Privacy Policy
Last updated: 12/12/2025
This privacy notice is intended to provide all information about the processing of personal data carried out by Aurora Technologies S.r.l. when the user registers to use the “Hotely.ai” service (as better described below).
1. INTRODUCTION – WHO ARE WE?
Aurora Technologies S.r.l., with registered office at Via Fornace, 40 - Solaro (MI), Italy, VAT no. 14056600969 (hereinafter, the “Controller” or “Aurora”), owner of the Hotely.ai platform (hereinafter, the “Platform”), in its capacity as controller of the personal data of users of the Platform (hereinafter, the “Users”), provides this privacy notice pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter, the “Regulation” or the “Applicable Law”).
2. CONTROLLER’S CONTACT DETAILS – HOW CAN YOU CONTACT US?
The Controller attaches the utmost importance to the right to privacy and protection of the personal data of its Users.
Users may contact the Controller at any time using the following methods:
By sending a registered letter with return receipt to the Controller’s registered office indicated in paragraph 1 above;
By sending an email to: privacy@auroratechnologies.ai.
The Controller has not appointed a Data Protection Officer (DPO), as it is not subject to the obligation to designate one pursuant to Article 37 of the Regulation.
3. MAIN PURPOSE OF THE PROCESSING – WHAT DO WE DO?
By accessing the Platform, the User may create an account on the Platform in order to develop and manage a virtual assistant based on artificial intelligence, designed for hotels, resorts and accommodation facilities, which enables the automated and multilingual management of chats, calls and guest requests, as well as the creation of interactive digital menus and integration with communication and booking systems (hereinafter, the “Service”).
In relation to the activities that may be carried out through the Platform, the Controller collects personal data relating to Users: for the personal data relating to the User and processed by the Controller as data controller, please refer to this notice, while for the personal data relating to the User’s customers and/or prospects or, more generally, to users of the Platform, processed by Aurora as processor on behalf of the User, please refer to the data processing agreement attached to the General Terms and Conditions of the Service.
The Platform and any services offered through the Platform are reserved for persons who are at least eighteen years of age. The Controller therefore does not collect personal data relating to persons under 18 years of age. At the request of Users, the Controller will promptly delete any personal data unintentionally collected and relating to persons under 18 years of age.
Users’ personal data will be lawfully processed by the Controller for the following purposes:
a) Contractual obligations and provision of the Service: to enable use of the Service and to perform the General Terms and Conditions accepted by the User when registering and upon any upgrade of the User’s subscription plan to the Service; to fulfil specific requests made by the User. The User data collected by the Controller for registration on the Platform include only the email address (mandatory) as well as the full name (mandatory), telephone number (optional), and the name and type of business (mandatory). If the User synchronises his or her own calendar with the Platform calendar, all personal data contained in the User’s calendars will also be transmitted to the Controller, in accordance with the privacy policies of the relevant providers:
Google: https://cloud.google.com/terms/cloud-privacy-notice
Microsoft: https://www.microsoft.com/it-it/privacy/privacystatement#mainreasonswesharepersonaldatamodule
All personal information of the User that is voluntarily shared with the Controller, for example through the support chatbot available on the Platform (both on the registration page and within the Platform), may also be processed by Aurora.
Unless the User gives the Controller a specific and optional consent to the processing of his/her data for the additional purposes set out in the following paragraphs, the User’s personal data will be used by the Controller solely in order to (i) provide the Service, (ii) verify the User’s identity (by validating the email address and sending the access link to the Platform), thereby preventing possible fraud or abuse, (iii) contact the User for service reasons only (e.g. to send notifications relating to the services offered on the Platform or to any current subscription), and (iv) respond to Users’ requests, submitted either to the Controller’s contact details referred to in paragraph 2 above or via the support chatbot. Without prejudice to what is provided elsewhere in this privacy notice, under no circumstances will the Controller make Users’ personal data accessible to other Users and/or third parties.
b) Administrative and accounting purposes, i.e. to carry out activities of an organisational, administrative, financial and accounting nature, such as internal organisational activities and activities functional to the fulfilment of contractual and pre-contractual obligations;
c) Legal obligations, i.e. to comply with obligations provided for by law, by an authority, by a regulation or by EU legislation.
