Legal
Privacy Policy
Effective date: · Last updated:
1. Introduction
GuestSet ("we", "our", or "us") is a Software-as-a-Service platform providing Hotel Property Management System (PMS), Tours & Travel CRM, and related hospitality management tools to businesses registered in India. This Privacy Policy explains how we collect, use, store, share, and protect personal information in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).
By registering for or using GuestSet, you agree to the practices described in this Policy. If you do not agree, please discontinue use of the platform.
2. Data We Collect
We collect data in the following categories:
2.1 Hotel Account & Registration Data
Name of the hotel/business entity, GSTIN, PAN, registered address, contact person name, email address, phone number, and bank account details (for subscription billing via Razorpay).
2.2 Guest Personally Identifiable Information (PII)
As entered by hotel staff during check-in or booking: guest full name, nationality, passport/Aadhaar/Voter ID number, date of birth, address, email, phone number, and FRRO-required Form C information for foreign nationals. This data is owned by your hotel and processed by us on your behalf.
2.3 Booking & Transaction Data
Reservation details, room types, stay dates, folio charges, GST invoice amounts, payment amounts, and payment method (card/UPI/cash) as recorded in your PMS.
2.4 Payment Data
Online payments for GuestSet subscriptions are processed by Razorpay Software Private Limited. We do not store full card numbers or CVV codes. We retain Razorpay order IDs, payment IDs, and payment status as returned by the Razorpay API.
2.5 WhatsApp Interaction Logs
Message delivery status, timestamps, template names, and guest phone numbers used in WhatsApp Business API communications sent via Meta (formerly Facebook) and MSG91.
2.6 Usage & Technical Data
IP addresses, browser type, pages viewed, actions taken within the dashboard, session tokens, and error logs. This data is used for security, debugging, and product improvement.
3. How We Use Your Data
- Service delivery: Operating the PMS, billing module, channel manager, travel CRM, and all platform features.
- GST compliance: Generating HSN-coded, GSTIN-verified tax invoices and maintaining records required under the CGST Act, 2017.
- FRRO / Form C compliance: Storing foreign guest ID data as required under the Registration of Foreigners Act, 1939.
- WhatsApp & SMS communications: Sending booking confirmations, reminders, and automated workflows on behalf of your hotel to your guests.
- AI features: Generating demand forecasts, pricing suggestions, and daily briefings using anonymised and aggregated operational data.
- Support: Diagnosing and resolving technical issues.
- Billing & subscription management: Processing renewal payments and sending invoices.
- Security: Detecting and preventing fraudulent access or data breaches.
We do not sell your data or your guests' data to third parties for marketing purposes.
4. Data Sharing & Sub-processors
We share data only with vendors who are essential to delivering the service:
| Vendor | Purpose | Data shared |
|---|---|---|
| Razorpay | Payment processing for subscriptions | Billing name, email, amount |
| Neon (Neon Inc.) | PostgreSQL database hosting | All platform data (encrypted at rest) |
| Cloudinary | Media storage (hotel images, documents) | Uploaded files only |
| Meta (WhatsApp Business API) | WhatsApp message delivery | Guest phone number, template content |
| MSG91 | SMS fallback notifications | Guest phone number, message text |
| Google (Gemini AI) | AI-powered features (forecasting, briefings) | Anonymised operational metrics |
We require all sub-processors to maintain confidentiality and appropriate security standards. We do not transfer personal data outside India except where the sub-processor is certified under applicable cross-border data transfer mechanisms.
5. Data Retention
- Booking & GST invoice data: Retained for 7 years from the date of transaction as required under the CGST Act and Income Tax Act, 1961.
- Guest PII (identity documents, Form C): Retained for 3 years after the guest's last recorded stay, then securely deleted or anonymised.
- Hotel account data: Retained for the duration of the subscription plus 90 days post-termination to allow data export. Permanently deleted thereafter.
- WhatsApp & SMS logs: Retained for 12 months for audit and troubleshooting.
- Usage logs: Retained for 90 days.
6. Data Security
We implement industry-standard technical and organisational measures including: AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, multi-factor authentication for staff accounts, regular security audits, and automated anomaly detection. No system is perfectly secure; in the event of a breach, we will notify affected parties as required by applicable law.
7. Your Rights Under Indian Law
Under the IT Act, 2000 and DPDP Act, 2023, you have the following rights:
- Right of access: Request a copy of personal data we hold about you.
- Right of correction: Request correction of inaccurate personal data.
- Right of erasure: Request deletion of your personal data, subject to legal retention obligations.
- Right to withdraw consent: Withdraw consent for processing at any time (this may affect your ability to use the platform).
- Right to grievance redressal: Lodge a complaint with our Data Protection Officer.
To exercise any of these rights, email privacy@guestset.in. We will respond within 30 days.
8. Cookies
We use strictly necessary cookies for session management and authentication. We do not use tracking cookies or third-party advertising cookies. You may disable cookies in your browser settings, but this may prevent login.
9. Children's Privacy
GuestSet is a business-to-business platform not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. Guest data of minors may be entered by hotel staff as required by law (e.g., Form C for foreign nationals); such data is handled with the same protections as all guest PII.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account administrators at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the revised Policy.
11. Contact & Grievance Officer
For privacy-related queries, data requests, or complaints, contact our Data Protection Officer:
GuestSet
Email: privacy@guestset.in
Jurisdiction: Rajasthan, India