration files in Thailand).
  5. System Diagnostics & Security: To protect our system from fraud, unauthorized logins, and distributed denial-of-service (DDoS) attacks.

5. Data Sharing & Disclosures

We do not sell, rent, or lease personal data to marketing companies. We disclose data only in the following scenarios:

  • To Connected OTAs and Channel Partners: FlowCM transmits updates and reservation acknowledgments to platforms like Booking.com, Agoda, and Expedia to synchronize your inventory.
  • To Third-Party Sub-Processors: We utilize trusted hosting, database, and infrastructure providers (e.g. Supabase, Vercel, cloud computing servers) to execute our platform. All sub-processors are bound by strict Data Processing Addendums (DPAs).
  • Legal Compliance: If required by law, court order, or government regulation (such as anti-money laundering laws or immigration filing requirements).

6. Security & PCI Compliance

Security Measures: FlowHub employs industry-leading security practices to safeguard data. All communications between users, OTAs, and our database servers are encrypted using Secure Socket Layer (SSL) / Transport Layer Security (TLS) protocol (HTTPS).

PCI-DSS Compliance: Because reservation files contain sensitive credit card credentials, our systems align with the Payment Card Industry Data Security Standard (PCI-DSS). Card numbers are encrypted in transit and at rest, and access is strictly restricted to authorized staff.

7. International Data Transfers

Because hotels host international travellers, the data we process will inevitably cross national boundaries (for example, receiving booking details of a European resident booking a resort in Phuket, processed on cloud servers). We ensure all cross-border transfers comply with GDPR Chapter V and PDPA provisions using Standard Contractual Clauses (SCCs) and encryption.

8. Data Retention

We retain guest personal data only for as long as necessary to fulfill reservation contracts, resolve billing issues, or comply with local hotel bookkeeping laws. Generally:

  • Active guest booking profiles are retained through the duration of the reservation and checkout period.
  • Credit card credentials (CVV) are automatically purged or masked shortly after checkout or according to OTA integration specifications.
  • Client account profiles remain active as long as the subscription is in place.

9. Your GDPR & PDPA Rights

Under the GDPR and Thailand's PDPA, users and guests have substantial rights over their data. These rights include:

  • Right to Access: Ask for copies of your personal data held by us.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure (Right to be Forgotten): Request deletion of your data when it is no longer required for processing.
  • Right to Object/Restrict Processing: Object to processing based on legitimate interests or direct marketing.
  • Data Portability: Request transmission of your data in a structured, machine-readable format.
  • Right to Withdraw Consent: Withdraw consent at any time where processing was based on consent.

To exercise these rights, please contact our Data Protection Officer at the contact details below. If you are an individual guest, please contact the hotel property where you booked, as they are the Data Controller.

10. Contact & Support Details

If you have any questions about this Privacy Policy, our data protection practices, or wish to exercise your rights, please reach out to us at:

FlowHub Data Protection Team Entity: Solunex Co., Ltd.
Domain Support Email: connectivity@flowhubhotel.com
Company Email: admin@solunex.com
Address: 5/1 Moo 4, Sai Khao, Hua Sai, Nakhon Si Thammarat, Thailand