The provision of personal data for the above processing purposes is optional but necessary, since failure to provide such data will make it impossible for the User to use the Service, notifications or individual features thereof (e.g. calendars, support chatbot, etc.).
4. ADDITIONAL PURPOSES OF PROCESSING – WHAT ELSE CAN WE DO?
Marketing (sending advertising material, direct sales and commercial communications)
Some of the User’s personal data (namely the indicated name and email address) may also be processed by the Controller for marketing purposes (sending advertising material, direct sales and commercial communications), i.e. so that the Controller may contact the User by email, telephone (landline and/or mobile, using automated calling systems or communication systems with and/or without the intervention of an operator) and/or SMS and/or messaging systems and/or in‑app notifications to propose to the User the purchase of products and/or services offered by the Controller and/or partner companies, present promotions, new services of the Platform and/or of the Controller and commercial opportunities.
Failure to provide consent will in no way affect the possibility of using the Service.
If consent is given, the User may withdraw it at any time by making a request to the Controller in the manner indicated in paragraph 8 below or by disabling the option to receive marketing communications directly from his or her account (in the “Settings” section).
The User may also easily object to further sending of promotional communications by email, SMS and messaging systems by clicking on the appropriate unsubscribe link included in each promotional communication. Once consent has been withdrawn, the User will see a confirmation message from the Controller. If the User wishes to withdraw consent to the sending of promotional communications by telephone or SMS while continuing to receive promotional communications by email, or vice versa, he or she should send a request to the Controller in the manner indicated in paragraph 8 below.
The Controller informs the User that, following the exercise of the right to object to the sending of promotional communications by email, it is possible that, for technical and operational reasons (e.g. creation of contact lists already completed shortly before receipt by the Controller of the objection request), the User may continue to receive some further promotional messages. If, after 24 hours have elapsed from the exercise of the right to object, the User continues to receive promotional messages, please report the problem to the Controller using the contact details indicated in paragraph 8 below.
5. LEGAL BASIS – WHY CAN WE PROCESS YOUR DATA?
Contractual obligations and provision of the Service (as described in paragraph 3, letter a) above): the legal basis is Article 6(1)(b) of the Regulation, i.e. processing is necessary for the performance of a contract to which the User is party or in order to take steps at the User’s request prior to entering into a contract.
Administrative and accounting purposes (as described in paragraph 3, letter b) above): the legal basis is Article 6(1)(b) of the Regulation, since the processing is necessary for the performance of a contract and/or in order to take steps at the User’s request prior to entering into a contract.
Legal obligations (as described in paragraph 3, letter c) above): the legal basis is Article 6(1)(c) of the Regulation, since the processing is necessary for compliance with a legal obligation to which the Controller is subject.
Additional purposes of processing: as regards processing relating to marketing activities (as described in paragraph 4.1 above), the legal basis is Article 6(1)(a) of the Regulation, i.e. the data subject’s consent to the processing of his or her personal data for one or more specific purposes. For this reason, the Controller asks the User to give specific, free and optional consent in order to pursue this purpose of processing.
6. METHODS OF PROCESSING AND DATA RETENTION PERIOD – HOW AND FOR HOW LONG DO WE PROCESS YOUR DATA?
The Controller will process Users’ personal data by manual and electronic means, following logic strictly related to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of the data.
Users’ personal data collected through the Platform will be stored for as long as the User uses the Service and, in any case, for the time necessary to fulfil the primary purposes described in paragraph 3 above and, in any case, for as long as necessary for the protection, in civil proceedings, of the interests of both the Users and the Controller.
In the case referred to in paragraph 4.1 above, Users’ personal data will be stored for as long as the User uses the Service and, in any case, until the User withdraws his or her consent.
In any case, statutory retention periods provided for by laws or regulations are reserved.
