Effective date: 15 March 2026 · For hotels and users located in India only
Privacy Policy
This Privacy Policy describes how Hotel AI ("we", "us", or "our") collects, uses, stores, and protects personal data when you use the Hotel AI platform (the "Service") — including our website, admin dashboard, and guest-facing experiences (such as digital menus and room service ordering) offered to hotels in India.
1. Scope and who this applies to
This Policy applies to (a) hotel staff and administrators who register for and use the Service on behalf of a hotel in India, and (b) processing activities we perform as a technology provider to those hotels. Guest-facing features may involve data about end guests (e.g. room identifiers, order details); such processing is typically carried out on behalf of the hotel, which acts as the data principal's first point of contact for many guest queries.
The Service is intended for use within India only. If you access the Service from outside India, different laws may apply; we currently target Indian hotels and Indian operations.
2. Legal framework
We aim to align our practices with applicable Indian law, including the Digital Personal Data Protection Act, 2023 ("DPDPA") and rules issued thereunder, as well as the Information Technology Act, 2000 and applicable rules (including those relating to reasonable security practices and sensitive personal data or information, where relevant).
This Policy is for transparency and does not limit any rights you may have under law. Where the hotel is the primary decision-maker for certain guest data, the hotel's own privacy notices may also apply.
3. Categories of personal data we may process
Depending on how you use the Service, we may process:
- Hotel administrator / staff accounts: name, email address, role, hotel affiliation, and a cryptographically hashed password (we do not store your password in plain text).
- Hotel profile: hotel name, address, phone, branding assets (e.g. logo URL), operating hours, and similar business information you choose to provide.
- Operational data: menu items, categories, room numbers or identifiers, orders, order status, timestamps, optional guest notes or names associated with orders, and service requests submitted through the platform.
- Technical and usage data: IP address, device/browser type, cookies or similar technologies where used, logs for security and reliability, and diagnostic information.
4. Purposes of processing
We use personal data to:
- Provide, operate, and improve the Service (account creation, authentication, dashboards, guest menu and ordering flows).
- Communicate with you about the Service, security, or policy updates.
- Ensure security, prevent fraud and abuse, and comply with legal obligations.
- Analyse aggregated or de-identified usage to improve product quality (where we do not identify individuals).
5. Legal bases (India)
Under the DPDPA, we rely on appropriate grounds as applicable — including your consent where required (for example, where you accept this Policy or cookie use where mandated), performance of a contract with you or your hotel, compliance with law, and legitimate uses permitted under the DPDPA (such as certain operational or security purposes), as interpreted in line with applicable regulations and guidance.
6. Sharing and subprocessors
We may share personal data with trusted service providers who assist us in hosting, databases, email delivery, file storage, analytics, or security — only to the extent needed to provide the Service and under appropriate contractual safeguards. We may also disclose information if required by law, court order, or government request in India, or to protect our rights and the safety of users.
7. International transfers
Our primary focus is India. If any processing or storage occurs outside India (for example, through a cloud provider), we will take steps consistent with applicable Indian law, including any requirements for transfers and safeguards.
8. Retention
We retain personal data only as long as necessary for the purposes above, including to meet legal, accounting, or reporting requirements, resolve disputes, and enforce agreements. Retention periods may vary by data type; some logs may be kept for shorter periods for security monitoring.
9. Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include access controls, encryption in transit where appropriate for the Service, and secure handling of credentials. No method of transmission or storage is 100% secure; we encourage strong passwords and safeguarding of account access.
10. Your rights and choices
Subject to applicable law, you may have rights to access, correct, update, or request deletion of your personal data, withdraw consent where processing is consent-based (without affecting prior lawful processing), and nominate another person to exercise rights on your behalf in case of death or incapacity, as prescribed under the DPDPA.
To exercise these rights, or for questions about this Policy, contact us using the contact details shared with you when you subscribed to the Service, or your account administrator.
11. Grievance redressal
If you have concerns about how we handle personal data, please contact us at the details above. We will acknowledge and address grievances in line with applicable timelines and requirements under Indian law. You may also have the right to approach the Data Protection Board of India or other remedies as provided by law.
12. Children
The Service is not directed at minors. Hotels should not use the Service to knowingly collect data from children in a manner that violates applicable law. If you believe we have inadvertently processed a child's data, contact us and we will take appropriate steps.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Effective date" where material changes are made. Continued use of the Service after changes constitutes your acknowledgment of the updated Policy where permitted by law.
14. Contact
Hotel AI
For privacy-related queries and grievances: the contact details shared with you when you subscribed to the Service, or your account administrator.