Privacy policy

Last updated: 03/06/2026

This privacy policy describes how Heroes PMS SAS ("Heroes PMS", "we") collects, uses, shares and protects personal data in connection with the platform at www.heroespms.com (the "Service"). It applies to visitors of the website, prospects and customers of Heroes PMS.

1. Data controller

The data controller is Heroes PMS SAS, a French company headquartered at — rue de l'Hospitalité, 75000 Paris. For any question regarding your data: hello@heroespms.com.

2. Controller vs. processor: an essential distinction

Two situations must be distinguished:

  • Data of our customers (the hoteliers) — account, billing, browsing: we are the controller. This policy covers it.
  • Guest data entered by our customers into the Service (reservations, guest records): our customer is the controller and we act as a processor, in accordance with the Data Processing Agreement (DPA).

3. Data we collect

  • Identity & account data: first and last name, business email, phone (optional), property name and address, login credentials (hashed password).
  • Billing data: company name, billing address, VAT number, payment history. Card details are handled directly by our provider Stripe and do not transit through our servers.
  • Usage & technical data: access logs, IP address, device and browser type, pages viewed, actions performed (audit log), for security, support and improvement.
  • Communication data: exchanges with our support and sales teams, messages via contact forms.
  • Cookies & trackers: see our cookie policy.

4. Purposes & legal bases

  • Provision of the Service & account management — basis: performance of the contract (T&Cs).
  • Billing & collection — basis: performance of the contract and legal obligation (accounting).
  • Support & customer relations — basis: performance of the contract and legitimate interest.
  • Security, fraud and abuse prevention — basis: legitimate interest.
  • Service improvement & statistics — basis: legitimate interest (audience measurement) or consent (non-essential cookies).
  • Marketing communications (newsletter, offers) — basis: consent (prospects) or legitimate interest for similar products (customers), with the ability to unsubscribe at any time.

5. Recipients & subprocessors

Your data is accessible only to our authorised staff and to the technical subprocessors strictly necessary to provide the Service, notably: hosting provider (European datacenters), Stripe (payments), transactional email provider, and support tools. Each is bound by a contract compliant with article 28 of the GDPR. The current list is set out in the DPA. We do not sell or rent your data to third parties for advertising purposes. Data may be disclosed where required by law or to assert our rights.

6. Transfers outside the European Union

We favour hosting and processing within the European Union. Where a subprocessor involves a transfer outside the EU, it is framed by appropriate safeguards: an adequacy decision of the European Commission or standard contractual clauses (SCCs), with supplementary measures where necessary.

7. Retention periods

  • Account & operational data: for the duration of the contract, then archived for 5 years for evidential and accounting purposes.
  • Billing data: 10 years in accordance with accounting obligations.
  • Prospects (no contractual relationship): 3 years from the last contact.
  • Technical logs: 12 months maximum.
  • Cookies: see the cookie policy.

8. Your rights

In accordance with the GDPR and the French Data Protection Act, you have the rights of access, rectification, erasure, restriction, objection and portability, as well as the right to set instructions regarding your data after your death. You may exercise these rights, or withdraw your consent at any time, by writing to hello@heroespms.com (proof of identity may be requested). We respond within one month. You may also lodge a complaint with the French supervisory authority, the CNIL, or your local data-protection authority.

9. Security

We implement state-of-the-art technical and organisational measures: encryption in transit (TLS), encryption at rest, password hashing, strong authentication, logging of access and changes, data segregation per property, regular encrypted backups, and hosting in certified datacenters. Access to data is limited to authorised personnel, on a need-to-know basis.

10. Minors

The Service is intended for professionals and is not directed at minors. We do not knowingly collect data of minors through our forms.

11. Data protection contact

For any request relating to the protection of your data, you may contact our representative at hello@heroespms.com.

12. Mailbox integration (IMAP)

Heroes PMS offers an optional integration that lets a customer connect their mailbox (for example Gmail) via IMAP/SMTP, using an app password they generate themselves with their email provider. When enabled, we access their mailbox only to provide the messaging feature: fetch incoming emails to show them in the Heroes inbox, and send replies from their own address.

  • The app password is stored encrypted and is never shared with third parties.
  • We use email content only for this user-facing feature; we do not use it for advertising and do not sell it.
  • Content is not read by any human, except with the customer's explicit consent, for security reasons, or to comply with the law.
  • The customer can revoke access at any time: by disconnecting the mailbox in Heroes PMS (the password is then deleted) and/or by removing the app password in their email account's security settings.

13. Changes

We may update this policy. Any material change is notified by email and/or via the Service at least 30 days before it takes effect. The date of last update appears at the top of this page.