SmartHotels — Privacy Policy
Last updated: 6 May 2026
Data controller: ERBACCI LTD (Strovolou 77, Strovolos Center 301, Strovolos 2018, Cyprus)
This privacy policy applies to:
- SmartHotels Console — staff app for hotel personnel (iOS, Android, and web console at aspsmartskills.com);
- SmartHotels Guest — companion app for hotel guests (iOS and Android).
1. Who we are
The SmartHotels apps are built and operated by ERBACCI LTD, a company registered in Cyprus (DUNS 965372494). The company is the data controller under GDPR.
Privacy contact email: info@erbacciltd.com
2. What we collect
2.1 SmartHotels Console (staff)
- Identity: business email, first name, last name, role (admin / reception / operator / marketing), assigned property ID.
- Authentication: password (bcrypt-hashed) and/or federated Apple/Google sign-in via AWS Cognito; SMS/email OTP codes for the alternative login flow.
- Push token: Expo push token + device type (iPhone / iPad / Android), used to deliver new-request, new-booking and new-review notifications.
- Operational: action logs (request handling, reservation edits, announcements) for audit and troubleshooting.
2.2 SmartHotels Guest
- Reservation identity: room number + guest surname (entered at login), full name (pre-filled from the hotel's reservation record).
- Stay details: check-in / check-out dates, property ID, hotel name.
- Requests and orders: text submitted to room service (maintenance descriptions, food orders, service bookings such as spa/restaurant).
- Chat: messages exchanged with hotel staff.
- Reviews: optional star rating and comment left at check-out.
- Push token: Expo push token + room number, used to notify the guest of staff replies and hotel announcements.
We do not collect additional contact details (e.g., personal email, phone number) for guests. We do not use third-party tracking cookies or advertising profiling tools. We do not sell data to third parties.
3. How we use the data
- Service delivery: routing requests/orders to the right room, threading chat to the right staff, surfacing history to the staff dashboard.
- Push notifications: alerting staff of new requests, alerting guests of staff replies or hotel announcements.
- Automated emails: forwarding new requests to the email recipients the hotel has registered for the relevant category (e.g., maintenance@hotel.com).
- Security and abuse prevention: login rate limiting, access logs.
- Subscription billing (hotel-side only): managing the SaaS plan via the Revolut Merchant API (we never store card details — they are held by Revolut).
4. Sub-processors and where data flows
To deliver the service we rely on third-party cloud providers. Data may be transferred to the United States — every provider participates in the EU-US Data Privacy Framework and/or relies on the European Commission's Standard Contractual Clauses.
- Amazon Web Services (DynamoDB, SES, S3, Lightsail) — infrastructure + database hosting. Region: us-east-1.
- Amazon Cognito — staff user authentication.
- Amazon Alexa Smart Properties — when the hotel has activated Echo Show devices, voice announcements and rotating cards transit through Amazon's ASP API.
- Apple Push Notification service and Firebase Cloud Messaging — push delivery on iOS and Android (via Expo Notifications).
- Revolut Business — payment processor for the Pro subscription.
- OpenAI — only used for AI-translation of catalog item names entered by staff (non-personal text).
5. How long we keep data
- Staff accounts: for the duration of the SaaS contract + 12 months (then deleted on request, or automatically after 24 months of inactivity).
- Guest session: automatically invalidated at 13:00 Europe/Rome on the check-out date. Chat messages and requests remain visible to staff for 90 days post-checkout for audit purposes, then anonymized.
- Reviews: kept while the hotel remains an active SmartHotels customer.
- Access logs: 30 days.
- Payment invoices: 10 years (tax obligation).
6. Your rights (GDPR / European privacy law)
You have the right to:
To exercise a right, write to info@erbacciltd.com. We respond within 30 days.
7. Children
The SmartHotels apps are not directed at children under the age of 13. We do not knowingly collect data from children. If you are a parent and believe your child has shared data with us, contact us and we will remove it.
8. Security
All traffic uses HTTPS (TLS 1.2+). Passwords are stored with bcrypt; databases are encrypted at rest (AWS DynamoDB encryption-at-rest). Access to production data is limited to a small number of administrators and is audited.
9. Changes to this policy
Material changes will be communicated by email to staff accounts and/or via in-app notice before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
ERBACCI LTD
Strovolou 77, Strovolos Center 301
Strovolos 2018, Cyprus
Email: info@erbacciltd.com
DUNS: 965372494