Privacy Policy
Last updated: 31st May 2026
This Privacy Policy explains how Hostigram, Inc. ("Hostigram", "we", "us", "our") collects, uses, shares, and protects personal data in connection with the Hostigram service (the "Service").
If you are a Host, this Policy describes the data we collect about you and how we handle it. If you are a Guest using a Service Page configured by a Host, this Policy describes the limited circumstances in which we collect your data and how it is processed on the Host's behalf.
We aim to be straightforward. If anything here is unclear, write to [email protected].
Contents
- Who we are
- The two roles: controller and processor
- Personal data we collect
- How we use personal data and the legal bases we rely on
- AI processing
- Who we share data with
- International data transfers
- How long we keep data
- Your rights
- Cookies and similar technologies
- Security
- Children
- Changes to this Policy
- How to contact us
1. Who we are
Hostigram is operated by Hostigram, Inc., with its registered office at 124 City Road, London, England, EC1V 2NX.
For privacy enquiries: [email protected]
Our EU and UK representative under Article 27 of the EU and UK GDPR: Deniss Zerkalijs
2. The two roles: controller and processor
Hostigram acts in two different capacities depending on the data involved. This distinction matters because it determines who you should contact about your data.
We are the controller of personal data when we determine how and why it is processed. This applies to:
- the personal data of Hosts and people creating accounts;
- visitors to our marketing website;
- people who contact our support team or sign up for our launch-partner programme;
- the operational data we generate to run the Service (logs, security events, billing records, etc.).
We are the processor of personal data that a Host instructs us to handle on their behalf. This applies to:
- the contents of a Host's Knowledge Content;
- Guests' messages and the names, emails, phone numbers, and other details Guests provide to a Host's Service Page;
- analytics and chat logs generated through Guest interactions on the Host's Service Page.
For data we process on a Host's behalf, the Host is the controller. The Host's own privacy notice should explain how they use Guest data. Where you (as a Guest) wish to exercise rights over that data, you can contact either the Host or us (see section 9).
Our processing of personal data on behalf of Hosts is governed by our Data Processing Addendum, available on request.
3. Personal data we collect
3.1 Data Hosts provide directly
When you register, configure, or pay for the Service we collect:
- Account data: name, email address, password (stored as a hash), avatar, locale preference, time zone.
- Authentication data: your identifier from any third-party sign-in provider you use (currently Google).
- Profile and business data: any company name, contact details, role, or other information you enter in your account settings.
- Service Page configuration: titles, descriptions, photographs, addresses, dates, schedules, action links, access settings.
- Knowledge Content: the questions, answers, documents, and other material you upload to inform the AI assistant. We do not require you to upload personal data of third parties, and you are responsible for the lawfulness of anything you upload.
- Guest list data (where you use the "guest list" access mode or "guest services" feature): the names, emails, phone numbers, check-in/check-out dates, and similar details of your own guests. As described in section 2, we process this data on your behalf.
- Billing data: information needed to process payments. We use Stripe to handle card numbers and bank details; we never see or store full card numbers. We retain billing metadata (plan, currency, amount, dates, country, last four digits of the card, invoice records).
- Support communications: messages you send to us, including any attachments and the contents of any account screenshots you share.
3.2 Data Guests provide directly
When a Guest uses a Service Page configured by a Host, we collect, on the Host's behalf:
- Identity details the Service Page asks for: typically a first name, optionally an email address or phone number, and any access code or token. Hosts configure which of these are requested.
- Chat messages: the text the Guest sends to the AI assistant, and the AI responses, including any attached files where supported.
- Feedback: thumbs-up/thumbs-down ratings and any free-text feedback a Guest submits.
- WhatsApp messages (where the Host has enabled WhatsApp): content received via Meta's WhatsApp Cloud API, including the Guest's phone number.
3.3 Data we collect automatically
When you, your collaborators, or your Guests use the Service, we automatically receive:
- Device and connection data: IP address, user-agent string, browser type and version, operating system, device type, screen size, referring URL.
- Approximate location: derived from IP address, used to localise content and detect anomalies; we do not collect precise GPS location.
- Usage data: pages viewed, features used, links clicked, the time and duration of interactions.
- Service Page access logs: a record of access attempts to a Service Page (success or denial, reason, time, IP, user-agent). This is used for security, audit, and abuse prevention.
- AI usage records: per-message records of which AI models were used, how many tokens were processed, and the resulting cost. These records are tied to a Service Page and a chat session.
