Privacy Policy
At Alfred Hospitality AI, we collect information to provide and improve our services.
This includes personal information you provide directly, as well as data collected automatically through your use of our platform.
1. Introduction & scope
This Privacy Policy explains how Alfredco.host collects, uses, stores and shares personal data when you use our websites, applications and services. It applies to hosts, property managers, guests whose information is processed through our service, website visitors and any other individuals whose personal data we handle.
Alfredco.host acts as data controller for user account data and website visitor data. When processing guest data on behalf of hosts (e.g., reservation details and guest messages), we act as data processor under the GDPR and a service provider under CCPA/CPRA. We provide a Data Processing Addendum (DPA) that forms part of your agreement with us and sets out our obligations as a processor.
2. Personal data we collect
We collect personal data through several channels:
- Data provided by users (hosts/property managers):
  - Account information: name, email address, phone number, business details, password and profile details.
  - Billing information: payment method (processed by Stripe), billing address and VAT or tax identifiers. We store limited billing details; Stripe processes full payment card data.
  - Property and listing data: property addresses, descriptions, photos, house rules and OTA listing identifiers.
  - Communications: information you provide in support enquiries, surveys or feedback.
- Data obtained from integrated OTA platforms: When you connect your OTA account, we retrieve reservation details (guest names, booking dates, property booked, price), guest profile information (as available), and message histories to provide a unified inbox and automate communications.
- Data from messaging services (e.g., WhatsApp): If you integrate WhatsApp, we collect message content and metadata (timestamps, recipient numbers) to manage conversations. We adhere to WhatsApp’s policies and require hosts to obtain consent from guests before sending messages.
- Data collected automatically (usage data): We collect log data such as IP address, device type, browser type, operating system, referring URLs and pages visited; cookies and similar technologies (see Section 10 on Cookies); and anonymised analytics through third‑party tools to improve the service.
- AI interaction data: When you use the AI assistant, your prompts and relevant context (including guest inquiries) are sent to our AI provider to generate responses. We may log and anonymise these interactions to improve our AI features; AI providers do not use API data for training models by default.
- Guest data: We process guest personal data (e.g., name, contact details, reservation information and message content) solely to provide the service to hosts. Hosts must ensure they have a lawful basis to collect and share guest data with us. We do not use guest data for any purpose other than delivering the service or as required by law.
- Sensitive personal data: Our service is not intended to process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade‑union membership, genetic or biometric data, health data or data concerning sex life or sexual orientation), or full payment card numbers or bank account numbers. We ask users not to input such information. If you inadvertently provide sensitive data, we will delete or anonymise it when detected.
- Minors’ data: Our service is not directed at children under the age of 16 and should not be used to process their personal data. Hosts must not input personal data of guests under 16 unless they have obtained verifiable parental or guardian consent. If we become aware that minors’ data has been processed without consent, we will delete or anonymise it.
3. Purposes of processing and legal bases
We process personal data for the following purposes and legal bases:
- Providing and improving the service. We use account, property and guest data to provide the core features of our platform—managing reservations, generating AI responses, sending messages and providing analytics. The legal basis is performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in providing a reliable service. We have conducted Legitimate Interest Assessments to balance our business needs against user privacy rights; documentation is available upon request to data protection authorities.
- Payments and subscription management. Billing information is used to process payments, handle renewals and provide invoices; the legal basis is performance of a contract and compliance with legal obligations (e.g. tax laws).
- Communications. We use contact information to send service‑related emails (account confirmations, billing notices, security alerts), respond to support requests and, with consent, send marketing communications. The legal basis is performance of contract, legitimate interest and/or consent (for marketing).
- Customer support. Support data is used to assist users and improve support quality. Legal basis: legitimate interests.
- Analytics and product development. We analyse aggregated usage data to understand how the service is used and to improve features. Legal basis: legitimate interests, with measures to protect privacy (e.g., anonymisation).
- Security and abuse prevention. We use log data and analytics to detect fraudulent or abusive behaviour, protect accounts and maintain system integrity. Legal basis: legitimate interests and compliance with legal obligations.
- Legal compliance. We process data as necessary to comply with laws, respond to lawful requests and enforce our terms. Legal basis: compliance with legal obligations and legitimate interests.
- Advertising. At present we do not sell personal data or engage in cross‑contextual behavioural advertising. If we use advertising cookies, we will obtain consent where required and provide a “Do Not Sell or Share My Personal Information” option.
4. How we share personal data
We share personal data only as necessary to provide the service and comply with law:
- Service providers. We engage third‑party service providers (processors) for payment processing (Stripe), hosting (cloud providers), email/SMS delivery, analytics, AI processing and customer support. These providers are contractually obligated to handle personal data only as instructed and to implement appropriate security measures.
