Your guest data, handled with care.

All guest data is stored in Supabase Postgres, hosted on AWS infrastructure in the Sydney region (ap-southeast-2). Data never leaves this region for storage purposes.

File attachments (guest photos, observation attachments) are stored in Supabase Storage, same region.

Application hosting is provided by Vercel, with edge delivery from the nearest CDN node.

Data is encrypted at rest using AES-256 on Supabase-managed infrastructure.

All traffic between client, server, and database is encrypted in transit over TLS 1.3. No unencrypted connections are accepted.

Database credentials, API keys, and service tokens are stored exclusively as environment variables in Vercel, never committed to source control.

Every row in every table is protected by Row Level Security (RLS). A user can only read or write data belonging to the hotel they are assigned to. This is enforced at the database level, not the application layer.

Roles follow a strict hierarchy: platform admin → hotel admin → manager → staff. Sensitive sections (SPA preferences, confidential observations, dietary restrictions) are additionally filtered by department.

Two-factor authentication is available through Supabase Auth. Single Sign-On (SAML/OIDC) is on the roadmap for enterprise clients.

CORN acts as a data processor. You, the hotel, are the data controller for your guest records. We process guest data strictly on your instructions.

We support the full range of GDPR data subject rights:

• Right of access — export all data for a guest in JSON format
• Right of rectification — edit or correct guest records from the admin interface
• Right of erasure — delete a guest and all associated records (pillars, observations, stays, preparations, attachments)
• Right of restriction — flag a guest record as restricted to prevent further processing
• Data portability — export in a structured, machine-readable format

Requests are fulfilled within 30 days of a verified controller request.

A Data Processing Agreement (DPA) compliant with Article 28 GDPR is available on request. The DPA covers scope of processing, security obligations, subprocessor disclosure, breach notification, and cross-border transfer safeguards (Standard Contractual Clauses where applicable).

Contact privacy@meetcorn.com to request a copy.

CORN relies on a minimal set of trusted subprocessors. The current list:

• Supabase Inc. — database, authentication, file storage (Sydney, AU)
• Vercel Inc. — application hosting, edge CDN (global)
• Resend / Supabase SMTP — transactional email delivery

Any change to this list is communicated to controllers 30 days in advance, with a right to object.

In the event of a confirmed data breach affecting personal data, affected controllers are notified within 72 hours of our becoming aware of the breach, in line with Article 33 GDPR.

Notifications include the nature of the breach, categories and approximate numbers of records affected, likely consequences, and remediation steps taken.

Guest data is retained as long as the controller (the hotel) maintains an active CORN account. On account termination, data is returned in exported form and permanently deleted within 30 days unless legal retention requirements apply.

Internal audit logs (who accessed or modified what) are retained for 12 months.

Individual guest records can be deleted at any time by an authorized user.

Every create, update, and delete on sensitive tables (guests, pillars, observations, stays, profiles) is logged with the acting user, timestamp, old and new values. Audit records are hotel-scoped and available to hotel administrators.

Supabase performs automated daily backups with point-in-time recovery. Vercel deployments are immutable and versioned; a rollback to any previous release is available in seconds.

In the unlikely event CORN ceases operations, we commit to providing a full data export and a 90-day wind-down window for controllers to migrate.

CORN is an early-stage product. We are not yet independently certified, and we will not claim otherwise. Our current posture:

• Annual penetration test — conducted by an independent third party. Report available under NDA on request.
• SOC 2 Type I — target completion Q3 2026.
• ISO 27001 — target certification Q2 2027.

Supabase (our database provider) holds SOC 2 Type II and ISO 27001 certifications. Their reports are available at supabase.com/security.

Our commitments for production incidents:

Incidents are logged, root-cause analysed, and a written post-mortem is shared with affected controllers within 5 business days of resolution.

We recognize that hotels deploying CORN for guest profiling may be required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35.

We provide the following to support your DPIA:

• A completed CORN Data Flow description covering categories of data processed, retention periods, and legal bases
• Our executed Data Processing Agreement (DPA, Article 28 compliant)
• Our current subprocessor list with transfer mechanisms (Standard Contractual Clauses where applicable)
• Technical and organisational measures (TOMs) documentation

Contact privacy@meetcorn.com with subject line DPIA support request. We respond within 3 business days.

How data moves through the CORN stack:

No data transits through third-party analytics, CDN caches, or AI providers. All personally identifiable data stays within the Supabase Postgres instance in Sydney (AWS ap-southeast-2).