- Diagnostic data: error reports and performance metrics generated by the Service. We use Sentry (see section 6) and scrub identifiers such as email addresses and phone numbers from these reports where practical.
3.4 Data from third parties
We may receive limited data from:
- Identity providers when you sign in with a third-party account (e.g. Google): generally your email address, name, and a stable provider identifier.
- Stripe, when a payment is processed: confirmation, payment status, and limited card metadata.
- Meta, when WhatsApp is enabled: message contents and sender phone numbers via the WhatsApp Cloud API.
3.5 Special-category data
We do not intend to collect special-category data (such as health, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, biometric or genetic data). Do not enter special-category data into Knowledge Content, support messages, or chat. If you do, you provide it at your own risk and on your own legal basis.
4. How we use personal data, and our legal bases
When EU/UK data protection law applies, we rely on the following legal bases:
| Purpose | Categories of data | Legal basis (EU/UK GDPR) |
|---|---|---|
| Provide the Service to Hosts: create accounts, run Service Pages, process Knowledge Content, generate AI responses, deliver receipts | Account data, Knowledge Content, billing data | Performance of a contract with you (Art. 6(1)(b)) |
| Operate the Service for the Host as processor of Guest data | Guest identity, chat content, access logs | Performance of the Host's contract with the Guest; on behalf of the Host as controller |
| Process payments, manage subscriptions, prevent payment fraud | Billing data, IP, device data | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting; legitimate interests (Art. 6(1)(f)) in preventing fraud |
| Secure the Service, prevent abuse, enforce limits, detect bots, investigate incidents | Device and connection data, access logs, usage data | Legitimate interests in protecting our Service and users (Art. 6(1)(f)) |
| Communicate with you about your account, send transactional and operational messages | Account data | Performance of a contract (Art. 6(1)(b)) |
| Send product updates and marketing communications (where applicable) | Account data, preferences | Consent (Art. 6(1)(a)), withdrawable at any time |
| Provide customer support | Account data, support communications, related metadata | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in supporting our users |
| Maintain analytics, troubleshoot, and improve the Service | Usage data, diagnostic data, AI usage records | Legitimate interests (Art. 6(1)(f)) in understanding and improving the Service |
| Comply with legal obligations and respond to lawful requests from authorities | Any data implicated by the request | Legal obligation (Art. 6(1)(c)) |
| Establish, exercise, or defend legal claims | Any data necessary | Legitimate interests (Art. 6(1)(f)); legal claims exemption (Art. 9(2)(f)) where applicable |
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms. You may object to processing based on legitimate interests on grounds relating to your particular situation; see section 9.
5. AI processing
The Service relies on third-party AI models to generate responses, embeddings, and document extractions. Currently we use OpenAI as our AI provider.
When a Guest sends a message, we transmit the following to the AI provider:
- the relevant excerpts of the Host's Knowledge Content selected by our retrieval system,
- the recent conversation history for that session,
- the Guest's current message,
- service metadata (such as the service type, host display name, and configured action links).
We do not include account passwords, billing data, or any data unrelated to that Guest's session in the prompt.
5.1 No model training on your data
Our AI sub-processors operate under contractual terms that prohibit using your Knowledge Content, Guest messages, or AI Outputs to train their general-purpose models. We do not train our own models on this data either.
5.2 AI Output is not reliable advice
AI Output is generated probabilistically and may be inaccurate, incomplete, or outdated. It should not be used for medical, legal, financial, emergency, safety, or other professional decisions. The Terms of Service explain this in more detail.
5.3 Embeddings
When a Host saves a Knowledge Content item, we send the text to the AI provider to generate a vector embedding that allows us to retrieve relevant content for future Guest questions. Embeddings are stored in our database alongside the source item.
6. Who we share data with
We do not sell personal data. We share it only as described below.
6.1 Sub-processors
We use third-party sub-processors to operate the Service. Each is bound by a written agreement requiring appropriate security and confidentiality and prohibiting use of data for purposes other than providing their service to us.
