Data Usage
What we collect, what we do with it, what we never do, and your rights under the EU General Data Protection Regulation.
1. What we collect
We collect three categories of data:
- Account data. Your name, work email, company name, country, and the password hash we use to sign you in. If you sign in with Google or Microsoft, the only fields we receive are name, email and a unique account identifier.
- Workflow data. The briefs you write, the hotels you shortlist, the questions you send, the responses you receive, the comparison sheets you build, and the contract drafts you upload. This is the operational heart of the Platform and exists because the product cannot work without it.
- Usage data. Pages you visit inside the Platform, features you click, error logs from your browser, and the IP address of each session. Usage data is retained for 90 days for security and product-quality purposes, then aggregated and anonymised.
We do not knowingly collect special-category personal data (such as health, biometric, or political-opinion data) and we do not ask for it. If you accidentally upload such data inside a brief or attachment, contact us and we will delete it from our systems.
2. What we use it for
Each piece of data has a specific purpose and we do not use it for anything else without your written consent:
- Running the product. Account data and workflow data are used to provide you with the Platform — to log you in, to send your RFPs, to store your shortlists, and to power your comparison views.
- Product improvement. Usage data tells us which screens are slow, which buttons are misunderstood, and which workflows lose people. We use this to prioritise the product roadmap.
- Anonymised benchmarks. We aggregate response rates, rate ranges, BAFO savings, and similar fields across hundreds of RFPs to publish public benchmarks ("Average European hotel RFP response time", "BAFO savings by city"). Individual hotels and individual agencies are never identified inside a benchmark; the smallest cohort we will publish is 25 distinct contributors.
- Customer support. When you email us, we read the email and any data you share to help you. Support emails are retained for 24 months for quality and continuity.
3. Hotel data sources
We build our hotel database from three sources, and the sources are mixed transparently:
- Public Convention Bureau and tourism-board listings. National and city-level convention bureaus publish hotel inventory for MICE use. We index these listings and link back to the source.
- Commercial relationships. Hotels that have onboarded as Easy RFP Hotel Partners share their meeting-space inventory, rate cards, and contact data directly. These hotels are flagged as "Partner" inside the Platform.
- Explicit consent capture. When a hotel receives an RFP through Easy RFP and responds, they are told in the response form that their reply is stored on the Platform. They can request deletion at any time.
We do not scrape personal data from social networks, professional networks, or paywalled databases.
4. What we never do
We do not sell your data.
Not to advertisers. Not to data brokers. Not to lead-generation vendors. Not "anonymised". Not under any framing.
We do not identify individual hotels in benchmarks.
Published benchmarks are aggregate-only with a minimum cohort size of 25 contributors. A hotel that responded slowly will never be named in our content.
We do not share named agency data with hotels.
A hotel that receives your RFP sees your brief, your contact details and your company name — because that is how an RFP works. They do not see your other briefs, your shortlist for other hotels, or your aggregate sourcing volume.
We do not train third-party AI models on your data.
Workflow data is not sent to OpenAI, Anthropic, Google, or any other model provider for training purposes. Where we use AI features inside the product, we use no-retention API tiers that contractually forbid the provider from training on our payloads.
5. Your rights under GDPR
If you are in the EU, EEA or UK, you have the rights granted by Articles 15 to 22 of the General Data Protection Regulation. In plain English:
To exercise any of these rights, email [email protected] with the subject line "GDPR request" and tell us which right you are exercising. We will acknowledge within 5 working days and respond fully within 30 calendar days, free of charge. If the request is unusually complex, we may extend by a further 60 days and will tell you why.
If you are unhappy with our response, you have the right to complain to your national data protection authority. For Estonia, where Easy RFP OÜ is registered, the supervisory authority is the Andmekaitse Inspektsioon (aki.ee).
6. Marketing consent
We send three types of email:
- Service emails (RFP notifications, password resets, billing updates) — required to operate your account and always sent.
- Product updates (new features, scheduled maintenance) — sent to active accounts; you can opt out from the link in every email.
- Marketing emails (industry reports, newsletters, webinars) — opt-in only, and you can unsubscribe from the link in every email.
We never sell or rent our email list. We never share it with third parties for their marketing.
7. Data residency
Your account data and workflow data are stored in the European Union, in our Supabase database hosted in the eu-west-2 region (Ireland). Backups are encrypted and stored in the same region. Static assets are served from Cloudflare's global edge network, which terminates TLS at the closest point of presence; the underlying data store is EU-only.
When a sub-processor needs to handle data outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as the cross-border transfer mechanism. The current list of sub-processors and the basis for any cross-border transfer is published in the Data Processing Agreement.
8. Data Processing Agreement
If your organisation requires a signed Data Processing Agreement (DPA) before using Easy RFP, a pre-signed DPA is available at /legal/dpa/. The DPA covers the GDPR Article 28 obligations, the sub-processor list, the breach notification timeline, and the Standard Contractual Clauses for cross-border transfers.
9. Contact the DPO
At our current size, the data protection officer function is held by the founder, Gustavo Borges. Email [email protected] with the subject line "DPO" for anything data-protection-related. When revenue justifies a dedicated DPO appointment, we will publish the change here and contact existing customers by email.
10. Updates to this page
If we change the way we use your data in a material way — for example, by adding a new processing purpose or a new sub-processor — we will email you at the address on your account at least 30 days before the change takes effect. The "Last updated" date at the top of this page is always current.