Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Cloudbeds is a hospitality management platform providing property management, channel management, and online booking engine software for hotels, hostels, and vacation rentals. Its embedded booking widget collects guest personal data including names, contact details, and payment information. While the booking data relies on contract performance as its legal basis, the widget sets cookies requiring ePrivacy consent, and all guest data is processed in the United States.
Cloudbeds is a comprehensive hospitality management platform used by hotels, hostels, bed and breakfasts, and vacation rental properties worldwide. It provides a property management system (PMS), channel manager for OTA distribution, and an embedded online booking engine that can be integrated into a property''s website. When guests book directly through the Cloudbeds booking engine, their personal and payment data is captured, processed, and stored in Cloudbeds'' US-based system. The platform also manages guest profiles, housekeeping, revenue management, and integrates with payment gateways.
Cloudbeds collects guest name, email address, phone number, nationality, date of birth (for identification purposes in some jurisdictions), arrival and departure dates, room preferences, special requests, and payment card details (tokenised through the payment gateway). It also collects IP addresses and device information when the booking widget loads. Guest profiles are retained across bookings to build stay history and preferences. In some countries, hospitality regulations require retention of guest identity data for specified periods.
The GDPR compliance profile of Cloudbeds is relatively straightforward for direct booking use cases. The collection of guest data necessary to process the reservation has a clear contract performance basis. The ePrivacy Directive still requires consent for non-essential cookies set by the booking widget script before booking begins. Particular attention is required for marketing communications: using guest email addresses for post-stay marketing requires a separate marketing consent, as the contract performance basis only covers the booking transaction itself.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Consent for the booking data is not required as contract performance covers the processing. However, ePrivacy consent is required for non-essential cookies set by the Cloudbeds widget before booking begins. Guests must be informed through a privacy notice at the point of booking that their data will be processed by Cloudbeds in the US. For marketing emails post-stay, a separate opt-in marketing consent must be captured, typically via a checkbox on the booking form. This marketing consent must be separate from the booking acceptance.
Cloudbeds is a US company and processes all guest and reservation data on US infrastructure. Standard Contractual Clauses apply as the transfer mechanism. Hospitality operators in the EU must disclose this transfer in their privacy policy, sign Cloudbeds'' Data Processing Agreement, and document the transfer in their Records of Processing Activities. Guests must be informed of the US transfer before completing their booking.
To use Cloudbeds compliantly: obtain ePrivacy consent before the booking widget script loads; display a privacy notice on the booking page identifying Cloudbeds as a processor and disclosing the US transfer; include a separate opt-in for marketing communications on the booking form; sign Cloudbeds'' DPA; update your privacy policy; configure data retention periods in the Cloudbeds admin panel to align with local hospitality regulations and GDPR data minimisation; implement a process for handling guest data subject requests including erasure; and document the processing in your RoPA.
Websites using Cloudbeds must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard hotel booking deployments. It becomes advisable when Cloudbeds is integrated with payment processors, loyalty programs, or CRM systems that extend the guest data processing scope, or when guest profiling for marketing purposes goes beyond the original booking relationship.
Sample consent text
This booking form is powered by Cloudbeds (Cloudbeds.com Inc., United States). To process your reservation, Cloudbeds will collect your name, email address, phone number, payment details, and stay preferences. This data will be processed in the United States. Your information is necessary to complete your booking. Please review our privacy policy for full details.
Third-party domains contacted
cloudbeds.comhotels.cloudbeds.comapi.cloudbeds.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cb_session | session | Session | Session identifier used to maintain the active booking flow state and guest form data |
| cb_visitor | persistent | 1 year | Anonymous visitor identifier used to track booking funnel behaviour and attribution |
Cloudbeds uses cookies for user preferences — inform visitors with a consent banner.
Cloudbeds collects guest name, email, phone number, nationality, date of birth, arrival and departure dates, room preferences, special requests, and payment card details (tokenised). IP addresses and device information are also collected when the booking widget loads. Guest profiles and stay history are retained across bookings.
For booking data, no separate consent is required as contract performance covers the processing. However, ePrivacy consent is required for non-essential cookies the booking widget sets before guests start booking. Guests must also receive a privacy notice before entering their data, identifying Cloudbeds as a processor and disclosing the US data transfer.
Contract performance (Art. 6(1)(b)) is the primary basis for processing reservation and guest data necessary to fulfil the booking. Legal obligation (Art. 6(1)(c)) applies where local hospitality regulations require retention of guest registration data. Marketing communications to past guests require a separate consent. Consent (Art. 6(1)(a)) is required for non-essential booking widget cookies.
Yes. Cloudbeds is a US company and processes all reservation and guest data on US infrastructure. Standard Contractual Clauses apply as the GDPR transfer mechanism. European hospitality operators must sign Cloudbeds' DPA and disclose the US transfer in their guest-facing privacy policy.
Generally not for standard property management and direct booking use cases. A DPIA becomes advisable when Cloudbeds is integrated with payment processors, loyalty programs, or CRM systems that significantly extend the guest data scope, or when detailed guest profiling for targeted marketing is implemented beyond the booking relationship.
Only with separate marketing consent. The contract performance basis covers reservation processing but not post-stay marketing. You must capture a separate, explicit marketing opt-in on the booking form, distinct from the booking acceptance. Do not pre-tick the marketing consent box. Guests who decline marketing must still be able to complete their booking.
Mews is a Dutch hospitality platform with EU data residency. Apaleo is a German-founded cloud PMS with GDPR-compliant EU infrastructure. Lodgify offers EU data processing options. For smaller properties, open-source hotel PMS tools like Hotelogix can be self-hosted on EU infrastructure for full data sovereignty.
For access requests, export the guest profile and booking history from the Cloudbeds admin panel. For erasure requests, delete the guest profile, anonymise booking records where retention is required by law for accounting or hospitality regulation purposes, and confirm deletion in writing. Document all requests in your data subject request log. Note that some booking records may need to be retained for legal obligation periods before erasure.