Privacy Policy - HospitalityFlow

Last Updated: March 2026

Your privacy matters. HospitalityFlow ("we", "us", "our") is committed to protecting the privacy and security of your data. This Privacy Policy explains what information we collect, how we use it, and your rights under applicable law, including Singapore's Personal Data Protection Act 2012 (PDPA) and the EU General Data Protection Regulation (GDPR).

1. Information We Collect

1.1 Information You Provide

  • Uploaded files and operational data (PMS reports, POS data, OTA exports, email content, etc.)
  • Account registration details (name, email, company details)
  • Billing details (for subscription payments)
  • Communication logs (support requests, emails)

1.2 Automatically Collected Information

  • Browser type, IP address, timestamps
  • Usage metrics (workflow runs, dashboard interactions)
  • Device information for performance and security optimisation

2. How We Use Your Data

We use your data to:

  • Process workflows and deliver automation outputs
  • Generate AI-powered drafts, categorisations, and responses on your behalf
  • Provide customer support
  • Ensure platform security and prevent misuse
  • Improve platform performance based on anonymised, aggregated usage analytics

We never sell personal or guest data. We do not use client data to train AI models.

3. AI Processing

HospitalityFlow uses large language model (LLM) APIs to power its automation features. When your data is processed through AI:

  • All AI requests are routed via our EU-based infrastructure using OpenRouter's EU endpoint (`eu.openrouter.ai`), keeping processing within Europe;
  • Zero Data Retention (ZDR) is enforced: prompts and AI completions are not stored by the AI provider after processing;
  • We do not use your data or guest data to train any AI models;
  • Where deployed on-premise (Ollama), all AI processing runs locally on your own infrastructure and no data leaves your environment.

4. Data Storage & Retention

HospitalityFlow follows a privacy-first approach. Data is stored only as long as necessary to deliver the Services.

5. Legal Bases for Processing

We process your data under the following legal bases:

  • Performance of a contract: delivering the Services you have subscribed to;
  • Legitimate interest: preventing fraud, ensuring security, improving service reliability;
  • Legal obligation: where required by applicable law;
  • Consent: where explicitly required and obtained.

These bases apply under both GDPR (for EU/EEA data subjects) and PDPA (for Singapore data subjects).

6. Data Sharing & Sub-Processors

We share data only with sub-processors necessary to deliver the Services. All sub-processors are bound by data protection agreements consistent with applicable law. We do not share data with, or sell data to, advertisers or external marketing companies.

A full Authorised Sub-Processor List is available at hospitalityflow.ai/subprocessors or upon written request to legal@hospitalityflow.ai. We will provide at least 14 days' notice before adding or replacing any sub-processor.

7. International Transfers

All data is stored and processed within the European Union by default - our infrastructure runs on Hetzner servers in Germany and Finland, and our database is hosted in Frankfurt (AWS eu-central-1). AI processing is routed exclusively via OpenRouter's EU endpoint.

Where any transfer outside the EU/EEA is required:

  • For EU data: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission;
  • For Singapore data: transfers comply with Section 26 PDPA, ensuring equivalent protection.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of your data;
  • Correction: Update inaccurate information;
  • Deletion: Request deletion of your data;
  • Portability: Receive your data in a structured format;
  • Objection: Object to certain data processing;
  • Restriction: Request limitation of processing.

To exercise any of these rights, contact us at legal@hospitalityflow.ai. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with your relevant supervisory authority - for EU residents, your national data protection authority; for Singapore residents, the Personal Data Protection Commission (pdpc.gov.sg).

9. Security

We implement the following technical and organisational measures to protect your data:

  • Encryption in transit: TLS 1.2 or higher for all connections;
  • Encryption at rest: AES-256 for stored data;
  • Role-based access controls and the principle of least privilege;
  • Access and activity audit logs retained for 90 days;
  • Regular security reviews of infrastructure and third-party dependencies.

10. Children's Privacy

HospitalityFlow is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have done so, we will delete it promptly.

11. Governing Law

This Privacy Policy is governed by the laws of Singapore. For EU-established clients, this Policy is additionally interpreted in a manner consistent with GDPR requirements.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated by email or via an in-platform notice at least 30 days before taking effect. The current version is always available at hospitalityflow.ai/privacy.

13. Contact

For privacy-related questions, requests, or complaints:

Email: legal@hospitalityflow.ai

Website: hospitalityflow.ai/contact

HospitalityFlow | Singapore