Sub-processors

📌 Legal precedence: this document is a courtesy translation of the Italian original. In case of any discrepancy between this translation and the Italian version, the Italian version shall prevail as the legally binding reference. Italian original available here: https://vezpa.it/subprocessors/.

Purpose of this page: it lists the providers (sub-processors) that Vezpa uses to deliver the service, each with location, purpose and legal basis for data transfer. The list is an integral part of the Data Processing Agreement.

    Prior notice of changes: any additions or replacements are communicated to Data Controllers (customer facilities) with at least 30 days' notice by email and dashboard, allowing exercise of the right to object (art. 28.2 GDPR).

1. Active sub-processors

1.1 Infrastructure and storage

Provider	Location	Purpose	Data processed	Transfer basis
DigitalOcean LLC 101 Ave of the Americas, New York, NY 10013, USA	EU servers (Frankfurt - FRA1) + USA headquarters	Hosting servers, PostgreSQL database, Redis, Spaces object storage, CDN	All platform data	EU DPF SCC as fallback

1.2 Payments

Provider	Location	Purpose	Data processed	Transfer basis
Stripe Payments Europe Ltd 1 Grand Canal Street Lower, Dublin, Ireland (with Stripe Inc., San Francisco, CA, USA)	EU (IE) + USA	Card payment processing, anti-fraud, guest payment links	Card data (managed by Stripe, not stored by Vezpa), email, amount, reference booking	EU DPF

1.3 Communications

Provider	Location	Purpose	Data processed	Transfer basis
IONOS SE Elgendorfer Str. 57, 56410 Montabaur, Germany	EU (DE)	Transactional emails, vezpa.it email server, PEC	Recipient email address, email content, metadata	EU
Google LLC - Firebase Cloud Messaging 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA (via Google Ireland Ltd)	EU (IE) + USA	Sending push notifications to mobile and desktop devices	Device FCM token, technical identifiers, notification payload (booking metadata only, no sensitive PII)	EU DPF

1.4 OTA Channel Manager

Provider	Location	Purpose	Data processed	Transfer basis
STAAH Limited Auckland, New Zealand	New Zealand	Synchronisation of bookings, availability and rates with ~60 OTA channels	Booking data (guest name, dates, room, rate, contacts)	EU Adequacy (Decision 2013/65/EU)

1.5 In-app purchase and app distribution

Provider	Location	Purpose	Data processed	Transfer basis
Apple Distribution International Ltd Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (with Apple Inc., Cupertino, CA, USA)	EU (IE) + USA	App Store distribution iOS/macOS, subscription management (StoreKit)	Store account ID, purchase token, subscription status	EU SCC — Apple does not participate in the DPF; USA transfers are governed by SCC 2021/914
Google Ireland Ltd / Google LLC Gordon House, Barrow Street, Dublin 4, Ireland (with Google LLC, USA)	EU (IE) + USA	Play Store Android distribution, subscription management (Play Billing)	Store account ID, purchase token, subscription status	EU DPF
Microsoft Ireland Operations Ltd / Microsoft Corp. One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland	EU (IE) + USA	Microsoft Store Windows distribution, subscription management	Store account ID, subscription status	EU DPF

1.6 Optional integrations (only if activated by the facility)

Provider	Location	Purpose	Data processed	Transfer basis
Tuya Smart (Hangzhou Tuya Information Technology Co., Ltd.) Hangzhou, China	China	Management of smart locks and home automation	Device identifiers, access events	SCC Optional

2. Independent Data Controller recipients

The following subjects are not sub-processors but independent Data Controllers that receive data for legal obligations or their own relationship with the data subject. They are listed here for transparency:

2.1 Public authorities (legal obligation of the Controller)

Italy: AlloggiatiWeb (State Police / Police Headquarters), ISTAT, Italian municipalities (via PayTourist), Italian Revenue Agency (Interchange System - SDI)
Austria: Feratel / Meldeamt (municipal guest registration)
Spain: SES.HOSPEDAJES (Ministerio del Interior)
Hungary: NTAK (Nemzeti Turisztikai Adatszolgaltato Kozpont)
Croatia: eVisitor
Portugal: SEF (Servico de Estrangeiros e Fronteiras)
Czech Republic: UbyPort
Slovenia: eTurizem / AJPES

Governmental connectors are activated only if the facility is located in the corresponding State. Connection credentials are configured by the facility itself; Vezpa does not store credentials in clear text.

2.2 OTAs and metasearch (contractual relationship with the traveller)

The OTA channels activated by the facility receive booking and inventory data. They fall into the category:

Main (legacy): Booking.com, Airbnb, Expedia, VRBO, Agoda
Other ~55 dynamic channels via STAAH: e.g. Hotels.com, Trip.com, Hostelworld, Despegar, etc.

Each OTA applies its own privacy notice. Transfers to extra-EU OTAs are governed by their direct contracts with the facility and/or with the traveller.

3. Legend

EU - Office or branch in the European Union
DPF - Active EU-U.S. Data Privacy Framework certification
EU Adequacy - Country with adequacy decision of the European Commission
SCC - EU Standard Contractual Clauses 2021/914
Optional - Activated only upon explicit choice of the facility

4. Change history

Date	Change
19 April 2026	First publication of the public list

Contacts

For questions about sub-processors or to object to a change:

[email protected]
PEC: [email protected]

1. Active sub-processors

1.1 Infrastructure and storage

1.2 Payments

1.3 Communications

1.4 OTA Channel Manager

1.5 In-app purchase and app distribution

1.6 Optional integrations (only if activated by the facility)

2. Independent Data Controller recipients

2.1 Public authorities (legal obligation of the Controller)

2.2 OTAs and metasearch (contractual relationship with the traveller)

3. Legend

4. Change history

Contacts