Privacy Policy

Effective Date: January 25, 2026 · Last Updated: January 25, 2026

1. Introduction

HiLucy ("we," "our," or "us") operates a SaaS platform for hospitality and short-term rental management, including an AI-powered concierge service. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.

This policy applies to:

  • Hotel and property guests using our AI concierge
  • Property managers and staff using our platform
  • Visitors to our website

2. Data Controller

HiLucy
10205 S Komensky Avenue
Oak Lawn, IL 60453, USA

Contact for Privacy Inquiries: privacy@hilucy.com

For EU residents: eu-privacy@hilucy.com

3. Personal Data We Collect

3.1 Information You Provide

| Category | Examples | When Collected |
|---|---|---|
| Identity Data | Name, nationality, date of birth, ID document details | Guest check-in |
| Contact Data | Phone number, email address, WhatsApp ID | Registration, check-in |
| Location Data | Country/city of residence, shared location | Check-in, chat |
| Communication Data | Messages, requests, preferences | AI chat interactions |
| Payment Data | Card details (via Stripe), billing address | Service purchases |
| Booking Data | Check-in/out dates, room type, guest count | Reservations |

3.2 Information Collected Automatically

| Category | Examples | Purpose |
|---|---|---|
| Technical Data | IP address, browser type, device info | Security, analytics |
| Usage Data | Pages visited, features used, timestamps | Service improvement |
| Cookie Data | Session cookies, preference cookies | Authentication, UX |

4. How We Use Your Data

| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide AI concierge service | Contract performance |
| Process guest check-ins | Contract performance |
| Process payments | Contract performance |
| Send service notifications | Legitimate interest |
| Improve services | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send marketing communications | Consent |

5. Data Sharing

We share your data with the following categories of service providers:

| Provider | Data Shared | Purpose |
|---|---|---|
| OpenAI | Conversation content | AI processing |
| Meta (WhatsApp) | Phone, messages | Messaging |
| Stripe | Payment details | Payment processing |
| Google Cloud | Location, language | Translation, maps |

All subprocessors are bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where applicable.

6. Data Retention

| Data Type | Retention Period |
|---|---|
| AI conversation history | 30 days |
| Guest check-in data | Booking duration + 30 days |
| User account data | Until account deletion |
| Payment records | 7 years (legal requirement) |
| Booking records | 2 years post-checkout |
| Technical logs | 30 days |

7. Your Rights

GDPR Rights (EU/EEA Residents)

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data
  • Restriction — limit how we process your data
  • Portability — receive your data in a structured format
  • Object — object to processing based on legitimate interest
  • Automated Decision-Making — request human review

CCPA Rights (California Residents)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

To exercise your rights, email privacy@hilucy.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

8. Security

We protect your data through:

  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest for stored consumer data
  • Multi-factor authentication for all admin access
  • Role-based access controls
  • Regular security monitoring and logging
  • PCI-DSS compliance for payment processing (via Stripe)

9. Cookies

We use essential cookies for authentication and session management. For analytics and marketing cookies, we obtain your consent before setting them. You can manage cookie preferences through your browser settings.

10. AI and Automated Processing

Our AI concierge (Lucy) uses OpenAI GPT-4o-mini to process your messages. AI-assisted routing and recommendations are not legally significant automated decisions. You may request human review of any AI interaction at any time.

11. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect data from children.

12. Changes to This Policy

We will notify you of material changes via email or in-app notice at least 30 days before they take effect.

13. Contact Us

Privacy inquiries: privacy@hilucy.com
General support: support@hilucy.com

© 2026 HiLucy. All rights reserved.