Privacy Policy

Last updated: March 2026

1. Who we are

This service is operated by Digital Oas AB, a company registered in Sweden, European Union. We provide an AI-powered guest communication platform for hostels (the "Service").

For privacy enquiries or data requests, contact us at: hello@bunkbell.com

Digital Oas AB is the data controller for data relating to hostel staff accounts and billing. For guest data, the hostel (our customer) is the data controller and we act as a data processor on their behalf.

2. What data we collect and why

Hostel staff accounts

  • Email address: used to create and authenticate your account and to send operational notifications. Legal basis: contract performance.
  • Account activity: records of settings changes and knowledge base edits for operational purposes. Legal basis: legitimate interest.
  • Billing data: subscription plan, billing contact email, and payment method summary (card last 4 digits and expiry date). Full payment card data is processed exclusively by Stripe and never stored on our servers. Legal basis: contract performance.

Hostel guests (web chat)

  • Message content: the text of messages sent through the embedded chat widget, used to generate AI responses. Legal basis: legitimate interest of the hostel in providing guest support.
  • Session identifier: a randomly generated ID stored in the guest's browser (localStorage) to maintain conversation continuity. No personal identity is inferred from this identifier.

Hostel guests (WhatsApp)

  • Phone number: the sender's WhatsApp phone number, used to route messages to the correct conversation thread and to send replies.
  • Message content: the text of WhatsApp messages, used to generate AI responses.
  • WhatsApp messages are delivered to us via the WhatsApp Business Cloud API. WhatsApp's own privacy policy also applies to WhatsApp communications.

Reservation data (PMS integration)

  • When a hostel connects a property management system (currently Cloudbeds, Sirvoy, and Beds24), we sync reservation data including guest names, email addresses, phone numbers, check-in and check-out dates, and room types. This data is used solely to answer guest queries about their own bookings. Legal basis: legitimate interest of the hostel.

3. Third-party processors

We use the following sub-processors to operate the Service:

  • Anthropic (EU, with US fallback available on request) - AI language model processing. Guest message content is sent to Anthropic's API to generate responses. Since August 2025, Anthropic processes and stores EU API traffic within the EU by default. Anthropic does not train on API data. Anthropic Privacy Policy.
  • Supabase (EU, Ireland) - database and file storage. Our Supabase project is hosted on AWS eu-west-1 (Dublin, Ireland). All conversation data, knowledge base content, and reservation data is stored in this region.
  • Stripe (USA, with EU operations) - payment processing and subscription management. Subscription plan, billing contact email, and payment method summary are processed by Stripe. Full card data is stored exclusively by Stripe and never reaches our servers. Stripe is SOC 2 certified and processes EU transfers under Standard Contractual Clauses and the EU-US Data Privacy Framework. Stripe Privacy Policy.
  • WhatsApp Ireland Limited (Ireland, EU) - WhatsApp message delivery via the Business Cloud API. For EU customers, the contracting entity is WhatsApp Ireland Limited, a subsidiary of Meta Platforms. Message content may also be processed in the US under Meta's EU-US Data Privacy Framework certification and Standard Contractual Clauses. WhatsApp Privacy Policy.
  • Resend (USA) - transactional email delivery for notifications to hostel staff. Resend is certified under the EU-US Data Privacy Framework and processes transfers under Standard Contractual Clauses.
  • Vercel (USA, with EU execution regions) - application hosting and serverless function execution. Vercel's control plane is US-based; serverless functions may execute in EU regions. Vercel is ISO 27001:2022 certified and processes EU transfers under Standard Contractual Clauses. Vercel DPA.
  • Voyage AI / MongoDB (Voyage AI Innovations, Inc., USA) - text embedding generation for knowledge base search. Data is processed in the United States under Standard Contractual Clauses (EU Commission Decision 2021/914, governing law Ireland). A UK Addendum covers UK GDPR transfers. Voyage AI DPA. Knowledge base content (hostel information documents) is processed by this service; guest message content is not sent to this service.

Transfers to processors outside the EU are covered by Standard Contractual Clauses or adequacy decisions where applicable. A list of current sub-processors is available on request.

4. How long we keep data

  • Conversation messages: retained for 12 months from the date of the conversation, then deleted.
  • Staff account data: retained for the duration of the account and deleted within 30 days of account closure on request.
  • Reservation data: retained for 90 days after check-out, then deleted from our systems. The authoritative record remains in the hostel's PMS.
  • Action logs (AI tool call audit trail): retained for 12 months.
  • Billing records (subscription history, invoices): retained for 7 years to comply with Swedish accounting law (Bokföringslagen).

5. Your rights (GDPR)

If you are in the European Union or UK, you have the right to:

  • Access: request a copy of personal data we hold about you.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your data ("right to be forgotten").
  • Portability: receive your data in a machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Restriction: request that we restrict processing of your data.

To exercise any of these rights, email hello@bunkbell.com. We will respond within 30 days. If you are a hostel guest, we may need to coordinate with the hostel as data controller to fulfil your request.

You also have the right to lodge a complaint with your national data protection authority. In Sweden this is the Integritetsskyddsmyndigheten (IMY).

6. Cookies and tracking

The admin dashboard uses a session cookie set by Supabase Auth for authentication. The guest chat widget stores a session identifier in localStorage. This is not a cookie and is not used for tracking or advertising. We do not use any third-party analytics or advertising trackers.

7. Changes to this policy

We may update this policy as the Service evolves. Material changes will be communicated to hostel account holders by email. The "last updated" date at the top of this page reflects the most recent revision.

8. Contact

Digital Oas AB
Sweden, EU
hello@bunkbell.com