Privacy Policy
How we handle personal data — clearly, carefully, and in line with GDPR.
Last updated: 19 May 2026
This Privacy Policy explains how HermesAi™ ("HermesAi", "we", "our", "us") collects, uses, shares and protects personal information. It applies to our website at askhermesai.com, to people who enquire about or use our service, and to end-guests of properties that deploy HermesAi on WhatsApp.
HermesAi is operated as a sole trader registered in the United Kingdom. Our correspondence address is 169 Great Portland Street, 5th Floor London W1W 5PF. We are the data controller for the information described in Sections 2 and 3 below, and a data processor for the information described in Section 4.
You can contact us at any time at privacy@askhermesai.com.
1. Summary
- What we do. We provide an AI concierge service for boutique hotels, delivered through WhatsApp Business. Hotels integrate HermesAi to handle guest enquiries, bookings, transfers, in-stay requests and local recommendations on their behalf.
- Whose data we handle. Visitors to our website, people who enquire about or buy our service, and end-guests of the hotels we serve.
- Where it goes. To us, and to a small set of trusted sub-processors listed in Section 7.
- Your rights. You can access, correct, delete or restrict your personal information, object to processing, withdraw consent, or complain to the UK Information Commissioner's Office. See Section 9.
2. Information we collect about website visitors and prospects
When you browse askhermesai.com, complete our enquiry form, or book a demo, we may collect:
- Identification and contact data you give us: name, email address, property name, property size, and any free-text notes you provide.
- Communications data: the content of emails, demo bookings, and other correspondence with us.
- Technical data: IP address, browser type, device type, referring URL, pages viewed, and approximate location. This is collected by our hosting provider and any analytics tools described in Section 8.
Lawful basis. We process this information either because you have asked us to respond to your enquiry (legitimate interests and steps prior to entering a contract under Article 6(1)(b) and 6(1)(f) UK GDPR), or because we are required to keep records for tax and legal compliance (Article 6(1)(c)).
3. Information we collect about our customers (hotels)
When a hotel signs up for HermesAi we also collect:
- Business information: company name, registered address, billing details, VAT or tax number where applicable.
- Account contacts: names, work email addresses and phone numbers of the people authorised to administer the account.
- Configuration data: property information, services offered, partner contacts, knowledge-base content and operational rules used to calibrate the AI.
- Payment information: processed by our payment provider; we do not store full card details.
Lawful basis. Performance of our contract with the customer (Article 6(1)(b) UK GDPR) and our legitimate interests in operating, securing and improving the service (Article 6(1)(f)).
4. Information we handle on behalf of hotels — guests' WhatsApp data
When a hotel deploys HermesAi, end-guests interact with the hotel's WhatsApp Business number. The hotel is the data controller for that conversation; HermesAi is the data processor. We process this data strictly on the hotel's documented instructions, under a Data Processing Agreement included in our Terms of Service.
The data processed in this context typically includes:
- The guest's WhatsApp phone number, display name and profile photo (as made available by WhatsApp).
- The content of WhatsApp messages sent to or from the hotel.
- Booking-related information the guest shares or that is matched from the hotel's records, such as name, email, check-in and check-out dates, number of guests, room or studio number and booking reference.
- Service requests (transfers, dining, housekeeping, late check-out, local recommendations) and their outcomes.
- Conversation summaries and metadata generated by HermesAi to operate the service.
Lawful basis. Determined by the hotel as controller. The hotel must rely on its own lawful basis (typically performance of the booking contract, legitimate interests, or the guest's consent) and must provide its own privacy notice to guests.
WhatsApp's role. Messages are delivered through the WhatsApp Business Platform operated by Meta Platforms Ireland Limited (for EU/UK users) or WhatsApp LLC (for other users). Meta processes message metadata as an independent controller under its own privacy policy at https://www.whatsapp.com/legal/privacy-policy.
5. How we use information
We use the information described above to:
- Operate the HermesAi service and respond to guest messages on behalf of hotels.
- Communicate with prospects who ask for a demo or join the waiting list.
- Bill, support and maintain the relationship with our customers.
- Improve service quality, including reviewing flagged conversations, monitoring AI performance and refining knowledge bases. We do not use the content of guest conversations to train third-party AI models.
- Detect, prevent and respond to fraud, abuse, security incidents and violations of our Terms of Service.
- Comply with legal, tax and accounting obligations.
6. Sharing your information
We share personal information only with:
- The hotel that operates the WhatsApp number the guest has messaged. Conversation history and request details are made available to that hotel's authorised staff.
