Privacy Policy

Effective Date: March 18, 2026
Company: HERO TECHNOLOGIES, S.L. ("we," "us," or "our")

1. Introduction and Our Role (Controller vs. Processor)

Welcome to the privacy policy for "Guido," our Conversational AI Travel Assistant. We provide this technology to hotel chains worldwide to help you discover properties, book rooms, and manage your stay.

Under global data protection laws (including the GDPR), it is important to understand who controls your data:

  • The Data Controller: The hotel chain you are booking with (e.g., Eurostars Hotel Company) is the Data Controller. They own the relationship with you and determine why and how your data is processed.
  • The Data Processor: HERO TECHNOLOGIES, S.L. acts strictly as the Data Processor. We process your information solely on behalf of, and under the strict instructions of, the hotel chain.

2. AI Transparency and EU AI Act Disclosures

As required by the EU AI Act and global transparency standards, we want to be completely clear about how our technology works:

  • You are interacting with an AI: When you use our chat interface, you are speaking with an Artificial Intelligence system ("Guido"), not a human agent.
  • Operational Data vs. Training Data: The personal data you share during your conversation is used strictly for operational purposes (e.g., to answer your questions and book your room). We do not use your personal data to train, retrain, or improve our foundational Large Language Models (LLMs).
  • Automated Decision-Making & Profiling: Our AI retrieves dynamic room pricing and availability directly from the hotel's database based on your requested dates and criteria. The AI does not engage in automated profiling to alter prices based on your identity, nor does it make legal or significant decisions about you autonomously.
  • Right to Human Intervention: You have the right to bypass the AI at any time. If you wish to speak with a human, simply ask the assistant to "transfer me to a human," or use the standard contact forms/phone numbers provided on the hotel's website.

3. What Information We Collect

To act as your digital concierge, we collect the following categories of data during your interaction:

  • Identity & Contact Data: Name, email address, phone number, and loyalty program member ID (if provided).
  • Transaction & Booking Data: Travel dates, room preferences, number of guests, and payment routing information (processed securely; we do not store full credit card numbers).
  • Behavioral & Technical Data: Chat logs (the contents of your conversation with the AI), IP address, browser type, device information, and session IDs.
  • Sensitive Personal Information: You may voluntarily disclose sensitive data during the chat (e.g., requesting wheelchair accessibility revealing health data, or dietary requirements revealing religious beliefs). The AI will only process this data to fulfill your specific request.

4. Purpose and Legal Basis for Processing (GDPR)

We process your data on behalf of the hotel based on the following lawful bases:

  • Contractual Necessity: To process your room booking, manage your reservation, and provide the services you requested.
  • Explicit Consent: For processing any Sensitive Personal Information (like health or accessibility needs) you voluntarily provide in the chat.
  • Legitimate Interest: To ensure network security, prevent fraudulent bookings, and provide 24/7 customer support.

5. Data Retention and Anonymization

We adhere to strict data minimization principles:

  • Booking Data: Passed directly to the hotel's reservation system. We do not retain this data longer than necessary to confirm your booking.
  • Chat Logs: Retained temporarily for session continuity and customer support. After the retention period defined by the hotel (typically 30 days), chat logs are either securely deleted or heavily anonymized (stripped of all personal identifiers) for statistical analytics.

6. Third-Party Sharing and International Transfers

To provide our service across 23 countries, we use trusted sub-processors:

  • Cloud Infrastructure: Our systems and AI models are hosted on secure, enterprise-grade cloud environments (e.g., Google Cloud Platform). For our European clients, data is hosted exclusively within the European Union (Madrid, Spain).
  • Third-Party Disclosures: We do not share your data with third parties for marketing or advertising. Data is only shared with sub-processors necessary to run the AI infrastructure, all of whom are bound by strict Data Processing Agreements (DPAs).
  • Cross-Border Transfers: If data must be transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs), to protect your privacy rights.

7. Your Privacy Rights (GDPR & CCPA/CPRA)

Depending on your location, you have specific rights regarding your personal data. Because we act as a Data Processor, we will assist the hotel (the Data Controller) in fulfilling your requests.

For European Users (GDPR):

  • Access & Portability: Request a copy of the personal data processed by the AI.
  • Rectification & Erasure: Request correction of inaccurate data or the deletion of your chat logs and data ("Right to be Forgotten").
  • Withdraw Consent: Withdraw your consent for the processing of sensitive data at any time.

For California & US Users (CCPA/CPRA):

  • Right to Know & Delete: Request disclosure of the specific pieces of personal information we have collected about you and request their deletion.
  • Do Not Sell or Share My Personal Information: We do not sell your personal data to data brokers, nor do we share it for cross-context behavioral advertising. However, to exercise your formal opt-out rights, please use the "Do Not Sell or Share" link provided in the hotel's main privacy footer.
  • Non-Discrimination: You will not receive discriminatory treatment or pricing for exercising your privacy rights.

To exercise any of these rights, please contact the hotel directly using the privacy contact information on their website, or contact us, and we will route your request to the appropriate Data Controller.

8. Contact Information

If you have questions about this Privacy Policy, our AI technologies, or how we handle data on behalf of our hotel partners, please contact our Data Protection Officer (DPO):

  • HERO TECHNOLOGIES, S.L.
  • Attn: Data Protection Officer
  • Address: C/Francesc Carbonell 35, 08034 Barcelona, Spain
  • Email: privacy@holaguest.ai