Privacy Policy
This policy explains what we collect, why, and what choices you have. It covers two kinds of people: the hotels and their staff who use Maison ("customers"), and the guests whose information a hotel stores in Maison ("guest data").
How the two roles work
A hotel is our customer. The hotel decides what guest information to put into Maison and how to use it. For that guest data, the hotel is the controller and Maison is the processor: we hold and process it on the hotel's instructions. If you are a guest and want your information changed or removed, contact the hotel you stayed with. We will help that hotel act on your request.
What we collect
From hotel accounts and staff
- Account details: name, work email, role, and password (stored only as a secure hash by our authentication provider).
- Property details you enter, such as hotel name, address, branding, and settings.
- Billing details needed to run your subscription. Card numbers are handled by Stripe and are never stored on our servers.
- Usage and log data, such as sign-in times and basic technical logs, used to keep the service secure and working.
Guest data, on the hotel's behalf
- Guest name and contact details, booking and stay history, folio and payment records, and any notes or preferences the hotel chooses to store.
Why we process it
- To provide, secure, and maintain the service.
- To process subscription billing.
- To send transactional email, such as booking confirmations and account messages.
- To meet legal and tax obligations.
Service providers we use
We use a small number of trusted providers to run Maison. They process data only to provide their service to us.
| Provider | Purpose |
|---|---|
| Supabase | Database and authentication |
| Stripe | Subscription billing and card processing |
| Railway | Application hosting |
| [Email provider] | Sending transactional and confirmation email |
Where data is held and how long
Data is stored with the providers above, which may process it in [regions]. We keep account and guest data for as long as the hotel's account is active, and after closure for the period needed to meet legal, tax, and audit obligations, after which it is deleted or anonymized.
How we protect it
Data is encrypted in transit. Each hotel's data is isolated using database row-level security so one hotel cannot see another's records. Card data is handled by Stripe, so we do not store it. See our Security page for more.
Your choices
Hotel account holders can access, correct, export, or delete most data from inside the app, or by emailing us. Guests should contact the hotel that holds their record; we will assist that hotel. Depending on where you live, you may have additional rights under local law.
Changes and contact
We may update this policy and will change the effective date above when we do. Questions or requests: support@royalbengal.ai.