Outreach Privacy Notice
This notice explains why and how Easy RFP contacts hotel sales and RFP teams during our. It covers our legal basis, the narrow categories of data we use, and the one-click ways you can opt out at any time.
1. Who is contacting you
Easy RFP is an independent European software product that helps event planners send, compare, and manage hotel RFPs. During our (April to June 2026), we are contacting a small number of European hotel sales and RFP teams to introduce the product and invite feedback.
Data controller: Easy RFP · [email protected] · easyhotelrfp.com
2. Our legal basis (GDPR Art. 6(1)(f))
We send this outreach under the legal basis of legitimate interest (Article 6(1)(f) GDPR). We believe a short, relevant, professional introduction to an RFP or group sales team at a business address is within the reasonable expectations of a B2B recipient, and is not overridden by your interests, rights, and freedoms because:
- We contact business role inboxes only (sales, events, groups, meetings, RFP, reservations) that are published by the hotel for commercial enquiries — not personal email accounts.
- The product we are introducing is directly relevant to the recipient’s job function.
- Volume is capped per domain and per day, and the programme includes automatic safeguards that pause all outreach if bounce, complaint, or failure rates exceed pre-set thresholds.
- Every message includes a one-click opt-out in the headers and a plain-language unsubscribe link in the body.
We have performed a documented Legitimate Interests Assessment (LIA) and can share a summary on request.
3. Where we got your contact details
Role inbox addresses used in this programme were obtained from publicly available commercial sources, including:
- Public hotel websites (Contact, Meetings & Events, Press, Sales pages).
- Public business listings on Booking.com, Google Business, and the hotel’s own domain.
- Industry directories that publish role-based sales and RFP contacts.
We do not buy marketing lists, scrape personal inboxes, or use enrichment services that harvest personal mobile numbers.
4. What data we use
| Category | Examples | Retention |
|---|---|---|
| Business contact | Hotel name, role inbox (e.g. sales@…), city, locale | Until opt-out or end of + 30 days |
| Engagement events | Delivered, opened, replied, bounced, unsubscribed, complained | 90 days, then aggregated |
| Reply content | Free-text replies you send back to us | Until opt-out, then deleted within 30 days |
| Suppression record | Unsubscribed email address + timestamp | Retained indefinitely to honour your opt-out |
We do not use special-category data. We do not profile recipients for automated decisions that produce legal effects.
5. One-click opt-out — four ways
Any of the four methods below will permanently suppress your address. You do not need to confirm, justify, or reply.
- 1. Use the unsubscribe link at the bottom of any email we send you. One click, no login, no form.
- 2. Gmail, Apple Mail, Outlook’s built-in Unsubscribe button — we support RFC 8058 one-click headers, so the native button in your inbox works.
- 3. Reply with the word “unsubscribe” and nothing else, to the email you received.
- 4. Email [email protected] with “Unsubscribe outreach” in the subject and we will remove you within one business day.
If an address or whole domain is opted out, we also suppress every related role inbox at that hotel so nobody on your team is re-contacted.
6. Your rights under GDPR
You have the following rights in relation to personal data we hold about you:
- Object to processing based on legitimate interests (Art. 21) — this is what the unsubscribe flow does.
- Access a copy of the data we hold about you (Art. 15).
- Rectify data that is inaccurate (Art. 16).
- Erase data, subject to our legal obligation to keep a suppression record (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Lodge a complaint with your national supervisory authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.
To exercise any right, email [email protected]. We respond within 30 days and do not charge for first requests.
7. Sub-processors for this programme
| Provider | Role | Region |
|---|---|---|
| Supabase | Database and edge functions | EU (eu-west-2) |
| Resend | Transactional email delivery | EU/US (SCCs) |
| Cloudflare | Website hosting, DDoS protection | Global edge |
| PostHog | Aggregated programme health analytics | EU |
All processors are contractually bound by Data Processing Agreements. International transfers rely on European Commission Standard Contractual Clauses (SCCs).
8. Data security
All outreach data is stored in the EU and encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is limited to the Easy RFP founder team on a need-to-know basis, with role-based permissions and audit logging. We do not share your contact data with third-party marketers or advertisers.
9. Changes to this notice
If we materially change how this programme operates, we will update this page and refresh the “Last updated” date. Prior versions are available on request.
10. Contact
Questions, objections, or requests related to this outreach programme:
Easy RFP
Data protection contact
Email: [email protected]
Full privacy policy: easyhotelrfp.com/privacy