Legal
Privacy Policy
Effective June 7, 2026
This Privacy Policy describes how Openfolio collects, uses, stores, and shares personal data when you operate a Tenant on our platform or visit our marketing site. We comply with the Pakistan Electronic Crimes Act 2016 and the draft Personal Data Protection Bill 2023, and we apply GDPR-compatible processing standards to Tenants serving EU/UK guests.
1. Data We Collect
Tenant operator data
- Name, email, phone number, role, and profile photo of users you invite to your operations dashboard.
- Property details (name, address, room types, rate structure, photos).
- Billing contact, tax identification number (NTN), and bank details where supplied for payouts.
Guest data (on your behalf, as processor)
- Name, email, phone number, nationality, date of arrival/departure.
- CNIC or passport copy where local law requires identity verification.
- Booking history, folio charges, payment status, in-stay messages.
- Marketing preferences (opt-in / opt-out for promotional emails).
Technical data
- IP address, browser fingerprint, device type, locale.
- Audit log of every change to your tenant, including the user, action, and timestamp.
- Anonymised aggregate usage statistics (page hits, feature adoption).
2. How We Use Data
- Operate the Service and provide the features you signed up for.
- Process bookings, generate confirmations + folios, sync calendars with OTAs.
- Bill your subscription and produce invoices.
- Detect fraud + abuse (suspicious booking patterns, duplicate-card flags).
- Send transactional emails (booking confirmations, monthly billing snapshots, security alerts).
- Send product updates - opt-out available from any email footer.
- Comply with legal obligations including tax, accommodation-reporting, and law-enforcement requests.
3. Legal Bases (for EU/UK guest data)
- Contract performance - processing required to deliver a service the guest booked.
- Legal obligation - accommodation-reporting requirements (where applicable).
- Legitimate interest - fraud detection, security, basic analytics.
- Consent - marketing communications outside the booking lifecycle.
4. Data Sharing
We do NOT sell guest data. We share data only with: (a) sub-processors necessary to operate the Service (hosting, email delivery, error monitoring) - listed in the DPA; (b) your authorised tenant operators within your account; (c) law enforcement or regulators when legally compelled, with notice to you where lawful.
5. International Transfers
Our primary infrastructure is hosted in regions with adequacy decisions or equivalent safeguards. Where data is transferred to a sub-processor outside Pakistan / the EU, we use Standard Contractual Clauses as supplementary safeguards.
6. Retention
- Guest data tied to a booking - kept for 7 years (FBR record-keeping requirement) then anonymised.
- CNIC / passport copies - kept for 12 months unless local law requires longer, then deleted.
- Audit log entries - kept for 5 years.
- Marketing preference records - kept until you delete them or close the account.
- Backups - retained for 30 days on a rolling window, then overwritten.
7. Security
- TLS 1.3 in transit. AES-256 at rest for guest folio data and identity documents.
- Role-based access control with super-admin actions logged.
- Mandatory MFA available for all operator accounts; required by default on Enterprise.
- Annual penetration testing on the production stack.
- Documented incident response with 72-hour breach-notification commitment.
8. Your Rights
You can request access, correction, deletion, portability, or restriction of processing for personal data we hold about you as an operator. Guests should make these requests through the Tenant they booked with; the Tenant is the controller of that booking record and is contractually required to honour rights requests within 30 days.
9. Cookies + Tracking
Our marketing site uses essential cookies only (session, locale, theme preference). We do not use third-party advertising or analytics cookies on marketing pages. The operations dashboard uses an essential session cookie for authentication. See the Cookie Policy for full detail.
10. Contact + Complaints
Privacy queries: privacy@openfolio.app. We respond within one business day. If you believe we have not addressed your concern, you may complain to the Pakistan Telecommunication Authority (for PECA matters) or to your local data protection authority (for EU/UK residents).