Privacy Policy

Last updated: February 2026

1. Who we are

This service is operated by Digital Oas AB, a company registered in Sweden, European Union. We provide an AI-powered guest communication platform for hostels (the "Service").

For privacy enquiries or data requests, contact us at: victor.palmlund@gmail.com

Digital Oas AB is the data controller for data relating to hostel staff accounts. For guest data, the hostel (our customer) is the data controller and we act as a data processor on their behalf.

2. What data we collect and why

Hostel staff

  • Email address: used to create and authenticate your account, and to send escalation notifications when a guest conversation requires staff attention. Legal basis: contract performance.
  • Account activity: records of settings changes and knowledge base edits for operational purposes. Legal basis: legitimate interest.

Hostel guests (webchat)

  • Message content: the text of messages sent through the embedded chat widget, used to generate AI responses. Legal basis: legitimate interest of the hostel in providing guest support.
  • Session identifier: a randomly generated ID stored in the guest's browser (localStorage) to maintain conversation continuity. No personal identity is inferred from this identifier.

Hostel guests (WhatsApp)

  • Phone number: the sender's WhatsApp phone number, used to route messages to the correct conversation thread and to send replies.
  • Message content: the text of WhatsApp messages, used to generate AI responses.
  • WhatsApp messages are delivered to us via the WhatsApp Business Cloud API. WhatsApp's own privacy policy also applies to WhatsApp communications.

Reservation data (PMS integration)

  • When a hostel connects a property management system (currently Cloudbeds), we sync reservation data including guest names, email addresses, phone numbers, check-in/check-out dates, and room types. This data is used solely to answer guest queries about their own bookings. Legal basis: legitimate interest of the hostel.

3. Third-party processors

We use the following sub-processors to operate the Service:

  • Anthropic (EU, with US fallback available on request) - AI language model processing. Guest message content is sent to Anthropic's API to generate responses. Since August 2025, Anthropic processes and stores EU API traffic within the EU by default. Anthropic does not train on API data. Anthropic Privacy Policy.
  • Supabase (EU, Ireland) - database and file storage. Our Supabase project is hosted on AWS eu-west-1 (Dublin, Ireland). All conversation data, knowledge base content, and reservation data is stored in this region.
  • WhatsApp Ireland Limited (Ireland, EU) - WhatsApp message delivery via the Business Cloud API. For EU customers, the contracting entity is WhatsApp Ireland Limited, a subsidiary of Meta Platforms. Message content may also be processed in the US under Meta's EU-US Data Privacy Framework certification and Standard Contractual Clauses. WhatsApp Privacy Policy.
  • Resend (USA) - transactional email delivery for escalation notifications to hostel staff. Resend is certified under the EU-US Data Privacy Framework and processes transfers under Standard Contractual Clauses.
  • Vercel (USA, with EU execution regions) - application hosting and serverless function execution. Vercel's control plane is US-based; serverless functions may execute in EU regions. Vercel is ISO 27001:2022 certified and processes EU transfers under Standard Contractual Clauses. Vercel DPA.
  • Voyage AI / MongoDB (USA) - text embedding generation for knowledge base search. Data is processed in the United States. We are in the process of obtaining a Data Processing Addendum with Standard Contractual Clauses from this vendor. Until that is in place, knowledge base content (hostel information documents) is processed in the US; guest message content is not sent to this service.

Transfers to processors outside the EU are covered by Standard Contractual Clauses (SCCs) or adequacy decisions where applicable. A list of current sub-processors is available on request.

4. How long we keep data

  • Conversation messages: retained for 12 months from the date of the conversation, then deleted.
  • Staff account data: retained for the duration of the account and deleted within 30 days of account closure on request.
  • Reservation data: retained for 90 days after check-out, then deleted from our systems. The authoritative record remains in the hostel's PMS.
  • Action logs (AI tool call audit trail): retained for 12 months.

5. Your rights (GDPR)

If you are in the European Union or UK, you have the right to:

  • Access: request a copy of personal data we hold about you.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your data ("right to be forgotten").
  • Portability: receive your data in a machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Restriction: request that we restrict processing of your data.

To exercise any of these rights, email victor.palmlund@gmail.com. We will respond within 30 days. If you are a hostel guest, we may need to coordinate with the hostel as data controller to fulfil your request.

You also have the right to lodge a complaint with your national data protection authority. In Sweden this is the Integritetsskyddsmyndigheten (IMY).

6. Cookies and tracking

The admin dashboard uses a session cookie set by Supabase Auth for authentication. The guest chat widget stores a session identifier in localStorage. This is not a cookie and is not used for tracking or advertising. We do not use any third-party analytics or advertising trackers.

7. Changes to this policy

We may update this policy as the Service evolves. Material changes will be communicated to hostel account holders by email. The "last updated" date at the top of this page reflects the most recent revision.

8. Contact

Digital Oas AB
Sweden, EU
victor.palmlund@gmail.com