Privacy Policy

Last updated: April 10, 2026

Bedly (“we”, “our”, “us”) operates the Bedly booking management platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, in compliance with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (nFADP/DSG), and other applicable data protection laws.

1. Data Controller

Bedly
Switzerland
Email: privacy@bedly.io

2. Data We Collect

2.1 Property Manager Data (Account Holders)

Account information: Name, email address, password (hashed), phone number
Property information: Property name, address, description, photos, settings
Usage data: Login timestamps, features used, pages visited
Payment data: Processed by Stripe — we do not store credit card details

2.2 Guest Data (Processed on Behalf of Property Managers)

Booking information: Name, email, phone, check-in/check-out dates, booking reference
Guest manifest (Italian properties): For stays in Italy, every overnight guest is registered as required by TULPS Art. 109 / Alloggiati Web. We collect full name, date of birth, place of birth, nationality, and (for adults) email. Minors do not require a document; their data is recorded for the manifest only.
Identity documents: Passport/ID photos uploaded by adult guests via a personal signed link. Stored encrypted in a private bucket; access is granted to the host (data controller) only. Retained for 6 months from check-out as required by Italian law, then automatically deleted.
Communication: Messages exchanged through the platform

2.2bis Roles for Guest Manifest Data

For the per-guest manifest collected to comply with Italian law (TULPS Art. 109), the property manager (host) is the data controller — they decide the purpose (compliance with municipal registration requirements) and remain responsible for transmission to the competent authorities. Bedly acts solely as a data processor(Art. 28 GDPR), providing the collection, storage, and export tools under documented instructions in the host's Data Processing Agreement.

2.3 Automatically Collected Data

IP address, browser type, device type
Cookies and similar technologies (see our Cookie Policy)

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Provide and maintain the Service	Contract performance (Art. 6(1)(b))
Process bookings and payments	Contract performance (Art. 6(1)(b))
Send transactional emails	Contract performance (Art. 6(1)(b))
AI-powered features (message suggestions, concierge)	Legitimate interest (Art. 6(1)(f))
Improve the Service and fix bugs	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations (e.g., tax records)	Legal obligation (Art. 6(1)(c))
Marketing communications (only with consent)	Consent (Art. 6(1)(a))

4. AI Processing

Our Service uses AI for:

Generating suggested replies to guest messages (Anthropic Claude)
Answering guest questions through the AI concierge (Anthropic Claude)
Generating property descriptions and translations (Anthropic Claude)
Extracting compliance fields from identity documents at check-in (Anthropic Claude Vision)
Comparing the guest's selfie with the photo on their identity document for legal de visu verification — Italian TULPS Art. 109 (Didit face-compare + Anthropic Claude Vision)

AI processing is performed server-side. Data sent to AI providers is not used to train their models. We have Data Processing Agreements with both Anthropic and Didit that ensure GDPR compliance. Identity document photos and selfies used for face-match are processed in the EU and deleted from the AI provider after the response is returned (they are retained by Bedly only as required for compliance audit, encrypted at rest).

5. Data Sharing

We share personal data only with:

Recipient	Purpose	Location
Supabase	Data storage & authentication	EU (AWS Frankfurt)
Vercel	Application hosting	EU/US
Stripe	Payment processing	EU/US
Resend	Transactional emails	US
Anthropic	AI features (messaging, concierge, document field extraction, face-match)	US
Didit	Face-match and liveness detection for legal identity verification at check-in (TULPS Art. 109)	EU

For US-based processors, we rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable.

6. Data Retention

Account data: Retained while account is active + 30 days after deletion
Guest booking data: Retained as required by tax law (typically 10 years for financial records)
Identity documents: Auto-deleted 6 months after check-out (as required by Italian law)
Messages: Retained while account is active
Demo accounts: Auto-deleted after 24 hours

7. Your Rights

Under GDPR and nFADP, you have the right to:

Access your personal data
Rectify inaccurate data
Delete your data (“right to be forgotten”)
Restrict processing
Port your data to another service
Object to processing based on legitimate interest
Withdraw consent at any time

To exercise your rights, email us at privacy@bedly.io. We will respond within 30 days.

8. Data Security

All data encrypted in transit (TLS 1.3) and at rest
Row Level Security (RLS) policies isolate data between tenants
Authentication via Supabase Auth with secure session cookies
Rate limiting on all API endpoints
Input validation with Zod schemas

9. International Transfers

Some of our processors are located outside Switzerland/EU. We ensure adequate protection through Standard Contractual Clauses, adequacy decisions, or the EU-US Data Privacy Framework.

10. Children's Privacy

Our Service is not directed to individuals under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or a notice in the Service.

12. Contact

For privacy inquiries: privacy@bedly.io

You also have the right to lodge a complaint with a supervisory authority:

Switzerland: FDPIC
Italy: Garante per la protezione dei dati personali