GDPR Compliance
Last updated: June 2026
vGuest provides an AI guest-communication platform to hotels. Under the General Data Protection Regulation (GDPR), the hotel is the Data Controller of its guests' personal data and vGuest acts as a Data Processor on the hotel's behalf. This page summarises how we meet our GDPR obligations and what we offer our hotel partners and their legal teams.
Data Processing Agreement
A Data Processing Agreement (DPA) per Article 28 GDPR is available for signature with every hotel customer. It covers documented instructions, confidentiality, security measures, sub-processor management, assistance with data subject requests, breach notification and deletion or return of data at contract end. To receive our DPA for signature, contact privacy@vguest.ai.
EU Data Residency
All vGuest production infrastructure — application servers, databases and message queues — runs in the European Union, in Google Cloud region europe-west3 (Frankfurt, Germany). Guest data is stored and processed in the EU, encrypted in transit and at rest.
Data Subject Rights
Access & portability
Hotels can export a guest's full record — profile, conversation history and requests — in CSV/JSON at any time.
Erasure
A guest's data can be permanently deleted via the dashboard or API, with deletion completed within 30 days of the request.
Rectification
Hotel staff can correct guest profile data and recorded preferences at any time.
Objection & consent
Marketing messages are sent only to guests with recorded consent; opt-outs are honoured automatically by all campaign workflows.
Guests can also request deletion directly via our data deletion page.
Security Measures (Article 32)
- All production infrastructure — application servers, databases and queues — runs in Google Cloud region europe-west3 (Frankfurt, Germany).
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control (Admin / Operator / Viewer) with strict per-hotel tenant isolation.
- Least-privilege, scoped API keys and short-lived signed session tokens.
- Full audit logging of API access and administrative changes, retained for 90 days.
- Defined retention schedule per data category, published in our Privacy Policy.
Sub-processors
We use a small set of vetted sub-processors. Where a transfer outside the EEA occurs, it is covered by the European Commission's Standard Contractual Clauses (2021/914) and/or the EU-US Data Privacy Framework. Hotels are notified at least 30 days before any sub-processor change.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud EMEA (Google Ireland Ltd.) | Cloud infrastructure, application hosting and databases | EU — europe-west3 (Frankfurt, Germany) | Data processed and stored in the EU |
| Meta Platforms Ireland Ltd. | WhatsApp Business Platform message delivery | EU / Global | Standard Contractual Clauses; only message content transits Meta — never internal hotel notes or tickets |
| AI model providers (OpenAI, Anthropic, Google, xAI) | Generating AI assistant responses to guest messages | United States | Standard Contractual Clauses / EU-US Data Privacy Framework; enterprise API terms — no training on customer data |
| Amazon Web Services | Storage of public media files (CDN-served images) | United States | Standard Contractual Clauses; no guest conversation data |
| PMS & telephony connectors (per hotel, e.g. Optima, Mews, Twilio) | Reservation sync and voice/payment callbacks, only where enabled by the hotel | Varies by provider | Engaged only on the hotel's instruction; listed in the hotel's DPA |
Breach Notification
We notify affected hotels without undue delay — and within 72 hours of incident verification — of a personal data breach, with the information the hotel needs for its own notifications under Articles 33 and 34 GDPR, and cooperate fully in remediation.
Documentation & Contact
A signed DPA, security questionnaire responses and further documentation are available on request. See also our Privacy Policy and Terms of Service.
Privacy team: privacy@vguest.ai | Support: support@vguest.ai