This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Familiar SAS (“Familiar”, “Processor”) and the Client (“Data Controller”) and governs the processing of Personal Data by Familiar on behalf of the Client in connection with the provision of the Services. This DPA is entered into in compliance with Regulation (EU) 2016/679 (the “GDPR”) and applicable national data protection legislation.
1. Scope
This DPA applies to all processing of Personal Data carried out by Familiar as a Data Processor on behalf of the Client as Data Controller in the context of providing the Services. The terms “Personal Data”, “Data Controller”, “Data Processor”, “Data Subject”, “processing”, and “personal data breach” shall have the meanings ascribed to them in the GDPR.
This DPA supplements and is subject to the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.
2. Processing Details
2.1 Services
Familiar provides a SaaS platform designed for the hospitality industry, enabling hotel and property management, guest communications, survey management, scenario automation, and related operational features. The processing of Personal Data is necessary for the performance of these Services.
2.2 Nature of Processing
The processing activities carried out by Familiar include the collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Personal Data, as required to provide the Services.
2.3 Purposes of Processing
Personal Data is processed for the following purposes:
- Providing and operating the Services as described in the Terms of Service and applicable Order Form.
- Managing guest profiles, reservations, and communications on behalf of the Client.
- Sending transactional and marketing emails as configured by the Client through the platform.
- Executing automated scenarios and workflows defined by the Client.
- Generating analytics, reports, and insights for the Client.
- Providing technical support and troubleshooting.
- Ensuring the security, integrity, and availability of the Services.
2.4 Categories of Personal Data
The categories of Personal Data processed may include:
- Identity data: first name, last name, title, date of birth, nationality.
- Contact data: email address, phone number, postal address.
- Reservation data: booking dates, room preferences, stay history, special requests.
- Communication data: email content, survey responses, messaging history.
- Technical data: IP address, browser type, device information, usage logs.
- Preference data: language preferences, communication preferences, loyalty program information.
2.5 Data Subjects
The Data Subjects whose Personal Data may be processed include:
- Guests and customers of the Client’s hospitality properties.
- Employees, agents, and representatives of the Client who use the Services.
- Prospective guests and leads managed through the platform.
- Any other individuals whose Personal Data is uploaded to the Services by the Client.
2.6 Duration
Personal Data will be processed for the duration of the Subscription Period and for such additional period as may be necessary for Familiar to comply with its obligations under this DPA, the Terms of Service, and applicable law, including data retention and deletion obligations.
3. Obligations of Familiar
Familiar shall:
- Process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which Familiar is subject. In such a case, Familiar shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR.
- Respect the conditions for engaging sub-processors as set out in Section 4 of this DPA.
- Assist the Client, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s obligation to respond to requests for exercising Data Subject rights.
- Assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Familiar.
- At the choice of the Client, delete or return all Personal Data to the Client after the end of the provision of the Services, and delete existing copies unless European Union or Member State law requires storage of the Personal Data.
- Make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
- Immediately inform the Client if, in Familiar’s opinion, an instruction from the Client infringes the GDPR or other European Union or Member State data protection provisions.
4. Sub-processors
4.1 Authorization
The Client provides general written authorization for Familiar to engage sub-processors for the processing of Personal Data. Familiar shall maintain an up-to-date list of sub-processors, which is set out in the Appendix to this DPA. Familiar shall inform the Client of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Client the opportunity to object to such changes. The Client shall have 8 days from the date of notification to raise a reasoned objection. If the Client objects and the parties cannot reach a resolution, the Client may terminate the affected Services in accordance with the Terms of Service.
4.2 Guarantees
Familiar shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA, by way of a written contract. Familiar shall remain fully liable to the Client for the performance of each sub-processor’s obligations. Familiar shall carry out appropriate due diligence on sub-processors prior to engagement and on an ongoing basis to ensure they provide sufficient guarantees to implement appropriate technical and organizational measures.
5. Data Subject Rights
Familiar shall assist the Client in responding to requests from Data Subjects exercising their rights under the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. If Familiar receives a request directly from a Data Subject, it shall promptly forward the request to the Client and shall not respond to the Data Subject directly unless instructed to do so by the Client.
Familiar shall implement appropriate technical and organizational measures to enable the Client to fulfill Data Subject requests, including providing tools for data export and deletion within the Services where feasible.
6. Data Breach Notification
In the event of a personal data breach affecting Personal Data processed under this DPA, Familiar shall notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of Familiar’s Data Protection Officer or other contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to be taken by Familiar to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Familiar shall cooperate with the Client and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
7. Compliance Assistance
Familiar shall assist the Client in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Familiar. This assistance includes:
- Providing information and documentation necessary for the Client to carry out data protection impact assessments (DPIAs) where required.
- Assisting with prior consultations with supervisory authorities where a DPIA indicates that processing would result in a high risk in the absence of measures taken by the Client to mitigate the risk.
- Providing information about Familiar’s technical and organizational security measures upon reasonable request.
8. Security Measures
Familiar implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:
- Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access controls: Role-based access controls, multi-factor authentication for administrative access, and the principle of least privilege.
- Network security: Firewalls, intrusion detection systems, and network segmentation.
- Monitoring and logging: Continuous monitoring of systems, audit logging of access to Personal Data, and alerting for anomalous activity.
- Vulnerability management: Regular vulnerability assessments, penetration testing, and timely patching of systems.
