Privacy Policy

Last Updated: April 6, 2026

PRIVACY POLICY
Pursuant to Art. 13 of EU Regulation 2016/679 (GDPR)

ADV GROUP of P.F., with registered office at Via Roveredo 20/b, 33170 Pordenone, Italy, VAT number 01661510931 (hereinafter also referred to as "ADV"), as the controller of the website www.reception24.com (hereinafter the "Website") and the related WebApps, Chatbot, and SaaS platforms Reception24 and Assistant24 (hereinafter the "Platform"), pursuant to Art. 13 of EU Regulation 2016/679 (hereinafter "GDPR") and in relation to the personal data it will process, hereby informs the User as follows.

1. CATEGORIES OF PERSONAL DATA PROCESSED

1.1 The personal data that will be processed by ADV are as follows:

a) Identification data provided by the User: first name, last name, email address, password (stored exclusively in encrypted form via hashing), profile picture (optional).
b) Data provided via third-party authentication: if the User chooses to register via Google or Apple, ADV will receive the name and email address associated with the account. Google or Apple login credentials are not stored.
c) Hospitality establishment data: name, address, city, website, phone number, email, booking link, chatbot configuration (name, avatar, tone, languages, colors), textual knowledge base, custom prompts.
d) Guest data collected via the chatbot: guest identifier (optional, e.g. name or room number), conversation messages, sentiment analysis, feedback and ratings about the establishment.
e) Guest data collected via review requests: name, phone number, email, checkout date — exclusively subject to the guest's explicit consent (GDPR-compliant).
f) Payment-related data: Stripe customer identifier, subscribed plan, billing interval, subscription status. Credit card details are never stored by ADV — they are managed entirely by Stripe, Inc.
g) Automatically collected browsing data: IP address, browser user agent, language preference, session data (token, expiration date).
h) Usage data: monthly chatbot message count per property, AI tokens used (for billing purposes), interaction events (QR code clicks, service mentions in chat, booking link clicks).
i) Marketing attribution data (first-touch): traffic source (utm_source), medium (utm_medium), campaign (utm_campaign), landing page, referrer, device type, date of first visit.
j) Files uploaded by the User: images and PDF documents (maximum 5 MB per file).
k) Browsing data collected via analytical cookies: please refer to Section 3bis and the Cookie Policy.

1.2 Personal data will be provided to ADV voluntarily by the data subject electronically at the time of registration, completion of forms on the Website or Platform, or use of the chatbot.

2. LEGAL BASIS AND PURPOSES OF PROCESSING

2.1 Personal data will be processed in accordance with the GDPR for the following purposes and legal bases:

a) Registration, account management, and service delivery (AI chatbot, dashboard, knowledge base, property management, QR codes, feedback collection): legal basis — performance of a contract (Art. 6.1.b GDPR).
b) Payment management, invoicing, subscriptions, and message credits: legal basis — performance of a contract and compliance with legal obligations (Art. 6.1.b and 6.1.c GDPR).
c) Sending transactional emails (account confirmation, email verification, password reset, purchase confirmation, renewal, invoices): legal basis — performance of a contract (Art. 6.1.b GDPR).
d) Security and abuse prevention (IP-based rate limiting, audit logs of sensitive operations, prevention of unauthorized access): legal basis — legitimate interest (Art. 6.1.f GDPR).
e) Website statistical analysis via Google Analytics: legal basis — consent of the data subject (Art. 6.1.a GDPR), activated only after explicit approval via the cookie banner.
f) Internal marketing attribution (first-touch tracking of traffic sources, campaigns, and landing pages): legal basis — legitimate interest (Art. 6.1.f GDPR).
Data is used exclusively to evaluate the effectiveness of advertising campaigns and is not shared with third parties.
g) With the User's express consent, data may be used for commercial communications relating to additional products or services offered by the Controller or similar services offered by third parties. The legal basis for this processing is the freely given consent of the data subject.
h) Tax and accounting compliance: legal basis — legal obligation (Art. 6.1.c GDPR).

Outside of these cases, users' browsing data is retained only for the time strictly necessary for the management of processing activities, within the limits provided by law.

3. METHODS OF PROCESSING — SECURITY AND CONFIDENTIALITY REQUIREMENTS

3.1 The processing of personal data by the controller or any data processors will be carried out using IT and electronic tools and through the organization of such data in predominantly automated databases. Data will be stored in dedicated archives in compliance with the technical and organizational measures necessary to ensure their security.

3.2 ADV guarantees the utmost confidentiality of personal data by adopting the following security measures:

* Password encryption via hashing
* Communications secured via HTTPS protocol (TLS)
* Secure authentication with mandatory email verification
* Rate limiting to prevent brute-force attacks
* Restricted and secure database access
* Monitoring and audit logs of sensitive operations
* httpOnly session cookies to prevent unauthorized access

3.3 Guest personal data collected via the chatbot will be disclosed exclusively to the managers of the hospitality establishment of which the user is a guest, for the purposes indicated in Section 2.1.

3.4 Conversations with the AI chatbot are processed by a Large Language Model (LLM). Messages sent to the model include the establishment's knowledge base and the messages of the ongoing conversation.
This data is used exclusively to generate responses and is not used to train artificial intelligence models. No automated decision-making pursuant to Art. 22 GDPR that produces legal effects or similarly significantly affects data subjects is carried out. The AI generates suggested responses that may be reviewed and modified by the user and/or the guest. Pursuant to Art. 50 of Regulation (EU) 2024/1689 (AI Act), please be advised that communications generated by the Service may be produced or assisted by artificial intelligence systems. The property manager is required to inform their guests of the use of AI systems in communication management.

