GDPR Compliance Statement
Last Updated: December 24, 2025
At HelloGuest, we are committed to data privacy and the principles of the General Data Protection Regulation (GDPR). This document outlines how we ensure compliance for our users (Data Controllers) and their guests (Data Subjects).
1. Our Role
- Data Processor: HelloGuest acts as a Data Processor when we handle guest feedback and business profile data on behalf of our users.
- Data Controller: We act as a Data Controller for the account information of the business owners who sign up for our services.
2. Data Minimization
We only collect the minimum amount of personal data necessary to provide our feedback and review management services.
Guests are not required to provide personal identification to leave a review via our platform.
3. Data Subject Rights
Under GDPR, individuals have specific rights regarding their personal data. HelloGuest facilitates these rights by:
- Right to Access: Users can export their data directly from the HelloGuest dashboard.
- Right to Erasure (Right to be Forgotten): Upon request, we will permanently delete all personal data associated with an account.
- Right to Rectification: Users can update their account information at any time via their profile settings.
4. Security Measures
We implement robust technical and organizational measures to protect your data:
- Encryption: All data is encrypted in transit via SSL/TLS and at rest using industry-standard AES-256 encryption within the Firebase/Google Cloud environment.
- Access Control: Access to backend data is strictly limited to authorized personnel.
- Hosting: Our infrastructure is hosted on Google Cloud Platform (Firebase), which maintains world-class compliance certifications (ISO 27001, SOC 2/3).
5. Data Processing Agreement (DPA)
We offer a standard Data Processing Agreement for our business users that outlines our commitments to data security and privacy under GDPR.
By using HelloGuest, you agree to our processing of data in accordance with these standards.
6. International Transfers
For data transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) to ensure a high level of protection.
We continuously monitor legal developments regarding international data transfers to remain compliant.
7. Contact Information
For any GDPR-related inquiries or to exercise your data rights, please contact our Data Protection Officer at dpo@helloguest.ai.