Privacy Policy

1. Introduction and Scope

White Town LLC ("Company," "we," "us," or "our") is committed to protecting the privacy and personal data of all individuals who interact with the Gostify platform. This Privacy Policy describes how we collect, use, disclose, store, and protect personal information in connection with the Gostify service, available at https://www.gostify.app/ (the "Platform").

This Privacy Policy applies to two distinct categories of individuals: (a) Customers, meaning property owners, managers, and hosts who register for and use the Platform to deploy AI assistants for their accommodations; and (b) Guests, meaning third-party individuals who interact with a Customer\'s AI assistant through a subdomain link or QR code. Different provisions of this Policy may apply differently to each category, as described below.

This Policy is designed to comply with applicable privacy laws, including but not limited to: the General Data Protection Regulation (GDPR) (EU) 2016/679; the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA); applicable US state privacy laws; and other applicable national or international data protection legislation. Where our obligations differ based on jurisdiction, we describe those differences explicitly.

By using the Platform or interacting with a Gostify-powered AI assistant, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, you should not use the Platform or interact with a Gostify-powered assistant.

2. Data Controller and Data Processor Roles

2.1 Relationship with Customers

With respect to personal data belonging to Customers (account holders), White Town LLC acts as the data controller. We determine the purposes and means by which Customer personal data is processed, as described in this Policy.

2.2 Relationship with Guest Data

With respect to personal data generated or submitted by Guests during interactions with a Customer\'s AI assistant, White Town LLC acts as a data processor on behalf of the Customer. In this capacity, the Customer is the data controller and is responsible for ensuring a lawful basis exists for processing Guest data and for providing Guests with appropriate privacy notices. Our processing of Guest data on behalf of Customers is governed by our Data Processing Agreement (DPA), which is incorporated by reference into our Terms of Service.

2.3 Independent Responsibility

Customers who are subject to GDPR, CCPA, or other applicable data protection laws are independently responsible for their own compliance obligations with respect to Guest data they cause to be processed through the Platform. White Town LLC does not assume the data controller role with respect to Guest data and is not responsible for the Customer\'s compliance with data protection obligations toward their Guests.

3. Personal Data We Collect

3.1 Data Collected from Customers

When you register for and use the Platform as a Customer, we collect the following categories of personal data:

• Identity and contact data: full name, email address, and any other information provided during registration or account management
• Property and business data: property name, property type, city, website URL, links to Booking.com or Airbnb listings, social media links, and property descriptions submitted during onboarding
• Configuration data: amenity selections, FAQ content, welcome message text, chat color preferences, and other AI assistant configuration inputs
• Payment and billing data: billing address and transaction records; note that payment card details are processed exclusively by our third-party payment processor Stripe, Inc. and are not stored by White Town LLC
• Account activity data: login timestamps, account settings changes, and records of Subscription status and billing history
• Communication data: content of emails, support requests, or other communications sent to us

3.2 Data Collected from Guests

When a Guest interacts with a Customer\'s AI assistant deployed through the Platform, we may collect and process the following data on behalf of the Customer:

• Session and interaction data: questions and messages submitted by the Guest to the AI assistant, AI-generated responses, timestamp of the interaction, and session duration
• Device and technical data: device type, operating system, browser type and version, IP address (which may indicate approximate geographic location), and screen resolution
• Language preference: the language detected from the Guest\'s query, used to generate a language-appropriate response
• Analytics data: anonymized or aggregated usage statistics including message counts, session counts, and active user counts, used to provide analytics features to Customers

3.3 Data Collected Automatically

When any user (Customer or Guest) accesses the Platform or a Gostify-powered subdomain, we automatically collect certain technical data through the use of cookies and similar tracking technologies, including: IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, and clickstream data. This data is described in further detail in our Cookie Policy.

3.4 Data We Do Not Collect

We do not knowingly collect the following categories of data through the Platform: payment card numbers, CVV codes, or full financial account details (these are handled exclusively by Stripe); government-issued identification numbers; biometric data; health or medical information; racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; data concerning sexual orientation; or data relating to criminal convictions or offenses. Customers must not configure their AI assistant to solicit such information from Guests.

