Beta privacy notice

Privacy Policy

Last updated: 22 May 2026

Status: Beta / early-stage project

In short

  • Boravio helps guests send requests and messages to accommodation staff.
  • Boravio does not require guests to create an account.
  • Boravio does not require guest names, email addresses or phone numbers for the guest request workflow.
  • Guest requests are linked to a room/apartment identifier and stay period, not to a named guest profile.
  • Boravio does not process payments, store payment methods, issue invoices, handle refunds, charge guests, sell personal data, use guest data for advertising or act as the accommodation provider.
  • The accommodation provider remains responsible for the guest relationship, services offered, prices, payments, invoices, refunds, taxes and any offline or external arrangements with the guest.
  • Boravio is designed to support GDPR principles such as data minimization, purpose limitation, limited retention, access control and security by design.

Boravio is an early-stage software project that provides a web-based guest request and reception management application for accommodation providers. This Privacy Policy explains how personal data is processed when you use the Boravio website, the reception application, a property-specific guest portal such as boravio.app/guest/<hotel-code>, and related beta, support, backup and security features.

By using Boravio, you acknowledge that you have read this Privacy Policy and understand how personal data may be processed when using the service. If you do not want your data to be processed as described, please do not use Boravio or contact the accommodation provider for another way to submit your request.

1. Operator and contact

Boravio is currently operated as an early-stage project by an individual based in Croatia.

Operator
Boravio project operator
Location
Croatia
Contact
hello@boravio.com

This policy may be updated as Boravio develops, especially if the project becomes a registered business, adds donation tooling, analytics, or additional service providers.

2. Who is responsible for the data?

When a guest uses a property-specific guest portal, the accommodation provider, hotel, apartment, villa or similar property usually decides how guest data is used in relation to the stay and request handling. In that context, the accommodation provider is usually the data controller and Boravio provides the technical tool used to process guest requests and messages.

For the Boravio website, beta access, support, demo communication, security and service operation, Boravio may act as the data controller.

If you are a guest, you may contact either the accommodation provider or Boravio regarding privacy questions. The accommodation provider is usually the best first contact for requests related to a specific stay.

3. What Boravio does not do

Boravio does not:

  • require guest accounts;
  • require or store guest names for the guest request workflow;
  • require or store guest email addresses or phone numbers for the guest request workflow;
  • process card payments;
  • store payment methods;
  • issue invoices;
  • handle refunds or deposits;
  • charge guests;
  • sell personal data;
  • use guest request data for advertising;
  • profile guests;
  • share guest data with unrelated third parties;
  • act as the accommodation provider.

4. Data Boravio may process

Property and reception data

  • property name and property/hotel code;
  • manager name, email or phone, if entered by the property;
  • reception access key metadata;
  • authorized device ID, device name and last-seen information;
  • app version and sync status;
  • portal settings, service items, prices and descriptions.

Guest access data

  • room or apartment identifier;
  • check-in and check-out dates and hours;
  • access status;
  • PIN/access verification records;
  • access expiry and cleanup information.

Guest requests and messages

  • selected service, order or contact option;
  • optional message written by the guest or staff;
  • request status;
  • quantity, price, quote and payment-related operational status, where used;
  • conversation messages between guest and staff;
  • timestamps and read/unread state.

Technical and operational data

  • server and security logs;
  • audit/history records;
  • backup metadata and backup snapshots;
  • browser/device information needed to run the application;
  • local browser storage and standard browser cache data.

5. Data minimization

Boravio is designed to collect only the data needed to operate guest requests, reception workflows, access control, synchronization, backup and security features.

For the guest request workflow, Boravio does not require guests to create an account and does not require guest names, email addresses or phone numbers. Requests and messages are linked to a room/apartment identifier and stay period so authorized accommodation staff can handle them during the stay.

The system is not designed to build guest profiles, collect unnecessary guest information, track guests for advertising or use guest request data for marketing. Boravio is not intended for processing sensitive personal data. Guests and staff should not enter sensitive information unless it is necessary for handling a specific request.

6. Why Boravio processes data

Boravio processes data to:

  • provide the guest portal and reception application;
  • allow guests to send requests, orders and messages;
  • allow reception staff to respond to and manage requests;
  • verify guest PIN/access records;
  • keep request status and unread indicators in sync;
  • maintain backup and restore functionality;
  • secure the service and prevent unauthorized access;
  • provide beta testing, support and troubleshooting;
  • improve reliability and stability of the application;
  • comply with legal obligations where applicable.

