Legal

Privacy Policy

Last updated 4 June 2026

This Privacy Policy explains what personal information Bearon Labs Indonesia (“Otello”, “we”, “us”) collects through the Otello platform, how we use it, and how we keep it secure.

It works alongside our Terms & Conditions. Keeping the information you entrust to us safe is the commitment we stand behind.

1. Scope & our role

This Policy applies to the Otello platform and related services (the "Service"). It describes the personal information we handle and, above all, how we protect it.

For account and identity information about you (the owner or staff user), we act as the data controller. For the operational and guest data you enter into the Service — bookings, guest contacts, stay details, messages — you (the "Customer", the accommodation business) are the data controller and we act as your data processor, handling that data on your documented instructions to provide the Service.

2. Information we collect

  • Account & identity data — your name, email address, role, and a securely hashed password.
  • Property & business data — details about your property, rooms, rates, and configuration.
  • Operational data — bookings, folios, housekeeping, and related records you create.
  • Guest data you enter — guest names, contact details, and stay information that you, as controller, choose to store.
  • Communications — messages you send or route through the Service to guests or your team.
  • Billing metadata — subscription and invoice information. Card and payment details are handled directly by our payment processors; we do not store full card numbers.
  • Usage & device data — log data, device and browser information, and diagnostics used to operate and secure the Service.
  • Local storage — cookies and on-device storage (including IndexedDB) used for authentication, preferences, and offline functionality.

3. How we use information

We use personal information to:

  • provide, operate, secure, and support the Service;
  • authenticate you and manage your account and users;
  • run the AI agents and features you choose to use, on your instruction;
  • process subscriptions, billing, and related communications;
  • comply with legal obligations and enforce our Terms; and
  • improve the Service, using aggregated and de-identified data that does not identify any individual.

5. Sharing & sub-processors

We do not sell personal information. We share it only as needed to run the Service, with vetted sub-processors who are bound by confidentiality and data-protection obligations, including:

  • cloud hosting and infrastructure providers;
  • payment processors (for example, Stripe and local payment providers);
  • messaging and email providers (for example, WhatsApp/Meta, Google, and Microsoft) where you connect them;
  • AI / large-language-model providers used to power the agents; and
  • analytics and error-monitoring services used to keep the Service reliable.

We may also disclose information where required to comply with the law, enforce our Terms, or protect the rights, safety, and security of our users and the Service.

6. International transfers

Some of our sub-processors operate outside Indonesia, so your information may be processed in other countries. Where we transfer personal data internationally, we take steps intended to ensure it remains protected to a standard consistent with applicable law.

7. How we keep your data secure

Protecting the information you entrust to us is the commitment we stand behind. We apply commercially reasonable, industry-standard technical and organisational measures, including:

  • encryption of data in transit (TLS) and, where applicable, at rest;
  • least-privilege access controls and authentication for our systems;
  • logical separation (tenant isolation) of each customer’s data;
  • securely hashed account credentials;
  • audit logging and monitoring of sensitive actions; and
  • periodic review of our security practices.

No method of transmission or storage is completely secure. While we commit to reasonable, ongoing protection and to responding promptly to security incidents, we cannot guarantee absolute security.

8. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service, then for a reasonable period afterwards to meet legal, accounting, or security obligations. After that, we delete or de-identify it. Customers may also request deletion of their data, subject to our legal obligations.

9. Your rights

Subject to applicable law, you have rights over your personal information, which may include the right to access, correct, delete, restrict, or object to its processing, to data portability, and to withdraw consent.

For guest and staff data held under a Customer’s account, the Customer is the controller; individuals should direct such requests to the relevant property. To exercise rights over your own account data, contact us using the details below. You may also lodge a complaint with your data-protection authority.

10. Guest data — Customer responsibility

When you enter guest or staff personal data into the Service, you are the data controller for that data and we process it on your behalf. You are responsible for having a valid lawful basis and any required notice or consent for that data, and you instruct us to process it to deliver the Service. You agree to indemnify us for any unlawful data you provide, as set out in the Terms.

11. Cookies & local storage

We use essential cookies and on-device storage to keep you signed in, remember your preferences, and enable offline functionality. We do not use the Service to run third-party advertising trackers.

12. Children

The Service is intended for businesses and is not directed to children under 18. We do not knowingly collect personal information from children.

13. Security incidents

We maintain procedures for handling security incidents. If a breach affecting personal data occurs, we will notify affected Customers and the relevant authorities where required by applicable law, without undue delay.

14. Changes to this Policy

We may update this Policy from time to time. If a change is material, we will give notice through the Service or by email. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

For privacy questions or to exercise your rights, contact us at support@bearon.studio.

© 2026 Bearon Labs Indonesia