Privacy Policy

This Privacy Policy describes how Hostella (the "Company", "we", "us") collects, uses, shares, retains, and protects personal data in connection with the Hostella platform and any related software, websites, APIs, mobile applications, and services (collectively, the "Service").

Hostella is the controller of personal data we collect from operators, prospects, and visitors to hostellagent.com. For personal data we process on behalf of an operator (for example, guest messages and reservation data flowing through the Service), the operator is the controller and Hostella is the processor under GDPR Article 28. See §6.

This Policy applies to:

• the Hostella public website (hostellagent.com), including marketing pages, the trust center, the blog, and any forms;
• the Hostella operator dashboard at /clients and any sub-routes;
• the staff/worker portal at /staff/[token];
• the guest-facing portal at /portal (when an operator enables it for their guests); and
• all messages and data exchanged through Hostella's integrations with messaging channels (WhatsApp Business, Telegram, SMS, email) and reservation platforms (Airbnb, Booking.com, Agoda, Vrbo, Expedia).

It does not apply to third-party websites, apps, or services we link to. Their privacy practices are governed by their own policies.

Account Data

name, business email, phone (optional), password hash, company / villa name, billing address, role, and Account metadata such as creation date and last login. We collect this directly from you when you sign up.

Configuration Data

house rules, brand-voice samples, escalation thresholds, property metadata, worker rosters, pricing rules, and any other data you provide to configure the Service.

Guest Data

guest names, phone numbers, email addresses, reservation identifiers, conversation transcripts, and any other personal data exchanged via the channels you connect. You are the controller of Guest Data and lawfully responsible for collecting it.

Worker Data

names, phone numbers, role assignments, schedules, task completion records, and any photos workers upload as task proof. You are the controller of Worker Data.

Usage & Technical Data

IP address, browser type and version, device identifiers, referrer URL, requested URL, response status, timestamp, feature interactions, error logs, and performance metrics. Collected automatically when you use the Service.

Billing Data

we do not store full payment card numbers. Payment instruments are tokenised and stored by our payment processor (Paddle). We retain the last four digits, card brand, billing address, invoice history, and tax identifiers.

Communications

the support chat in the operator dashboard, emails you send to contact@hostellagent.com and similar mailboxes, and any feedback you submit.

Cookies & Similar

essential cookies for authentication and security, plus a limited set of first-party analytics cookies. See §13.

We use personal data only for the purposes set out below. We do not sell personal data. We do not share personal data with third parties for their independent marketing.

• Provide and operate the Service: authenticate users, render the dashboard, deliver messages between operators and guests, route tasks to workers, generate AI replies, sync calendars and reservations.
• Bill you: calculate subscription fees, overages, and taxes; issue invoices; process payments via our payment processor; recover unpaid balances.
• Support you: answer your questions in chat or email, investigate bug reports, and improve onboarding.
• Secure the Service: detect and prevent fraud, abuse, malware, account takeover, and other security incidents; comply with our information-security obligations.
• Improve the Service: aggregate and de-identify usage metrics to identify bottlenecks, ship features, and prioritise the roadmap.
• Comply with law: respond to lawful requests from authorities, enforce our Terms, and protect our legitimate interests in legal proceedings.

We do not train shared AI models on Customer Data. Improvements derived from your corrections are scoped to your Account only. If we ever introduce a shared-training opt-in, it will be disclosed and require your explicit, separate consent.

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

Contract (Art. 6(1)(b))

to deliver the Service you signed up for, including all processing necessary to render the dashboard, route messages, and bill you.

Legitimate interests (Art. 6(1)(f))

to keep the Service secure, prevent fraud, debug, aggregate de-identified usage metrics, and conduct direct marketing to existing operators about features relevant to their use. You can object at any time.

Legal obligation (Art. 6(1)(c))

to retain invoices and tax records, comply with court orders, and respond to law-enforcement requests under valid legal process.

Consent (Art. 6(1)(a))

for any non-essential cookies, optional marketing communications, and any future shared-AI-training programme. You can withdraw consent at any time without affecting prior processing.

6.1 Controller / processor. When you use the Service to communicate with guests, manage reservations, or route tasks, the personal data flowing through the Service (Configuration Data, Guest Data, Worker Data) is processed by us on your behalf and under your instructions. You are the data controller; we are the data processor.

6.2 Data Processing Addendum. Our processing obligations are set out in the Data Processing Addendum (DPA), available at hostellagent.com/trust. The DPA is incorporated by reference into our Terms of Service and into this Policy.

6.3 Your responsibilities as controller. You must (a) have a lawful basis to collect Guest Data and Worker Data, (b) provide guests and workers with appropriate notice of the processing, (c) honour their data-subject rights when they exercise them with you, and (d) only configure the Service in ways consistent with applicable privacy law.

We share personal data only with the categories of recipients listed below, and only as necessary for the purposes described in §4.