- Within Alfredco.host. Authorised employees and contractors may access personal data only as needed for their job functions and are subject to confidentiality obligations.
- Business partners. If you enable optional integrations (e.g., connecting to a third‑party pricing tool), we share data with that partner at your instruction.
- Legal and compliance. We may disclose data to law enforcement or regulatory authorities if required by law or court order. We may share data with our legal advisors and auditors as needed.
- Business transfers. In the event of a merger, acquisition or asset sale, personal data may be transferred to the acquiring entity subject to appropriate safeguards.
- Aggregated or de‑identified data. We may share aggregated statistics that do not identify individuals.
- No sale of personal data. We do not sell personal data for monetary consideration.
5. International transfers
We may transfer personal data outside the European Economic Area (EEA) or the UK. For example, data may be processed in the United States by our AI provider or cloud hosts. When transferring data internationally, we rely on Standard Contractual Clauses or other approved transfer mechanisms under GDPR and ensure that data is protected by equivalent safeguards. By using the service, you consent to these transfers.
6. Data retention
We retain personal data only as long as necessary for the purposes described:
- Account data is retained for the duration of the account. If you delete your account, we will delete your user‑provided content (property descriptions, photos, custom responses) within 30 days. Reservation history and communications may be retained for up to five years for legal, accounting and regulatory purposes (e.g., to comply with bookkeeping laws) and will then be anonymised or deleted.
- Guest data is retained as long as the host account is active or as required by law. Upon account deletion, guest data will be anonymised or deleted unless retention is required for compliance.
- AI interaction logs are retained in anonymised form for up to two years for product improvement and research, then deleted.
- Backups may contain data for up to 90 days after deletion.
7. Data subject rights
If you reside in the EEA, UK or other jurisdictions with similar laws, you have the following rights with respect to your personal data:
- Right of access. You can request a copy of your personal data that we hold.
- Right to rectification. You can request corrections to inaccurate or incomplete personal data.
- Right to erasure (“right to be forgotten”). You can request deletion of your personal data when it is no longer needed or when processing is based on consent that you withdraw, subject to legal obligations.
- Right to restriction. You can request that we restrict processing of your data in certain circumstances.
- Right to object. You can object to processing based on our legitimate interests.
- Right to data portability. You can request a copy of your data in a machine‑readable format and request transfer to another controller. Data will be provided in JSON or CSV format, which are widely accepted and easy to import into other systems.
- Right to withdraw consent. Where processing is based on consent, you may withdraw consent at any time (e.g., opt‑out of marketing emails).
We will respond to verified requests without undue delay and in any event within one month of receipt. This period may be extended by a further two months where necessary, in which case we will inform you of the extension and reasons. Guests who wish to exercise their data subject rights should contact the host directly. Hosts must forward such requests to [email protected] if they need assistance. We will respond to verified requests within the aforementioned timeframes.
8. California privacy rights
California residents have additional rights under CCPA/CPRA:
- Right to know. You may request information about the categories of personal information collected, the sources, the business or commercial purposes for collection, and the categories of third parties with whom we share the information.
- Right to delete. You may request deletion of personal information, subject to legal exceptions.
- Right to correct. You may request correction of inaccurate personal information.
- Right to opt‑out of sale or sharing. We do not sell personal information. If we engage in data sharing for advertising, you will have the right to opt‑out.
- Right to non‑discrimination. We will not discriminate against you for exercising your privacy rights.
- Identity verification. To verify your identity for CCPA requests, we will match at least two data points you provide against information in our records, such as your email address and recent transaction details.
CCPA requests may be submitted to [email protected]. California residents may also contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445‑1254 or (800) 952‑5210.
9. Cookies and tracking technologies
We use cookies and similar technologies to maintain sessions, remember preferences and analyse usage. Essential cookies are necessary for basic operation; functional cookies remember preferences; analytics cookies help us improve the product; and, with consent, advertising cookies may be used for retargeting. EU visitors will see a cookie consent banner allowing them to manage preferences.
Cookie examples
| Cookie Name | Purpose | Duration | Type |
| session_id | Authentication; maintains user session | Session | Essential |
| lang | Stores language preference | 1 year | Functional |
| analytics_id | Collects usage statistics | 12 months | Non‑essential (analytics) |
These cookies illustrate typical uses; additional cookies may be set depending on features used.
Our Service does not currently respond to Do Not Track (DNT) browser signals. For more detailed information, please refer to our Cookie Policy.
10. Data security
We implement industry‑standard measures to protect personal data, including encryption in transit, access controls, secure hosting environments and regular backups. While we strive to protect data, no system is completely secure. Users should use strong passwords and enable two‑factor authentication where available.
In the event of a personal data breach, we will comply with notification requirements as described in Section II.11.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify users of material changes (e.g., through the dashboard or by email). Your continued use of the service after the effective date of the updated policy constitutes acceptance of the changes. If required by law, we will seek consent for changes that affect how we process your data.