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| Cloudflare, Inc. (US) | Web hosting, CDN, edge compute, object storage (R2), DDoS protection | Global infrastructure; data primarily processed in the United States |
| Neon, Inc. (US) and AWS (US) | Managed Postgres database hosting | AWS us-east-1 (Northern Virginia, USA) |
| Upstash, Inc. (US) | Redis cache and rate-limiting infrastructure | United States |
| OpenAI, OpCo, LLC (US) | AI chat completions, embeddings, and document extraction | United States |
| Stripe, Inc. (US) | Payment processing, customer billing portal, tax calculation | United States and other regions used by Stripe |
| Meta Platforms, Inc. (US) | WhatsApp Cloud API (only when WhatsApp is enabled for a Service Page) | United States |
| Resend, Inc. (US) | Transactional email delivery | United States |
| Functional Software, Inc. d/b/a Sentry (US) | Error tracking and application performance monitoring | United States |
| Inngest, Inc. (US) | Background job orchestration and scheduling | United States |
| Google LLC (US) | OAuth sign-in identity (used only if you choose to sign in with Google) | United States |
A current list is maintained at hostigram.com/sub-processors. We may engage additional sub-processors and will update that page when we do. Hosts may subscribe to notifications of changes by writing to [email protected].
6.2 Other recipients
We may disclose personal data to:
- Professional advisers (lawyers, accountants, auditors) under duties of confidentiality, for the purposes of legal advice, audit, or tax;
- Authorities when required by law, court order, or regulatory request, or when we have a good-faith belief that disclosure is necessary to protect a person from harm or to investigate fraud, abuse, or a security incident;
- A successor entity in connection with a merger, acquisition, financing, or sale of all or part of our business. Your data may be transferred subject to this Policy or a successor policy with at least equivalent protections.
- A Host's collaborators, where the Host has invited them and granted access to one or more Service Pages.
We do not share Host or Guest data with advertisers, data brokers, or any party that would use it to deliver advertising to you.
7. International data transfers
We are based in the United States. The Service runs primarily in the United States and most of our sub-processors are US-based. When you use the Service from outside the United States, your personal data will be transferred to, and processed in, the United States and other countries where our sub-processors operate.
When we transfer personal data out of the EEA, the UK, or Switzerland, we rely on one or more of the following safeguards:
- the EU-US Data Privacy Framework (and the UK Extension and Swiss-US framework) for transfers to certified US recipients;
- Standard Contractual Clauses approved by the European Commission, the UK Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner;
- where appropriate, supplementary technical and contractual measures consistent with the European Data Protection Board's recommendations.
You may request a copy of the safeguards we apply to any particular transfer by writing to [email protected].
8. How long we keep data
We keep personal data only for as long as we need it for the purposes described in this Policy, after which we delete or anonymise it. Specific retention periods include:
| Data | Default retention |
|---|---|
| Account data | For the life of your Account, plus 90 days after closure for operational wind-down |
| Knowledge Content | For the life of the associated Service Page, plus 30 days after deletion |
| Chat messages | 13 months from the message date by default; configurable down to 30 days by the Host |
| Guest identity data (name, email, phone) | For the life of the associated Service Page or guest record, plus the same 30-day grace |
| Access attempts and security logs | 6 months |
| AI usage records | 24 months (needed for billing and cost-audit purposes) |
| Email logs | 12 months |
| Stripe and billing records | At least 7 years where required by accounting and tax law |
| Webhook event logs (Stripe, Meta) | 24 months |
| Support tickets | 24 months after closure |
| Backups | Database backups are retained for up to 30 days on a rolling basis |
| Account deletion | When you delete your Account, deletion is initiated immediately, fully completed within 30 days (and within 7 days for the bulk of data), and Stripe-required billing records are retained for legal compliance only |
A Host may change retention settings within the limits we offer and may request earlier deletion of specific data by contacting [email protected] or using self-serve tools where available.
9. Your rights
9.1 Rights under the EU GDPR and UK GDPR
If you are in the EEA, the UK, or Switzerland, you have the right to:
- access the personal data we hold about you, and request a copy;
- rectify inaccurate or incomplete data;
- erase your data ("right to be forgotten"), where one of the conditions in Article 17 applies;
- restrict processing in certain circumstances;
- port the data you provided to us in a structured, commonly used, machine-readable format;
- object to processing based on legitimate interests, including profiling;
- withdraw consent at any time, where we rely on consent (this does not affect prior lawful processing);
- lodge a complaint with a supervisory authority, including the data protection authority of your country of residence. In Ireland, this is the Data Protection Commission; in the UK, the Information Commissioner's Office.
To exercise these rights, write to [email protected]. We will respond within one month and may ask for information to verify your identity. We will not charge a fee unless your request is manifestly unfounded or excessive.
