Privacy Policy

In effect from 21.06.2024

By accepting this privacy policy, you express your consent to the processing of your personal data according to the purposes and under the conditions mentioned in this document.

This privacy policy applies to the personal data we collect when you use the  iExperience  mobile application whose provider is BFF AI SOLUTIONS SRL.

Contact details of BFF AI SOLUTIONS SRL:

• Address: Str. Main, No. 70, Capusu de Câmpie, Mureș, Romania, 547341

• Email:  hi@iexperience.ai

BFF AI SOLUTIONS SRL collects, processes and stores personal data in the EU, being able to demonstrate at any time compliance with European Union legislation and the principles established in this document.

To better understand your overall experience during your stay at different hotels and to help both you and the company get the most out of your current and future trips, BFF AI SOLUTIONS SRL through the  iExperience application  collects , stores, processes and shares some of your personal data as described below.

All personal data processing activities carried out by BFF AI SOLUTIONS SRL are in accordance with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and its repeal of Directive 95/46/CE (General Data Protection Regulation).

Terms and Definitions

Personal data  – any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification element such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.

Processing  – any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

Consent  – any manifestation of free, specific, informed and unambiguous will of the user of the Application, by which he accepts, through a statement or through an unequivocal action, that his personal data will be processed.

Operator –  BFF AI SOLUTIONS SRL, which processes personal data in the EU, through the  iExperience application , according to the legislation and this policy.

User  – natural person, at least 16 years old (or the legal minimum age to access or use an online service, without the provider of that service having the legal obligation to obtain the consent of one of the parents or the guardian), who expresses consent to use the Application according to the operator’s policies and who authenticates or not in the Application by creating a profile.

Supervisory Authority  – independent public authority established by a Member State pursuant to Regulation (EU) 2016/679.

Principles

The personal data processing policy of BFF AI SOLUTIONS SRL is based on the following principles:

  1. The processing of personal data is carried out in a legal, fair and transparent manner.
  2. The collection of personal data is done for specific, explicit and legitimate purposes, they are not subsequently processed in a way incompatible with these purposes.
  3. Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Personal data is strictly accurate and updated where necessary.
  5. Personal data are kept in a form that allows identification only for the period necessary to fulfill the purposes for which the data are processed.
  6. Processing is carried out in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.

Who is responsible for processing personal data?

The responsibility for processing personal data rests with BFF AI SOLUTIONS SRL, as the provider of the  iExperience mobile application. It decides what data it processes, for what purpose and how this processing takes place.

The legal basis for the processing of personal data

Personal data is processed on the basis of the express, freely expressed, specific and unequivocal consent of the user of the mobile application, in accordance with the provisions of the legislation in force and under the terms of this policy, as well as in order to comply with a legal obligation.

What data do we collect and for what purpose?

We collect the following categories of personal data from those who use the  iExperience mobile application:

  • When you create an account:
    • Necessary
      • Name
      • First name
      • email address
    • Optional:
      • Gender
      • Date of birth
      • Urban/Rural Life
      • Education level
      • Financial level
      • Hobbies and interests
  • When you update your account:
    • Optional:
      • Phone number
      • Profile photo
  • When using the  iExperience  Indoor Location wristband during an Active Hotel Experience:
    • Optional:
      • Relative indoor location – The system will not know your exact position in the hotel, but will only estimate your visits to rooms and facilities through access points.
  • When you connect various health and fitness data accounts to  iExperience:
    • Optional:
      • Heart rate
      • Sleep score
      • Stress level
      • workouts

* iExperience does not retain connections to your health and fitness data accounts after an experience ends, nor does it request historical data before the experience begins.

BFF AI SOLUTIONS SRL, as a supplier of the  iExperience mobile application , does not process personal data within the mobile application that reveals racial or ethnic origin, political opinions, religious confession or philosophical beliefs or trade union membership and the processing of genetic data, data biometrics for the unique identification of a natural person, health data or data on a natural person’s sex life or sexual orientation.

For what purpose are personal data processed?

We process personal data for the general purpose of understanding and improving your current and future experiences with the hotels you stay at.

How is personal data collected and processed?

The collection of personal data is carried out automatically by accessing the mobile application and by consenting to the use of certain functions within the application.

For what period do we store personal data?

Personal data is stored  throughout the use of the mobile application.

You have the possibility to completely delete the account by using the red button on the profile page. The total deletion of the account implies the deletion of all data related to your person, including personal details on the profile but also all the data you have accumulated over time on various experiences at various hotels (reviews, AI recommendations, chat messages with the hotel etc.). After confirmation, you will also receive an automatically generated email, to the address you used when creating the account, regarding the confirmation of the request to delete the account.

BFF AI SOLUTIONS SRL as a provider of iExperience does not retain personal data after deleting your account.

To whom do we transfer personal data and for what purpose?

In addition to the obvious need to share some of your personal data with the hotels where you stay for the general purpose of understanding and improving your current and future experiences,  iExperience uses some third-party cloud services to process your data.

When sharing your data,  iExperience  takes a best available approach to fully or partially anonymize your data as follows.

