Skip to content
← Back to home

Data Processing Agreement

Last updated: April 2026

This is a courtesy translation. The Norwegian version prevails.

This agreement governs how Appit AS (the data processor) processes personal data on behalf of you as a host (the data controller) in accordance with Article 28 of the GDPR.

1. Parties

Data controller: You, as a host and user of Gjestfri. As a host, you are the data controller for your guests' personal data.

Data processor: Appit AS, org. no. 933 898 210, Kokstadveien 41, 5257 Kokstad, Norway.

2. Purpose and scope

Appit AS processes personal data on your behalf solely to deliver the Gjestfri services:

  • Receiving and syncing bookings
  • Communicating with guests through the platform
  • Payment processing through Stripe Connect
  • AI-powered guest messaging and price suggestions
  • Operating and maintaining your host site

3. Categories of personal data

The following categories of personal data are processed:

  • Guest data: Name, email, phone number, nationality
  • Booking data: Check-in/check-out, number of guests, special requests
  • Payment data: Transaction amounts, status, references (no card data)
  • Communication data: Messages between host and guest

The data subjects are guests who book stays with you as a host.

4. Obligations of the data processor

Appit AS undertakes to:

  • Only process personal data on documented instructions from you as the data controller
  • Ensure that persons with access to personal data are bound by confidentiality
  • Implement appropriate technical and organizational measures to ensure a suitable level of security
  • Assist you in fulfilling the data subjects' rights (access, rectification, erasure, and so on)
  • Assist you in the event of personal data breaches and with data protection impact assessments
  • Make available all information necessary to demonstrate compliance with the obligations in this agreement

5. Security measures

Appit AS has implemented the following measures to protect personal data:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Access control based on the principle of least privilege
  • Regular backups
  • Logging of access to personal data
  • Secure authentication with password hashing

6. Sub-processors

Appit AS uses the following sub-processors to deliver the service:

Sub-processorPurposeLocation
ChannexChannel management and booking syncEU
StripePayment processingUSA (EU-US DPF)
Vercel / hostingPlatform operations and storageEU/USA
AI servicesText generation and pricing analysisUSA (EU-US DPF)

Appit AS will notify you at least 30 days before engaging new sub-processors. You have the right to object to new sub-processors. If the objection cannot be resolved, you may terminate the agreement.

7. Breach notification

Appit AS shall notify you without undue delay, and no later than within 48 hours, if a personal data breach is discovered. The notification shall include:

  • A description of the breach
  • Which categories of personal data are affected
  • The estimated number of data subjects affected
  • Measures taken or proposed to address the breach

8. Deletion on termination

When the agreement ends, Appit AS shall, at your choice, delete or return all personal data processed on your behalf. Deletion is completed within 30 days of termination.

An exception applies to data Appit AS is legally required to retain, such as accounting records under the Norwegian Bookkeeping Act.

9. Term

This agreement applies for as long as you use the Gjestfri services. It ends automatically when your account is deleted or your subscription is canceled.

Questions about data processing? Contact us at trond@appit.ai