Privacy Policy
Last updated: 2 June 2026
1. Who we are
GuestAssistant is operated from the United Kingdom (The Studio, 45 Southend, Garsington, Oxford OX44 9DJ). For data-protection purposes we are the controller of:
- Host account information you give us directly (email, password hash, billing data).
- Marketing-page enquiries (demo form, contact form).
- Analytics events we collect about visits to our marketing site and app.
We are the processor of the listing and guest-conversation data hosts ask us to handle on their behalf — the host (your hospitality business) remains the controller for that data.
Reach us via the contact page for any privacy question, data-subject request, or breach notification.
2. What we collect, and the legal basis
Hosts (signed-up users): email, password hash, billing data (handled by Stripe — we never see your card), the listing data you import or enter, any notification phone number you set, and basic usage events (which pages you visit in the app). Legal basis: contract performance + legitimate interest in running the service.
Guests (using a host's assistant): messages typed or spoken into the assistant, an anonymous random visitor ID (only with your consent), and basic device info (browser, screen size). Legal basis: the host's contract with their guest + our legitimate interest in providing the service for them. Analytics events are by consent only.
Marketing enquiries: if you submit the demo form, we collect the email/phone you provide so we can send you the demo link. Legal basis: pre-contract step at your request. We don't add you to a marketing list without separate, explicit consent.
Cookies + storage: see the Cookie policy for a line-by-line list.
3. What we use it for
- Providing the GuestAssistant service to hosts and their guests.
- Sending transactional emails (demo links, billing receipts, account notices, weekly/monthly Analytics Reports a host has opted in to).
- Sending you transactional SMS only if a host has chosen SMS as a notification channel, or if you (as a guest) submitted a callback number via the Review Interceptor.
- Anonymous analytics so a host can see how their guest page is being used. No cross-site tracking, no profile building.
- Improving the product (debugging issues, planning features). We do not use guest conversation data to train AI models.
- Meeting our legal obligations (e.g. tax, accounting, responding to lawful requests).
We do not sell your data. We do not share it with advertisers.
4. Sub-processors
We use the following providers to run GuestAssistant. Each has signed-up data-processing agreements with us and has their own privacy notice.
| Provider | Purpose | Data they touch | Region |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All host + guest data | EU (Frankfurt) |
| Netlify | Hosting + serverless functions | All request traffic (in transit) | Global (US-headquartered) |
| Stripe | Subscriptions + billing | Host email + payment details | US (with UK/EU sub-processors) |
| Google (Gemini API) | AI text + voice responses | Conversation transcripts (not used for training) | US / global |
| Google (Maps Platform) | Nearby-places, geocoding, time-zone | Listing addresses + coordinates | US / global |
| SendGrid (Twilio) | Transactional email | Host email + notification body | US |
| Twilio | SMS + voice line (optional) | Phone number + message body | US (with regional carriers) |
| FireCrawl | Scraping public listing pages | Public listing URL only | US |
When data leaves the UK or EEA we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) plus the UK Addendum, with the safeguards each provider applies (encryption in transit and at rest, access controls).
5. Data retention
- Host accounts: retained while active and for 90 days after cancellation, then deleted. Billing records are kept for the period required by HMRC (currently 6 years).
- Guest conversations: retained for 12 months for host audit, then deleted.
- Analytics events: retained for 24 months, then deleted or anonymised.
- Marketing enquiries: retained for 6 months unless you convert to a paying customer.
You can ask us to delete your data sooner at any time using the contact form below.
6. Cookies + storage
On first visit we show a consent banner with three equal-weighted choices: Reject optional / Settings / Accept all. Essential storage (sign-in session, theme preference, chat history) is always on. Analytics is by consent only. You can change your mind at any time via the Cookie preferences link in the footer or inside the app under Settings → Account → Privacy. See the Cookie policy for the line-by-line list.
7. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Correct anything that's inaccurate.
- Have it deleted (subject to legal-retention exceptions).
- Restrict or object to certain processing.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time where we relied on consent.
Send any of these requests through the contact form. We'll respond within 30 days, free of charge.
If we don't resolve a complaint to your satisfaction you can complain to the UK Information Commissioner's Office (ICO) — ico.org.uk/concerns or 0303 123 1113.
8. Children
GuestAssistant is a B2B product for hospitality hosts. It is not directed at children under 16, and we don't knowingly collect their data. If you believe a child has provided us data, contact us and we'll delete it.
9. Changes
We'll update the date at the top whenever this policy changes. If a change is material we'll email active users and (where relevant) re-prompt the cookie banner.