Privacy Policy

1. Introduction

TIOO ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at tioo.com and associated services.

TIOO operates as a data processor on behalf of our customers (property managers, hosts, and hotel operators) who are the data controllers for their guest data. A Data Processing Agreement (DPA) governs this relationship and is available to all customers upon request or during account setup.

This policy should be read alongside our Terms of Service and Cookie Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, phone number, and business details including property name, country, and timezone.

2.2 Guest Data (Processed on Behalf of Our Customers)

When guests use the check-in system, property managers may collect guest names, email addresses, phone numbers, ID documents, car registration details, and arrival times. This data is controlled by the property manager and processed by TIOO as a data processor.

ID Documents: Where a property manager has enabled ID verification, guest identity documents are stored securely in encrypted object storage. ID documents are subject to automatic retention limits (see Section 7) and are accessible only to authorised property staff.

2.3 Usage and Security Data

We automatically collect information about how you use our platform, including pages visited, features used, and device information. For security purposes, we also log IP addresses and browser information when users perform significant account actions such as logging in, changing settings, or accessing sensitive data.

2.4 Payment Information

Payment processing is handled by Stripe. We do not store full credit card numbers on our servers. We retain only the information necessary to manage your subscription.

2.5 Communications

When property managers communicate with guests through the platform (via email, SMS, or messaging services), message content, sender details, and delivery status are stored to provide a communication history and ensure message delivery.

3. How We Use Your Information

• To provide and maintain the TIOO platform
• To process subscriptions and payments
• To send transactional communications (booking confirmations, check-in instructions) via email, SMS, or messaging services
• To manage property access on behalf of property managers (e.g. generating temporary access codes)
• To verify guest identity when ID verification is enabled by the property manager
• To provide customer support
• To detect and prevent fraud, abuse, and security incidents
• To improve our platform and develop new features
• To comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

• Contract performance: Processing necessary to provide the service you signed up for (account management, subscriptions, platform features)
• Legitimate interests: Security logging, fraud prevention, platform improvement, and customer support
• Legal obligation: Where we are required to retain data by law (e.g. financial records, tax obligations)
• Consent: Marketing communications (you may withdraw consent at any time)

5. Automated Processing

When enabled by the property manager, our platform may use automated processes to assist with ID document verification. These automated checks produce a confidence score to help the property manager verify guest identity. No decisions are made solely on the basis of automated processing — a property manager can always review and override the result manually.

6. Data Sharing and Sub-Processors

We do not sell your personal data. We share data with the following categories of service providers (sub-processors) as necessary to operate the platform:

• Cloud hosting: DigitalOcean (infrastructure and database hosting)
• Payment processing: Stripe (subscription billing and payment processing)
• Email delivery: Mailgun (transactional and tenant email delivery)
• SMS delivery: Twilio (SMS messaging and notifications)
• Messaging: Meta/WhatsApp Business API (guest messaging where enabled by property manager)
• Image hosting: Cloudinary (property images and website media)
• Error monitoring: Sentry (application error tracking — no guest personal data is transmitted)
• Event data: Ticketmaster Discovery API (publicly available event information for Smart Pricing — no personal or guest data is shared)
• Smart lock providers: When smart lock integration is enabled by the property manager, access codes and scheduling data are shared with the lock provider (e.g. TTLock)
• Stock photography: Unsplash (photo search and download API — no personal or guest data is shared; only search queries are transmitted)
• Stock photography: Pexels (photo and video search API — no personal or guest data is shared; only search queries are transmitted)
• Legal requirements: When required by law or to protect our rights

A full list of sub-processors with their processing purposes is available in our Data Processing Agreement.

7. Data Retention

• Active accounts: Data retained while the account is active
• Deleted accounts: Data deleted within 30 days of account deletion request. A data export is available during this period
• Guest ID documents: Automatically deleted 90 days after upload. Property managers may configure a shorter retention period (minimum 7 days) but may not exceed 90 days. Deletion removes both the database record and the stored file
• Security logs: Retained for 12 months, then automatically purged
• Communication records: Retained while the account is active and deleted with the account
• Financial and billing records: Retained for 7 years after the end of the relevant financial period, as required by UK tax law (HMRC)
• Inactive free accounts: Accounts inactive for 12 months are automatically deleted after a 30-day notice period

8. Your Rights (GDPR)

If you are in the European Economic Area or the United Kingdom, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Restrict or object to processing
• Withdraw consent at any time
• Not be subject to decisions based solely on automated processing

To exercise these rights, contact us at [email protected].

For guests: If you are a guest whose data has been processed through a property manager's account, please contact the property manager directly in the first instance, as they are the data controller. You may also contact TIOO and we will assist where possible.

You also have the right to lodge a complaint with your local data protection authority. In the United Kingdom, this is the Information Commissioner's Office (ICO) at ico.org.uk.

9. Data Security

We implement industry-standard security measures including encrypted data transmission (TLS), encrypted credential storage, regular backups, access controls, and continuous security monitoring. We conduct regular security reviews and maintain measures to detect and respond to potential threats.

10. International Transfers

Your data may be processed in the United Kingdom and European Economic Area. Where data is transferred outside these regions, we ensure appropriate safeguards are in place in accordance with applicable data protection legislation.

11. Children's Privacy

TIOO is not intended for use by children under 16. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the platform at least 30 days before the changes take effect.

13. Contact Us

For privacy-related enquiries:

• Email: [email protected]
• General: [email protected]