12. Contact information (privacy)
For privacy inquiries or to exercise your rights, please contact us at [email protected] or write to Alfredco Host OÜ, Priisle tee 2‑26, 13914 Tallinn, Estonia. EU residents may also lodge a complaint with the Estonian Data Protection Inspectorate or another supervisory authority in their country if they believe their rights have been violated.
IV – Legal Mentions (Imprint)
1. Site publisher / service provider
Company name: BOTIQUE.ME OÜ
Legal form: Private limited company (Osaühing) registered in Estonia
Registration number: 16392657 (Estonian Commercial Register)
VAT ID: EE102617184
Business address: Järvevana tee 9, 11314 Tallinn, Estonia
Contact email: [email protected]
Telephone: +372 580 54864
2. Hosting provider
Our website and application are hosted on cloud infrastructure located in the European Union (e.g., Amazon Web Services in Dublin, Ireland). Contact details for the hosting provider: AWS Europe, 5 Burlington Plaza, Dublin 4, Ireland.
3. Professional licenses and memberships
The Company is not subject to any specific professional licence regime. Alfredco.host is a software service for hospitality management and does not act as a real estate broker or travel agency.
4. Intellectual property notice
All content on our site and service, including software, text, graphics and logos, is protected by intellectual property laws. You may not reproduce, modify or distribute our content without permission. Trademarks of third parties (e.g., Airbnb, WhatsApp) are the property of their respective owners and are used for identification purposes only; Alfredco.host is not affiliated with or endorsed by those companies.
5. Liability disclaimer (website use)
While we endeavour to keep information on the website up‑to‑date, we do not guarantee its accuracy. The website may link to third‑party sites; we are not responsible for their content or availability.
6. Governing law (imprint)
The Legal Mentions section is governed by Estonian law. Consumers in the EU retain the protection of mandatory consumer protection laws and may bring proceedings in their home courts.
7. Contact information (imprint)
For any legal or technical inquiries related to the site, please contact us at [email protected] or by mail at our registered office.
Cookie Policy
Introduction
This Cookie Policy explains how Botique.me OÜ (“Alfredco.host”, “Company”, “we”, “us” or “our”) uses cookies and similar technologies on our website and services. It should be read together with our Terms of Use and Privacy Policy. By continuing to browse or use our services, you consent to the use of cookies as described in this policy, unless you choose to disable them via your browser settings or our cookie management tools.
Cookies are small text files that a website stores on your device (computer, tablet or mobile) when you visit a site. They enable the website to remember your actions and preferences (such as login and language settings) over a period of time and provide various functions, such as authentication, analytics and personalisation. Some cookies are placed by third parties acting on our behalf.
How We Use Cookies
We use cookies and similar technologies for the following purposes:
- Essential cookies – Necessary for the basic functioning of the website and the services. Without these cookies, certain features (such as logins or session management) will not work. These cookies do not require consent.
- Functional cookies – Remember your preferences and settings to enhance your experience (e.g., your selected language or user interface customisations). Disabling these may affect how our website functions for you.
- Analytics cookies – Collect information about how you interact with our website, such as pages visited and links clicked, to help us improve the performance and usability of our services. These cookies may require your consent depending on your location.
- Advertising cookies – May be used (with your consent) to deliver personalised advertisements or measure the effectiveness of advertising campaigns. We do not currently use advertising cookies, but we may introduce them in the future with appropriate consent mechanisms.
Types of Cookies We Use
Below are examples of the cookies we use on our site. This list is not exhaustive and may be updated over time.
| Cookie Name | Purpose | Duration | Type |
| session_id | Maintains your session so you remain logged in while navigating our site | Session | Essential |
| lang | Stores your language preference to show content in your selected language | 1 year | Functional |
| analytics_id | Collects aggregated usage statistics to help us analyse how our site is used | 12 months | Analytics |
Managing Cookies and Opting Out
When you first visit our site, you may see a cookie banner or pop‑up that allows you to accept or reject non‑essential cookies (such as analytics and advertising cookies). Essential cookies cannot be disabled as they are necessary for our services to work.
You can also manage your cookie preferences at any time by adjusting your browser settings to delete or block cookies. Each browser provides different mechanisms for managing cookies; please refer to your browser’s help documentation for instructions. Please note that blocking or deleting cookies may affect your ability to use certain features of our site.
Do Not Track Signals
Some browsers offer a “Do Not Track” (DNT) signal that you can enable to indicate that you do not wish to be tracked. Our site currently does not respond to DNT signals. If you wish to opt out of tracking, please use the cookie management options described above.
Changes to This Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in our practices, technology or legal requirements. When we do, we will revise the “Last Updated” date at the top of this policy. We encourage you to review this policy periodically for the latest information on our cookie practices.