YMMEHotels
Become a partner
Insights · Data

Who owns your hotel's data — and why where it lives matters

By the YMME revenue team·9 min read·June 2026

A hotel runs on data — every booking, every preference, every passport scanned at check-in. Most owners assume they control it. The breach numbers from the last two years, and the fine print in the average OTA and brand contract, say otherwise. Here is who actually owns your guest data, who is liable when it leaks, and why the question of where it physically sits has stopped being an IT detail — especially for owners outside the West.

The year the data leaked

Hospitality has become one of the most attacked industries on earth. By VikingCloud's 2025 report, 82% of North American hotels suffered a successful breach in a single summer; more than half were hit five times or more. The average hospitality breach now costs around $4.03 million. The headline incidents are familiar — Marriott exposed 283 million guest records and settled for $52 million; MGM lost over $100 million to a single social-engineering attack.

But the most instructive breach is the one most owners haven't heard of. When the hotel-management platform Otelier was breached, it spilled roughly 437,000 customer email addresses along with names, addresses, phone numbers and booking records — for hotels under Marriott, Hilton and Hyatt. None of those brands was hacked. Their vendor was. Your data is only ever as safe as the weakest company you hand it to.

Who actually owns it (it isn't you)

For years, brands and OTAs treated guest data as their property. The law has quietly turned that on its head. Under GDPR, and California's CCPA/CPRA, the personal data belongs to the guest — they grant you the right to use it, and they can limit or revoke it. You don't own your guest's data. You are trusted with it.

That distinction has teeth. In GDPR terms the hotel is usually the data controller — the party responsible for how guest data is handled, and the party that pays when it goes wrong. Fines run up to €20 million or 4% of global annual revenue, whichever is higher. Worse, if you operate on a brand's systems you may be a joint controller: liable for data you don't fully control. The liability is yours; the control often isn't.

OTA data is not ownership. It is temporary visibility — borrowed at the exact moment recognition matters most.

The OTA sleight of hand

This is where distribution and data quietly become the same problem. An OTA controls discovery and keeps the guest's identity at the moment of booking; the hotel often receives usable data only after the stay, if at all. You see the booking, but you cannot truly use the relationship. The platform shares as little of the guest as it can while taking as much of yours as it can. (We unpack the commercial side of this in the real cost of OTA commissions.)

Why where it lives is now a business question

GDPR is extraterritorial: hold the data of one EU resident and it applies to you, wherever you operate. That alone forces a question most hotels have never answered — where, physically, does our guest data sit, and under whose laws? For an independent in the CIS, Asia or Africa, the answer carries an extra weight Western hotels rarely consider: a guest database living inside a US hyperscaler is exposed not only to that provider's terms but to sanctions and access regimes outside your control. Sovereignty — knowing the jurisdiction your data lives under, and being able to keep operating regardless of someone else's politics — has become a real line item, not a slogan.

What an owner should actually demand

You do not need to become a privacy lawyer. You need to ask five questions and get them in writing:

  • Where does the data physically live, and under which jurisdiction? A vague "the cloud" is not an answer.
  • A Data Processing Agreement from every vendor — PMS, channel manager, OTA, concierge tool. Each one touching guest data must have one. It is mandatory under GDPR, and most owners have never collected them.
  • Who is controller, who is processor? Know exactly where your liability begins and ends, especially under a brand's systems.
  • Can you export everything, cleanly, on exit? Data you cannot take with you was never really yours.
  • What happens if the vendor disappears? Continuity — escrow, export, a path to keep running — should be written down before you sign, not improvised after a breach.
Where YMME fits — plainly. Our data and code questions are answered in the open on the Data & Security page: jurisdiction in the Republic of Armenia (Law HO-49-N) with GDPR standards for EU guests, a platform designed to avoid US hyperscaler lock-in, source-code escrow, and guest data that stays yours with a clean export on exit. We also mark what is still being finalised, because pretending otherwise would defeat the point. YMME is pre-launch with no operating portfolio yet.

Sources

Breach frequency and cost: VikingCloud 2025 State of Hospitality Cyber; Verizon DBIR. Marriott / MGM / Otelier incidents: public reporting. Data ownership, controller/processor and GDPR penalties: Ericsoft, EU GDPR (Art. 83). Figures are industry benchmarks, not YMME results.

See exactly where your data would live.

Data & Security
RelatedThe real cost of OTA commissionsAI concierge: reality vs marketingThe partnership model
We use only essential local storage to remember your language and view. No tracking, no ads. Details