Sub-Processors

Last updated: 22 June 2026

Hostli provides a marketing and CRM platform to hotels. To deliver the service, we engage a small number of third-party providers (“sub-processors”) that process personal data on our behalf and under our instructions. This page lists every sub-processor currently engaged, the service it provides, the categories of data it processes, where the processing takes place, and the legal mechanism that safeguards any transfer of data outside the European Economic Area or Israel. We remain fully responsible to our customers for the acts and omissions of every sub-processor listed here.

Cloud hosting & infrastructure

  • Vercel Inc.

    Service
    Application hosting (serverless / Fluid Compute), edge network, background-job queue, and cron and workflow execution; cookieless, aggregated web analytics (Vercel Web Analytics).
    Data processed
    All application data in transit — hotel data and guest personal data — while the service runs. Web Analytics is cookieless and aggregated; no IP address is stored.
    Processing location
    United States (global edge network).
    Transfer safeguard
    Vercel Data Processing Addendum (Standard Contractual Clauses).
  • Cloudflare, Inc.

    Service
    Object storage (Cloudflare R2) for generated images, brand assets and media; content delivery network.
    Data processed
    Hotel media and generated creative assets; no guest contact details are stored here.
    Processing location
    United States / global.
    Transfer safeguard
    Standard Contractual Clauses (Modules 2 & 3) + UK and Swiss addenda; Global CBPR/PRP for U.S. transfers.

Database, cache & storage

  • Neon Inc.

    Service
    Managed PostgreSQL database — the primary store for hotel records, campaign data, analytics and search embeddings.
    Data processed
    Guest personal data (names, emails, phone numbers), hotel data and account records.
    Processing location
    United States (EU region available for EU customers on request).
    Transfer safeguard
    EU Standard Contractual Clauses (Modules 2 & 3) + UK IDTA; EU–U.S./Swiss/UK Data Privacy Framework (certified).
  • Upstash, Inc.

    Service
    Managed Redis (caching, request de-duplication, short-lived job state) and QStash (background-job queue).
    Data processed
    Personal data only transiently, as short-lived job payloads with automatic expiry; otherwise cache only.
    Processing location
    European Union (job queue) / United States.
    Transfer safeguard
    EU Standard Contractual Clauses (Modules 2 & 3) + UK IDTA; EU–U.S./Swiss/UK Data Privacy Framework (certified).

AI & Google services

  • Google LLC

    Hostli’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

    Service
    Hostli’s sole AI provider, via Google Cloud Vertex AI (Gemini): marketing copy, image generation, content classification and search embeddings, under terms that prohibit Google from training its models on the data. Also provides Google sign-in and, where a hotel connects its own Google account, access to its Google Business Profile, Google Ads, Google Analytics and Search Console data through Google’s APIs.
    Data processed
    Hotel content and guest-derived text (e.g. reviews and inbound messages) sent for AI processing; the hotel’s own Google-account data where connected. Customer data is not used to train generalised AI models; any retention of prompt data is limited to short-term abuse monitoring.
    Processing location
    European Union for text and embeddings; United States for image generation and the Google-account APIs.
    Transfer safeguard
    Google Cloud Data Processing Addendum; EU Standard Contractual Clauses (Modules 2 & 3).

Advertising & messaging

  • Meta Platforms Ireland Ltd. / Meta Platforms, Inc.

    For the customer-match (hashed-email) audience feature, Meta acts as Hostli’s processor on the hotel’s instructions, under Meta’s Customer List Custom Audiences Terms and Data Processing Terms; Meta deletes the uploaded list after the match. Meta’s subsequent delivery of ads is governed by Meta’s own advertising terms.

    Service
    WhatsApp Business API for guest messages and hotel notifications; Meta Ads delivery and reporting; customer-match (hashed-email) audience sync; retrieval of public comments via the Graph API.
    Data processed
    Guest phone numbers and messages, hashed guest emails, and public comments.
    Processing location
    Ireland / United States.
    Transfer safeguard
    EU, UK and Global Data Transfer Addenda incorporating EU Standard Contractual Clauses; EU–U.S. Data Privacy Framework where Meta is certified.

Transactional email

  • Resend, Inc.

    Service
    Transactional email — sign-in codes and system notifications.
    Data processed
    Recipient email address and the contents of the transactional message.
    Processing location
    United States.
    Transfer safeguard
    Standard Contractual Clauses (incorporated via Resend’s terms).

Changes to this list

We give active customers at least 30 days’ advance notice by email before we add or replace a sub-processor, so they have an opportunity to object. To receive change notifications, request more detail, or ask a question about this list, contact [email protected].

This list is provided for transparency and is kept current as our service evolves. The binding terms governing our processing are set out in our Data Processing Agreement; where this page and the DPA differ, the DPA prevails. See also our Privacy Policy.