Dormaflow is built on principles of role-based access, data isolation, and transparency. We protect guest data, restrict staff access by role, and keep you in control of recovery when something goes wrong.
Staff only see what they need for their role.
Check-in guests, assign beds, process payments, view occupancy
Cannot see other staff pay rates, financial reports, or settings
View checkout queue, mark beds clean, confirm room status
Cannot access guest payment data or create bookings
Full access to operations, reports, staff management, and settings
Cannot view detailed guest payment methods (Stripe handles payment data)
All manager functions plus financial reports, team settings, and billing
Payment details remain protected by Stripe; raw card data never stored
Your data is completely separated from other hostels.
Each hostel workspace is isolated at the database level. Staff from one hostel cannot see bookings, guest lists, or operational data from another hostel—even if they work at multiple properties. This is enforced in the database, not just the UI, so no code bug can accidentally leak data between properties.
We collect only what you need to operate your hostel.
Guest names, contact details, and check-in/out dates are stored in Dormaflow to run your operations. We do not share this data with third parties for marketing or analytics. Payment card details are never stored or seen by Dormaflow—Stripe processes and secures all payment information. If a guest requests data deletion, you can remove them from Dormaflow; their data is permanently deleted.
All direct bookings go through Stripe.
Guests pay through Stripe's secure payment form. Dormaflow never sees credit card numbers, expiration dates, or CVV codes. Stripe handles PCI compliance. All payments are encrypted in transit (TLS 1.3) and stored securely. Payment settlement is instant; you receive funds within 1–2 business days depending on your bank.
Every important action is logged for transparency and recovery.
Who checked in which guest, when beds were marked clean, what rate was charged, and when operational errors occurred—all logged with timestamp and user. These logs are non-editable and available to you via the operational support dashboard. In the event of a dispute or investigation, you have a complete record of what happened and when.
Your staff login is protected with industry-standard methods.
Staff authentication uses secure token-based sessions with automatic timeout after 15 minutes of inactivity. Sessions are encrypted and validated on every request. Password reset links are single-use and expire after 1 hour. If your Wi-Fi is compromised, sessions cannot be hijacked because tokens are cryptographically signed.
You have clear control when something goes wrong.
If a guest was incorrectly marked as checked out, if a bed status is stale, or if a retry failed—you can manually override and correct the state from the dashboard. These overrides are logged. You are never locked out of your own data or stuck waiting for support to fix something you can fix faster yourself.
Clear boundaries on what Dormaflow does not access or store.
We do not monitor your Wi-Fi network, access your bank accounts, store raw payment card data, sell your data to third parties, use your data for AI training, or claim military-grade encryption that we cannot prove. We do not track guest behavior beyond what's necessary for check-in/checkout. We do not store unencrypted passwords.
Your staff can do their job without seeing salary data from other team members. Your guests' contact details are not sold to marketers. If a payment fails or data looks stale, you can manually override and move forward. You own your data. You have visibility into every action. You have control over recovery.
This is not marketing language. These are design principles we enforce at every layer: database, API, UI, and logging.