Security & Privacy

Your guests' data is safe with us

hoteo is built with security at its core — not bolted on as an afterthought. GDPR-compliant, encrypted end-to-end, with strict data isolation between every property.

Per-property data isolation

Every hotel on hoteo operates in a fully isolated data environment. Guest data, tickets, staff, and settings from one property are never visible to or shared with any other property — enforced at the database level, not just in the UI.

Encryption everywhere

All data is encrypted in transit using TLS 1.3 and encrypted at rest. Passwords are hashed with bcrypt and never stored in plain text. Sensitive credentials are stored in environment variables, never in source code.

Role-based access control

Every staff member gets only the permissions they need. Owners can do everything. Managers control operations. Staff see only their assigned tickets. Granular permission strings prevent privilege escalation.

GDPR compliance

hoteo is designed to be GDPR-compliant. Guest sessions can be deleted on request. We collect only the data required to operate the service. You control what data your property collects from guests.

Security checklist

TLS 1.3 encryption in transit
AES-256 encryption at rest
bcrypt password hashing
Per-property database isolation
Session-based authentication (NextAuth)
Role-based access control (RBAC)
GDPR-compliant data handling
Guest data deletion on request
No cross-property data leakage
Secrets managed via environment variables
Audit trail on every ticket event
Automatic QR code expiry (check-out date)

Have security questions?

We're happy to answer questions about our security architecture, data handling practices, or GDPR compliance.
