Privacy Policy
At Alfred Hospitality AI, we collect information to provide and improve our services.
This includes personal information you provide directly, as well as data collected automatically through your use of our platform.
1. Introduction and Scope
This Privacy Policy explains how Alfredco.host collects, uses, stores and shares personal data when you use our websites, applications and services. It applies to hosts, property managers, guests whose information is processed through our service, website visitors and any other individuals whose personal data we handle.
Alfredco.host acts as data controller for user account data and website visitor data. When processing guest data on behalf of hosts (e.g., reservation details and guest messages), we act as data processor under the GDPR and a service provider under CCPA/CPRA. We provide a Data Processing Addendum (DPA) that forms part of your agreement with us and sets out our obligations as a processor.
2. Personal Data We Collect
We collect personal data through several channels:
Data provided by users (hosts/property managers): Account information (name, email address, phone number, business details, password and profile details). Billing information (payment method processed by Stripe, billing address and VAT or tax identifiers; we store limited billing details; Stripe processes full payment card data). Property and listing data (property addresses, descriptions, photos, house rules and OTA listing identifiers). Communications (information you provide in support enquiries, surveys or feedback).
Data obtained from integrated OTA platforms: When you connect your OTA account, we retrieve reservation details (guest names, booking dates, property booked, price), guest profile information (as available), and message histories to provide a unified inbox and automate communications.
Data from messaging services (e.g., WhatsApp): If you integrate WhatsApp, we collect message content and metadata (timestamps, recipient numbers) to manage conversations. We adhere to WhatsApp's policies and require hosts to obtain consent from guests before sending messages.
Data collected automatically (usage data): We collect log data such as IP address, device type, browser type, operating system, referring URLs and pages visited; cookies and similar technologies (see Section 9 on Cookies); and anonymised analytics through third-party tools to improve the service.
AI interaction data: When you use the AI assistant, your prompts and relevant context (including guest inquiries) are sent to our AI provider to generate responses. We may log and anonymise these interactions to improve our AI features; AI providers do not use API data for training models by default.
Guest data: We process guest personal data (e.g., name, contact details, reservation information and message content) solely to provide the service to hosts. Hosts must ensure they have a lawful basis to collect and share guest data with us. We do not use guest data for any purpose other than delivering the service or as required by law.
Sensitive personal data: Our service is not intended to process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data or data concerning sex life or sexual orientation), or full payment card numbers or bank account numbers. We ask users not to input such information. If you inadvertently provide sensitive data, we will delete or anonymise it when detected.
Minors' data: Our service is not directed at children under the age of 16 and should not be used to process their personal data. Hosts must not input personal data of guests under 16 unless they have obtained verifiable parental or guardian consent. If we become aware that minors' data has been processed without consent, we will delete or anonymise it.
3. Purposes of Processing and Legal Bases
Providing and improving the service: We use account, property and guest data to provide the core features of our platform — managing reservations, generating AI responses, sending messages and providing analytics. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legitimate interest. We have conducted Legitimate Interest Assessments; documentation is available upon request.
Payments and subscription management: Billing information is used to process payments, handle renewals and provide invoices. Legal basis: performance of a contract and compliance with legal obligations (e.g. tax laws).
Communications: We use contact information to send service-related emails (account confirmations, billing notices, security alerts), respond to support requests and, with consent, send marketing communications. Legal basis: performance of contract, legitimate interest and/or consent (for marketing).
Customer support: Support data is used to assist users and improve support quality. Legal basis: legitimate interests.
Analytics and product development: We analyse aggregated usage data to understand how the service is used and to improve features. Legal basis: legitimate interests, with measures to protect privacy (e.g., anonymisation).
Security and abuse prevention: We use log data and analytics to detect fraudulent or abusive behaviour, protect accounts and maintain system integrity. Legal basis: legitimate interests and compliance with legal obligations.
Legal compliance: We process data as necessary to comply with laws, respond to lawful requests and enforce our terms. Legal basis: compliance with legal obligations and legitimate interests.
Advertising: At present we do not sell personal data or engage in cross-contextual behavioural advertising. If we use advertising cookies, we will obtain consent where required and provide a "Do Not Sell or Share My Personal Information" option.
4. How We Share Personal Data
We share personal data only as necessary to provide the service and comply with law. Service providers: We engage third-party service providers (processors) for payment processing (Stripe), hosting (cloud providers), email/SMS delivery, analytics, AI processing and customer support. These providers are contractually obligated to handle personal data only as instructed and to implement appropriate security measures.
Within Alfredco.host: Authorised employees and contractors may access personal data only as needed for their job functions and are subject to confidentiality obligations. Business partners: If you enable optional integrations, we share data with that partner at your instruction. Legal and compliance: We may disclose data to law enforcement or regulatory authorities if required by law or court order. Business transfers: In the event of a merger, acquisition or asset sale, personal data may be transferred subject to appropriate safeguards. Aggregated data: We may share aggregated statistics that do not identify individuals. No sale of personal data: We do not sell personal data for monetary consideration.
