Privacy Policy
Last Updated: March 4, 2026 Effective Date: January 1, 2026
Hello Native AI Inc. ("Hotel Native," "we," "us," or "our") operates the hotelnative.ai website and the Hotel Native platform — an AI-native Property Management System (PMS), Channel Manager, and hospitality technology suite. This Privacy Policy explains how we collect, use, disclose, retain, and protect information about you when you use our services.
By accessing or using Hotel Native, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
1. Who We Are
Company: Hello Native AI Inc. Platform: Hotel Native (hotelnative.ai) Registered Office: Costa Rica Data Controller Contact: privacy@hotelnative.ai
Hotel Native provides technology services to independent hotels, boutique properties, villas, and hospitality businesses. We act as a data controller for the account and billing information of our customers (hotel operators), and as a data processor for guest data that hotel operators collect through our platform.
2. Scope of This Policy
This Privacy Policy applies to:
- Hotel Operators: Businesses and individuals who subscribe to Hotel Native to manage their properties ("Customers").
- End Users: Staff, managers, and administrators who use the Hotel Native dashboard on behalf of a Customer.
- Hotel Guests: Guests whose data is processed through our platform at the direction of our hotel operator Customers.
- Website Visitors: Anyone who visits hotelnative.ai or our related websites.
- Travel Agents: Agents who access the Travel Agent Portal provided through our platform.
3. Information We Collect
3.1 Information You Provide Directly
Account Registration:
- Full name, business name, job title
- Email address and password (hashed using bcrypt)
- Phone number
- Property name, address, type, and size
- Billing address and payment method details
Property & Operations Data:
- Room types, rates, availability, policies, and inventory settings
- Staff profiles, roles, and permissions
- Housekeeping tasks and schedules
- Booking records, invoices, and financial data
- Custom fields and operational notes
Communications:
- Messages you send to our support team
- Feedback, survey responses, and feature requests
3.2 Guest Data (Processed on Behalf of Hotel Operators)
When hotel operators use our platform to manage guest relations, the following guest data is processed at the operator's direction:
- Full name, email address, phone number, nationality, and date of birth
- Government-issued ID type and number (for digital check-in)
- Home address, city, country, and postal code
- Booking details, stay history, preferences, and notes
- Payment card information (stored encrypted, PCI-DSS compliant)
- Concierge chat messages and service requests
- IP address and device information collected during digital check-in
Hotel operators are the data controllers for guest data. Hotel Native processes this data solely as a processor under the operator's instructions. Guests seeking to exercise privacy rights should contact the hotel property directly.
3.3 Information Collected Automatically
Log Data:
- IP address, browser type, operating system, device identifiers
- Pages visited, time spent, referring URLs
- Errors, crashes, and API response times
Cookies and Tracking:
- Session cookies (essential for login and security)
- Analytics cookies (Google Analytics 4 — see our Cookie Policy)
- Meta Pixel for advertising attribution (hotelnative.ai only)
- Preference cookies (theme, language settings)
Visitor Analytics:
- Geo-IP derived country and region
- Channel attribution (organic, direct, paid search, paid social, referral)
- Session duration and page depth
- Device type (mobile, tablet, desktop)
3.4 Third-Party Sources
- Payment Processors (Tilopay, Stripe): Transaction status, payment method tokens
- Channel Managers (Channex, RoomCloud): OTA booking data and guest profiles pushed from Booking.com, Expedia, Airbnb, and other channels
- Google Analytics 4 and Search Console: Aggregated website performance data
4. How We Use Your Information
4.1 To Provide and Operate Our Services
- Create and manage your Hotel Native account
- Process reservations, invoices, payments, and refunds
- Sync availability and rates to connected OTA channels
- Power AI concierge, upsell automation, and staff tools
- Send booking confirmations, check-in instructions, and operational alerts
- Facilitate digital check-in and door lock integrations
4.2 To Improve Our Platform
- Analyze usage patterns to improve UX and performance
- Train and refine AI models that power concierge and automation features
- Identify and fix bugs, crashes, and security vulnerabilities
- Develop new features based on customer feedback and behavior
4.3 To Communicate With You
- Respond to support inquiries and technical questions
- Send product updates, release notes, and feature announcements
- Notify you of billing events, subscription changes, and policy updates
- Send onboarding and educational materials (you can opt out anytime)
4.4 Marketing and Advertising
- Display targeted advertisements on third-party platforms (Google Ads, Meta) using anonymized or hashed data
- Measure the effectiveness of our marketing campaigns
- Attribute conversions from advertising to booking activity
You can opt out of marketing emails at any time using the unsubscribe link in any email we send, or by contacting privacy@hotelnative.ai.
