Agreement for the Processing of Personal Data
Data Processing Agreement (DPA) pursuant to art. 28 of Regulation (EU) 2016/679
Last update: January 30, 2026
1. Premises
This Agreement for the Processing of Personal Data (hereinafter "DPA") is stipulated between:
- The Data Controller (the "Controller"), identified as the User registered on the Rentevo platform;
- The Data Processor (the "Processor"), FEVEN S.R.L., as defined in the Privacy Policy.
This DPA is an integral part of the Terms and Conditions of Service and automatically applies to all users registered on the Rentevo platform. By registering for the Service, the Controller fully accepts this DPA.
2. Object and Duration
This DPA governs the processing of personal data carried out by the Processor on behalf of the Controller within the scope of providing the Rentevo service. The DPA is effective for the entire duration of the contractual relationship and automatically ceases upon deletion of the Controller's account.
3. Nature, Purpose and Object of the Processing
| Element | Description |
|---|---|
| Nature of processing | Collection, storage, organization, consultation, automated processing (AI), translation, communication, deletion |
| Purpose | Provision of the Rentevo service: automatic AI response to guest messages, synchronization with channel manager, WhatsApp communication, knowledge base construction, translation, notifications |
| Categories of data subjects | Guests of the accommodation facilities managed by the Controller |
| Categories of data | Name, email, phone number, booking codes, stay dates, language, message content |
4. Obligations of the Processor
The Processor undertakes to:
- Process personal data exclusively on the basis of documented instructions from the Controller, including those related to the transfer of data to third countries, unless required by Union or Member State law;
- Ensure that the persons authorized to process have committed to confidentiality or have a legal obligation of confidentiality;
- Adopt all security measures required by art. 32 of the GDPR, including:
  - Encryption of sensitive data at rest (Fernet) and in transit (TLS);
  - Strong authentication (JWT/JWKS);
  - Role-based access control;
  - Verification of webhook signatures (HMAC-SHA256);
  - Backup and recovery procedures;
  - Continuous security monitoring.
- Respect the conditions for the use of sub-processors referred to in Section 6;
- Assist the Controller in responding to requests from data subjects for the exercise of the rights provided for by Chapter III of the GDPR;
- Assist the Controller in ensuring compliance with the obligations set out in articles 32-36 of the GDPR (security, breach notification, DPIA);
- At the choice of the Controller, delete or return all personal data at the end of the provision of the services. The platform allows for data export (portability) and account deletion with cascade deletion of all data;
- Make available to the Controller all the information necessary to demonstrate compliance with the obligations of this DPA and allow for audit activities, including inspections, conducted by the Controller or another subject authorized by them.
5. Breach Notification
In the event of a personal data breach, the Processor undertakes to:
- Notify the Controller without undue delay and in any case within 48 hours from the moment they become aware of the breach;
- Provide the Controller with all the information necessary for the notification to the Guarantor pursuant to art. 33 of the GDPR, including:
  - Nature of the breach;
  - Categories and approximate number of data subjects involved;
  - Probable consequences of the breach;
  - Measures adopted or proposed to remedy it.
- Cooperate with the Controller for the management of the incident and for communication to the data subjects, where necessary.
6. Sub-processors
The Controller authorizes the Processor to use the following sub-processors, with whom the Processor has entered into agreements compliant with art. 28 of the GDPR:
| Sub-processor | Service | Country | Transfer Guarantee |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting, database, storage | Germany (EU) | Intra-EU transfer, no additional guarantees required |
| OpenAI, L.L.C. | AI response generation | USA | DPF + SCC |
| Google LLC (Gemini) | Translation, knowledge extraction, embeddings | USA / EU | DPF + SCC |
| Meta Platforms, Inc. | WhatsApp Business API | USA / EU | DPF + SCC |
| Stripe, Inc. | Payments and subscriptions | USA / EU | DPF + SCC |
| Telegram FZ-LLC | Operational notifications | UAE | SCC |
| Resend, Inc. | Transactional emails | USA | DPF + SCC |
| Comet ML, Inc. (Opik) | AI monitoring | USA | SCC |
| Google LLC (Serper) | Web search for guest questions | USA | DPF + SCC |
The Processor will inform the Controller with 30 days' notice in case of adding or replacing sub-processors, by communication to the email address associated with the account. The Controller has the right to object to the modification within 15 days from the communication. In case of motivated objection, the parties will consult in good faith to find an alternative solution. If an agreement is not reached, the Controller can withdraw from the contract without penalties.
7. International Transfers
The Processor can transfer personal data to third countries (extra-EEA) exclusively on the basis of:
- Adequacy decisions of the European Commission (e.g. EU-US Data Privacy Framework);
- Standard Contractual Clauses (SCC) adopted by the European Commission with Decision 2021/914;
- Appropriate supplementary technical measures (end-to-end encryption, pseudonymization).
The Processor has conducted a Transfer Impact Assessment (TIA) for each sub-processor located in third countries and maintains such documentation available to the Controller.
8. Audit Rights
The Controller has the right to verify the compliance of the Processor with this DPA through:
- Request for information and written documentation on compliance;
- Audits conducted by the Controller or a qualified third party, subject to reasonable notice of at least 30 days;
- Verification of security certifications and reports of sub-processors.
Audits will be conducted in a way that does not unreasonably interfere with the Processor's activities and in compliance with confidentiality obligations. Audit costs are borne by the Controller, unless the audit highlights a breach of this DPA.
9. Retention Periods by Data Category
Personal data processed on behalf of the Data Controller is kept for the following periods, unless otherwise instructed by the Data Controller or required by law:
| Data category | Retention period |
|---|---|
| Guest personal data (name, email, phone, language) | For the entire duration of the contract + 30 days from termination |
| Content of messages exchanged with guests | 24 months from receipt, then anonymization or deletion |
| Booking data (codes, dates, stay details) | For the entire duration of the contract + 30 days from termination |
| Knowledge base and documents uploaded by the Data Controller | For the entire duration of the contract, immediate deletion upon account closure |
| Technical and security logs (access log, audit log) | 6 months from registration |
| Database backups | 30 days rolling, then automatic overwrite |
| Billing data | 10 years (tax obligation pursuant to art. 2220 of the Italian Civil Code) |
10. Return and Deletion of Data
At the end of the contractual relationship:
- The Controller can export all their data from the platform in a structured format (ZIP containing JSON files) using the data export functionality;
- Upon account cancellation, the Data Processor will permanently delete all personal data processed on behalf of the Data Controller, via cascading deletion in the database, in compliance with the retention periods mentioned in the previous section;
- Data whose retention is required by law (e.g. billing) will be kept for the strictly necessary period and subsequently deleted;
- Data already transmitted to sub-processors will be deleted according to their respective storage policies (e.g. Meta/WhatsApp: 30 days).
11. Liability
Each party is responsible for damages caused by processing that violates the GDPR, in accordance with art. 82 of the GDPR. The Processor is responsible for damages caused by the processing only if it has not complied with the GDPR obligations specifically directed to processors or has acted in a way that is different or contrary to the Controller's instructions.
12. Applicable Law
This DPA is governed by Italian law and Regulation (EU) 2016/679. For what is not expressly provided, reference is made to the Terms and Conditions of Service.
13. Contacts
For any requests related to this DPA, the Controller can contact the Processor at:
- Email: privacy@rentevoai.com
- PEC: feven.srl@pec.it
- Address: FEVEN S.R.L. - Via Carlo Sigonio 16, 41043 Formigine (MO), Italy