HiJiffy Console: Privacy Policy

1. Introduction and Roles

This Privacy Policy describes how HIJIFFY, S.A. (“HiJiffy,” “we,” “us”) processes personal data in connection with the HiJiffy Console platform (the “Console”).

This policy applies to the Client (our customer, e.g., the hotel) and its authorised Users (agents) who access the Console.

Under the General Data Protection Regulation (GDPR), our roles regarding personal data within the Console are clear:

• The Client (Your Employer) is the Data Controller: The Client determines the purposes and means of processing personal data related to its guests (End-Users) and its own employees (Users).
• HiJiffy is the Data Processor: HiJiffy processes this personal data only on behalf of the Client and in accordance with their documented instructions, as defined in the Master Service Agreement (MSA) and Data Processing Agreement (DPA).

   

This Privacy Policy must be read in conjunction with the DPA.

2. Personal Data We Process as a Data Processor

As a Data Processor, HiJiffy processes the following categories of personal data within the Console, based on the Client’s instructions:

• End-User (Guest) Data:
  • Connection & Device Data: IP address, OS, browser version, browser settings, and timestamps.
  • Identification Data: First name, Surname, Email Address, and Phone number.
  • Conversation Data: All messages exchanged between the End-User and the platform.
  • Booking Data: Check-in/check-out dates, booking ID, booking amount, and other reservation data.
• Client User (Agent) Data:
  • Account Data: First and Last Name, Email Address, Time Zone, and optional Photo.
  • Usage Data: Console usage logs for system analytics and security compliance.

     

3. Purpose and Legal Basis of Processing

As the Data Processor, HiJiffy does not determine the legal basis. The Client (Data Controller) is responsible for establishing a valid legal basis for all data processing.

HiJiffy processes the data for the following purposes, based on the legal bases established by the Client (typically Contractual Necessity or Legitimate Interest):

• Purpose: To securely transfer information to the hotel, engage with customers, deliver automated communications, and enable agents to view and respond to conversations.
• Purpose: For system analytics and security compliance.

   

4. HiJiffy as a Data Controller (Limited Scope)

HiJiffy only acts as a Data Controller for personal data processed for its own operational purposes, which are separate from the Console service. This includes:

• Client Account Management: Processing Client contact details (e.g., administrative or billing contacts) for communication, service management, and invoicing.
• Internal Data: Managing employee records for HR and payroll.

   

This data processing is governed by HiJiffy’s general Privacy Policy.

5. Data Retention and Deletion

HiJiffy retains personal data processed in the Console according to the retention periods defined in our Data Retention Policy and DPA:

• Guest Chat Messages: 5 years.
• Booking Information: 5 years.
• Console Usage Logs: 5 years.
• Client User (Agent) Accounts: Active contract + 5 years.

   

Upon expiration of the retention period or termination of the contract, HiJiffy securely deletes or anonymises personal data. This process includes automated purging mechanisms and removal from backups according to defined retention cycles.

6. Security Measures

HiJiffy implements robust technical and organisational security measures to protect data within the Console, adhering to the principles of Privacy by Design and by Default. These measures include:

• Access Controls: Restricting personal data access to authorised personnel only.
• Encryption: Protecting data at rest and in transit using industry-standard encryption protocols.
• Pseudonymization: Applying techniques to reduce privacy risks where applicable.
• Regular Assessments: Conducting regular security assessments and periodic internal audits.

   

7. Subprocessors and International Data Transfers

HiJiffy engages third-party subprocessors to provide the Console service. All subprocessors are vetted for GDPR compliance.

• EU Hosting: All Client data is hosted in the EU (AWS Ireland).
• Subprocessors (Examples):
  • Amazon Web Services (AWS) EMEA SARL (Ireland)
  • Google Cloud EMEA Limited (Ireland)
  • Twilio, Inc. (USA)
  • HubSpot (USA)
• International Transfers: For subprocessors located outside the EEA (e.g., Twilio, HubSpot), HiJiffy ensures that transfers comply with GDPR requirements by relying on Standard Contractual Clauses (SCCs).

   

8. Data Subject Rights (DSRs)

The Client, as the Data Controller, is responsible for responding to all Data Subject Rights requests from End-Users (guests) and its own Users (agents).

HiJiffy’s obligation as a Processor is to facilitate these requests when instructed by the Client.

• End-User Requests: If an End-User contacts HiJiffy directly to exercise their right of access, rectification, erasure, or others, HiJiffy will not act on the request directly. We will promptly forward the request to the Client.
• Client User (Agent) Requests: Users of the Console seeking to exercise their data rights regarding their agent account must contact their employer (the Client).

   

9. Contact Information

For any inquiries regarding this Privacy Policy or data processing within the Console, Client Users should contact their organisation’s designated administrator (the Client).

The Client may direct data protection inquiries to HiJiffy’s Data Protection Administrator (DPA), Pedro Miguel dos Santos Gonçalves, at: [email protected].

10. Changes in Privacy Policy and language versions

HiJiffy may, from time to time, change and update this privacy policy. You will be notified of any changes to this privacy policy through the release of an updated version on HiJiffy’s website. The English-language version of this privacy policy shall be controlling in all respects and shall prevail in case of any inconsistencies with translated versions HiJiffy may provide, if any.