1. Who we are
MAIIA Concierge is operated by MAIIA Innovation Lab (“MAIIA,” “we,” “us”), reachable at office@maiiaconcierge.ai and on the web at maiiaconcierge.ai.
MAIIA Concierge is a multi-tenant platform supplied to hotels and hospitality operators (each, a “Hotel”). When you use the MAIIA chat widget on a hotel’s website, the MAIIA guest app inside a hotel, or any other MAIIA-powered touchpoint at a property, the Hotel is the data controller of the personal data described in this policy and MAIIA acts as a processor on the Hotel’s behalf. For data we hold about prospective customers contacting us through maiiaconcierge.ai directly (for example, demo requests), MAIIA Innovation Lab is the controller.
2. What this policy covers
This policy applies to:
- The MAIIA Website Sales Agent (the chat widget embedded on hotel websites).
- The MAIIA Guest App (in-room or in-property concierge experience).
- The MAIIA Control Center used by hotel staff.
- Information collected via maiiaconcierge.ai itself (including demo and contact requests).
It does not cover the privacy practices of any individual Hotel, any third-party booking engine the Hotel links to, or any other site or service operated independently of MAIIA.
3. What data we collect
3.1 Information you provide directly
- First name (optional). A single name field, used only so the assistant can address you. Our system has no surname or full-name field. You may use a nickname or skip the field entirely.
- Stay context. Where applicable: room number or room code, language preference, purpose of stay (e.g. “business,” “honeymoon”), and the hotel property you are interacting with.
- Preferences. Food interests, point-of-interest interests, and allergens you choose to share so the assistant can give relevant recommendations and dietary warnings.
- Conversation content. The messages you send to the AI assistant and the assistant’s replies.
- Demo and contact requests. If you fill in a form on maiiaconcierge.ai, the contact details you provide (typically a work email and message).
3.2 Information collected automatically
- Anonymous session identifier. A random sessionId is generated to keep your conversation continuous within a session. It is not linked to your identity outside the hotel context.
- Technical metadata. Timestamps, the channel (website widget vs. guest app), interface language, and basic interaction events (e.g. that a recommendation card was clicked).
- Local browser storage. The widget uses sessionStorage to keep your chat in view if you refresh the page, and localStorage to remember your chosen interface language and whether you have already dismissed a notification. We do not use cross-site tracking cookies.
3.3 What we do not collect
For clarity, the MAIIA platform does not have fields for, request, or store any of the following from guests:
- Surname or full legal name
- Email address (for guest chat — only for B2B contact requests)
- Phone number
- Postal address
- Date of birth
- Government-issued ID, passport, or document numbers
- Payment card or banking information
- Photographs or biometric data
- Precise geolocation
- Browsing history outside the chat or app
- Advertising identifiers or cross-site tracking signals
4. How we use your data
We use the data described above strictly to:
- Answer your questions and fulfil your requests through the AI assistant, grounded in the Hotel’s own approved content (rooms, menus, services, points of interest).
- Personalise recommendations within your stay (for example, surfacing dishes that match your dietary preferences, or attractions that match your stated interests).
- Route action requests to the relevant Hotel team (e.g. housekeeping, restaurant, concierge) when you ask the assistant to do something on your behalf.
- Provide the Hotel with operational analytics strictly limited to that one Hotel’s own guests. The Hotel sees what its guests asked, what they engaged with, where recommendations succeeded or failed, and where its content has gaps. It does not see any other Hotel’s data.
- Stress-test and improve the assistant’s quality for that Hotel using our anti-hallucination simulation system, so guests get accurate answers before, not after, the system goes live.
- Operate, secure, and debug the service (rate-limiting, fraud and abuse prevention, error diagnostics).
- Respond to your B2B inquiries if you contact MAIIA Innovation Lab directly through maiiaconcierge.ai.
We do not use guest data for behavioural advertising, profiling for sale, training of generic third-party AI models, or any purpose unrelated to delivering the service to that Hotel and its guests.
5. Legal basis (EU/UK/EEA guests)
Where the GDPR or UK GDPR applies, we (and the Hotel as controller) rely on:
- Contract. Processing necessary to provide the concierge service you have requested by interacting with the chat or app.
- Legitimate interests. Operating, securing, and improving the service; preventing abuse; and providing the Hotel with operational analytics about its own service quality. These interests are balanced against your rights and minimised by collecting no direct identifiers.
- Consent. Where the Hotel obtains your explicit consent for specific processing (for example, to share an allergen warning with the kitchen).
- Legal obligation. To comply with applicable laws, court orders, or valid regulatory requests.
6. Who can see your data
6.1 The Hotel
The Hotel you are interacting with is the only customer-facing organisation with access to its guests’ conversations, preferences, and analytics. Each Hotel sees only its own property’s data, enforced by tenant isolation in our database.
