This privacy policy describes how Heroes PMS SAS ("Heroes PMS", "we") collects, uses and protects your personal data when using the platform available at www.heroespms.com.
1. Who we are
Heroes PMS SAS is a French company headquartered at — rue de l'Hospitalité, 75000 Paris, France. We provide hospitality management software as a SaaS.
2. Data we collect
- Signup data: name, work email, optional phone, property name.
- Usage data: technical logs (access logs, IP, user-agent) for security and diagnostic purposes.
- Operational data: reservations, guests, invoices, messages — entered by you as part of your hospitality activity.
- Cookies: see our cookie policy.
3. Legal basis
Processing of your data is based on the performance of the service contract you signed with us (T&Cs), your consent (newsletter, analytics cookies) or our legitimate interest (security, fraud prevention).
4. Recipients
Your data is only shared with technical sub-processors needed to deliver the service (OVHcloud hosting in France, Stripe for payments, AWS for transactional email). No data is ever resold to third parties for advertising purposes.
5. Retention
Your operational data is kept for the duration of the contract, then for 5 years for accounting and legal purposes. You can request early deletion in writing at hello@heroespms.com.
6. Your rights
Under the GDPR, you have rights to access, rectify, erase, port and object to your data. You can exercise these rights at any time via hello@heroespms.com. You also have the right to lodge a complaint with the CNIL.
7. Security
We apply strict technical and organisational measures: TLS 1.3 encryption in transit, AES-256 at rest, two-factor authentication, full audit log, daily encrypted backups, hosting in ISO 27001-compliant European datacenters.
8. International transfers
Your data remains hosted in Europe. No transfer outside the EU occurs without Standard Contractual Clauses approved by the European Commission.
9. Changes
This policy may evolve; any material change will be notified to you by email at least 30 days before it comes into force.