- Business continuity: Regular backups, disaster recovery procedures, and tested incident response plans.
- Employee security: Background checks for personnel with access to Personal Data, mandatory security awareness training, and confidentiality agreements.
Familiar shall regularly review and update these measures to ensure they remain appropriate in light of the evolving threat landscape and the state of the art.
9. Data Retention and Deletion
Familiar shall process Personal Data only for the duration necessary to provide the Services and fulfill its obligations under this DPA. Upon termination or expiry of the Services, the Client shall have a period of 30 days to provide instructions regarding the return or deletion of Personal Data. If the Client does not provide instructions within this period, Familiar shall securely delete all Personal Data in its possession, including any copies, unless retention is required by applicable European Union or Member State law.
Upon request, Familiar shall provide the Client with written certification confirming the deletion of Personal Data.
10. Data Protection Officer
Familiar has appointed a Data Protection Officer (DPO) who can be contacted at hello@familiarhq.com. The DPO is responsible for monitoring Familiar’s compliance with the GDPR and this DPA, advising on data protection obligations, and serving as a point of contact for Data Subjects and supervisory authorities.
If the DPO identifies areas of non-compliance, Familiar shall implement corrective measures within 60 days of the identification.
11. Records of Processing
Familiar shall maintain records of all categories of processing activities carried out on behalf of the Client, in accordance with Article 30(2) of the GDPR. These records shall include:
- The name and contact details of Familiar and the Client.
- The categories of processing carried out on behalf of the Client.
- Where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards.
- A general description of the technical and organizational security measures.
These records shall be made available to the Client and to the competent supervisory authority upon request.
12. International Transfers
Familiar primarily processes Personal Data within the European Economic Area (EEA). Where the provision of the Services requires the transfer of Personal Data to a country outside the EEA that has not been recognized by the European Commission as providing an adequate level of data protection, Familiar shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include:
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- The EU-U.S. Data Privacy Framework, where the recipient is certified under the framework.
- Binding Corporate Rules approved by a competent supervisory authority.
- Other transfer mechanisms recognized under the GDPR as providing appropriate safeguards.
Details of current sub-processors and their locations are set out in the Appendix. Familiar shall inform the Client before making any new transfer of Personal Data outside the EEA and shall ensure that the appropriate safeguards are in place prior to such transfer.
13. Audit
The Client may audit Familiar’s compliance with this DPA once per year. The Client shall provide at least 4 weeks’ prior written notice of any audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Familiar’s operations.
The audit may be conducted by the Client or by an independent third-party auditor appointed by the Client, provided that such auditor is bound by appropriate confidentiality obligations. Familiar shall cooperate with the audit and provide reasonable access to relevant documentation, systems, and personnel.
If the audit reveals any non-compliance with this DPA, Familiar shall implement corrective measures within 60 days of being notified of the findings. Familiar shall inform the Client of the corrective measures taken.
The costs of the audit shall be borne by the Client, unless the audit reveals a material breach of this DPA by Familiar, in which case the reasonable costs of the audit shall be borne by Familiar.
14. Client Obligations as Data Controller
The Client, as Data Controller, warrants and undertakes that:
- It has a lawful basis for the processing of Personal Data as required by the GDPR, including where necessary the consent of the Data Subjects.
- It has provided appropriate notices to Data Subjects regarding the processing of their Personal Data, including the involvement of Familiar as a Data Processor.
- Its instructions to Familiar regarding the processing of Personal Data comply with applicable data protection laws.
- It has implemented appropriate technical and organizational measures to protect Personal Data within its own systems and infrastructure.
- It shall promptly notify Familiar of any changes to its processing instructions or of any circumstances that may affect Familiar’s ability to fulfill its obligations under this DPA.
- It shall respond to Data Subject requests within the timeframes required by the GDPR and shall inform Familiar of any actions required on Familiar’s part.
15. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Familiar’s total aggregate liability arising out of or related to this DPA shall not exceed the total fees paid by the Client to Familiar during the twelve (12) months preceding the event giving rise to the claim.
Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law, including liability for intentional breaches of data protection obligations or for fines imposed by supervisory authorities to the extent that such fines are directly attributable to the liable party’s own actions or omissions.
16. Governing Law
This DPA is governed by and construed in accordance with the laws of France, without regard to its conflict of law provisions. Any dispute arising out of or in connection with this DPA that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the Paris Court of Appeal.
Appendix: Sub-processors
The following sub-processors are authorized to process Personal Data on behalf of the Client as of the date of this DPA:
Amazon Web Services (AWS)
- Entity location: Seattle, United States
- Processing location: Belgium, European Union
- Data processed: User data and system data
- Purpose: Application hosting, data storage, and infrastructure services
Trigger.dev
- Entity location: United States
- Processing location: European Union
- Data processed: System messages
- Purpose: Background job processing and task orchestration
Sentry
- Entity location: San Francisco, United States
- Processing location: Germany, European Union
- Data processed: Error reports and performance traces
- Purpose: Application monitoring, error tracking, and performance monitoring
SendGrid (Twilio)
- Entity location: Denver, United States
- Processing location: European Union
- Data processed: Marketing and transactional email content, recipient email addresses
- Purpose: Email delivery services
Beefree (BEE Content Design)
- Entity location: San José, United States
- Processing location: Ireland, European Union
- Data processed: Email template content
- Purpose: Email template creation and design