• Sub-processorswho host the Service, provide AI inference, send transactional email, process payments, and operate observability tooling. The current list, including each sub-processor's name, role, location, and data category, is at hostellagent.com/trust. We update this list before engaging any new sub-processor and notify you of material changes.
• Integrated channels (WhatsApp Business Platform, Airbnb, Booking.com, Telegram, etc.) when you connect them. We act as a passthrough for messages between your guests and the channel.
• Professional advisers (lawyers, auditors, accountants) bound by confidentiality.
• Acquirers and successors in the context of a merger, acquisition, financing, or sale of all or substantially all of our assets. Any successor will be bound by privacy commitments at least as protective as this Policy.
• Public authorities when required by valid legal process. We push back on overbroad requests where practicable and notify the affected customer unless legally prohibited.

Our production hosting is in the European Union (Frankfurt region). Some sub-processors may process personal data outside the EEA / UK. When that happens, we put in place an adequate transfer mechanism — typically the European Commission Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or reliance on an adequacy decision (e.g., for the United Kingdom from the EU perspective). The current list of sub-processor locations and transfer mechanisms is at hostellagent.com/trust.

We retain personal data only for as long as we need it for the purpose for which it was collected, subject to any longer period required by law (for example, tax laws generally require us to retain invoices for several years).

Account & Configuration Data

for the lifetime of the Account, plus 90 days after deletion.

Guest & Worker Data

as long as your Account is active. On Account termination, you have 30 days to export, after which data is purged from production within 90 days and from back-ups within 12 months.

Usage & Technical Data

up to 13 months for security and analytics, then de-identified or deleted.

Billing Data

retained for the period required by applicable tax law (typically 7–10 years).

Support communications

up to 24 months after the support thread is resolved.

We maintain administrative, technical, and physical safeguards designed to protect personal data from unauthorised access, use, alteration, or destruction. These include: encryption in transit (TLS 1.2+) and at rest (AES-256); least-privilege access controls; mandatory MFA for staff accounts; logging and monitoring; a documented incident response plan; staff security training; and vendor risk-management for sub-processors. Our current security controls and certification status are at hostellagent.com/trust.

No security control is perfect. If we become aware of a personal-data breach affecting your data, we will notify you without undue delay in accordance with applicable law and our DPA.

Subject to applicable law, you have the rights below. To exercise any of them, contact us at privacy@hostellagent.com. We will respond within the timeframe required by law (typically 30 days under GDPR).

• Access: a copy of the personal data we hold about you.
• Rectification: correction of inaccurate or incomplete data.
• Erasure:deletion of personal data when it's no longer necessary for the purpose collected, you withdraw consent, or you object and we have no overriding lawful basis.
• Restriction: temporary limitation of our processing while a dispute is resolved.
• Portability: machine-readable export of personal data you provided to us.
• Objection: to processing based on legitimate interests or for direct marketing.
• Withdraw consent: for processing based on consent. Withdrawal does not affect prior lawful processing.
• Complaint:lodge a complaint with your local supervisory authority. In the UK that is the Information Commissioner's Office (ico.org.uk); in the EU, the data-protection authority in your country.

Guests and workers: if your data is processed by Hostella because an operator uses the Service to run their property, you should direct your rights request to the operator first (they are the controller). We will assist the operator in fulfilling the request as their processor.

The Service is intended for businesses. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us at privacy@hostellagent.com and we will delete it.

We use a small set of first-party cookies and storage mechanisms:

Essential

session authentication, CSRF tokens, security fingerprints. These cannot be disabled while using the Service.

Functional

UI preferences such as display currency (hostella.displayCurrency), support-chat history cache, and the first-open flag for the in-dashboard setup assistant.

Analytics

first-party, privacy-respecting analytics that record aggregate page views and feature usage. No third-party ad tracking. No cross-site cookies.

We do not use third-party advertising cookies. Where consent is required, we present a cookie banner on first visit.

The Service uses machine-learning models to generate replies, route tasks, and classify messages. These AI outputs are generated based on Configuration Data and conversation context you provide. Where applicable law gives data subjects a right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects:

• the AI Agent does not, by itself, make legally significant decisions about guests. It generates messages and creates operational tasks; final decisions on refunds, complaints, and access are made by the operator;
• escalation triggers route uncertain or sensitive cases to a human (the operator) for review before any reply is sent; and
• guests can always request human review by replying with a clear request to speak to a human, which the operator receives in the dashboard.

We send transactional emails (e.g., billing receipts, security alerts) that are necessary to operate the Service and that you cannot opt out of while you have an active Account. We also occasionally send product-update emails to existing operators relying on our legitimate interest in keeping you informed. Every product email contains a clear one-click unsubscribe; opting out does not affect transactional or security communications.

We may amend this Policy by posting an updated version at this URL and updating the "Effective date" above. If a change materially affects how we process your personal data, we will give at least thirty (30) days' notice by email or in-product banner before it takes effect. Continued use after the change becomes effective constitutes acceptance.

For any privacy-related question, request, or complaint:

• Email: privacy@hostellagent.com
• Security incidents: security@hostellagent.com
• Legal: legal@hostellagent.com
• General: contact@hostellagent.com

We respond to all rights requests within the timeframe required by applicable law (typically 30 days under GDPR; we'll extend by up to 60 days for complex requests and tell you why).