6.2 We do not share data with third parties for their own purposes
We never sell guest data. We never share guest data with advertisers, data brokers, marketing networks, social media platforms, or any party that would use it for their own purposes.
6.3 Sub-processors that help us deliver the service
Like every modern AI product, MAIIA relies on a small number of sub-processors that act strictly under our instructions and only for the purpose of running the service:
- AI model inference. Conversation messages and retrieved Hotel content are sent to OpenAI to generate the assistant’s response. OpenAI processes data on our instructions under its enterprise data-processing terms and does not use this data to train its general models.
- Vector search. The Hotel’s approved content is indexed in Pinecone so the assistant can retrieve the right answer; query embeddings are short-lived and never sold.
- Cloud hosting and infrastructure. Reputable European/EEA hosting and storage providers used to run the MAIIA backend, queue jobs, and store logs.
- Translation services. A subset of message content may be translated by our internal translation pipeline (which itself runs on the AI model inference sub-processor above).
Where a Hotel chooses to deploy MAIIA against its own private AI endpoint, conversation data is routed to that endpoint instead of the default sub-processor.
6.4 Other limited disclosures
We may disclose information if strictly required by law (for example, in response to a valid court order), or to protect the rights, safety, or property of MAIIA, the Hotel, guests, or the public.
7. AI processing and anti-hallucination
The MAIIA assistant generates answers using large language models. To prevent fabricated information, every answer is grounded in the Hotel’s approved content (rooms, menus, facilities, events, points of interest) stored in our content management system. Before launch and after configuration changes, we stress-test each Hotel’s assistant with hundreds of simulated guest scenarios and report knowledge gaps to the Hotel so they can be addressed.
Conversation content is not used to train general-purpose AI models. Sub-processors that handle inference are contractually prohibited from using this data for their own model training.
8. How long we keep data
- Active session data (chat history visible in the widget) lives in your browser’s sessionStorage and is cleared when the session expires.
- Conversations and event logs are retained for as long as the Hotel needs them for service quality and analytics, subject to the Hotel’s own retention rules. The Hotel can request deletion at any time.
- Operational logs (errors, rate-limit events, security signals) are retained for short periods needed to diagnose and secure the service.
- B2B contact data (demo requests sent to MAIIA Innovation Lab) is retained for as long as needed to handle the inquiry and any resulting customer relationship.
9. Cookies and local storage
The MAIIA chat widget uses minimal browser storage to function:
- sessionStorage — keeps your chat continuous if you reload the page; cleared when you close the tab.
- localStorage — remembers your chosen interface language and whether you have dismissed a notification.
- Authentication cookie (where the guest app is used) — a short-lived session token so the app can authenticate API calls.
We do not use advertising cookies, social media tracking pixels, or any cross-site tracking technology.
10. Your rights
Depending on your location (notably, the EU/EEA, UK, California, and other jurisdictions with comparable laws), you have the following rights over your personal data:
- Access — ask what data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Deletion — ask us to delete your data.
- Restriction — ask us to limit how we use your data.
- Portability — receive a copy of your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Lodge a complaint — with your local data protection authority.
Because the Hotel is the controller of guest data on its property, requests about that data are typically handled by the Hotel directly. You can also contact us at office@maiiaconcierge.ai and we will route your request to the right Hotel and assist with the technical side of fulfilling it.
11. Children’s privacy
MAIIA is designed for adult hotel guests and hotel staff. We do not knowingly collect personal data from children under the age relevant in their jurisdiction (16 in the EU, 13 in the United States). If you believe a child has interacted with MAIIA in a way that captured personal data, contact us at office@maiiaconcierge.ai and we will delete it.
12. Security
We protect data with: encrypted transport (HTTPS/TLS for all API calls), strong authentication (short-lived JWT tokens, scoped API keys for hotel partners), per-tenant data isolation, rate limiting against abuse, and standard infrastructure security practices (least-privilege access, audit logging, restricted admin access). No system is perfectly secure; if we ever become aware of a breach affecting your data, we will notify the affected Hotel(s) and, where required by law, the relevant authorities and individuals.
13. International data transfers
MAIIA primarily processes data in the European Economic Area. Where data is transferred to a sub-processor outside the EEA (for example, AI model inference), the transfer is protected either by an adequacy decision, by Standard Contractual Clauses approved by the European Commission, or by another lawful transfer mechanism.
14. Changes to this policy
We may update this policy as the service evolves or as the law changes. The “Last updated” date at the top of the page reflects the most recent version. Material changes will be announced through the MAIIA assistant, on maiiaconcierge.ai, or directly to Hotel administrators.
15. Contact us
If you have any questions, requests, or concerns about this policy or how your data is handled, please write to:
MAIIA Innovation Lab
Email: office@maiiaconcierge.ai
Web: maiiaconcierge.ai