Data Processing Addendum

Last updated: 13/04/2026

This Data Processing Addendum ("DPA") forms part of the agreement between Owners HQ Ltd ("Owners HQ", "Processor", "we") and the Owner ("Controller", "you") who has registered to use the Owners HQ platform (the "Agreement"). It governs our processing of personal data on your behalf when you use the Platform to manage bookings and related activity.

This DPA is incorporated into, and forms part of, our Terms and Conditions. If there is any conflict between this DPA and the Terms and Conditions in relation to data protection matters, this DPA prevails.

1. Definitions

Terms used in this DPA have the meanings given in the UK GDPR and the EU GDPR, as applicable. In particular:

  • "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR and any implementing or successor legislation.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.
  • "Guest Data" means Personal Data relating to Guests that we process on your behalf through the Platform.
  • "Sub-processor" means any third party engaged by us to process Guest Data on your behalf.

2. Roles of the Parties

  • You are the Controller of Guest Data.
  • We are the Processor of Guest Data and process it only on your documented instructions, which are set out in the Agreement, this DPA, and any reasonable written instructions you subsequently give us through the Platform or in writing.
  • Where we process Personal Data for our own purposes (for example, Owner account data, billing, fraud prevention, service improvement), we act as a Controller in our own right. Our handling of that data is described in our Privacy Policy and is not governed by this DPA.

3. Scope and Subject Matter of Processing

The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are set out in Schedule 1.

4. Our Obligations as Processor

We will:

  1. Process on instructions. Process Guest Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law. Where law requires us to process without your instructions, we will notify you before processing unless the law prohibits this on important grounds of public interest.
  2. Confidentiality. Ensure that personnel authorised to process Guest Data are bound by appropriate obligations of confidentiality.
  3. Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 2.
  4. Sub-processors. Only engage Sub-processors in accordance with Section 6.
  5. Assist you. Taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, in responding to Data Subject rights requests.
  6. Assist with compliance. Assist you in ensuring compliance with your obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of processing and the information available to us.
  7. Return or deletion. At your choice, delete or return all Guest Data to you after the end of the provision of services, and delete existing copies unless law requires storage. See Section 9.
  8. Demonstrate compliance. Make available to you information reasonably necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8.
  9. Notify of unlawful instructions. Inform you if, in our opinion, an instruction from you infringes Applicable Data Protection Law.

5. Your Obligations as Controller

You warrant and undertake that:

  1. You have a valid lawful basis under Applicable Data Protection Law to collect Guest Data and to share it with us for the purposes of the Platform.
  2. You have provided appropriate privacy information to Guests, including informing them that their data will be processed through a third-party platform (Owners HQ) for booking and payment purposes.
  3. Your instructions to us for the processing of Guest Data comply with Applicable Data Protection Law.
  4. You are responsible for the accuracy, quality, and legality of Guest Data and the means by which you acquired it.
  5. You will not instruct us to process Guest Data in a way that would cause us to breach Applicable Data Protection Law.

6. Sub-processors

6.1 General Authorisation

You grant us general authorisation to engage Sub-processors to assist in providing the Platform, subject to this Section 6.

6.2 Current Sub-processors

A list of our current Sub-processors is set out in Schedule 3 and is also available on request. Sub-processors typically include:

  • Cloud hosting and infrastructure providers;
  • Email delivery services;
  • Transactional messaging services;
  • Customer support tools;
  • Analytics providers.

Note on Stripe: Stripe processes payment data as an independent Controller for the purposes of payment processing, fraud prevention, and compliance with its own regulatory obligations. Stripe is therefore not a Sub-processor of ours in respect of that processing. Stripe’s role is governed by its own terms and privacy policy (https://stripe.com/legal).

6.3 Changes to Sub-processors

We will give you at least 30 days’ notice of any intended addition or replacement of Sub-processors, by email to your registered account address or by notification within the Platform. You may object to the change on reasonable data protection grounds within that notice period. If you object, we will work with you in good faith to find a solution. If no solution can be reached, you may terminate the affected part of the Agreement without penalty.

6.4 Sub-processor Obligations

We will impose on each Sub-processor data protection obligations that are no less onerous than those in this DPA, and we remain liable to you for each Sub-processor’s performance.

7. International Transfers

Some Sub-processors may be located outside the UK or EEA. Where Guest Data is transferred internationally, we will ensure an appropriate transfer mechanism is in place, including:

  • Reliance on a UK or EU adequacy decision for the recipient country; or
  • The UK International Data Transfer Addendum and/or the EU Standard Contractual Clauses, together with any supplementary measures required following a transfer risk assessment; or
  • Another lawful transfer mechanism recognised under Applicable Data Protection Law.

By entering into this DPA, you authorise us to enter into such transfer mechanisms on your behalf with Sub-processors where required. Copies or summaries of the mechanisms in place are available on request.

8. Audits

8.1 Information Rights

On reasonable written request (no more than once per year, unless required by a Supervisory Authority or following a personal data breach affecting your Guest Data), we will provide you with:

  • A description of our technical and organisational measures;
  • Summaries of any third-party audit reports, certifications, or assessments we hold (for example, relating to our hosting providers);
  • Responses to reasonable questions necessary to confirm our compliance with this DPA.

