Data Processing Agreement

Version dated 1 May 2026. Signed by acceptance of the Terms of Service at checkout. Article 28 GDPR / Article 28 Regulation (EU) 2016/679.

1. Parties

This Data Processing Agreement ("DPA") is entered into between the Customer (the "Controller") and Weareplonet Retail d.o.o. (the "Processor") upon acceptance of the Weareplonet Terms of Service. The DPA governs personal data processed by the Processor on behalf of the Controller in the delivery of the subscribed modules.

2. Subject matter and duration

The Processor processes personal data on the Controller's behalf for the sole purpose of operating the subscribed Weareplonet modules. Processing continues for the duration of the Controller's subscription and ceases on termination.

3. Nature and purpose of processing

The Processor performs the technical operations required by each subscribed module: reading and writing data via the Protel API using the Controller's Protel Login, generating and delivering reports, sending notifications, and executing the module-specific workflows described in the module's documentation.

4. Categories of data subjects and personal data

Data subjects: the Controller's guests, the Controller's employees using the Weareplonet dashboard, and — for some modules — the Controller's negotiated corporate contacts. Personal data: names, contact details, reservation identifiers, room assignments, folio notes and folio balances, employment role. No special categories of personal data (Article 9 GDPR) are processed.

5. Processor obligations

6. Sub-processors

The current sub-processors are: our EU hosting provider (Frankfurt and Amsterdam data centres), our transactional email provider (EU), and our payment acquirer (EU, PCI DSS certified). A current list with entity names and location is available on request from dpo@weareplonet.org.

7. Cross-border transfers

Personal data is processed and stored in the European Economic Area. No cross-border transfer to a third country takes place under this DPA without appropriate safeguards (Standard Contractual Clauses or an adequacy decision).

8. Security

TLS 1.3 in transit, AES-256 at rest, per-property scoped API tokens, IP-restricted egress from Weareplonet infrastructure, role-based access control on internal systems, logged access to customer data, quarterly independent penetration testing, incident response process documented and rehearsed.

9. Data breach notification

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and in any event within 48 hours, providing sufficient information for the Controller to meet its own obligations under Article 33 GDPR.

10. Liability

Liability is capped as per Clause 9 of the Terms of Service; nothing in this DPA limits liability that cannot be excluded under applicable law.

Data Protection Officer: dpo@weareplonet.org
Postal: Weareplonet Retail d.o.o., ul. Vaka Đurovića 14, 81000 Podgorica, Crna Gora
Regulator: Agencija za zaštitu ličnih podataka (AZLP), Podgorica, reg. no. 05-030/26-3427