EU data residency, GDPR by default, Stripe payments, encryption everywhere. Hosts run real businesses on BookBed — we treat it that way.
Our primary database lives in the Frankfurt region, behind a Supabase Postgres deployment with row-level security enabled by default. Backups stay inside the EU.
Every reservation, message, and payout is exportable as CSV or via the API at any time. Cancel and your data stays accessible for 90 days, then gets permanently deleted on a verifiable schedule.
Card data never touches BookBed servers. Stripe is PCI-DSS Level 1 — the highest tier. Your payouts and refund flow run through Stripe Connect with bank-level reconciliation.
Every request to bookbed.io uses HTTPS with HSTS. Sensitive fields (tokens, keys, guest PII) are encrypted at rest. Production secrets live in a managed vault, not in source control.
Role-based permissions inside the app. Engineering access to production is logged, time-bound, and requires a second-factor approval. We rotate credentials on departures, not annually.
If Airbnb or Booking.com lags, our two-way iCal sync surfaces the gap on your dashboard before a guest sees it. Conflict prevention layered on top eliminates double-bookings even when a feed goes silent.
Three documents cover the BookBed promise — read them or send them to your lawyer. We make changes infrequently, and we version every revision.
What data we collect, why, how long we keep it, and how you correct or delete it.
The agreement between you and BookBed — host obligations, our responsibilities, payment, and termination.
Step-by-step instructions to permanently remove your account and every byte of associated data.
Need a security questionnaire, DPA, or sub-processor list? Email dusko@book-bed.com.