4. Lawful Basis for Processing

Where the GDPR applies, we rely on the following lawful bases to process personal data:

4.1 Contract Performance

We process Customer personal data to the extent necessary to perform our contractual obligations under the Terms of Service, including creating and managing accounts, activating AI assistants, processing Subscription payments, and providing customer support.

4.2 Legitimate Interests

We process certain personal data based on our legitimate business interests, including: improving the Platform and Service features; maintaining Platform security and preventing fraud; conducting analytics on aggregated and anonymized usage data; sending operational and transactional communications to Customers; and managing legal claims or disputes. Where we rely on legitimate interests, we have conducted a balancing assessment to ensure that our interests do not override the rights and freedoms of data subjects.

4.3 Legal Obligation

We may process personal data where necessary to comply with applicable laws and regulations, including financial record-keeping requirements, tax obligations, and responses to lawful requests from public authorities or courts.

4.4 Consent

Where we rely on consent as a lawful basis, we will obtain freely given, specific, informed, and unambiguous consent. This applies primarily to the use of non-essential cookies and to certain marketing communications. You have the right to withdraw consent at any time, and such withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

4.5 CCPA / US State Law Basis

For California residents and residents of other US states with applicable privacy laws, our data processing is conducted for the business purposes described in this Policy, as permitted under the CCPA and applicable state law. We do not sell personal information as defined under the CCPA. Further rights available to US residents are described in Section 10.

5. How We Use Personal Data

5.1 Customer Data

We use Customer personal data for the following purposes:

• To create, manage, and maintain your account and Subscription
• To activate, configure, and operate your AI assistant on the Platform
• To process Subscription payments and manage billing history
• To communicate with you regarding your account, Subscription, technical issues, and support requests
• To send transactional emails, including Subscription confirmations, renewal notices, and payment receipts
• To send service-related announcements, including updates to these policies, maintenance notices, and feature updates
• To provide and improve analytics features on the Platform
• To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities
• To enforce our Terms of Service and other applicable policies
• To comply with applicable legal obligations
• To respond to legal requests, court orders, or government inquiries as required by law

5.2 Guest Data

We process Guest data on behalf of Customers for the following purposes:

• To operate the AI assistant and generate automated responses to Guest queries
• To detect the Guest\'s language and deliver multilingual responses
• To maintain session continuity during a Guest\'s interaction with the AI assistant
• To generate aggregated and anonymized analytics data provided to Customers
• To maintain security, detect abuse, and ensure Platform integrity

5.3 Marketing Communications

We may send promotional communications to Customers about new features, pricing changes, or other Gostify-related updates. Customers can opt out of marketing communications at any time by using the unsubscribe mechanism included in each email or by contacting us at info@gostify.app. Opting out of marketing communications does not affect the delivery of transactional or service-related emails.

5.4 Automated Decision-Making

The AI assistant generates automated responses to Guest queries without human review of individual responses. This automated processing does not constitute legally or similarly significant automated decision-making as defined under GDPR Article 22. Customers retain full control over the information configured in the assistant and are responsible for reviewing the appropriateness of AI-generated responses. We do not use personal data for automated profiling that produces legal or significant effects on individuals.

6. Data Sharing and Disclosure

6.1 Third-Party Service Providers

We share personal data with trusted third-party service providers who assist us in operating the Platform and delivering the Service. These providers are permitted to use personal data only as necessary to perform services on our behalf and are bound by appropriate data protection agreements. Current categories of sub-processors and service providers include:

• Payment processing: Stripe, Inc., for processing Subscription payments. Stripe\'s privacy policy is available at https://stripe.com/privacy. Card data is processed directly by Stripe and is not transmitted to or stored by White Town LLC.
• Artificial intelligence services: third-party AI model providers used to power the conversational AI functionality of the Platform. We maintain data processing agreements with these providers and restrict their use of data to service delivery only.
• Cloud infrastructure and hosting: third-party cloud service providers used to host the Platform, store data, and ensure service availability and reliability.
• Analytics services: tools used to collect and analyze aggregated usage data for Platform improvement. Where such tools process personal data, appropriate controls are in place.
• Email delivery services: third-party email service providers used to deliver transactional and operational emails to Customers.