5. International Transfers
We may transfer personal data outside the European Economic Area (EEA) or the UK. For example, data may be processed in the United States by our AI provider or cloud hosts. When transferring data internationally, we rely on Standard Contractual Clauses or other approved transfer mechanisms under GDPR and ensure that data is protected by equivalent safeguards. By using the service, you consent to these transfers.
6. Data Retention
Account data is retained for the duration of the account. If you delete your account, we will delete your user-provided content (property descriptions, photos, custom responses) within 30 days. Reservation history and communications may be retained for up to five years for legal, accounting and regulatory purposes and will then be anonymised or deleted. Guest data is retained as long as the host account is active or as required by law. Upon account deletion, guest data will be anonymised or deleted unless retention is required for compliance. AI interaction logs are retained in anonymised form for up to two years for product improvement and research, then deleted. Backups may contain data for up to 90 days after deletion.
7. Data Subject Rights (EEA/UK)
If you reside in the EEA, UK or other jurisdictions with similar laws, you have the following rights: Right of access (request a copy of your personal data). Right to rectification (request corrections). Right to erasure ("right to be forgotten"). Right to restriction. Right to object. Right to data portability (data provided in JSON or CSV format). Right to withdraw consent. We will respond to verified requests without undue delay and within one month of receipt, extendable by two months where necessary. Guests who wish to exercise their rights should contact the host directly. Hosts must forward such requests to info@alfredco.host if they need assistance.
8. California Privacy Rights
California residents have additional rights under CCPA/CPRA: Right to know (categories of personal information collected, sources, purposes, and third parties). Right to delete. Right to correct. Right to opt-out of sale or sharing (we do not sell personal information). Right to non-discrimination. Identity verification: We will match at least two data points you provide against our records. CCPA requests may be submitted to info@alfredco.host. California residents may also contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to maintain sessions, remember preferences and analyse usage. Essential cookies are necessary for basic operation; functional cookies remember preferences; analytics cookies help us improve the product; and, with consent, advertising cookies may be used for retargeting. EU visitors will see a cookie consent banner allowing them to manage preferences.
Cookie examples: session_id (authentication, session duration, essential), lang (language preference, 1 year, functional), analytics_id (usage statistics, 12 months, non-essential analytics). Additional cookies may be set depending on features used. Our service does not currently respond to Do Not Track (DNT) browser signals.
10. Data Security
We implement industry-standard measures to protect personal data, including encryption in transit, access controls, secure hosting environments and regular backups. While we strive to protect data, no system is completely secure. Users should use strong passwords and enable two-factor authentication where available. In the event of a personal data breach, we will comply with notification requirements as described in the Terms of Service.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify users of material changes (e.g., through the dashboard or by email). Your continued use of the service after the effective date of the updated policy constitutes acceptance of the changes. If required by law, we will seek consent for changes that affect how we process your data.
12. Contact Information
For privacy inquiries or to exercise your rights, please contact us at info@alfredco.host or write to Alfredco Host OU, Priisle tee 2-26, 13914 Tallinn, Estonia. EU residents may also lodge a complaint with the Estonian Data Protection Inspectorate or another supervisory authority in their country if they believe their rights have been violated.
Introduction
This Cookie Policy explains how Botique.me OU ("Alfredco.host", "Company", "we", "us" or "our") uses cookies and similar technologies on our website and services. It should be read together with our Terms of Use and Privacy Policy. By continuing to browse or use our services, you consent to the use of cookies as described in this policy, unless you choose to disable them via your browser settings or our cookie management tools. Cookies are small text files that a website stores on your device when you visit a site. They enable the website to remember your actions and preferences over a period of time and provide various functions, such as authentication, analytics and personalisation.
How We Use Cookies
Essential cookies: Necessary for the basic functioning of the website and the services. Without these cookies, certain features (such as logins or session management) will not work. These cookies do not require consent. Functional cookies: Remember your preferences and settings to enhance your experience. Disabling these may affect how our website functions for you. Analytics cookies: Collect information about how you interact with our website to help us improve performance and usability. These cookies may require your consent depending on your location. Advertising cookies: May be used (with your consent) to deliver personalised advertisements. We do not currently use advertising cookies, but we may introduce them in the future with appropriate consent mechanisms.
Types of Cookies We Use
session_id: Maintains your session so you remain logged in while navigating our site (session duration, essential). lang: Stores your language preference to show content in your selected language (1 year, functional). analytics_id: Collects aggregated usage statistics to help us analyse how our site is used (12 months, analytics). This list is not exhaustive and may be updated over time.
Managing Cookies and Opting Out
When you first visit our site, you may see a cookie banner or pop-up that allows you to accept or reject non-essential cookies. Essential cookies cannot be disabled as they are necessary for our services to work. You can also manage your cookie preferences at any time by adjusting your browser settings to delete or block cookies. Please note that blocking or deleting cookies may affect your ability to use certain features of our site.
Do Not Track Signals
Some browsers offer a "Do Not Track" (DNT) signal. Our site currently does not respond to DNT signals. If you wish to opt out of tracking, please use the cookie management options described above.
Changes to This Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in our practices, technology or legal requirements. When we do, we will revise the "Last Updated" date at the top of this policy. We encourage you to review this policy periodically for the latest information on our cookie practices.