Legal

Privacy Policy

Last updated 23 June 2026

Linen operates an infrastructure layer that carries guest context between hospitality partners. This policy explains what personal data we process, why, and the rights you have over it. It is written to meet the EU General Data Protection Regulation (GDPR) and the Portuguese RGPD.

1. Who we are

Linen ("Linen", "we", "us") is the entity responsible for the platform described on this website. For data exchanged through partner integrations, the partner establishment is the data controller and Linen acts as a processor on their behalf. For data you provide directly to us — for example through our contact or subscription forms — Linen is the controller.

You can reach our Data Protection Officer at dpo@linen.agency.

2. Scope

This policy covers our public website, the partner workspace, and the Linen widget embedded on partner sites. It does not cover the independent privacy practices of partners or third parties who may link to or from our services; those are governed by their own notices.

3. Personal data we process

Depending on how you interact with Linen, we may process:

  • Guest context data — booking references, stay dates, stated preferences, dietary or accessibility notes, and service history shared between partners.
  • Partner account data — names, business email addresses, company details, and billing identifiers of partner staff.
  • Enquiry data — the name, email, subject, and message you submit through our forms.
  • Technical data — IP address, device and browser type, and aggregated usage events needed to operate and secure the service.

We do not seek to process special-category data and ask partners not to transmit it through Linen unless strictly necessary and lawfully justified.

4. How we collect it

We receive data directly from you, automatically through your use of our services, and from partners who integrate the Linen widget under a Data Processing Agreement. Guest context is only transmitted where there is a lawful basis recognised by the originating partner.

5. Why we process it and our legal bases

  • Performance of a contract — to provide the platform to partners and to respond to your requests.
  • Legitimate interests — to secure, maintain, and improve the service, balanced against your rights.
  • Legal obligation — to meet accounting, tax, and regulatory duties.
  • Consent — where required, for example certain non-essential cookies; consent can be withdrawn at any time.

6. Sharing context between partners

The core purpose of Linen is to let a guest's context follow them between participating partners. Sharing only occurs within the network defined by the controlling partner and only for the purpose of preparing and delivering the guest's experience. Partners remain responsible for the lawfulness of the context they originate.

7. Service providers and sub-processors

We rely on a limited set of vetted sub-processors for hosting, payment (Stripe), and communications. Each is bound by contract to process data only on our instructions and to maintain appropriate safeguards. A current list is available on request to dpo@linen.agency.

8. International transfers

Linen stores personal data within the European Union. Where a sub-processor operates outside the EEA, transfers are protected by an adequacy decision or by Standard Contractual Clauses together with supplementary measures.

9. Retention

We keep personal data only as long as necessary for the purposes above, after which it is deleted or irreversibly anonymised. Guest context is retained according to the instructions of the controlling partner; enquiry data is kept for up to 24 months unless a longer period is legally required.

10. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to the processing of your data, and the right to data portability. You can exercise the right to erasure or request a copy of your data through our Right to be Forgotten page, or by writing to our DPO.

11. Security

We apply encryption in transit and at rest, role-based access controls, continuous audit logging, and regular review of our technical and organisational measures. No system is perfectly secure, but we work to reduce risk to a level appropriate to the data we handle.

12. Cookies and tracking

Our public website uses only the cookies strictly necessary to function. We do not run advertising trackers. Where any non-essential cookie is introduced, we will ask for your consent first.

13. Children

Linen is intended for use by businesses and is not directed at children. We do not knowingly collect data from anyone under 16.

14. Changes to this policy

We may update this policy to reflect changes in our practices or the law. Material changes will be signalled on this page with a revised "last updated" date.

15. Contact and complaints

For any privacy question, contact dpo@linen.agency. You also have the right to lodge a complaint with your local supervisory authority — in Portugal, the Comissão Nacional de Proteção de Dados (CNPD).