7. SCOPE OF COMMUNICATION AND DISCLOSURE OF DATA – WHERE AND TO WHOM DO WE TRANSFER YOUR DATA?
Users’ personal data may be transferred outside the European Union and, in such a case, the Controller will ensure that the transfer takes place in compliance with the Applicable Law and, in particular, in accordance with Articles 45 (Transfers on the basis of an adequacy decision) and 46 (Transfers subject to appropriate safeguards) of the Regulation.
Employees and/or collaborators of the Controller in charge of managing the Platform and Users’ requests may become aware of Users’ personal data. These persons, who have been instructed by the Controller pursuant to Article 29 of the Regulation, will process the User’s data exclusively for the purposes indicated in this notice and in compliance with the provisions of the Applicable Law.
Third parties who may process personal data on behalf of the Controller as processors may also become aware of Users’ personal data, such as, by way of example, providers of IT and logistics services functional to the operation of the Platform and some of its features (e.g. hosting, email sending, etc.), providers of outsourcing or cloud computing services, professionals and consultants.
Third parties who may process personal data as independent controllers may also become aware of Users’ personal data, such as, by way of example, payment service providers (Stripe, which will process the data in accordance with its own privacy notice available at https://stripe.com/it/privacy) and providers of the digital calendar service used by the User, as better described in paragraph 3 above.
Users have the right to obtain a list of any processors appointed by the Controller by making a request to the Controller in the manner indicated in paragraph 8 below.
8. DATA SUBJECTS’ RIGHTS – HOW CAN YOU PROTECT YOUR DATA?
Users may exercise the rights granted to them by the Applicable Law by contacting the Controller at the addresses indicated in paragraph 3 above and, in certain cases, by using the features available within their account (e.g. withdrawal of marketing consent).
Pursuant to the Applicable Law, the Controller informs Users that they have the right to obtain information about (i) the origin of the personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the case of processing carried out with the aid of electronic tools; (iv) the identification details of the controller and of any processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them as processors or persons in charge of the processing.
Furthermore, Users have the right to obtain:
a) access to, updating and rectification of the data or, where interested, integration of the data;
b) erasure, anonymisation or restriction of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
c) certification that the operations referred to in letters a) and b) have been notified, also as regards their content, to those to whom the data have been communicated or disclosed, unless this proves impossible or involves a manifestly disproportionate effort compared with the right protected.
Furthermore, Users have the right:
a) to withdraw consent at any time, where processing is based on their consent;
b) (where applicable) to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine‑readable format);
c) to object:
i) in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of the collection;
ii) in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communications;
iii) where personal data are processed for direct marketing purposes, at any time, to the processing of their data carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
d) if they consider that the processing concerning them infringes the Regulation, to lodge a complaint with a supervisory authority (in the Member State of their habitual residence, place of work or place of the alleged infringement). The Italian supervisory authority is the Garante per la protezione dei dati personali, with offices in Piazza Venezia no. 11, 00187 – Rome (http://www.garanteprivacy.it/).
9. REGISTRATION THROUGH THIRD‑PARTY SERVICES – WHAT HAPPENS IF YOU REGISTER WITH YOUR GOOGLE ACCOUNT?
Registration via “Sign in with Google”
The Controller informs Users who have a Google account that they can register on the Platform through the “Sign in with Google” service or its equivalent, where such option is available by means of the relevant button.
The data that may be communicated by Google to the Controller through the “Sign in with Google” service are the following: first name, surname and email address. The Controller will process such data exclusively for the purposes indicated in this notice, in compliance with the consents that the User decides to provide.
By clicking the “Sign in with Google” button, the User consents to Google transferring the above‑mentioned data to the Controller. The Controller will use such data to simplify the registration procedure by pre‑filling certain fields in the registration form with the data communicated by Google.
For further information on the “Sign in with Google” service and to change your privacy settings relating to that service, you can consult the following links:
- www.google.com/intl/it_ALL/policies/privacy/
- https://support.google.com/accounts/answer/12849458?hl=it
_____________
The Controller is not responsible for updating all links that can be viewed in this notice. Therefore, whenever a link is not working and/or up to date, Users acknowledge and agree that they must always refer to the document and/or section of the websites referred to by that link.