GDPR & data protection
1. Roles: controller vs processor
We are the controller for personal data we collect to run our business and the Service — for example website visitors, account holders’ registration details, billing records with our payment provider, and support interactions.
Organizations that subscribe to ResortStrata are typically the controller for personal data they enter about their contacts, owners, tenants, and staff (except our own relationship data). For that processing, Xegen Ltd acts as a processor on documented instructions. Commercial customers should ensure they have a suitable agreement with us (including DPA terms where required).
2. Lawful bases & transparency
We process controller data on the bases described in our Privacy policy. Organizations must identify and document their own lawful bases for contact and operational data they load into the Service and provide their own privacy notices to data subjects where required.
3. Subprocessors
We use infrastructure and service providers that may process personal data on our behalf, for example:
- Cloud hosting and database providers for the application and backups;
- Email and notification delivery;
- Payment processing (e.g. Stripe) for platform subscriptions;
- Analytics on the public marketing site (where enabled).
We assess subprocessors for appropriate safeguards and govern them by contract. Customers may request an up-to-date subprocessor list or notification of material changes in line with contractual commitments.
4. Security measures
We implement measures appropriate to the nature of the processing, including access control, encryption in transit, segregation of customer data by organization, logging, and vulnerability management. Details may be expanded in security documentation or a DPA for enterprise customers.
5. International transfers
Where personal data is transferred outside the UK or EEA, we rely on appropriate transfer mechanisms (such as the UK International Data Transfer Agreement / Addendum or EU Standard Contractual Clauses) and supplementary measures where required by case law and guidance.
6. Data subject rights
Individuals may contact us (see below) to exercise rights under UK GDPR / EU GDPR where we are controller. Where we are processor, we will forward requests to the relevant customer organization or assist them as required by contract and law.
Rights may include access, rectification, erasure, restriction, objection, portability, and the right not to be subject to solely automated decision-making with legal effect (we do not use such processing for ResortStrata in a way that produces legal effects by default).
7. Retention
Processor data is retained according to customer configuration, account status, and our backup and deletion practices. Controller data follows the retention principles in our Privacy policy. Customers may export or delete certain data through the Service where features allow; formal deletion timelines may be set out in a DPA.
8. Breach notification
We maintain procedures to detect and respond to personal data breaches. Where we act as processor, we will notify affected customers without undue delay after becoming aware of a breach in line with Article 33/34 workflows and contractual terms. Where we are controller, we will notify supervisory authorities and data subjects when required by law.
9. Data Protection Impact Assessments (DPIAs)
Customers whose processing is likely to result in high risk to individuals should carry out their own DPIAs and consult us for assistance specific to the Service where needed.
10. Supervisory authority & complaints
UK individuals may contact the Information Commissioner’s Office (ICO): ico.org.uk. EU residents may contact their local authority. We hope to resolve concerns directly first — please use Contact.
11. Contact & DPA requests
For GDPR questions, processor enquiries, or a copy of our Data Processing Agreement, contact us via Contact.