Data Processing Addendum

This Addendum governs how Porter processes guest personal data on your behalf. It forms part of, and is incorporated into, our Terms of Service. Last updated 3 June 2026.

1. Parties and roles

This Data Processing Addendum (“DPA”) is between the customer (the “Customer”, “you”) and Travel Global Limited trading as Porter (“Porter”, company number 12323610, registered in England and Wales). For personal data relating to your guests that is processed through the Porter service, you are the data controller and Porter is the data processor. This DPA applies to processing of such personal data and is governed by UK GDPR and the Data Protection Act 2018.

2. Processing on documented instructions

Porter will process personal data only on your documented instructions — including those set out in this DPA, the Terms, and your configuration and use of the service — unless required to do otherwise by law, in which case we will inform you where permitted.

3. Confidentiality

Porter ensures that personnel authorised to process the personal data are bound by appropriate confidentiality obligations.

4. Security

Taking into account the state of the art and the nature of the data, Porter implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with Article 32 UK GDPR — including encryption in transit, access controls, and logical data isolation between customers. A summary is set out in Annex 2.

5. Sub-processors

You provide general authorisation for Porter to engage sub-processors to deliver the service (for example: cloud hosting and database, authentication, AI-assisted content, maps and local data, website screenshot generation, payment processing, and email delivery). Porter imposes data protection terms on each sub-processor no less protective than this DPA, and remains responsible for their performance. We will make the current list available on request and give reasonable notice of intended changes so you may object on reasonable data-protection grounds.

6. Assistance with data subject rights

Taking into account the nature of the processing, Porter will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability and objection). Where a guest contacts Porter directly, we will, where appropriate, refer them to you as the controller.

7. Personal data breaches

Porter will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide information reasonably available to help you meet your own notification obligations.

8. Assistance with compliance

Porter will assist you, taking into account the nature of processing and the information available to us, in meeting your obligations relating to security, breach notification, data protection impact assessments, and prior consultation with the supervisory authority.

9. Return and deletion

On termination of the service, and at your choice, Porter will delete or return the personal data and delete existing copies, unless retention is required by law. Routine deletion timescales are described in our Privacy Policy.

10. Audits

Porter will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and scheduling conditions.

11. International transfers

Where personal data is transferred outside the UK or EEA, Porter relies on an appropriate transfer mechanism, such as an adequacy decision or the relevant standard contractual clauses / UK International Data Transfer Agreement.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

Annex 1 — Details of processing

  • Subject matter: provision of the Porter service to the Customer.
  • Duration: for the term of the Customer’s use of the service.
  • Nature and purpose: hosting and operating branded guest guides, an online hotel store, and post-stay feedback, and related analytics.
  • Types of personal data: guest names and contact details (where provided), stay dates, feedback and ratings, purchase/transaction details, and technical/usage data such as IP address.
  • Categories of data subjects: the Customer’s guests and prospective guests.

Annex 2 — Security measures

  • Encryption of data in transit (TLS).
  • Role-based access controls and least-privilege access for personnel.
  • Logical isolation of customer data, including row-level security.
  • Use of reputable infrastructure providers with recognised security certifications.
  • Monitoring, logging and a documented incident-response process.

Contact

Data protection enquiries and requests for our sub-processor list: privacy@tryporter.co.uk.