Privacy Policy
Last updated: January 2025
Effective date: 01 September 2025
This Privacy Policy explains how Host‑Pilot.ai (the "Service", "we", "us", or "our") collects, uses, stores, and shares your personal data when you visit our websites or use our applications. By creating an account, starting a trial, or otherwise using the Service, you acknowledge that we will process and store your data as described below. Where we rely on consent, you can withdraw it at any time.
Controller and Contact
Controller: Host‑Pilot.ai — operated by Mouhad Lassoued (sole proprietorship), Buschallee 3, 13088 Berlin, Germany
Website administrators: Mouhad Lassoued and Hedi Lassoued (same address as above)
Contact: please use the contact form at host-pilot.ai/contact or email us directly.
For privacy-specific inquiries, data subject requests, or to report a security issue, please clearly indicate "Privacy Inquiry" in your message for faster processing.
What Data We Collect
- Account and Profile Data: name, email, password hash, business details, and preferences you provide when signing up or updating your profile.
- OAuth Authentication Data: When you sign in using Google or other OAuth providers, we collect:
  - Your email address
  - Your name (if provided by the OAuth provider)
  - Profile picture URL (if provided)
  - OAuth access tokens (encrypted and stored securely) for accessing integrated services you enable (e.g., Gmail, Outlook)
- Usage and Device Data: pages viewed, features used, IP address, timestamps, browser and device information, log files, and diagnostics to operate and secure the Service.
- Communication Data: messages you send to us (support emails, forms) and our correspondence with you.
- Payment and Billing Data: limited billing identifiers and subscription status. Payment details are processed by our payment processor (e.g., Stripe) and are not stored on our servers.
- Cookies and Similar Technologies: small files used for authentication, preferences, analytics, and fraud prevention. See the Cookies section below.
- Third‑Party Integrations: When you enable integrations (e.g., Gmail, Outlook, Airbnb), we may access data from these services with your explicit permission to provide the requested functionality. We only access data that you specifically authorize.
Purposes and Legal Bases (GDPR)
- Provide and Improve the Service (Art. 6(1)(b) & (f) GDPR): to create and manage your account, deliver core functionality, ensure availability, and develop new features.
- Secure the Service (Art. 6(1)(f) GDPR): to detect, prevent, and investigate fraud, abuse, and security incidents.
- Communicate with You (Art. 6(1)(b) & (f) GDPR): to send transactional emails (e.g., account, billing, security), respond to inquiries, and provide support.
- Marketing with Consent (Art. 6(1)(a) GDPR): where required, to send marketing communications. You can opt out at any time.
- Compliance (Art. 6(1)(c) GDPR): to meet legal obligations, tax and accounting requirements, and regulatory requests.
How We Share Data
We do not sell personal data. We share data only with:
- OAuth Providers: When you choose to sign in with Google or other OAuth providers, your authentication is handled by the provider according to their privacy policy. We receive only the information you authorize us to access (typically name, email, and profile picture).
- Service Providers and Processors: infrastructure (Supabase, Vercel), analytics, email delivery, customer support, authentication, and payments providers who process data on our behalf under data processing agreements that require them to protect your data.
- Third-Party Services You Integrate: When you choose to integrate services (e.g., Gmail, Outlook, Airbnb), we access data from these services with your explicit permission solely to provide the functionality you request. We do not share your data with these third parties beyond what is necessary for the integration.
- Legal, Safety, and Compliance: when required by law or to protect rights, safety, and security.
- Business Transfers: in connection with a merger, acquisition, or sale of assets with appropriate safeguards.
International Transfers
If we transfer personal data outside the EEA/UK, we do so using appropriate safeguards, such as Standard Contractual Clauses, or by transferring to countries deemed to provide an adequate level of protection.
Retention
We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. We delete or anonymize data when it is no longer needed.
Security
We implement comprehensive technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS/SSL) for all data transmission
- Encrypted storage of sensitive data, including OAuth tokens
- Access controls and authentication requirements
- Regular security audits and monitoring
- Secure infrastructure hosting (Supabase, Vercel)
- Regular backups with secure retention policies
OAuth tokens and authentication credentials are stored securely and encrypted. We follow industry best practices for credential management. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
If you suspect any unauthorized access to your account, please contact us immediately at host-pilot.ai/contact.
Your Rights (GDPR)
Subject to conditions under GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal obligations)
- Restriction: Request limitation of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Data Portability: Receive your data in a structured, commonly used format
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
- Revoke OAuth Access: You can revoke our access to your Google account or other OAuth providers at any time through your account settings on those platforms
To exercise these rights, please use the contact form at host-pilot.ai/contact or email us directly. We will respond to your request within 30 days.
You may also lodge a complaint with your local supervisory authority. In Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
Cookies and Similar Technologies
We use cookies and similar technologies (localStorage, sessionStorage) for:
- Authentication: To maintain your login session and OAuth tokens securely
- Preferences: To remember your settings and preferences
- Analytics: To understand how the Service is used and improve user experience (anonymized data)
- Security: To protect against fraud and abuse
You can control cookies through your browser settings. Disabling certain cookies may affect Service functionality, particularly authentication features. We do not use cookies to track you across other websites.
OAuth and Third-Party Authentication
When you choose to sign in with Google or other OAuth providers, the following applies:
- Authentication Process: Authentication is handled by the OAuth provider (e.g., Google) according to their privacy policy. We do not receive or store your password.
- Data Collected: We receive only the minimum information necessary to create and manage your account, typically including your email address, name, and profile picture URL.
- OAuth Tokens: If you enable integrations (e.g., Gmail access), we securely store encrypted OAuth tokens necessary to access the integrated services you authorize. These tokens are stored using industry-standard encryption.
- Revocation: You can revoke our access to your Google account or other OAuth providers at any time through your account settings on those platforms. Revoking access will disable associated integrations, but your Host-Pilot account will remain active.
- Third-Party Policies: When using OAuth authentication, Google's privacy policy and terms of service also apply. We recommend reviewing their privacy policy at policies.google.com/privacy.
- No Unauthorized Access: We only access data from OAuth providers that you explicitly authorize. We do not access your Google account data beyond what is necessary for the features you enable.
AI Features and Automated Processing
Some features use AI models to generate or analyze content. We process the data you submit to deliver these features and to improve model quality and safety. We do not use your content to train third‑party models unless you explicitly opt in or it is covered by the provider's enterprise terms with appropriate data protection guarantees.
Children
The Service is not directed to children under 16. If you believe a child has provided us with personal data, contact us and we will take appropriate action.
Your Agreement
By joining, creating an account, or otherwise using the Service, you agree that we will process and store your data to operate the Service as described in this Policy. Where we rely on consent, we will request it separately and you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Changes to this Policy
We may update this Policy from time to time. We will post the updated version on this page and update the effective date above. If changes are material, we will provide additional notice.
