Parte-Listo

Privacy policy

How Parte-Listo processes personal data, including SES.Hospedajes traveller data.

Last updated: April 2026

Summary

Parte-Listo converts CSV, XLS and XLSX files into SES.Hospedajes XML. The service is designed not to store per-traveller personal fields in Postgres.

The public SES.Hospedajes preview and export endpoints read the file in memory, generate the preview or XML, and do not write traveller files to persistent storage.

Controller

RADOM UG (haftungsbeschraenkt), Telemannstr. 2, 60323 Frankfurt am Main, Germany.

Privacy contact: support@parte-listo.es.

Data we process

Account data: name, email, password hash, verification status, preferences, plan and support data.

Establishment data: CIF/NIF, official commercial name, address, province, autonomous community, tourism registration number, email, phone and default check-in time.

Conversion data: filename, size, checksum, detected PMS, traveller count, validation result, technical XSD errors and output checksum. We do not store traveller fields such as name, document number, nationality, birth date, phone or address.

Traveller data and retention

Traveller fields are processed to normalize, repair and validate the SES.Hospedajes XML requested by the user. We do not create a travellers table and do not persist those fields in the database.

When an authenticated flow stores a source file or output file in local/S3 storage, the database records a file expiry and scheduled cleanup is configured to remove source/output files after a maximum of 24 hours. Visible conversion metadata is retained for up to 90 days; soft-deleted records may remain for up to 30 additional days before hard deletion, unless legal, security or billing requirements or a valid deletion request require a different period.

Deletion is scheduled, so a file may remain until the next cleanup run within the stated window.

AI repair and normalization

AI calls run server-side only through Parte-Listo's Azure OpenAI configuration, using GPT-4o/GPT-4o Vision where the flow requires it. AI keys are never exposed to the browser.

Data sent to the model is limited to what is needed to repair headers, normalize fields, classify documents, infer phone prefixes or review ambiguous values. AI output is validated again before preview or download.

We do not use customer traveller data to train our own models. Provider-side processing is governed by the applicable Microsoft Azure contract and terms.

External services

Authentication: first-party credentials and, if enabled, Google OAuth.

Payments: Stripe processes payments, subscriptions, invoices and webhook events.

Email: Resend or the configured transactional provider sends registration, verification and support emails.

Analytics and consent: Umami and the cookie banner are used according to the selected consent.

Infrastructure: hosting, Postgres, Redis and S3-compatible storage run on the providers configured for the application.

Cookies and logs

We use necessary cookies for session, security, language, consent and free-quota enforcement. Analytics cookies load only when accepted.

Technical logs may include paths, error codes, timings, truncated IPs or internal identifiers. The application applies PII redaction filters, and auth validation logging records field names and types, not values.

Legal basis and rights

We process data to perform a contract or pre-contractual steps, comply with legal obligations, protect service security and, where applicable, on the basis of consent.

You may request access, rectification, deletion, restriction, portability or objection. You may also withdraw future consent. Contact support@parte-listo.es.

Security and changes

We use TLS, access controls, server/client separation for secrets, XSD validation and scheduled cleanup of temporary files.

We may update this policy when the product, infrastructure or law changes. The current version will be published on this page.