Privacy Policy

The data controller is NCS Services Ltd, BRN C-18161201, Le Parc de Mont Choisy, Mont Choisy, Mauritius — trading as "Hospitality AI Studio".

Privacy contact: info@hospitalityaistudio.com.

Depending on where you reside, your data is protected by one or more of the following regulations, all of which we comply with:

• EU / EEA: Regulation (EU) 2016/679 (GDPR).
• United Kingdom: UK GDPR and the Data Protection Act 2018.
• Switzerland: Federal Act on Data Protection (revFADP).
• California, USA: CCPA / CPRA.
• Canada: PIPEDA.
• Brazil: LGPD (Lei nº 13.709/2018).
• Mauritius: Data Protection Act 2017.
• Other jurisdictions: the local equivalent applies; the principles we follow are uniform worldwide.

• Contact data (first/last name, email, phone, establishment name, address) — to process requests, deliver reports and issue invoices. Legal basis: performance of contract (GDPR Art. 6.1.b).
• Audit questionnaire data (revenue, occupancy rate, average ticket, team, operational challenges, etc.) — to generate the audit report. Legal basis: performance of contract.
• Payment data — processed exclusively by our PCI-DSS-certified payment processor (Stripe or equivalent). No card data is stored on our servers. Legal basis: contract performance and legal obligation.
• Browsing data (technical logs, functional cookies) — for security, proper functioning and anonymised audience measurement. Legal basis: legitimate interest / consent for non-essential cookies.
• Marketing emails (newsletter) — only with your explicit opt-in. Legal basis: consent (GDPR Art. 6.1.a).
• Audit data historisation — each audit result together with detected market, menu and reputation data is retained as historical snapshots in order to build anonymised hospitality industry benchmarks and to power our future AI-assisted advisory tools. No individual establishment data is ever exposed to another client. You may object to this purpose at any time by contacting us. Legal basis: legitimate interest (GDPR Art. 6.1.f), unless you exercise your right to object.

By ticking the checkbox "I have read and accept the Privacy Policy, Legal Notices and Terms & Conditions" at the end of the questionnaire, you explicitly consent to the processing of your data for the purposes described above.

• Customer and questionnaire data: 3 years after last interaction.
• Historical audit snapshots (market, menu and reputation data): 3 years after the establishment's most recent audit, or until you request erasure.
• Invoices and accounting records: 10 years (statutory obligation).
• Technical logs: 12 months.
• Newsletter data: until consent is withdrawn.

Your data is accessible only to authorised personnel within NCS Services Ltd and to the following technical sub-processors, all bound by confidentiality and security obligations:

• Supabase, Inc. (Singapore) — database, authentication and storage hosting.
• Cloudflare, Inc. (USA) — CDN and application runtime.
• Mailgun Technologies, Inc. (USA) — transactional email delivery.
• OpenAI / Anthropic — algorithmic analysis of the questionnaire (only the minimum necessary data is sent; it is not used to train their models).
• Payment processor (Stripe or equivalent) for transaction handling.

Some data may be transferred outside your country of residence (notably to Mauritius, the United States and Singapore). Such transfers are framed by:

• EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework;
• UK International Data Transfer Addendum (IDTA);
• Equivalent safeguards in other jurisdictions.

Depending on your jurisdiction, you may have the right to:

• Access, rectify and erase your data.
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent at any time (without retroactive effect).
• Opt out of the use of your data for benchmarking and AI enrichment — we will immediately stop using your data for that purpose while retaining any elements required for contract performance.
• Opt out of the "sale" or "sharing" of personal information (California residents — note: we do not sell or share personal data for cross-context behavioural advertising).
• Lodge a complaint with your supervisory authority (e.g. CNIL in France, ICO in the UK, EDPB list for the EU).

To exercise these rights, write to info@hospitalityaistudio.com. We respond within 30 days at most (45 days for CCPA requests, extendable once).

The Site uses strictly necessary cookies (session, security) that do not require consent, and anonymised audience-measurement cookies. No third-party advertising cookies are set without your explicit consent. You can configure your browser at any time to refuse cookies.

Data is stored on encrypted infrastructure (TLS in transit, encryption at rest). Access is strictly limited to authorised personnel through strong authentication. In the event of a data breach likely to affect your rights, you will be notified in accordance with applicable law (GDPR Art. 34 and equivalents).

The Site is intended for hospitality professionals and is not directed at minors under 16. We do not knowingly collect personal data from children.