7. Legal basis

Where Boravio is used by an accommodation provider, the accommodation provider is usually responsible for determining the legal basis for processing guest data.

Where Boravio acts as a controller, processing may be based on performance of a contract or steps before entering into a contract, legitimate interest in operating, securing and improving the service, compliance with legal obligations, or consent where consent is required.

8. Payments and transactions

Boravio is an operational communication tool only. It does not process payments, store payment methods, issue invoices, handle refunds, collect deposits, charge guests or complete transactions.

Any payment, invoice, refund, deposit, tourist tax, service charge or other financial arrangement is handled directly by the accommodation provider or by a payment provider chosen by the accommodation provider outside Boravio.

If Boravio displays prices, quotes, order values, paid/unpaid labels or payment-related statuses, this information is used only to help the accommodation provider manage guest requests. It does not mean that Boravio processes or completes a payment. Payment-related statuses are managed by the accommodation provider and are used only for operational request tracking.

9. Data sharing

Boravio does not sell personal data.

Guest request details, stay-related details and messages are visible to authorized staff of the relevant accommodation provider and to technical service providers where necessary to operate, secure or troubleshoot the service.

Data may also be shared with infrastructure and hosting providers needed to operate Boravio, technical service providers used for storage, backup, security or support, and public authorities, courts or regulators where legally required.

Boravio is currently designed to run on Cloudflare infrastructure, including Cloudflare Pages, Cloudflare Functions, D1 and R2, depending on deployment configuration.

10. Data retention and deletion

Boravio is designed to minimize how long operational guest request data is kept.

Current retention logic includes:

  • guest access records, linked guest requests and linked request messages are deleted after the configured post-checkout or expiry retention period, currently 48 hours;
  • backup snapshots are limited, currently up to 7 backup versions per property;
  • audit/history records are limited, currently up to 100 recent records per property;
  • authorized device records are kept while the device remains authorized, unless removed or revoked;
  • property configuration is kept while the property uses Boravio, unless deleted;
  • local browser data remains on the user’s device until it is cleared by the user, replaced by the application, or removed by browser settings.

Accommodation providers may request deletion of their property data, configuration, access records, guest request history and related messages, unless retention is required for security, legal compliance, backup integrity or dispute handling.

Guests may also request deletion of data related to their request. Because Boravio does not require named guest profiles, deletion requests may need to be identified by the accommodation provider, room/apartment identifier, stay period and request details.

11. Local storage, browser cache and cookies

Boravio uses browser storage and standard browser caching to make the application faster and more reliable. This may include app settings, access key and device information for reception users, cached operational state and local cache used to improve loading and stability.

At the time of this Privacy Policy, Boravio does not intentionally use advertising cookies, marketing pixels or third-party analytics scripts. If non-essential analytics, advertising or tracking cookies are added later, this policy will be updated and, where required, consent will be requested before those tools are used.

12. Security

Boravio applies technical and organizational measures intended to protect data, including HTTPS transport, access-key and PIN-based access control, hashed access key/PIN lookup mechanisms where applicable, device authorization and revocation, separation between the landing page, reception app and guest portal shells, limited retention for guest access and request data, and backup and deletion mechanisms.

No online service can guarantee absolute security. Users should keep access keys, PINs and authorized devices protected.

13. International transfers

Boravio may use infrastructure providers that process data outside the European Economic Area. Where this happens, Boravio will rely on appropriate safeguards such as data processing agreements, standard contractual clauses or other lawful transfer mechanisms where required.

14. Your rights

Depending on applicable law and the processing context, you may have the right to access your personal data, request correction, request deletion, request restriction of processing, object to processing, request data portability, withdraw consent where processing is based on consent, and lodge a complaint with a competent data protection authority.

If you are a guest using a property-specific portal, the accommodation provider is usually the best first contact because it manages the guest relationship and request handling. You may also contact Boravio at hello@boravio.com.

If you are in Croatia, the competent supervisory authority is the Croatian Personal Data Protection Agency — AZOP.

15. Children

Boravio is not intended for direct use by children. If a child’s personal data is submitted through a guest request, the accommodation provider is responsible for ensuring that it has an appropriate legal basis to process that data.

16. Automated decision-making

Boravio does not use guest request data for automated decision-making, profiling, advertising or sale of personal data.

17. Beta status and changes

Boravio is currently in beta. This means the service is still being improved, but privacy, data minimization and security are considered core parts of the project from the beginning.

Features, hosting setup, data handling, retention settings and third-party providers may be updated as the project develops. When material changes are made to this policy, the “Last updated” date will be changed.