8.2 On-Site Audits

On-site audits are not generally necessary given the information made available under Section 8.1. Where Applicable Data Protection Law or a Supervisory Authority requires an on-site audit, we will cooperate in good faith. You will bear your own costs and we may charge our reasonable costs of facilitating the audit. Audits must be conducted during normal business hours, with at least 30 days’ written notice, subject to reasonable confidentiality undertakings, and must not unreasonably disrupt our operations or the confidentiality of other customers’ data.

9. Return and Deletion

On termination of the Agreement or at your written request:

  • We will, at your choice, return Guest Data to you in a commonly used format or delete it from our live systems;
  • Backup copies will be deleted in accordance with our normal backup rotation;
  • We may retain Guest Data where required by law or for the establishment, exercise, or defence of legal claims. Any retained data will continue to be protected in accordance with this DPA.

If you do not give us an instruction within 30 days of termination, we may delete Guest Data from our live systems.

10. Personal Data Breaches

We will notify you without undue delay and, in any event, within 72 hours of becoming aware of a personal data breach affecting Guest Data. The notification will include, to the extent known at the time:

  • The nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
  • The likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate its effects.

We will cooperate with you to investigate, remediate, and respond to the breach, including supporting any notifications you are required to make to Supervisory Authorities or Data Subjects.

11. Data Subject Requests

If we receive a request from a Data Subject relating to Guest Data we process on your behalf (for example, an access, erasure, or rectification request), we will:

  • Not respond directly to the Data Subject other than to acknowledge receipt and direct them to you, unless legally required to do so;
  • Forward the request to you without undue delay;
  • Assist you, taking into account the nature of the processing, in responding to the request by appropriate technical and organisational measures.

12. Liability

Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, save to the extent that Applicable Data Protection Law prohibits such limitation.

Nothing in this DPA limits either party’s liability to Data Subjects under Applicable Data Protection Law.

13. Term

This DPA takes effect on the date you accept the Agreement (or, if later, the date you first process Guest Data through the Platform) and continues until the later of:

  • Termination of the Agreement; and
  • The date on which all Guest Data has been returned or deleted in accordance with Section 9.

14. General

  • Amendments. We may amend this DPA from time to time where necessary to reflect changes in Applicable Data Protection Law, guidance from Supervisory Authorities, or changes to our Sub-processors. We will give reasonable notice of material changes.
  • Order of precedence. In the event of conflict between this DPA and the rest of the Agreement in respect of data protection matters, this DPA prevails.
  • Governing law. This DPA is governed by the laws of England and Wales.

Schedule 1 — Details of Processing

Subject matter: Provision of the Owners HQ booking and payment management platform.

Duration: For the term of the Agreement and any additional retention period required by law or agreed between the parties.

Nature and purpose of processing:

  • Storing and displaying booking information created by the Controller;
  • Sending transactional emails to Guests (booking confirmations, payment reminders, receipts, pre-check-in communications);
  • Facilitating Guest payments via Stripe;
  • Recording manual payments entered by the Controller;
  • Hosting rental agreements and capturing electronic signatures;
  • Providing Guests with access to their booking page;
  • Providing support to the Controller and, where relevant, to Guests in respect of their use of the Platform.

Types of Personal Data:

  • Guest name, email address, and (where provided by the Controller) phone number;
  • Booking details: property, stay dates, accommodation and service fees, payment schedule;
  • Payment transaction records (excluding full card or bank account details, which are handled by Stripe);
  • Rental agreement audit information (timestamp, IP address);
  • Correspondence between Guests, the Controller, and (where relevant) Owners HQ support.

Categories of Data Subjects:

  • Guests of the Controller and, where applicable, additional members of a Guest’s booking party whose details have been provided by the Controller or Guest.

Schedule 2 — Technical and Organisational Measures

We maintain technical and organisational measures appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS) and at rest where supported by our infrastructure providers;
  • Access controls restricting access to Personal Data to authorised personnel on a need-to-know basis, with individual user accounts and strong authentication;
  • Network security including firewalls, monitoring, and protection against common web application vulnerabilities;
  • Hosting with reputable infrastructure providers that maintain recognised security certifications (for example, ISO 27001, SOC 2);
  • Payment card data handled by Stripe under PCI-DSS standards; full card data is not stored on our systems;
  • Backups of production data, with encryption and restricted access;
  • Logging and monitoring of platform activity to detect and investigate security incidents;
  • Staff obligations including confidentiality undertakings and appropriate training;
  • Incident response procedures for identifying, assessing, and responding to personal data breaches;
  • Sub-processor management including due diligence and contractual safeguards.

We review these measures periodically and update them as appropriate.

Schedule 3 — Approved Sub-processors

A current list of Sub-processors is available on request and includes the providers we rely on for hosting, email delivery, analytics, and customer support. Categories include:

| Category | Purpose | Sub-processor |
|---|---|---|
| Cloud hosting / infrastructure | Hosting the Platform and storing data | Amazon Web Services (AWS) |
| Transactional email delivery | Sending booking confirmations, receipts, and reminders to Guests | Postmark |
| Analytics | Understanding how the Platform is used and improving it | Google Analytics |

We will update this list and notify you of material changes in accordance with Section 6.3.

Stripe is not listed here because Stripe processes payment data as an independent Controller, not as our Sub-processor. Stripe’s processing is governed by its own agreements with you (through Stripe Connect onboarding) and with Guests.