Privacy Policy

Last updated: May 6, 2026

1. Who We Are

This Privacy Policy is issued by Arete Logistics sp. z o.o. ("Arete Logistics", "we", "us", "our"), a Polish limited liability company with its registered office at Jeździecka 11a, 30-698 Kraków, Poland, registered in the National Court Register (KRS) under number 0000958703, NIP 6793234479, REGON 521397362. Arete Logistics is the operator of the MigoAI platform available at migoai.host ("MigoAI" or the "Platform").

2. Personal Data We Process

2.1 Customer Account Data

Provided when you register for a MigoAI account. This data is required to create and maintain your account; without it we cannot deliver the service.

  • Full name
  • Business email address
  • Organisation name
  • Role within the organisation
  • Password
  • Login history (IP address and timestamp of authentication events)
  • Account authentication data

2.2 Guest Data

Synchronised from your channel manager or property management system. If you are a guest, your data was provided to us by the accommodation provider through their booking platform — we did not collect it directly from you.

  • Guest name
  • Guest email address
  • Guest phone number
  • Check-in date, check-out date, number of guests
  • Booking source and reservation status
  • Declared guest language and country
  • The full text of messages exchanged between the guest and the AI

2.3 Technical & Security Data

Recorded automatically by the Platform:

  • IP addresses
  • Audit-trail entries for administrative actions
  • Operational logs necessary to run and monitor the service

3. How We Use Your Data

  • Providing the service — delivering the features you have subscribed to.
  • Account and billing — managing your account and processing payments.
  • Security and abuse prevention — protecting the Platform and its users from threats and misuse.
  • Service improvement — aggregated analytics and quality monitoring to improve the Platform.
  • Legal obligations — complying with applicable law and defending legal claims.

4. How AI Replies Are Generated

MigoAI uses a third-party AI provider to generate replies to guest messages on your behalf. The provider processes data solely to deliver the requested service. Our data-use commitments are set out in Section 11.

Conversations are not routinely reviewed by our staff. Authorised staff may access conversation content when investigating a technical issue, resolving a service disruption, or responding to a legal request. Such actions are recorded in our audit log.

5. Who We Share Data With

To deliver the service we share personal data with the following categories of recipients:

  • AI processing provider — generates AI replies to guest messages.
  • Channel-manager and property-management-system providers — facilitate the exchange of reservation and messaging data.
  • Hosting and infrastructure provider — stores and serves Platform data.
  • Network protection provider — protects the Platform from malicious traffic.
  • Transactional email provider — delivers account-related notifications.

Some of these providers are established in the United States or operate global networks. Where personal data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place.

6. Data Retention

We retain personal data only for as long as we need it to deliver the service, comply with our legal obligations, or defend legal claims.

  • Customer account data — kept while your subscription is active. On termination we provide your data within 30 days of your request. After 90 days following termination, the account record and associated personal data are deleted, except where retention is required by law.
  • Guest reservation and conversation data — kept for the duration of your subscription so that you can review the AI's communication with your guests. On subscription termination the same 30-day provision and 90-day deletion periods apply, unless retention is required by law.
  • Audit and security logs — retained for up to 180 days, then deleted. Operational logs are retained for up to 30 days.
  • Backups — taken on a regular schedule, retained for up to 30 days, and access-restricted. Should a backup restore be necessary, we take appropriate steps to ensure previously fulfilled erasure requests are honoured.

7. Security

We implement appropriate technical and organisational measures designed to protect personal data from unauthorised access, loss, alteration, destruction, or disclosure. No method of electronic transmission or storage is completely secure; however, we continuously review and improve our safeguards to maintain a level of security appropriate to the risk.

In the event of a personal data breach we notify the competent authorities and, where required, affected individuals without undue delay and in accordance with applicable law. Where we act as a processor we notify the customer without undue delay.

8. Your Privacy Rights

Depending on where you are located, you may have rights regarding your personal data. These may include the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your personal data
  • Receive your data in a structured, portable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your local data protection authority

Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. To exercise any of these rights, write to the contact address in Section 13. We will respond within one month of verifying your request, or within the time required by applicable law. Where your data was supplied to us by one of our customers, we will route your request to that customer and assist them in fulfilling it.

9. Children's Data

MigoAI is a business-to-business service intended for hospitality professionals. It is not directed at children. We do not knowingly collect personal data from a child under 16. If you believe we hold such data, please contact us and we will delete it.

10. Changes to This Policy

We may revise this Privacy Policy when our practices, sub-processors or applicable law change. Material changes will be notified by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. What We Don't Do

We make the following commitments about how we handle your data:

  • We do not sell, rent, trade, or otherwise commercialise personal data.
  • We do not use customer or guest data to train AI models.
  • We do not engage in profiling or automated decision-making that produces legal or similarly significant effects.
  • We do not use tracking cookies, third-party analytics, advertising, or social-media scripts. We use only strictly-necessary cookies for authentication and session management.
  • We do not request, store, or process sensitive personal data.

12. Additional Information for EEA and UK Residents

If you are located in the European Economic Area, the United Kingdom or Switzerland, the following additional information applies to you under Regulation (EU) 2016/679 (the "GDPR").

12.1 Our Roles Under GDPR

We are the Controller for the personal data of our customers and their staff, and the Processor for the personal data of hotel guests, which our customers supply to us through their channel manager or property management system. We process guest data only on the customer's documented instructions, in accordance with Article 28 GDPR.

12.2 Legal Bases for Processing

  • Providing the service — Article 6(1)(b) for customer data; Article 28 for guest data.
  • Account and billing — Articles 6(1)(b) and 6(1)(c).
  • Security — Article 6(1)(f) — platform and user protection.
  • Service improvement — Article 6(1)(f) — service quality and reliability.
  • Legal obligations — Article 6(1)(c).

12.3 Your GDPR Rights

The rights listed in Section 8 correspond to Articles 15–21 and Article 7(3) GDPR. We respond within one month of receipt, with the possibility of extending by two further months where necessary (Article 12(3)). Exercising these rights is free of charge, except where requests are manifestly unfounded or excessive (Article 12(5)).

12.4 Automated Processing and AI Transparency

Under Article 22 GDPR you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. MigoAI's AI provides informational and conversational assistance only and does not make decisions with legal or contractual effect. Any request requiring a decision is routed to the customer's staff. Customer staff can pause the AI at any time and take over manually.

In accordance with Article 50 of Regulation (EU) 2024/1689 (the EU AI Act), the AI identifies itself as an AI assistant in its first message to each guest.

12.5 Data Transfer Mechanisms

Where personal data is transferred outside the EEA, we rely on applicable adequacy decisions (including the EU-U.S. Data Privacy Framework decision of 10 July 2023) or implement appropriate safeguards such as Standard Contractual Clauses (Commission Decision 2021/914). You may request a copy of the relevant mechanism by writing to the contact address in Section 13.

12.6 Supervisory Authority

You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. In Poland the supervisory authority is the Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

12.7 Sub-Processors and Data Protection Officer

The list of named sub-processors is made available to customers as part of the subscription agreement. We inform customers before any sub-processor handling personal data is added or replaced, in accordance with Article 28(2) GDPR. We have not appointed a Data Protection Officer as the criteria of Article 37 GDPR are not met. For all data protection enquiries please use the contact details in Section 13.

13. Contact

For privacy enquiries, to exercise your rights, or to raise a complaint about how we handle personal data:

Arete Logistics sp. z o.o.

Jeździecka 11a, 30-698 Kraków, Poland

[email protected]