GDPR
Opally ApS complies with the EU General Data Protection Regulation (GDPR) and applicable data protection laws. This page describes our obligations and your rights as a user.
1. What is GDPR?
GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the shared European legislation that protects the rights of natural persons when personal data is processed. GDPR sets requirements for how companies collect, process, store, and delete personal data - and gives data subjects a range of rights.
2. Opally ApS's role and responsibilities
- Opally acts as a data processor for hotels using the platform and processes data according to the hotel's instructions. The hotel is the data controller.
- For our own users and contact persons, Opally acts as the data controller.
- Data Processing Agreements are entered into between Opally and each hotel in accordance with GDPR Article 28.
3. What data is processed?
- Guest information from PMS and booking systems (name, contact details, reservations, special requests, loyalty status, and similar data).
- Content of emails, messages, and correspondence between hotel and guest.
- Technical data (IP address, device, log files, usage patterns).
- User data for hotel staff (name, email, role, login information).
- Integration data (API keys, tokens, system access - encrypted).
- Support and error reports.
4. Purposes and legal bases
- Deliver, operate, and improve the Opally platform and AI features.
- Automate and personalize responses to guest inquiries.
- Comply with legal requirements, including accounting and security.
- Support, troubleshooting, and product development.
The legal basis is typically contract (GDPR Article 6.1.b), legal obligation (Article 6.1.c), legitimate interest (Article 6.1.f), or consent (Article 6.1.a) for specific purposes.
5. Integration partners and processors
Opally uses trusted sub-processors for hosting, email, integrations, and support. All sub-processors are subject to Data Processing Agreements and are continuously assessed for security and compliance. A list of sub-processors can be provided upon request.
6. Transfers to third countries
When data is transferred outside the EU/EEA, Opally only uses providers subject to valid transfer mechanisms, such as the European Commission's Standard Contractual Clauses.
7. Security and confidentiality
- Access control, encryption, continuous security assessments, and employee training.
- All personal data is treated confidentially and processed only by authorized persons.
- Regular backups and system monitoring.
8. Storage and deletion
Data is stored only for as long as necessary for the purpose or as required by law. Deletion or anonymization is carried out according to internal procedures and the applicable Data Processing Agreement.
9. Rights of data subjects
- Right of access to your own information.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing.
- Right to withdraw consent.
- Right to lodge a complaint with a data protection authority.
Requests to exercise these rights can be sent to info@opally.com. We respond to all requests as soon as possible and within one month at the latest.
10. Complaints and contact
If you have questions about data protection or wish to make a complaint, you can contact Opally ApS at info@opally.com or write to:
Opally ApS
CVR: 45976904
Tyrolsgade 19, 4th
2300 Copenhagen S, Denmark
You may also lodge a complaint with your local data protection authority.
11. Changes and version
This page is updated regularly. Last updated: July 14, 2025.