Privacy Policy

RegolithX operates as a data processor. Your hotel operates as the data controller. This distinction is legally significant under GDPR (Regulation (EU) 2016/679) and Indonesia's UU PDP (Personal Data Protection Law). As a data processor, we only process personal data on your documented instructions and do not determine the purposes or means of that processing.

As the data controller, your hotel is responsible for ensuring you have a lawful basis for collecting and processing guest data, providing privacy notices to guests, and honouring their data subject rights.

Account Data

• ›Name and email address of hotel staff and administrators
• ›Hotel name, address, and property configuration details
• ›Billing information (invoicing name and address — no card numbers stored by RegolithX)
• ›Account credentials (passwords stored as salted hashes; never in plain text)

Operational Data

This is data you input into the platform to run your hotel operations:

• ›Guest names, email addresses, and phone numbers
• ›Reservation records, check-in and check-out dates, room assignments
• ›Maintenance requests and staff task assignments
• ›In-room orders and upsell transactions
• ›Web push notification tokens for guest communications
• ›OTA integration data synced from Booking.com, Agoda, Airbnb, and other connected channels

Automatically Collected Data

• ›IP address and approximate geolocation (country/city level) for security logging
• ›Browser type, operating system, and device information
• ›Pages visited, features used, and session duration for product analytics
• ›Crash reports and error logs to improve platform stability

RegolithX uses Anthropic's Claude API to power several AI features. When you use these features, certain data inputs are transmitted to Anthropic's servers for processing.

Third-Party Service Providers

• ›Anthropic Claude API — AI language model processing for assistant, pricing, and upsell features
• ›Supabase — primary database, authentication, and file storage infrastructure
• ›OTA Providers (Booking.com, Agoda, Airbnb, etc.) — channel management data sync
• ›Payment Gateways — Midtrans, GoPay, OVO, Dana, ShopeePay, QRIS for payment processing
• ›Web Push Services — browser-based push notification delivery

We apply security measures across all layers of the platform. Primary data storage is located in Singapore, within an AWS / Supabase-managed environment.

• ›TLS 1.3 encryption for all data in transit between your browser, our servers, and third-party APIs
• ›AES-256 encryption for all data at rest
• ›Row-Level Security (RLS) — each hotel account can only read and write its own data; cross-tenant data access is architecturally prevented
• ›Multi-tenant isolation ensures no hotel can access another hotel's guest records, reservations, or operational data
• ›Access to production infrastructure is restricted to authorised RegolithX engineers via multi-factor authentication
• ›Automated backups with point-in-time recovery

• ›Card numbers — handled exclusively by the payment gateway (Midtrans). RegolithX never stores, logs, or transmits raw card numbers. We receive only a masked token and transaction status.
• ›Passport and ID scans — these must be stored locally by the hotel (e.g., on your front-desk device or in a physical register). Do not upload passport or ID images to the RegolithX platform.
• ›Bank account credentials — if stored for payout purposes, encrypted at rest with AES-256 and never exposed in API responses or logs.
• ›Biometric data — not collected or processed by RegolithX under any circumstances.

Your hotel, as the data controller, bears primary responsibility for how you use guest data within RegolithX. Specifically:

• ›Obtaining valid guest consent before using AI features that process their personal data
• ›Providing guests with a clear privacy notice that discloses AI processing of their data
• ›Honouring guest requests to access, correct, or delete their personal data
• ›Ensuring that your team members who use RegolithX understand your hotel's data protection obligations

Recommended Consent Language

We recommend including the following (or equivalent) on your check-in form or guest communication:

Hotel operators (as our direct customers) have the following rights regarding personal data we hold about them and their accounts:

To exercise any of these rights, contact privacy@regolithx.com. We respond to all requests within 30 days and will never charge a fee for reasonable requests.

• ›Active hotel and guest data is retained for the duration of your active subscription.
• ›All hotel and guest data is permanently deleted within 30 days of account cancellation — no exceptions.
• ›Immediate deletion is available upon written request to privacy@regolithx.com.
• ›Anonymised, aggregated analytics (e.g., total reservation volume, feature usage trends) may be retained indefinitely as they cannot be linked to any individual.
• ›Billing records and invoices are retained for 7 years in compliance with Indonesian tax law (UU Perpajakan).
• ›Web push notification tokens are deleted immediately upon unsubscribe or on account cancellation.

We use a minimal set of cookies. We do not use advertising cookies and we do not sell your data to advertisers.

For all privacy-related enquiries, data subject requests, or breach notifications, contact us at: