Roles under GDPR
| Role | Entity | Meaning |
|---|---|---|
| Data Controller | The hotel | Decides what data is collected and why. Responsible for legal basis, consent, and privacy policy on their website |
| Data Processor | TinyBell | Processes data on behalf of the hotel. Follows the hotel’s instructions. Does not decide what data to collect |
What TinyBell is responsible for
- Providing a secure platform and pixel script
- Protecting data in transit (TLS) and at rest (encrypted storage)
- Maintaining the availability and integrity of the service
- Notifying hotel customers without undue delay of security incidents affecting their data, as GDPR Article 33(2) requires of a processor
- Complying with the EU Cyber Resilience Act (CRA) requirements that apply to TinyBell as a software manufacturer
- Providing security updates during the support period
What TinyBell is NOT responsible for
Specifically, TinyBell is not liable for:
- Security of the hotel’s website: TinyBell does not control the hotel’s hosting, CMS, plugins, server configuration, or any other software running on the hotel’s domain
- Attacks on the hotel’s infrastructure: If a hotel website is compromised through weaknesses outside TinyBell’s control (SQL injection in the hotel’s CMS, phishing attacks on staff, ransomware, etc.), TinyBell bears no responsibility
- Legal claims from hotel guests: Any legal action, complaint, or regulatory fine related to data privacy, cookie consent, or data breaches on the hotel’s website is the hotel’s responsibility as data controller
- Costs of security incidents: TinyBell will not assume any cost, compensation, or damages resulting from attacks, breaches, or legal proceedings affecting hotel customers or their guests
- Hotel’s compliance obligations: Each hotel is responsible for its own GDPR compliance, cookie policy, privacy policy, and any local data protection regulations
Sensitive data
TinyBell does not request, collect, store, or process special-category personal data (as defined by GDPR Article 9) or other high-risk personal data, including:
- Payment card numbers or financial data
- Government-issued IDs or passport numbers
- Health or biometric data
- Data revealing religious beliefs, political opinions, or racial or ethnic origin
- Login credentials of hotel guests
Where a hotel collects personal data through TinyBell, the hotel, as data controller, is responsible for:
- Having a valid legal basis for collection (consent, legitimate interest)
- Including this collection in their privacy policy
- Complying with data subject access requests
- Securing the collected data after export from TinyBell
Hotels must maintain their own security policy
Each hotel using TinyBell should:
- Maintain an up-to-date privacy policy covering all tools and scripts on their website
- Implement cookie consent if required by their jurisdiction
- Have an incident response plan for their own infrastructure
- Keep their CMS, plugins, and hosting environment updated
- Not rely solely on TinyBell for their website’s security posture
Limitation of liability
TinyBell’s total aggregate liability under any claim related to the service is limited to the fees paid by the hotel customer during the 12 months preceding the claim. This applies to the maximum extent permitted by applicable law. TinyBell expressly excludes liability for:
- Indirect, incidental, or consequential damages
- Loss of revenue, bookings, or business opportunities
- Reputational damage arising from third-party attacks
- Regulatory fines imposed on the hotel as data controller
- Any damages caused by the hotel’s failure to implement adequate security measures
Data Processing Agreement (DPA)
Hotels requiring a formal Data Processing Agreement for GDPR compliance can request one at info@thetinybell.com. The DPA covers:
- Scope and purpose of data processing
- Data categories processed
- Sub-processor list
- Data breach notification obligations
- Data deletion upon contract termination