Privacy Policy
Last updated: June 10, 2026
1. Introduction
HMS FREEHOST ("we", "our", or "us") operates the hotel management system accessible at hms.freehost.id and the HMS FREEHOST mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in encrypted/hashed form)
- Phone number (optional)
- Address, city, and country (optional)
- Identity document type and number (for hotel staff verification)
2.2 Google Sign-In
If you choose to sign in with Google, we receive your name, email address, profile picture, and Google account identifier from Google. We do not receive your Google password.
2.3 Guest Information
Hotel operators using the Service may enter guest data including:
- Guest full name
- Identity document type and number
- Phone number and email
- Address, city, and country
- Booking notes and special requests
2.4 Reservation & Transaction Data
We store reservation details (check-in/check-out dates, room information, number of guests), banquet booking information, and point-of-sale transaction records as part of the hotel management functionality.
2.5 Payment Information
We record payment method categories (e.g., Cash, Bank Transfer, E-Wallet, QRIS) and transaction amounts for bookkeeping purposes only. We do not process online payments through the Service, and we do not store credit card numbers, CVVs, or full bank account details. All payments are settled offline (cash) or through the user's own banking or e-wallet application; the Service merely records the outcome of such transactions. Subscription payments to HMS FREEHOST are made manually via bank transfer or QRIS and verified by our admin team.
2.6 Uploaded Files
Hotel operators may upload images such as hotel photos and room photos through the Service. Uploaded images are stored on our cloud object storage provider. The Service uses the browser's standard file-picker dialog and does not access your camera directly; on mobile devices the Android system chooser lets you pick an existing photo from your gallery or capture a new one using the Android Camera app.
2.6.1 ID Card Scanner (OCR)
The guest registration form includes an optional ID Card Scanner feature that uses Optical Character Recognition (OCR) to auto-fill fields such as full name, ID number (NIK), and address from an uploaded ID document (KTP, SIM, Paspor, or similar). This feature is optional and is only used when a hotel operator actively uploads an ID card image.
To perform text recognition, the uploaded ID card image is transmitted (over HTTPS, in base64 form) to our third-party OCR provider, OCR.space (a service operated by A9T9 Software GmbH). The image is processed to extract text and the parsed fields are returned to your browser. HMS FREEHOST does not store the ID card image on its own servers; only the text fields you confirm and submit are saved to the guest record. OCR.space's handling of the image is governed by their own privacy policy (ocr.space/privacypolicy).
If you do not want your ID card image transmitted to a third-party OCR service, simply do not use the scanner — all guest fields can be filled in manually.
2.7 Automatically Collected Information
When you access the Service, we may automatically collect:
- IP address
- Browser type and version
- Device information
- Session cookies for authentication and security
2.8 Location Information
The Service may request access to your device's precise location via the browser or Android app geolocation permission. Location access is always optional and is only requested when you actively use a feature that requires it. You may decline the permission request, and the Service will continue to function with manual input.
Location data is used for the following purposes only:
- Hotel creation / editing (staff feature): automatically centering the map and filling in the latitude/longitude fields when a hotel operator sets up a property. The coordinates are stored as part of the hotel record so guests can find the hotel on the map.
- "Find Nearest Hotels" (guest feature on the Browse Hotels page): your current latitude and longitude are sent to our server only to sort available hotels by distance. The coordinates are used in-memory for the query and are not stored in any user profile and are not shared with third parties.
We do not collect location in the background, do not track your movements over time, and do not use location for advertising or analytics. You can revoke location permission at any time via your browser or Android system settings.
2.9 In-App and Push Notifications
The Service displays in-app notifications (shown in the notification bell within the application) for events such as new reservations, booking confirmations, payment status updates, and subscription reminders. These notifications are delivered inside the app when you are logged in and are stored in our database as part of your account activity.
The Service also supports push notifications via Firebase Cloud Messaging (FCM), a service provided by Google. Push notifications are opt-in and are only enabled after you explicitly grant notification permission through your browser or the Android system prompt. When enabled, your device registers an anonymous FCM registration token that we store securely in our database and associate with your user account solely for the purpose of delivering notifications to your authorized devices. The token does not contain personally identifying information and can be revoked at any time by disabling notifications in your device or browser settings, or by signing out of the application. We do not use push notifications for marketing or advertising; they are limited to Service-related events (new reservations, cancellations, payment confirmations, and subscription invoices).
