Ameniti Logo

Privacy Policy - Ameniti Hotel Booking MCP Server

Last Updated: September 16, 2024

Effective Date: September 16, 2024

Overview

This Privacy Policy describes how the Ameniti Hotel Booking MCP Server ("Service", "we", "us") collects, uses, stores, and protects personal information when you use our Model Context Protocol server for hotel bookings.

Information We Collect

Personal Information

When you use our booking service, we collect:

Guest Information:

  • First name and last name
  • Email address
  • Phone number (with country code)
  • Number of guests

Booking Details:

  • Hotel name
  • Check-in and check-out dates
  • Room type preferences
  • Special accommodation requests

Cancellation Information:

  • Reservation ID
  • Cancellation reason

Technical Information

We automatically collect:

API Usage Data:

  • Request timestamps
  • Response times
  • Error logs
  • Tool usage patterns

System Information:

  • Server logs
  • Performance metrics
  • Connection details

OAuth Authentication Data:

  • OAuth bearer tokens (temporarily processed for authentication)
  • Authentication timestamps
  • Token validation requests
  • Authentication failure logs

How We Use Your Information

Primary Purposes

  • Hotel Reservations: Process and manage your hotel bookings
  • Guarantee Setup: Secured reservations with in-person payment at check-in at the hotel (same or different payment method)
  • Communication: Send booking and cancellation confirmations
  • Customer Support: Assist with booking modifications and cancellations

Secondary Purposes

  • Authentication: Validate OAuth tokens to secure access to booking services
  • Service Improvement: Analyze usage patterns to enhance functionality
  • Security: Monitor for fraudulent activity and system abuse
  • Compliance: Meet legal and regulatory requirements

Information Sharing

Third-Party Services

We share information with:

1. Stripe (Booking Guarantee Setup)

  • Purpose: Secure reservation booking and payment processing at check-in
  • Data Shared: Name, email, card details (we do not store the card details)
  • Privacy Policy: https://stripe.com/privacy

2. Ameniti.net (URL Shortening)

  • Purpose: Generate shortened checkout URLs
  • Data Shared: Long URLs containing guarantee ID
  • Retention: URLs stored for service functionality

3. Hotel Partners

  • Purpose: Process reservations and provide services
  • Data Shared: Guest information, booking details, special requests

Legal Disclosure

We may disclose information when required by law or to:

  • Protect our rights and property
  • Investigate fraud or security incidents
  • Comply with legal processes
  • Protect user safety

Data Storage and Security

Storage Locations

  • Primary Database: Hosted on secure cloud infrastructure
  • Logs: Stored on secure logging infrastructure

Security Measures

  • Encryption: All data encrypted in transit and at rest
  • Access Controls: Role-based access with multi-factor authentication
  • Monitoring: 24/7 security monitoring and alerting
  • Auditing: Regular security audits and penetration testing

Credit Card Storage Security

  • Reservations are secured through Stripe tokenization infrastructure
  • In-person payment processing occurs at check-in (not during booking) and can be completed with any payment method accepted at the hotel
  • We never store complete credit card information
  • PCI DSS compliance maintained through Stripe integration

Data Retention

Booking Information

  • Active Reservations: Retained until checkout completion
  • Completed Bookings: Retained for 7 years for accounting and legal purposes
  • Cancelled Bookings: Retained for 3 years for customer service
  • Cancellation Policy: Free cancellation up to 1 day before arrival date - or as indicated during the booking process and at the booking confirmation screen

Technical Logs

  • API Logs: Retained for 90 days
  • Error Logs: Retained for 1 year
  • Security Logs: Retained for 3 years

Account Deletion

Upon request, we will:

  • Delete personal information where legally permissible
  • Anonymize data required for legal retention
  • Provide confirmation of deletion

Your Rights

Access and Control

You have the right to:

  • Access: Request copies of your personal information
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to certain processing activities

How to Exercise Rights

Contact us at privacy@ameniti.ai with:

  • Your full name and email address
  • Specific request details
  • Verification information (for security)

Response Time: We will respond within 30 days

Contact Information

Privacy Inquiries

Response Time: 5-10 business days

Data Protection Officer

  • Email: dpo@ameniti.ai
  • Responsibilities: Privacy compliance, policy updates, breach response

General Support

Questions or Concerns?

If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@ameniti.ai.