- Our sub-processors (Section 7), who act on our instructions under written contracts.
- Professional advisers (accountants, lawyers, insurers) where strictly necessary.
- Authorities or third parties where required by law, or to protect our rights, our customers' rights, or the safety of any person.
We do not sell personal information, and we do not share it for advertising purposes.
7. Our sub-processors
We use the following sub-processors to deliver the service. This list is current as of the date above and may change; an up-to-date version is available on request.
| Provider | Purpose | Location of processing |
|---|---|---|
| Meta Platforms Ireland Ltd / WhatsApp LLC | WhatsApp Business message delivery | EU, US |
| OpenAI | Large language model inference | US, EU |
| Landbot | Conversation flow orchestration | EU |
| Google LLC / Google Ireland Ltd | Operational logging via Google Sheets | EU, US |
| Slack Technologies LLC | Internal notifications to the hotel team | US, EU |
| Formspree, Inc. | Contact-form submissions on our website | US |
| Calendly LLC | Demo scheduling | US |
| Netlify | Website hosting and content delivery | Global edge |
Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision, as appropriate. Copies of the safeguards are available on request.
8. Cookies and similar technologies
Our website uses a minimal set of cookies and local storage:
- Strictly necessary: to remember your language preference and to make the site work.
- Analytics (if enabled): to understand which pages are visited and how the site performs. Any analytics provider is listed in Section 7.
We do not currently use advertising or cross-site tracking cookies. If we add any in the future we will update this Policy and ask for your consent before they load.
9. Your rights
Under UK GDPR you have the right to:
- access the personal information we hold about you;
- ask us to correct information that is inaccurate;
- ask us to delete information (subject to limits where we must keep it for legal or contractual reasons);
- ask us to restrict or object to processing;
- receive a copy of information you provided to us in a portable format;
- withdraw any consent you have given, without affecting the lawfulness of processing already carried out;
- not be subject to a solely automated decision that has a legal or similarly significant effect.
To exercise any of these rights, email privacy@askhermesai.com. We will respond within one month.
End-guests of a hotel should usually contact the hotel directly first, because the hotel is the controller of that conversation. We will assist the hotel in responding to your request.
If you are unhappy with how we have handled your data you can complain to the UK Information Commissioner's Office at https://ico.org.uk or 0303 123 1113. You also have the right to complain to your local supervisory authority in the EEA.
10. How long we keep information
We keep personal information only as long as we need it:
- Enquiry data from people who did not become customers: up to 12 months from last contact.
- Customer account and billing data: for the duration of the contract and for 6 years afterwards, to meet UK tax and accounting requirements.
- Guest conversation data: in line with the hotel's documented retention policy, by default no longer than 24 months. Operational logs are typically rotated after 12 months.
- Backups: encrypted backups are retained for up to 90 days.
11. Security
We protect personal information with technical and organisational measures appropriate to the risk, including encryption in transit, access controls, principle-of-least-privilege for any access to customer environments, secure credential storage, and review of sub-processor security posture. No system is perfectly secure; if we become aware of a personal data breach affecting your information we will notify the ICO and you in line with our legal obligations.
12. Children
HermesAi is a business service. We do not knowingly market to, or collect personal information from, children. Hotels deploying our service must take reasonable steps to ensure WhatsApp interactions are conducted by adults (typically the booking holder). If you believe a child has provided us information, please contact us and we will delete it.
13. WhatsApp-specific terms
Because our service runs on WhatsApp, the following terms apply in addition to the rest of this Policy:
- Opt-in. Guests are messaged only after they initiate a conversation, scan a QR code, or have otherwise consented to being contacted on WhatsApp by the hotel.
- Opt-out. Guests can opt out at any time by replying with "STOP" or any equivalent we make available, or by blocking the hotel's WhatsApp number. Opting out will end HermesAi's processing of new messages for that guest.
- Meta's terms. Use of WhatsApp is also governed by Meta's WhatsApp Business Solution Terms and its Privacy Policy, which we cannot vary.
- Cross-border delivery. WhatsApp routes messages through its global infrastructure; we cannot guarantee a specific country of message transit.
14. Changes to this Policy
We may update this Policy from time to time. The current version is always available at https://askhermesai.com/privacy. Material changes will be notified to customers by email and shown on this page for at least 30 days before they take effect.
15. Contact
If you have questions about your data or how we use it, we'd like to hear from you. Reach out at privacy@askhermesai.com and we respond within 30 days, as required by law
HermesAi169 Great Portland Street, 5th Floor London W1W 5PF
privacy@askhermesai.com
+44 (0)7770 525094