Privacy Policy
Last updated: 24 April 2026
This Privacy Policy explains how XenoHost ("we", "us") collects and processes personal data in connection with the XenoHost AI concierge platform (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and Greek Law 4624/2019.
1. Who we are & our role
XenoHost is established in Athens, Greece. Contact: xenohostinfo@gmail.com.
- For hotel customers (account holders): we act as controller of the data we collect to run our business (name, email, billing information).
- For hotel guests who chat with Athena: we act as processor on behalf of the hotel. The hotel is the controller of that guest conversation data. A separate Data Processing Agreement (DPA) governs that relationship.
2. Data we collect
From hotel customers: business name, contact email, phone, website, billing address, Stripe customer ID, and usage logs. We do not store full card numbers — payment is handled by Stripe.
From hotel guests (via the widget): the content of messages they send, the language they chat in, a session identifier (random UUID, not linked to identity), timestamps, and any contact details they voluntarily submit in lead-capture forms (e.g. name, email, phone).
Automatically: IP address, browser user-agent, and page URL at the moment the widget loads. IPs are retained for a maximum of 30 days for abuse prevention and then discarded.
3. Purposes & legal bases
- Providing the Service — legal basis: performance of contract (Art. 6(1)(b) GDPR).
- Billing, invoicing, and tax reporting — legal obligation (Art. 6(1)(c)).
- Security, abuse prevention, rate limiting — legitimate interest (Art. 6(1)(f)).
- Generating AI replies — performance of the hotel's contract with its guest; the hotel is the controller for this purpose.
- Product improvement on aggregated, anonymised data — legitimate interest.
4. Sub-processors
We engage the following sub-processors to operate the Service:
- Vercel Inc. (USA/EU) — hosting and edge infrastructure.
- Supabase Inc. (EU region) — database, authentication, file storage.
- Anthropic PBC (USA) — Claude AI model inference for Athena replies. Anthropic does not use API data to train its models.
- Stripe Payments Europe, Ltd. (Ireland) — subscription billing and payment processing.
Where sub-processors are outside the EEA we rely on Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
5. Retention
- Guest chat transcripts: retained for as long as the hotel keeps its account, then deleted within 30 days of account closure, unless retention is required by law.
- Billing records: retained for 10 years (Greek accounting law).
- IP logs: up to 30 days.
- Account data: retained while the account is active, deleted within 30 days of closure.
6. Your rights
You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time. To exercise these rights, email xenohostinfo@gmail.com. Guests who used Athena on a specific hotel's site should contact that hotel directly; we will assist the hotel on request.
You may lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
7. Cookies
The XenoHost marketing website uses only strictly necessary cookies (session and security) and does not set analytics or advertising cookies without consent. The embeddable widget uses localStorage to remember the guest's chosen chat language across visits.
8. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorised personnel via multi-factor authentication. We maintain audit logs and regular automated backups.
9. Children
The Service is not directed at children under 16 and we do not knowingly collect their data.
10. Changes
We will post any updates to this Policy on this page and notify account holders by email of material changes.
11. Contact
Questions about this Policy: xenohostinfo@gmail.com.