Hostli provides a marketing and CRM platform to hotels. To deliver the service, we engage a small number of third-party providers (“sub-processors”) that process personal data on our behalf and under our instructions. This page lists every sub-processor currently engaged, the service it provides, the categories of data it processes, where the processing takes place, and the legal mechanism that safeguards any transfer of data outside the European Economic Area or Israel. We remain fully responsible to our customers for the acts and omissions of every sub-processor listed here.
Cloud hosting & infrastructure
Vercel Inc.
Service
Application hosting (serverless / Fluid Compute), edge network, background-job queue, and cron and workflow execution; cookieless, aggregated web analytics (Vercel Web Analytics).
Data processed
All application data in transit — hotel data and guest personal data — while the service runs. Web Analytics is cookieless and aggregated; no IP address is stored.
Processing location
United States (global edge network).
Transfer safeguard
Vercel Data Processing Addendum (Standard Contractual Clauses).
Cloudflare, Inc.
Service
Object storage (Cloudflare R2) for generated images, brand assets and media; content delivery network.
Data processed
Hotel media and generated creative assets; no guest contact details are stored here.
Processing location
United States / global.
Transfer safeguard
Standard Contractual Clauses (Modules 2 & 3) + UK and Swiss addenda; Global CBPR/PRP for U.S. transfers.
Database, cache & storage
Neon Inc.
Service
Managed PostgreSQL database — the primary store for hotel records, campaign data, analytics and search embeddings.
Data processed
Guest personal data (names, emails, phone numbers), hotel data and account records.
Processing location
United States (EU region available for EU customers on request).
Transfer safeguard
EU Standard Contractual Clauses (Modules 2 & 3) + UK IDTA; EU–U.S./Swiss/UK Data Privacy Framework (certified).
Personal data only transiently, as short-lived job payloads with automatic expiry; otherwise cache only.
Processing location
European Union (job queue) / United States.
Transfer safeguard
EU Standard Contractual Clauses (Modules 2 & 3) + UK IDTA; EU–U.S./Swiss/UK Data Privacy Framework (certified).
AI & Google services
Google LLC
Hostli’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Service
Hostli’s sole AI provider, via Google Cloud Vertex AI (Gemini): marketing copy, image generation, content classification and search embeddings, under terms that prohibit Google from training its models on the data. Also provides Google sign-in and, where a hotel connects its own Google account, access to its Google Business Profile, Google Ads, Google Analytics and Search Console data through Google’s APIs.
Data processed
Hotel content and guest-derived text (e.g. reviews and inbound messages) sent for AI processing; the hotel’s own Google-account data where connected. Customer data is not used to train generalised AI models; any retention of prompt data is limited to short-term abuse monitoring.
Processing location
European Union for text and embeddings; United States for image generation and the Google-account APIs.
Transfer safeguard
Google Cloud Data Processing Addendum; EU Standard Contractual Clauses (Modules 2 & 3).
Advertising & messaging
Meta Platforms Ireland Ltd. / Meta Platforms, Inc.
For the customer-match (hashed-email) audience feature, Meta acts as Hostli’s processor on the hotel’s instructions, under Meta’s Customer List Custom Audiences Terms and Data Processing Terms; Meta deletes the uploaded list after the match. Meta’s subsequent delivery of ads is governed by Meta’s own advertising terms.
Service
WhatsApp Business API for guest messages and hotel notifications; Meta Ads delivery and reporting; customer-match (hashed-email) audience sync; retrieval of public comments via the Graph API.
Data processed
Guest phone numbers and messages, hashed guest emails, and public comments.
Processing location
Ireland / United States.
Transfer safeguard
EU, UK and Global Data Transfer Addenda incorporating EU Standard Contractual Clauses; EU–U.S. Data Privacy Framework where Meta is certified.
Transactional email
Resend, Inc.
Service
Transactional email — sign-in codes and system notifications.
Data processed
Recipient email address and the contents of the transactional message.
Processing location
United States.
Transfer safeguard
Standard Contractual Clauses (incorporated via Resend’s terms).
Changes to this list
We give active customers at least 30 days’ advance notice by email before we add or replace a sub-processor, so they have an opportunity to object. To receive change notifications, request more detail, or ask a question about this list, contact [email protected].
This list is provided for transparency and is kept current as our service evolves. The binding terms governing our processing are set out in our Data Processing Agreement; where this page and the DPA differ, the DPA prevails. See also our Privacy Policy.