Privacy Policy
Last updated: 24 April 2026
This policy describes how DT Software Ltd (“Aura”, “we”) collects, uses, and shares data when you use our hotel property management software. We wrote it to be readable — not to check a compliance box.
1. Who’s who
Aura is a business-to-business service. You (the hotel or property operator) are the data controller for the data you put into Aura — including your guests’ personal data. We are the data processor, acting on your instructions to operate the software.
2. What we collect
From you (the operator)
- Name, email, password hash
- Property details (name, address, timezone, currency)
- Staff accounts and role assignments
- Billing information when you subscribe (via Stripe)
- Product usage — which pages you visit, which actions you take (for audit and improvement)
From your guests, via your workflows
- Name, email, phone, country
- Reservation data (dates, room, amount, source)
- Digital check-in form submissions (ID documents, signatures)
- Messages exchanged through the Aura inbox
- Payment method details — tokenised via Stripe; full card numbers never touch our servers
3. Why we collect it
- To operate the software you’re paying for
- To send transactional emails (booking confirmations, password resets)
- To push availability + rates to channel managers and OTAs you connect
- To process payments you authorise
- To keep an audit log of changes for compliance + security
- To troubleshoot issues you report
We do not sell your data, we do not share your data with advertisers, and we do not train AI models on your or your guests’ data.
4. Who we share it with
Only the processors required to deliver the service you’re using:
- Stripe — payment processing. Handles card data directly; we receive tokenised references.
- Channel-management partner — brokers distribution to OTAs (Booking.com, Airbnb, Expedia, Agoda, etc.) when you enable it.
- SMTP provider (your choice — Postmark, AWS SES, etc.) — transactional email delivery.
- Hosting infrastructure — our cloud provider runs the servers + database.
- Error tracking — anonymised crash reports so we can fix bugs.
Each processor is bound by a data processing agreement with us. A full, up-to-date list is available on request: hello@aurapms.io.
5. Where it’s stored
Data is stored in the European Union by default. If you’re on a plan that requires a specific region, we’ll note the location in your account settings.
6. How long we keep it
- Active accounts: for as long as you use Aura.
- Cancelled accounts: up to 90 days of grace, then deleted. Export your data before you cancel.
- Audit logs + financial records: retained as long as required by applicable law (typically 7 years for tax records).
- Guest ID documents uploaded via digital check-in: retained only as long as you (the operator) configure. Default is 30 days after check-out; you can shorten this in settings.
7. Your rights (and your guests’)
Under GDPR and similar regimes, a data subject can request:
- A copy of the personal data we hold about them
- Correction of inaccurate data
- Deletion of their data (“right to be forgotten”)
- Restriction of, or objection to, processing
- Data portability (export in a common format)
Operators: you can exercise these rights directly from your account. Guests should contact the operator they booked with (their data controller), who will pass the request through to us if needed.
8. Cookies & tracking
We use a session cookie (“pms_session”) to keep you logged in — that’s it. No third-party analytics, no advertising pixels, no cross-site tracking.
9. Security
We use industry-standard protections: TLS in transit, bcrypt for passwords, session tokens hashed at rest, per-tenant data isolation, encrypted database backups. We never store raw card numbers or Stripe secret keys in plain text. An audit log of every state-changing action is available in your account — we encourage you to use it.
10. Changes to this policy
We may update this policy. Material changes will be announced by email or in-product at least 30 days before they take effect.
11. Contact
Privacy questions: hello@aurapms.io.
Security issues: hello@aurapms.io.