Email notifications (e.g., invoices, payment receipts) are delivered via the email address associated with your account.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the hotel management Service
- Authenticate users and manage access control
- Process reservations, banquet bookings, and record transactions
- Center maps and determine hotel coordinates when you explicitly grant location permission
- Sort available hotels by distance when you use the "Find Nearest Hotels" feature
- Send transactional emails (booking confirmations, invoices, payment receipts)
- Send subscription-related notifications (invoices, expiry reminders)
- Display in-app notifications for Service-related events
- Deliver opt-in push notifications via Firebase Cloud Messaging for reservation, cancellation, payment, and subscription events (only when you enable notifications)
- Protect against fraud and unauthorized access
- Improve and optimize the Service
4. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Google OAuth | Social login | Name, email, profile picture |
| Cloudflare Turnstile | Bot protection (CAPTCHA) | IP address, browser data |
| Cloudflare R2 | File/image storage | Uploaded images |
| OpenStreetMap / Nominatim | Location search and map tiles | Search query text, map view coordinates |
| OCR.space (A9T9 Software GmbH) | Optical Character Recognition for the optional ID Card Scanner | Uploaded ID card image (transmitted, not stored by HMS FREEHOST) |
| Firebase Cloud Messaging (Google LLC) | Delivery of opt-in push notifications for reservations, cancellations, payment confirmations, and subscription events | Anonymous device FCM registration token, notification title, body, and event metadata (e.g., reservation ID). No marketing content is ever sent. |
| WhatsApp (Meta Platforms) | Optional deep link for payment confirmation of subscription invoices | Pre-filled confirmation message (invoice number, hotel name, amount) — only if you click the WhatsApp button |
| Email provider (SMTP) | Transactional emails | Email address, email content |
Each third-party service has its own privacy policy governing their use of your data. We recommend reviewing their respective policies.
5. Cookies & Local Storage
We use the following cookies:
- Session cookie — required for authentication (expires after browser session or 120 minutes of inactivity)
- CSRF token cookie — required for security against cross-site request forgery
- Remember me cookie — optional, for persistent login if you choose "Remember Me"
The Service Worker may cache static assets (CSS, JavaScript, images) locally for offline functionality. No personal data is cached by the Service Worker.
We do not use third-party analytics or advertising cookies.
6. Data Security
We implement industry-standard security measures including:
- Password hashing (bcrypt)
- HTTPS encryption for all data in transit
- CSRF protection on all forms
- Role-based access control
- API authentication via tokens
- Multi-tenant data isolation (each hotel can only access their own data)
7. Data Retention
We retain your account data for as long as your account is active. When an account is deleted, the data is soft-deleted and may be retained for a reasonable period for backup, legal, or legitimate business purposes before permanent deletion.
Reservation and transaction records are retained as required for hotel operational and legal compliance purposes.
8. Your Rights
You have the right to:
- Access your personal data stored in the Service
- Request correction of inaccurate data
- Request deletion of your account
- Withdraw consent for optional data processing
To exercise any of these rights, please contact us at the email address provided below.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
11. Android Application Permissions
The HMS FREEHOST Android application (distributed via Google Play Store) is a Trusted Web Activity (TWA) wrapper of the web Service. It may request the following runtime permissions, all of which are optional and requested only when a relevant feature is used:
| Permission | Purpose | Required? |
|---|---|---|
Internet (INTERNET) |
Communicate with our servers | Yes (required) |
Precise Location (ACCESS_FINE_LOCATION) |
Auto-fill hotel coordinates and find nearest hotels | No (optional, user prompt) |
Notifications (POST_NOTIFICATIONS) |
Display push notifications for reservations, cancellations, and subscription events via Firebase Cloud Messaging (FCM) | No (optional, user prompt; Android 13+) |
Push notifications: The Service uses Firebase Cloud
Messaging (FCM) to deliver push notifications to authorized
devices. Notifications are opt-in: on Android 13 and above
the system will prompt you for the POST_NOTIFICATIONS
permission the first time you enable push notifications in the app. You can
revoke this permission at any time from Android Settings → Apps →
HMS FREEHOST → Notifications. Notifications are limited to Service
events (new reservations, cancellations, payment confirmations, subscription
invoices) and are never used for marketing or advertising.
Camera & Storage: The Android app does not
declare or request the CAMERA, READ_EXTERNAL_STORAGE,
or READ_MEDIA_IMAGES permissions. When you upload an image (hotel
photo, room photo, or ID card for OCR), the Android system file/photo picker
opens; you may optionally choose to capture a new photo through the Android
Camera app. The picker grants the app one-time access only to the specific
file you select, so no broad camera or gallery permission is ever granted to
the Service.
The Android app does not request access to your microphone, contacts, SMS, call logs, background location, device identifiers, or any other sensitive permission beyond those listed above.
12. Contact Us
If you have any questions about this Privacy Policy, please contact us:
- Email: [email protected]
- Website: hms.freehost.id