Privacy Policy
FrontDesk24, Inc. ("we", "us", "our") operates the autonomous front desk agent at frontdesk24.us and the connected kiosk software, voice agent, admin dashboard, and audit record services (collectively, "the Service"). This policy explains what data we collect, how we use it, and what rights you and your hotel guests have.
1. What We Collect
Operator Account Data
- Email address — used for authentication, billing, and service communication.
- Password hash — stored securely by our identity provider (we never see or store plaintext passwords).
- Billing data — subscription tier, Stripe customer ID, payment status. Credit card details are stored by Stripe, never by us.
- Property configuration — property name(s), room counts, integrations enabled, kiosk identifiers, agent prompts and policies, voice/LLM provider selection, supervisor PINs (hashed).
Operational Data (Audit Records)
For every guest interaction, we record operational audit events:
- Session ID and timestamp
- Channel used (kiosk, voice, SMS, phone)
- Agent decision steps and tool calls
- Gate evaluations (pre-auth, ID verification, payment, key dispensing)
- Outcome (check-in completed, escalated to staff, abandoned, etc.)
- Cryptographic SHA-256 hashes for trace integrity; kiosk behavior traces are chained per session
For on-property deployments, operational audit records are stored on the property system by default. Operators may opt in to a cloud archive; see "Data Retention" below.
Guest Data
When a guest interacts with the agent, the Service may handle the following — strictly to fulfill the check-in, check-out, or service request:
- Reservation identifiers retrieved from the operator's PMS
- Guest name (from the PMS reservation)
- Last 4 digits of the phone number on file (used for verification)
- If REQUIRE_ID_SCAN is enabled by the operator: an image of the guest's ID document and the extracted name (used to fuzzy-match against the reservation, then discarded unless the operator's retention policy keeps it)
- Voice audio during a session (processed in real time; not stored unless the operator has opted into cloud archive)
- Card-present payment authorization data (handled and stored by the PCI-compliant payment terminal — we never touch the PAN)
- Key card encoding events (room number, encoding timestamp)
What We Do Not Collect
- Full payment card numbers (PCI-handled by the terminal hardware)
- Continuous location data, biometric identifiers beyond what is required for ID verification, or any data unrelated to the check-in flow
- Marketing, advertising, or behavioral profiling data of any kind
- Recordings or transcripts of guest sessions, unless the operator has explicitly enabled the cloud archive
2. How Data Is Processed
FrontDesk24 supports on-property, SaaS, and dedicated-cloud deployments. In on-property deployments, guest data, audit records, and session state stay on the property system and the operator's PMS unless cloud archive is enabled. SaaS or dedicated-cloud storage and retention are documented in the operator agreement.
- Voice audio is streamed in real time to the configured LLM/voice provider (e.g. xAI Grok), processed for the active session, and discarded.
- LLM prompts include only the data necessary for the task (e.g. reservation candidates for fuzzy matching) — never bulk guest exports.
- Kiosk behavior trace entries are chained with SHA-256 hashes per session; PMS folio and night-audit records use append-only controls where supported, and report artifacts include SHA-256 hashes.
- If the operator enables the cloud archive, audit records are mirrored to our cloud storage with a default 90-day retention.
3. Data Retention
- Operator account data — retained for the lifetime of the account.
- On-property audit records — retained per the operator's local policy (we do not access or rotate these unless the deployment agreement includes management services).
- Cloud-archived audit records (opt-in only) — default 90-day rolling window, configurable up to 7 years for regulated operators.
- Voice audio — transient; discarded at end of session unless the operator has opted into archive recording.
- ID-scan images — transient by default; discarded after fuzzy match completes.
- Guest reservation data — owned by the operator's PMS; FrontDesk24 holds no independent copy.
4. How We Use Your Data
- Operate the agent — fulfill check-ins, check-outs, voice calls, and service requests.
- Audit and review — power the behavior trace, dashboard, and incident review tools.
