Privacy Policy
Last updated: March 29, 2026
Konuk ("we," "us," or "our") operates the Konuk platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service. This policy applies to hotel customers ("Customers") and visitors to our website. For information about how we process guest data on behalf of our Customers, see our Data Processing Agreement.
1. Information We Collect
Account Information (Customer Data)
- Name, email address, and password when you create an account
- Hotel or property name, address, phone number, and contact details
- Billing information (processed securely by Stripe; we do not store full card numbers)
- Staff member names, emails, and assigned roles
- Business registration details provided for phone number registration (10DLC)
Guest Data (Processed on Behalf of Customer)
We process the following guest data solely on behalf of and under the instructions of our Customers. The Customer is the data controller for all guest data.
- Guest names, phone numbers, email addresses, and WhatsApp identifiers
- Reservation details: check-in/out dates, room number, booking source
- SMS, WhatsApp, email, and OTA message content exchanged through the platform
- Conversation metadata (timestamps, read status, delivery status, channel used)
- Messaging consent status (opted-in, opted-out, pending) and consent timestamps
- Guest satisfaction survey responses
- Language preferences and communication preferences
PMS Integration Data
- Reservation data synced from supported PMS systems (Cloudbeds, Mews, WebRezPro, roomMaster)
- PMS access tokens and property identifiers (stored encrypted)
- We access PMS data only with explicit Customer authorization and solely to provide the Service
Knowledge Base Data
- Documents, FAQs, policies, and structured information you upload to train the AI assistant
- This data is used exclusively for your property and is never shared with other Customers
Usage and Technical Data
- Log data (IP address, browser type, pages visited, timestamps)
- Feature usage analytics (aggregated and anonymized)
- Device and session information for security and fraud prevention
- Message delivery metrics (sent, delivered, failed, read) per channel
2. How We Use Information
Customer Data
- To create and manage your account
- To process payments and manage subscriptions
- To send service-related notifications (security alerts, billing, product updates)
- To provide customer support
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
Guest Data (as Data Processor)
- To send and receive guest messages on the Customer's behalf via SMS, WhatsApp, email, and OTA channels
- To generate AI-powered reply suggestions based on conversation context and the Customer's knowledge base
- To execute automated guest journeys configured by the Customer (via WhatsApp and email)
- To deliver broadcast messages to consented guests as directed by the Customer
- To track and enforce messaging consent (opt-in/opt-out) for TCPA compliance
- To provide analytics and reporting to the Customer about their guest communications
3. AI and Automated Processing
- Our AI features use conversation context and your uploaded knowledge base to generate draft replies and classify guest requests.
- AI-generated messages are presented as drafts for staff review before sending. Template-based automations configured by the Customer may send without per-message review.
- We do not use your guest data or knowledge base to train our AI models. Your data remains isolated to your account and is not shared across Customers or used for any purpose beyond providing the Service to you.
- AI processing is performed by third-party AI providers (see Section 5). Message content is sent to these providers for processing and is not retained by them for model training.
4. Messaging Channels and Consent
SMS
- SMS messages are delivered via third-party telecommunications providers.
- We track per-guest consent status (opted-in, opted-out) with timestamps.
- We automatically process opt-out keywords (STOP, UNSUBSCRIBE, etc.) and block messages to opted-out guests.
- The Customer is responsible for obtaining initial consent. See our Terms of Service for consent requirements.
WhatsApp
- WhatsApp messages are delivered via the WhatsApp Business API.
- Outbound messages outside the 24-hour session window require pre-approved message templates.
- Guest journey automation uses WhatsApp as the primary channel (SMS is not used for automated journeys).
- WhatsApp message content is end-to-end encrypted by Meta during transit.
Email
- Email messages are delivered via third-party email providers.
- All emails include an unsubscribe mechanism as required by the CAN-SPAM Act.
- Email is used as a fallback channel for guest journeys when WhatsApp is not available.
OTA Messages
- OTA messages (Booking.com, Expedia, Airbnb, Agoda, and others) are routed through third-party connectivity providers.
