Trust centre
A practical account of data isolation, provider use, payments, retention, and the route for security or privacy review.
Current security read · July 2026
Rose-Brook sends controlled hotel benchmark context only to the providers needed to run enabled features. Account, billing, and authentication secrets are not included in benchmark prompts.
Review route
Hotel groups, advisers, and procurement teams can request current data-processing information or send a security questionnaire through support.
Request a trust reviewSafeguards
Authenticated workspace records are scoped to the signed-in user. Database row-level security and server-side ownership checks protect hotel, benchmark, competitor, and analytics records.
Checkout and card handling are provided by Stripe. Rose-Brook stores customer, subscription, price, and billing-status references rather than card details.
Google Analytics OAuth tokens are encrypted by the application before storage. The connection uses read-only analytics access and can be disconnected from the workspace.
Production traffic uses HTTPS with HSTS. Security headers restrict framing, content types, browser permissions, and the external services that pages may connect to.
Subprocessor register
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication, database, and protected workspace records | Account, hotel, benchmark, and operational data |
| Vercel | Application hosting, delivery, and product analytics | Requests, technical logs, and page analytics |
| Stripe | Checkout, subscriptions, and billing portal | Billing identity and subscription references |
| Resend | Transactional and benchmark-report email | Recipient details and message content |
| OpenAI, Google, and Anthropic | Enabled AI benchmark execution | Controlled prompts containing relevant hotel and competitor context |
| Google Places | Hotel identity search | The hotel search phrase |
| Google Analytics | Optional customer-connected referral reporting | Read-only reporting data when the customer enables it |
AI provider use
Prompts may contain hotel names, locations, competitors, stay attributes, and public positioning details. Enabled providers receive only the context needed for that run.
Retention and deletion
Workspace and benchmark records are retained while needed to operate the service and preserve the requested audit history. Access, correction, and deletion requests go through privacy support.
Incidents and questions
Report a suspected security issue or request current processing information through the support form. Rose-Brook replies to the verified contact address supplied there.
This overview supports, but does not replace, the full privacy notice and service terms.