Governs how Grevon processes personal data on your behalf as a data processor under applicable data protection laws.
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Grevon Terms of Service. It applies where Grevon processes personal data on behalf of Customers who are subject to the GDPR, UK GDPR, Australian Privacy Act, or other applicable data protection legislation. By accepting the Terms of Service, the Customer also agrees to this DPA.
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the Grevon Terms of Service or applicable data protection law.
This DPA applies to Grevon's processing of personal data on behalf of the Customer in connection with the Services, as described in Annex 1. The Customer is the Controller and Grevon is the Processor in respect of such personal data. Where Grevon processes personal data for its own purposes (such as account management and billing), Grevon acts as an independent Controller and the Privacy Policy applies.
Grevon shall process personal data only on documented instructions from the Customer, including the instructions set out in these Terms and this DPA. If Grevon is required by applicable law to process personal data other than in accordance with the Customer's instructions, Grevon shall notify the Customer of such requirement before processing (unless prohibited from doing so by law).
The Customer warrants that it has the right to instruct Grevon to process personal data in accordance with this DPA and applicable law, and that it has obtained all necessary consents, rights, and authorisations from data subjects where required.
Grevon shall ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations and receive adequate data protection training. Access to personal data is restricted on a need-to-know basis using role-based access controls.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Grevon shall implement and maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, without limitation:
The Customer grants Grevon general written authorisation to engage sub-processors to assist in providing the Services, subject to the conditions in this Section 6. Grevon maintains a current list of approved sub-processors, available at privacy@grevon.ai upon request.
Grevon shall impose data protection obligations on each sub-processor that are equivalent to those set out in this DPA. Grevon remains responsible for the acts and omissions of its sub-processors to the same extent as if it performed the processing directly.
Grevon will provide the Customer with at least 14 days' prior written notice of any intended addition or replacement of sub-processors. The Customer may object on reasonable data protection grounds within 14 days of notification. If objection cannot be resolved, the Customer may terminate the affected Services without penalty.
Grevon shall, to the extent technically feasible, assist the Customer in responding to data subject requests (access, correction, deletion, restriction, portability, and objection) within timescales required by applicable law. If Grevon receives a data subject request directly in relation to the Customer's processing, Grevon shall promptly forward it to the Customer without response (unless otherwise required by law).
Grevon shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting personal data processed under this DPA. Notification shall include, to the extent known: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate volume of personal data records affected, likely consequences, and measures taken or proposed to address the breach.
Where required by applicable law, Grevon shall provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) and, where necessary, prior consultations with supervisory authorities, in relation to processing activities under this DPA.
Where Grevon transfers personal data outside the EEA, UK, or other jurisdictions with adequacy requirements, such transfers shall be subject to appropriate safeguards as required by applicable law, including Standard Contractual Clauses (Module 3: Processor to Processor) where applicable. Grevon's current transfer mechanisms are documented in its Transfer Impact Assessment, available upon request.
Upon termination of the Services, and at the Customer's option and instruction, Grevon shall either delete or return all personal data processed under this DPA, including copies held by sub-processors, within 60 days. Where deletion is required by applicable law to be deferred, Grevon shall continue to protect the data and shall delete it as soon as legally permissible.
Grevon shall provide all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Customer or its authorised auditor. Audits shall be conducted on reasonable prior notice (minimum 30 days), no more than once per year unless required by a supervisory authority, and at the Customer's cost. Grevon may satisfy audit requests through the provision of current third-party certifications (e.g., SOC 2 report) in lieu of an on-site audit, at its reasonable discretion.
| Item | Details |
|---|---|
| Subject matter | Processing of personal data in connection with the provision of Grevon's AI-powered hospitality booking and search optimisation platform. |
| Duration | For the duration of the Customer's subscription to the Services, plus any retention period required by applicable law. |
| Nature of processing | Collection, storage, retrieval, transmission, analysis, and use to provide booking intelligence, AI search optimisation, and property representation. |
| Purpose of processing | Enabling AI agents to understand, recommend, and book properties on behalf of guests; direct booking facilitation; revenue optimisation. |
| Categories of data subjects | Hotel guests, prospective guests, and Customer's authorised staff members. |
| Categories of personal data | Name, email address, phone number, booking history, stay preferences, payment reference tokens (no raw card data), IP address, device identifiers. |
| Special categories | Not processed by default. Any processing of special category data (e.g., accessibility requirements, dietary restrictions) requires explicit Customer configuration and appropriate legal basis. |
For DPA-related enquiries, please contact our Privacy Team at privacy@grevon.ai. Customers requiring a countersigned DPA for their records may request one through their account manager.