The Hotel

Data shared with the hotel will be partially anonymized using a privacy-based summary model as follows:

  • The hotel will receive:
    • Name, surname and email address.
    • Summary of your market segment classification. (e.g. Category: Customers aged 30-60, urban living, above average education level, above average financial level, hobbies and interests.)
    • History of your interaction with various hotel facilities (time spent on each unit) based on indoor location data.
    • Overall rating of your current experience (Positive/Neutral/Negative) along with some personalized recommendations to improve it.
    • Optional reviews (overall rating and text) for various hotel facilities.
  • The hotel will NOT receive
    • Your accurate answers to the personal data questionnaire during account setup.
    • Your health and fitness data.

WeFitter

iExperience uses WeFitter to connect health and fitness data accounts, spanning multiple sources. WeFitter does not store or process any of your personal data. Connection to your health and fitness accounts and periodic data extraction are handled in a completely anonymous way, where WeFitter only holds an anonymous access token, with no connection to your personal identity, that  iExperience  uses to retrieve your data from your health and fitness accounts.

OpenAI

iExperience uses the OpenAI GPT-4 model to process your data (interaction with various hotel facilities, health and fitness data, reviews of various hotel facilities) and get some personalised recommendations for both you and the hotel to improve your current and future experiences.

All this data is shared with the OpenAI GPT-4 API in a completely anonymised way, without any connection to your personal identity.

Learn more about the OpenAI Privacy Policy .

Microsoft

iExperience uses the Microsoft Translator API to translate optional text reviews for various hotel amenities (if your native language is other than English) and personalised recommendations that iExperience provides to you as part of your experience. (if your native language is other than English).

All this data is shared with the Microsoft Translator API in a completely anonymised way, without any connection to your personal identity.

Learn more about the Microsoft Privacy Policy .

What security measures have we implemented?

Your data is safe with us!

iExperience uses the latest practices and advanced technologies to ensure complete protection of your data in transit and at rest, including but not limited to:

  • SSL/TLS
  • Encryption and hashing for data storage
  • Azure Firewall
  • Azure private link

User rights

The regulation gives the user a series of rights, which we briefly present below:

1. the right to information and access to personal data , based on which you can obtain a confirmation from us that we process personal data or not, having access to the respective data and to information regarding the methods and purposes of their processing;

2. the right to rectification of data , which can be exercised to obtain, without undue delay, the rectification of inaccurate data or the completion of incomplete personal data;

3. the right to data deletion (the right “to be forgotten”) , by virtue of which the deletion of personal data can be obtained, without undue delay, for one of the following reasons:

i. the data are no longer necessary to fulfill the purpose for which they were collected or processed;

ii. the user withdraws his consent and there is no other legal basis for the processing;

iii. the user objects to the processing and there are no legitimate reasons that prevail with regard to the processing;

iv. personal data were processed illegally;

v. personal data must be deleted to comply with a legal obligation;

vi. the personal data were collected in connection with the provision of services to the information society.

4. the right to restrict processing  can be exercised in the following situations:

i. when the accuracy of the data is disputed, for a period that allows us to verify their correctness;

ii. the processing is illegal, and the user opposes the deletion of the data, requesting instead the restriction of their processing;

iii. we no longer need the personal data for the purpose of processing, but the user requests it for establishing, exercising or defending a right in court;

iv. when the user opposes the processing for reasons related to the particular situation in which he is, for the time interval in which it is checked whether in this case the legitimate rights of the operator prevail.

5. the right to opposition , under which the user can oppose the processing of personal data, including the creation of profiles, for reasons related to the particular situation in which he is, in cases where the processing is necessary for the performance of a task that serves an interest publicly or when it takes place for the purpose of legitimate interests pursued by us or a third party. In these cases the processing will only be done if it is justified by legitimate and compelling reasons, which prevail over the interests, rights and freedoms of the user, or when the purpose of the processing is to establish, exercise or defend a right in court.

When the processing of personal data is aimed at direct marketing, the user has the right to object at any time to the processing of data for this purpose, including the creation of profiles, to the extent that it is related to direct marketing.

6. the right to data portability , which allows the user to receive the personal data concerning him and which he has provided in a structured, commonly used and machine-readable format and to transmit this data to another operator, provided that the processing is based on consent or a contract and is carried out by automated means.

Pursuant to this right, personal data concerning the user may be transferred directly from one operator to another where this is technically feasible.

Modification of the personal data processing policy

This policy can be updated as a result of changes in relevant legislation in the field or changes in the structure and functions of the Application.

If changes are made to the personal data processing policy, users will be notified through notifications within the Application, before the changes take effect.

We encourage users to check this page periodically to stay informed of the latest developments regarding our personal data processing practices.

How can you contact us?

For concerns or questions regarding the processing of personal data, you can contact us at the email address:  data@iexperience.ai 

If you wish to make complaints regarding the processing of personal data, you can write to us at the same address, and we will respond within the legal correspondence period, in accordance with our internal policies and procedures.

In the unlikely event that you consider that your rights regarding the processing of personal data have been violated and BFF AI SOLUTIONS SRL as a supplier of  iExperience  has not handled the complaint properly, you can contact the Supervisory Authority for the processing of personal data .

The National Supervisory Authority for the Processing of Personal Data in Romania is headquartered in Bucharest, bld. Gheorghe Magheru no. 28 – 30, sector 1, postal code 010336.