For data we process on a Host's behalf (Guest data), please direct your request to the Host first, as they are the controller. You may also contact us and we will forward the request to the relevant Host if we are able to identify them.
9.2 Rights under US state privacy laws
If you are a resident of a US state that grants privacy rights (including, at the time of writing, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia, and others as they come into force), you have the right to:
- know what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it;
- access the specific pieces of personal information we have collected about you;
- delete personal information we have collected, subject to exceptions;
- correct inaccurate personal information;
- opt out of the sale or sharing of personal information for cross-context behavioural advertising (we do not sell or share personal information for these purposes, so this right is not engaged in practice);
- limit the use of sensitive personal information (we do not use sensitive personal information for purposes that require this right);
- non-discrimination for exercising your rights.
For California residents specifically: we have not sold or "shared" (as defined under the CCPA/CPRA) personal information in the preceding 12 months. We do not knowingly collect personal information from children under 16. California residents can find a detailed notice covering all CCPA rights, including our full position on selling and sharing, in our California Privacy Notice.
Submit requests to [email protected]. We will verify your identity (typically by confirming control of the email associated with your account or by checking details on file) and respond within the time required by applicable law.
You may authorise an agent to submit a request on your behalf, subject to verification of the agent's authority.
9.3 Communication preferences
You can manage transactional and promotional email preferences in your account settings or by following the unsubscribe link in marketing emails. Operationally necessary communications (e.g. security alerts, billing notices) cannot be opted out of while you maintain an active Account.
10. Cookies and similar technologies
We use a minimal set of cookies and similar technologies.
| Type | Purpose | Examples |
|---|---|---|
| Strictly necessary | Authentication and session integrity. Without these, you cannot sign in or use the Service. | Auth session cookie, CSRF token cookie |
| Preference | Remember your locale and interface preferences. | Locale cookie |
| Security | Protect against attacks (e.g. rate limiting, bot detection at the edge). | Cloudflare bot management |
We use Cloudflare Web Analytics for marketing-site analytics. It is cookie-free and does not track individual users across sites.
We do not use Google Analytics, Facebook pixels, or other third-party advertising or cross-site tracking cookies. We do not sell or share data for cross-context behavioural advertising.
Where your jurisdiction requires consent for non-essential cookies, we ask for it before setting them. You can also control cookies through your browser settings; disabling strictly necessary cookies will break the Service.
11. Security
We take security seriously and apply controls appropriate to the sensitivity of the data we hold. These include:
- Encryption in transit using TLS for all client-server communications.
- Encryption at rest for our managed database and object storage.
- Hashing of passwords using modern algorithms; we never store passwords in plain text.
- Strict role-based access controls within our team; production access is limited to the minimum necessary personnel.
- Multi-factor authentication for administrative access to critical systems.
- Tenant isolation enforced at the application layer with defence-in-depth tests.
- Audit logging of administrative and security-sensitive actions.
- Regular review of sub-processor security posture.
- A documented incident response process and breach-notification workflow that, where applicable, meets the 72-hour notification window under GDPR.
No system is perfectly secure. If you discover a security issue, please report it responsibly to [email protected].
12. Children
The Service is not directed at children. We do not knowingly collect personal data from anyone under the age of 13 in the United States, or under the age of 16 in the European Economic Area or the United Kingdom (or such other minimum age as applicable local law sets for online services). If you believe a child has provided personal data to the Service, contact us and we will take appropriate steps to delete it.
Hosts must not configure Service Pages that target children or that solicit personal data from children without appropriate parental consent in compliance with applicable law.
13. Changes to this Policy
We may update this Policy from time to time. When we make a material change, we will notify you by email to the address associated with your Account or by an in-product notice at least 14 days before the change takes effect (or longer where required by law). The Last updated date at the top of this Policy will reflect the date of the most recent revision. Older versions are available on request.
Your continued use of the Service after a change takes effect constitutes acceptance of the updated Policy. If you do not agree to a change, you may close your Account before the change takes effect.
14. How to contact us
For any question, request, or complaint about your personal data:
Hostigram, Inc. 124 City Road, London, England, EC1V 2NX
Privacy and legal: [email protected]
Customer support: [email protected]
EU and UK representative under Article 27 EU and UK GDPR: Deniss Zerkalijs
If you are in the EEA, the UK, or Switzerland and remain unsatisfied with our response, you have the right to complain to your national data-protection supervisory authority.
This Privacy Policy describes our current practices. It is not legal advice. If anything is unclear, please contact us before relying on it.