6.2 Legal Disclosures

We may disclose personal data to government authorities, law enforcement agencies, courts, or other public bodies where: (a) required to do so by applicable law or regulation; (b) in response to a valid legal process, including a subpoena, court order, or government demand; or (c) we believe in good faith that disclosure is necessary to protect the rights, property, or safety of White Town LLC, our Customers, Guests, or the public.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or similar corporate transaction involving White Town LLC, personal data held by the Company may be transferred to the acquiring or successor entity as part of that transaction. We will notify affected individuals of such a transfer and any material changes to this Privacy Policy via email or through the Platform prior to the transfer taking effect, to the extent required by applicable law.

6.4 No Sale of Personal Data

White Town LLC does not sell, rent, or trade personal data belonging to Customers or Guests to third parties for their own marketing or commercial purposes. This commitment applies to the definition of "sale" under the CCPA and similar applicable laws.

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that does not identify any individual with third parties, including for research, industry analysis, or business development purposes. Such data is not subject to the restrictions set out in this Policy.

7. International Data Transfers

White Town LLC is based in the United States. If you are accessing the Platform from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or Switzerland, please be aware that your personal data will be transferred to and processed in the United States and potentially other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate transfer mechanisms as required under Chapter V of the GDPR, including: Standard Contractual Clauses (SCCs) approved by the European Commission; the UK International Data Transfer Agreement (IDTA) or addendum where applicable; or other recognized transfer mechanisms such as adequacy decisions or derogations permitted under applicable law.

By using the Platform, you acknowledge that your personal data may be transferred to countries that may not have the same level of data protection as your home country. Where we transfer data internationally, we take appropriate safeguards to ensure that personal data remains protected in accordance with this Policy and applicable law.

A current list of our sub-processors and the countries in which they process data is available on request by contacting info@gostify.app.

8. Data Retention

8.1 Customer Data

We retain Customer personal data for as long as your account remains active or as long as necessary to provide the Service. Following termination or cancellation of a Subscription, we retain Customer account data for a period of thirty (30) days to allow for potential account reactivation. After this period, Customer account data is deleted or anonymized, unless we are required to retain it for longer under applicable law or to resolve disputes, enforce agreements, or comply with legal obligations.

8.2 Guest Data

Guest interaction data, including session logs and message content, is retained for a period of up to ninety (90) days from the date of the interaction, unless the Customer requests earlier deletion or a longer retention period is required by applicable law. After the applicable retention period, Guest data is deleted or anonymized. Aggregated and anonymized analytics data derived from Guest interactions may be retained indefinitely.

8.3 Financial and Legal Records

Billing records, payment transaction logs, and related financial data are retained for a minimum of seven (7) years from the date of the transaction, as required for tax and accounting purposes under applicable US law. Legal correspondence and records related to disputes or legal proceedings are retained for the duration of the proceeding and for a reasonable period thereafter.

8.4 Deletion Requests

Customers and Guests (where applicable) may request deletion of their personal data as described in Section 9. Where a deletion request conflicts with a legal obligation to retain data, we will retain only the minimum data required to satisfy that obligation and will notify the requesting individual accordingly.

9. Your Privacy Rights

9.1 Rights Under GDPR (EEA, UK, and Switzerland Residents)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection law:

• Right of access: you have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification: you have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (right to be forgotten): you have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where the processing is unlawful, subject to legal retention obligations.
• Right to restriction of processing: you have the right to request that we restrict the processing of your personal data in certain circumstances, including while the accuracy of the data is contested or while an objection to processing is being assessed.
• Right to data portability: you have the right to receive a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where technically feasible.
• Right to object: you have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing for that purpose immediately.
• Right not to be subject to automated decision-making: you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you, except where such processing is necessary for a contract or authorized by law.
• Right to withdraw consent: where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint: you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9.2 Rights Under the CCPA / CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: you have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom it is shared.
• Right to delete: you have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct: you have the right to request correction of inaccurate personal information we hold about you.
• Right to opt out of sale or sharing: we do not sell or share personal information as defined under the CCPA. No opt-out mechanism is required, but we will honor any opt-out requests received.
• Right to limit use of sensitive personal information: to the extent we process sensitive personal information as defined under the CPRA, you have the right to limit our use of such information to purposes permitted by law.
• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights, including by denying services, charging different prices, or providing a different quality of service.

