1. Introduction
HoreBot ("we", "our", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (horebot.eu) or use our AI-powered hotel receptionist services.
We are a company registered in the Netherlands and fully comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Dutch Implementation Act (UAVG), and other applicable EU data protection laws.
Data Controller: HoreBot is the data controller for the personal data processed through our website and services. Our contact details are provided in Section 12 below.
2. Scope and Applicability
This Privacy Policy applies to:
- Visitors to our website (horebot.eu)
- Hotel partners and customers using our services
- Individuals who contact us via email, phone, or contact forms
- Users of our AI-powered robot receptionist platform
- Newsletter subscribers
- Job applicants
3. Personal Data We Collect
3.1 Data You Provide Voluntarily
We collect personal data when you:
- Contact us: Name, email address, phone number, company name, hotel details, message content
- Request a demo: Contact information, hotel size, requirements
- Subscribe to newsletter: Email address
- Use our services: Guest data processed through our robot receptionist (see Section 5)
- Apply for jobs: Resume, contact details, work history
3.2 Data Collected Automatically
When you visit our website, we may automatically collect:
- Device information: Browser type, operating system, device type
- Usage data: Pages visited, time spent, click patterns, referring website
- Location data: General geographic location based on IP address (country/city level)
- Cookies: Session cookies, preference cookies, analytics cookies (see Section 9)
3.3 Categories of Personal Data
| Category | Examples |
|---|
| Identifiers | Name, email, phone number |
| Professional data | Company name, hotel details, job title |
| Technical data | IP address, browser type, device info |
| Usage data | Website visits, page views, interactions |
| Communication | Messages, inquiries, feedback |
4. Legal Basis for Processing (GDPR Art. 6)
We process your personal data only when we have a lawful basis under GDPR Article 6:
- Consent (Art. 6(1)(a)): When you opt-in to newsletter, analytics cookies, or marketing communications
- Contract (Art. 6(1)(b)): When processing is necessary to provide services requested by you
- Legal obligation (Art. 6(1)(c)): When we must comply with laws (e.g., tax records, regulatory requirements)
- Vital interests (Art. 6(1)(d)): In emergency situations involving hotel guests
- Public interest (Art. 6(1)(e)): Rarely applicable to our business operations
- Legitimate interests (Art. 6(1)(f)): For business operations, security, fraud prevention, and improving our services
We maintain records of processing activities as required by GDPR Article 30.
5. Purposes of Processing
We process personal data for specific purposes:
- Service delivery: Responding to inquiries, providing demos, delivering robot receptionist services
- Communication: Sending requested information, updates, newsletters (with consent)
- Business development: Analyzing inquiries, improving services, developing new features
- Security: Protecting our systems, preventing fraud, maintaining security logs
- Analytics: Understanding website usage, optimizing user experience (with consent)
- Legal compliance: Meeting regulatory requirements, responding to legal requests
- Hotel guest services: When hotels use our robot receptionist, we may process guest data under contract with the hotel (hotel is data controller)
6. Data Sharing and Recipients
We may share your data with:
- Service providers: Email services (SMTP), hosting (Vercel), analytics (Plausible) - all under Data Processing Agreements
- Business partners: Hotel partners (with your consent), PMS system providers (under contract)
- Legal authorities: When required by law, court orders, or regulatory bodies
- Professional advisors: Lawyers, accountants, auditors (under confidentiality)
We do not sell your personal data to third parties. We ensure all recipients have appropriate data protection measures.
7. International Data Transfers
As a Netherlands-based company, we primarily process data within the EU/EEA. However, some services may involve transfers outside the EU:
- Hosting: Vercel (US) - We rely on Standard Contractual Clauses (SCCs) approved by EU Commission
- Analytics: Plausible (EU-hosted) - No transfer outside EU
- Email: SMTP providers - We use EU-hosted services or ensure SCCs
We ensure appropriate safeguards for all international transfers as required by GDPR Articles 44-49.
8. Your GDPR Rights
Under GDPR, you have the following rights:
Right to Access (Art. 15)
Request confirmation and copy of your personal data being processed.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your data ("right to be forgotten") when no longer necessary.
Right to Restriction (Art. 18)
Request limitation of processing in certain circumstances.
Right to Portability (Art. 20)
Request your data in a portable format to transfer to another service.
Right to Object (Art. 21)
Object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent (Art. 7)
Withdraw consent at any time for consent-based processing.
Right to Lodge Complaint (Art. 77)
File a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
Website: autoriteitpersoonsgegevens.nl
To exercise these rights, contact us at info@horebot.nlWe will respond within one month (can be extended to three months for complex requests).
9. Cookies and Tracking Technologies
We use cookies and similar technologies:
Cookie Types Used:
| Type | Purpose | Duration |
|---|
| Essential | Website functionality, security | Session |
| Analytics (Plausible) | Privacy-friendly website analytics | Persistent (with consent) |
| Preference | Remember your settings | 1 year |
We use Plausible Analytics - a privacy-friendly, GDPR-compliant analytics tool that:
- Does not use cookies
- Does not collect personal data
- Does not track across websites
- Anonymizes all data
- Hosted entirely in EU
You can manage cookie preferences through your browser settings. For more details, see our Cookie Notice.
10. Data Retention Periods
We retain personal data only as long as necessary:
- Contact inquiries: 2 years (for business follow-up), then anonymized
- Demo requests: 2 years or until service contract ends
- Newsletter subscribers: Until unsubscribe, then immediately deleted
- Service contracts: Duration of contract + 7 years (legal requirement)
- Analytics data: Anonymized after 90 days
- Job applications: 6 months (rejected), 2 years (hired)
- Legal records: 7 years minimum (tax, regulatory requirements)
After retention period, data is securely deleted or anonymized in accordance with GDPR Art. 5(1)(e).
11. Data Security Measures
We implement robust security measures:
- Encryption: TLS 1.3 for all data in transit, AES-256 for data at rest
- Access controls: Role-based access, multi-factor authentication
- Infrastructure: Secure hosting, regular updates, firewall protection
- Monitoring: Real-time security monitoring, intrusion detection
- Backups: Regular encrypted backups with secure storage
- Audits: Annual security assessments, penetration testing
- Training: Regular data protection training for all staff
In case of data breach, we will notify you and the Dutch DPA within 72 hours as required by GDPR Art. 33-34.
12. Contact Information & DPO
Data Controller: HoreBot
For GDPR-related inquiries, contact our Data Protection Officer at: dpo@horebot.nl
Supervisory Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
autoriteitpersoonsgegevens.nl
13. Policy Updates
We may update this Privacy Policy. Significant changes will be announced on our website with updated "Last updated" date. We encourage you to review this policy periodically.
Previous versions are available upon request.
Version History
| Version | Date | Changes |
|---|
| 2.0 | April 22, 2026 | Comprehensive GDPR update, enhanced rights section |
| 1.0 | April 16, 2026 | Initial privacy policy |