- Billing — manage your subscription via Stripe.
- Service communication — notify operators of account or service issues. We do not send marketing email.
We do not sell, share, or provide your data — operator or guest — to third parties for advertising, profiling, or any purpose unrelated to operating the Service.
5. Third-Party Services
FrontDesk24 integrates with the following providers. Where data flows through them, their privacy policies apply in addition to ours:
- xAI Grok (default LLM and realtime voice) — receives the voice stream and prompt context for the active session. xAI Privacy Policy
- Anthropic, OpenAI, Google — alternative LLM/voice providers, used only when the operator selects them. Their respective privacy policies apply.
- Twilio (telephony) — bridges inbound calls. Twilio Privacy
- Stripe (billing) — processes operator subscription payments. Stripe Privacy
- Supabase (admin dashboard auth and metadata) — stores operator account data. Supabase Privacy
- PMS providers (Oracle Opera, Mews, Cloudbeds, HotelKey, etc.) — guest reservation data flows directly between the operator's PMS and the kiosk; we do not relay or store it.
- Lock manufacturers (ASSA ABLOY, Dormakaba, Salto) — receive room/encoding requests during key dispensing.
- Let's Encrypt — provides TLS certificates for our domains.
No analytics trackers, advertising pixels, or social media widgets are loaded on frontdesk24.us or the admin dashboard.
6. Data Security
- All web and admin traffic encrypted via HTTPS (TLS 1.2+)
- Kiosk behavior trace integrity protected by a per-session SHA-256 hash chain; PMS report artifacts protected by SHA-256 hashes
- Locally-encrypted kiosk storage
- Supervisor PIN required for sensitive overrides (refunds, key re-dispense, payment voids)
- Pre-auth gating for key dispensing and payment capture — no key issued without a verified guest and authorized capability
- Passwords hashed by the identity provider (bcrypt)
- Database access governed by row-level security policies
- Stripe webhook signatures verified cryptographically
- Capability lookups fail closed — if the system can't confirm a permission, the operation is denied
7. Operator Rights
As an operator, you have the right to:
- Access your data — view it in the admin dashboard.
- Export your data — audit records, configuration, and account data via the dashboard's export tool.
- Delete your account — permanent and irreversible deletion via the dashboard or by contacting [email protected].
- Correct your data — edit property configuration, integrations, and policies at any time through the dashboard.
8. Guest Rights
For data about hotel guests, the operator (the hotel) is the data controller; FrontDesk24 acts as the data processor. Guests should direct privacy requests to the property where they stayed. We will assist the operator in fulfilling guest requests on request, including data deletion and export.
9. GDPR Compliance (EU Operators and Guests)
- Legal basis — contract performance (operators), legitimate interest in fulfilling the booking (guests).
- Data minimization — we collect only what the check-in flow requires.
- Data portability — full export available via the dashboard.
- Right to erasure — operator account deletion is self-service; guest data deletion is coordinated with the operating property.
- Retention limits — voice audio and ID images are transient by default; cloud-archived audit records default to 90 days.
- DPA — a Data Processing Agreement is available on request for EU operators.
10. CCPA Compliance (California Operators and Guests)
- We do not sell personal information.
- We do not share personal information for cross-context behavioral advertising.
- You may request deletion of your data at any time.
11. Recording and Notice
Operators are responsible for posting clear, conspicuous notice at the kiosk and in the voice/phone channel that interactions involve an AI agent and may be recorded for audit purposes. We provide template notices; deploying them in compliance with local two-party consent and disclosure laws is the operator's responsibility.
12. Children's Privacy
FrontDesk24 is not directed at children under 13 and is intended for adult guests checking in to a hotel. We do not knowingly collect data from children. Operators should escalate any minor-only check-in attempt to staff per their property policy.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by emailing operators directly.
14. Contact
For privacy questions, data requests, or DPA inquiries: [email protected].