- OTA messages are subject to each OTA platform's own terms and privacy policies.
- We display OTA messages in the Customer's inbox and route replies back to the originating platform.
Social Media (Instagram, Facebook)
- Instagram and Facebook messages are received and sent via Meta's APIs.
- These messages are subject to Meta's Platform Terms and Privacy Policy.
5. How We Share Information
We do not sell, rent, or trade personal data. We share information only with the following categories of recipients, solely to provide the Service:
Service Providers
- Telecommunications: For SMS and WhatsApp message delivery (guest phone numbers and message content are shared for delivery purposes)
- Email delivery: For sending emails on Customer's behalf (guest email addresses and email content are shared)
- Payment processing: Stripe processes all payment transactions (billing data only; Stripe's privacy policy applies)
- Database hosting: Our database infrastructure provider stores all platform data (encrypted at rest)
- AI processing: AI providers process message content to generate draft replies (data is not retained for model training)
- OTA connectivity: Third-party providers route OTA messages between platforms and our inbox
- Error monitoring: For platform stability and debugging (anonymized technical data only)
PMS Integrations
- We exchange guest data with the Customer's authorized PMS system as directed by the Customer
- Only the data necessary to sync guest information is shared
Legal Requirements
- When required by law, subpoena, court order, or government request
- To protect our rights, property, or safety, or the rights of our users
- In connection with a merger, acquisition, or sale of assets (with notice to affected Customers)
6. Data Security
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Per-Customer data isolation via row-level security policies
- Role-based access controls limit data visibility to authorized staff members
- PMS access tokens and API credentials stored with application-layer encryption
- Immutable audit logging of all data access, message sends, and consent changes
- Regular security monitoring and vulnerability assessment
- Automatic session management with device tracking
7. Data Retention
- Active accounts: Data retained for the duration of the subscription
- Canceled accounts: Data retained for 30 days post-cancellation, then permanently deleted
- SMS opt-out records: Retained indefinitely as required for TCPA compliance (phone number and opt-out date only)
- Audit logs: Retained for 12 months after account termination
- Billing records: Retained as required by tax and accounting regulations
- You may request earlier deletion by contacting us (subject to legal retention requirements)
8. Your Rights
Customer Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate information
- Request deletion of your data (subject to legal retention requirements)
- Export your data in a portable format (CSV export available from dashboard)
- Object to or restrict certain processing
- Withdraw consent where processing is consent-based
Guest Rights
Hotel guests should direct data access, correction, or deletion requests to the hotel (the data controller). We will assist Customers in responding to guest rights requests as outlined in our Data Processing Agreement.
California Residents (CCPA)
- We act as a "service provider" under the CCPA when processing guest data on behalf of Customers.
- We do not sell personal information.
- California hotel guests may exercise their CCPA rights by contacting the hotel directly. We assist Hotels in fulfilling these requests.
- California residents who are our direct Customers may contact us to exercise their rights.
European Residents (GDPR)
- We act as a data processor under GDPR when processing guest data on behalf of Customers.
- For EU guest data transfers, our Data Processing Agreement includes Standard Contractual Clauses (SCCs).
- Legal basis for processing Customer data: contract performance and legitimate interests.
- EU-based hotel guests should contact the hotel (data controller) to exercise GDPR rights.
To exercise any rights as a Customer, contact us at privacy@konuk.us.
9. International Data Transfers
Our Service and service providers operate primarily in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required by applicable law.
10. Cookies and Tracking
- Our marketing website uses essential cookies for functionality and analytics cookies to understand usage patterns.
- The Service application uses session cookies for authentication.
- We do not use third-party advertising cookies or cross-site tracking.
- You can manage cookie preferences through your browser settings.
11. Children's Privacy
Our Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us personal data, please contact us and we will take steps to delete such information.
12. Data Breach Notification
In the event of a data breach affecting personal data, we will notify affected Customers within 72 hours of becoming aware of the breach, as required by applicable law. We will provide details about the nature of the breach, the data affected, and the remedial actions taken.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Privacy: privacy@konuk.us
- General: hello@konuk.us