9.3 Rights Under Other US State Laws

Residents of Virginia, Colorado, Connecticut, Texas, and other US states with comprehensive privacy laws may have additional rights similar to those described above, including rights of access, correction, deletion, portability, and opt-out of targeted advertising or profiling. We will honor such rights to the extent required by applicable law.

9.4 How to Exercise Your Rights

To exercise any of the rights described in this Section, please submit a request to us by email at info@gostify.app with the subject line "Privacy Rights Request." Your request should include: your full name and email address associated with your account (if applicable); the specific right you wish to exercise; and sufficient information for us to verify your identity and locate your personal data.

We will respond to verified requests within thirty (30) days for GDPR requests and forty-five (45) days for CCPA requests. We may extend these periods by an additional thirty (30) days where necessary due to complexity or volume, and will notify you of any such extension. We do not charge a fee for processing reasonable rights requests.

Note that Guests who wish to exercise rights over data processed by a Customer\'s AI assistant should contact the relevant Customer directly, as the Customer is the data controller for Guest data. White Town LLC will assist Customers in responding to such requests in our capacity as data processor, subject to the terms of the Data Processing Agreement.

10. Children\'s Privacy

The Platform is not directed at, and is not intended for use by, individuals under the age of sixteen (16). We do not knowingly collect personal data from children under the age of sixteen. If you believe that a child under sixteen has provided personal data to us, please contact us immediately at info@gostify.app. Upon receiving such notification, we will take steps to delete the relevant data promptly.

Customers are responsible for ensuring that their AI assistant is not used to collect data from minors and that their accommodation services comply with applicable laws regarding minors.

11. Data Security

White Town LLC implements appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures include, but are not limited to:

• Encryption of data in transit using TLS (Transport Layer Security) protocol
• Encryption of sensitive data at rest using industry-standard encryption algorithms
• Access controls limiting personal data access to authorized personnel on a need-to-know basis
• Regular security assessments and monitoring of the Platform infrastructure
• Pseudonymization and anonymization of data where technically feasible and appropriate
• Vendor due diligence and contractual data security obligations imposed on all sub-processors
• Incident response procedures for detecting, reporting, and managing personal data breaches

No method of data transmission or storage is completely secure. While we strive to use commercially reasonable means to protect personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify affected individuals and, where required, the relevant supervisory authorities, within the timeframes prescribed by applicable law.

12. Cookies and Tracking Technologies

The Platform and Gostify-powered subdomains use cookies and similar tracking technologies to operate effectively, remember your preferences, analyze usage patterns, and improve the Service. A detailed description of the cookies we use, their categories, durations, and your choices regarding cookies is provided in our Cookie Policy, available at https://www.gostify.app/.

By continuing to use the Platform after being presented with a cookie consent notice, you consent to the use of cookies as described in the Cookie Policy, to the extent that consent is required by applicable law. You may withdraw or manage your cookie consent at any time through the cookie settings available on the Platform.

13. Third-Party Links and Services

The Platform may contain links to third-party websites or services, including accommodation listing platforms such as Airbnb and Booking.com. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through the Platform, as we have no control over and assume no responsibility for their privacy practices or content.

If you access the Platform through a third-party service or integrate the Platform with other tools, the collection and use of your data by those third parties is governed by their own privacy policies.

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the Services we offer. When we make material changes, we will notify you by email to the address associated with your account and by posting a notice on the Platform, at least fourteen (14) days before the updated Policy takes effect.

The "Effective Date" at the top of this Policy indicates when it was last revised. We encourage you to review this Policy periodically to stay informed about how we protect your personal data. Your continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.

15. Contact and Data Protection Inquiries

For any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact us:

White Town LLC

75 E 3rd St, Sheridan, WY 82801, United States

Email: info@gostify.app

Website: https://www.gostify.app/

If you are located in the European Economic Area and have concerns about our data processing practices that we have not resolved to your satisfaction, you have the right to lodge a complaint with the supervisory authority in your country of residence. Contact details for EU data protection authorities are available at https://edpb.europa.eu/.

We aim to respond to all privacy-related inquiries within five (5) business days.