3.5 Personal data may be transferred to Third Countries in compliance with the GDPR and applicable laws (see Section 6).

3bis. COOKIES AND TRACKING TECHNOLOGIES

3bis.1 Technical cookies (necessary, no consent required):

* Session cookies: to maintain authentication during browsing
* NEXT_LOCALE: to store the user's language preference
* ft_utm: a functional httpOnly cookie for internal marketing attribution (first-touch); does not contain personal identifiers

3bis.2 Analytical cookies (subject to consent):

* Google Analytics: activated exclusively after the user's explicit consent via the cookie banner. Consent is stored locally in the browser (localStorage).

3bis.3 Upon first access, a banner is displayed for cookie management. The user may accept all cookies, reject non-essential cookies, or modify their preferences at any time.

4. DATA PROVISION AND CONSEQUENCES OF REFUSAL

4.1 The personal data held by ADV and subject to processing are those voluntarily provided by the data subject at the time of registration on the Platform, authentication via Google or Apple, or completion of forms on the Website or Platform.

4.2 Apart from what is specified regarding browsing data, the user is free to provide personal data in order to request the services offered by the Controller.
Failure to provide such data may result in the inability to obtain what has been requested.

5. DATA RETENTION PERIODS AND WITHDRAWAL OF CONSENT

5.1 Personal data will be retained according to the following timelines:

* User account data: until account deletion
* Payment data (Stripe identifier): until account deletion, plus the period required by tax obligations (10 years)
* Chatbot conversations (session context): up to a maximum of 72 hours depending on the subscribed plan
* Chatbot conversations: up to a maximum of 12 months, then anonymized
* Guest feedback and reviews: until deletion by the establishment
* Audit logs: 12 months
* Google Analytics data: in accordance with Google's policies (maximum 26 months)
* Uploaded files: until deletion by the user

5.2 Upon account deletion, personal data is removed within 30 days, subject to legal retention obligations.

5.3 The user may withdraw consent to processing at any time, without prejudice to the lawfulness of processing based on consent given prior to withdrawal.

6. RECIPIENTS OF PERSONAL DATA

6.1 Within the limits and for the purposes indicated in the GDPR, personal data may be disclosed to the following service providers, necessary for the operation of the Platform:

* Stripe, Inc. (USA, Standard Contractual Clauses): payment processing and subscription management
* Resend, Inc. (USA, SCC): transactional email delivery
* Supabase, Inc. (EU server — Frankfurt): database and file storage
* Anthropic, PBC (USA, SCC): AI-based chatbot conversation processing
* Google LLC (USA, SCC): website analytics (only with user consent)
* Upstash, Inc. (EU server): security rate limiting (IP address only)
* Vercel, Inc. (EU/USA servers): web application hosting

6.2 Transfers to Third Countries (in particular the United States) are carried out on the basis of the EU-US Data Privacy Framework (DPF) — for certified recipients — Standard Contractual Clauses (SCC) approved by the European Commission, and adequate contractual and technical safeguards provided for in the DPAs entered into with each provider.

6.3 ADV does not sell, rent, or share personal data for third-party marketing purposes.

6.4 Personal data may also be disclosed to any public or private entities where disclosure is required by law or necessary for tax-related purposes.

7. RIGHTS OF THE DATA SUBJECT

The data subject is entitled to the rights provided for under Arts. 15–22 of the GDPR. In particular:

a) Right of access (Art. 15): obtain confirmation of the existence of personal data and a copy thereof, including the purposes of processing, categories of data, recipients, and retention period.
b) Right to rectification (Art. 16): correct inaccurate or incomplete data.
c) Right to erasure — "right to be forgotten" (Art. 17): request the deletion of personal data.
d) Right to restriction of processing (Art. 18): request restriction of processing in certain circumstances.
e) Right to data portability (Art. 20): receive personal data in a structured, commonly used, and machine-readable format.
f) Right to object (Art. 21): object to processing based on legitimate interest.
g) Right to withdraw consent (Art. 7): withdraw consent at any time, without prejudice to prior processing.

Rights may be exercised by contacting the Data Controller indicated in Section 8 directly. The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

8. DATA CONTROLLER

The Data Controller is ADV GROUP of P.F., with registered office at Via Roveredo 20/b, 33170 Pordenone (PN), Italy, VAT number 01661510931.
Email: support@reception24.com
Certified Email (PEC): advgroup@legalmail.it
Legal representative: Titolare.
An updated list of data processors may be requested directly from the Controller.

9. CHANGES TO THIS PRIVACY POLICY

9.1 The Data Controller reserves the right to make changes to this privacy policy at any time by publishing the updated version on this page. In the event of material changes, notice will be provided via email or an announcement on the Platform. Users are therefore encouraged to consult this page regularly, referring to the date of last modification indicated at the bottom of the page.

9.2 In any case, personal data already provided to ADV may not be used for purposes other than those indicated by ADV to data subjects at the time of collection, unless a new and explicit consent is obtained from the data subject.

10. MINORS

The Service is not intended for persons under the age of 16. ADV does not knowingly collect data from minors. If a parent or guardian believes that a minor has provided personal data, they may contact the Controller to request its deletion.