4.5 Legal Obligations
- Comply with applicable laws and regulations in Costa Rica and applicable international frameworks
- Respond to lawful requests from courts, government authorities, or regulatory bodies
- Enforce our Terms of Service and protect the rights, property, and safety of Hotel Native, our customers, and others
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing contracted services | Contract (Art. 6(1)(b) GDPR) |
| Billing and account management | Contract (Art. 6(1)(b) GDPR) |
| Security, fraud prevention | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Analytics and product improvement | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Marketing emails (existing customers) | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Marketing emails (prospects) | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance | Legal Obligation (Art. 6(1)(c) GDPR) |
| Guest data processing | Contract as Processor (Art. 28 GDPR) |
6. Data Sharing and Disclosure
We do not sell your personal information. We share information only in the following circumstances:
6.1 Service Providers
We share data with trusted third-party vendors who help us deliver our services, under strict data processing agreements:
- Cloud Infrastructure: Cloudflare (CDN, R2 storage, DNS, Tunnels)
- Database Hosting: Self-hosted PostgreSQL on VPS infrastructure
- Payment Processing: Tilopay (Costa Rica), Stripe (international)
- Channel Management: Channex, RoomCloud (booking sync only)
- Email Delivery: SMTP providers configured per property
- AI Infrastructure: Anthropic (Claude), OpenAI, Google (Gemini)
- Analytics: Google Analytics 4
- Communication: Meta (Facebook Pixel, WhatsApp Business infrastructure)
6.2 OTA Channel Partners
When you sync availability and rates to OTA channels (Booking.com, Expedia, Airbnb, etc.), the channel manager transmits inventory data to those platforms per their own terms of service. Guest data received from OTA bookings is processed under your operator agreement with those channels.
6.3 Legal Requirements
We may disclose information if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect the safety of our users or the public.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website at least 30 days before any such transfer and before your information becomes subject to a different privacy policy.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of subscription + 90 days after termination |
| Booking and financial records | 7 years (legal/tax compliance) |
| Guest profiles | Until deleted by operator, max 7 years |
| Activity logs and audit trails | 2 years |
| Support communications | 3 years |
| Marketing emails (opt-outs) | Indefinitely (to prevent future sends) |
| Anonymized analytics | Indefinitely |
After the applicable retention period, we securely delete or anonymize your data.
8. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in Transit: TLS 1.2+ for all data in transit
- Encryption at Rest: Database encryption for sensitive fields (payment cards, credentials)
- Access Controls: Role-based access control (RBAC) with least-privilege principles
- Authentication: NextAuth.js with secure session tokens; TOTP two-factor authentication available
- Payment Security: PCI-DSS compliant card tokenization; no raw card numbers stored
- API Security: HMAC-SHA256 webhook signatures; rate limiting on all public endpoints
- Infrastructure: Cloudflare WAF, DDoS protection, and firewall rules
- Audit Logging: All staff actions are logged with timestamps and IP addresses
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. International Data Transfers
Hotel Native operates servers in the United States and Europe. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, we ensure that transfers comply with applicable law through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Data Processing Agreements (DPAs) with all sub-processors
To request a copy of our DPA or SCCs, email privacy@hotelnative.ai.
10. Your Privacy Rights
Depending on your location, you may have the following rights:
10.1 Rights Under GDPR (EEA/UK Residents)
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your data, subject to legal retention requirements
- Right to Restriction: Request that we limit how we process your data
- Right to Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority (DPA)
10.2 Rights Under CCPA (California Residents)
California residents have the right to:
- Know what personal information we collect and why
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising privacy rights
To submit a verifiable consumer request, email privacy@hotelnative.ai or use the subject line "CCPA Request."
10.3 How to Exercise Your Rights
Submit a request by emailing privacy@hotelnative.ai with your full name, email address, and description of your request. We will respond within 30 days (or 45 days with notice for complex requests). We may require identity verification before processing your request.
11. Children's Privacy
Hotel Native is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we have collected data about a child, contact privacy@hotelnative.ai.
12. Third-Party Links and Integrations
Our platform integrates with and links to third-party services (Booking.com, Expedia, Google, Meta, Channex, etc.). These services have their own privacy policies, which we do not control. We encourage you to review the privacy policies of any third-party services you access through our platform.
13. AI and Automated Decision-Making
Hotel Native uses artificial intelligence (Anthropic Claude, OpenAI, Google Gemini) to power concierge, upsell, and automation features. Automated decisions that significantly affect you will be disclosed. You have the right to:
- Be informed about automated processing
- Request human review of automated decisions
- Object to solely automated decision-making with significant effects
Our AI features augment — but do not replace — human judgment for significant decisions such as booking approval or rate setting.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you by:
- Updating the "Last Updated" date at the top of this page
- Sending an email notification to the account email address on file
- Displaying a prominent notice on our dashboard
Your continued use of Hotel Native after the effective date of the updated policy constitutes acceptance of the changes.
15. Contact Us
For any privacy questions, requests, or concerns:
Email: privacy@hotelnative.ai General: hello@hotelnative.ai Company: Hello Native AI Inc.
We aim to respond to all privacy inquiries within 5 business days.
This Privacy Policy was prepared for Hotel Native (hotelnative.ai), operated by Hello Native AI Inc. It complies with GDPR, CCPA, and applicable Costa Rican data protection law.