GuestFlowTerms of Service
Last updated: April 2026 · Applies to operators on guestflow.io
1. Scope
These terms apply to hotel operators, apartment hosts, and accommodation providers ("operators") using GuestFlow. They do not apply to guests using the public chat.
2. Service description
Through the GuestFlow dashboard, operators can:
- Manage a knowledge base for their property
- Provide guests with an AI concierge (via QR code and public URL)
- View and analyse conversations
- Manage subscriptions and billing
3. Subscription and payment
GuestFlow offers monthly rolling subscriptions (Vacation Rental, Hotel Starter, Hotel Pro). New operators receive a 14-day free trial with no credit card. Billing is monthly via Stripe. Each property has its own subscription; one account can manage multiple properties.
4. Operator obligations
- Enter only accurate and up-to-date information into the knowledge base
- Not use GuestFlow for unlawful purposes
- Not share login credentials with third parties
- Indirectly accept Anthropic's terms of use (AI provider)
5. Limitation of liability
GuestFlow is not liable for AI responses based on incorrect knowledge, infrastructure downtime, misuse by guests, or indirect damages. GuestFlow is liable for gross negligence or wilful misconduct.
6. Cancellation
Cancel anytime via the Stripe customer portal. Data remains accessible until end of billing period. On account deletion, all data is erased within 30 days.
7. Changes to these terms
GuestFlow may amend these terms with 30 days' email notice. Continued use constitutes acceptance.
8. Governing law
Italian law applies. Place of jurisdiction: Bolzano/Bozen (South Tyrol).
Data Processing Agreement under Art. 28 GDPR
Data Processing Agreement (DPA)
Between GuestFlow (Processor) and the Operator (Controller)
DPA § 1 — Subject matter
This DPA governs processing of personal data by GuestFlow on behalf of the Operator under Art. 28 GDPR.
DPA § 2 — Data processed
- Data subjects: Guests of the accommodation
- Data categories: Chat messages, guest profile, language, session ID (anonymous UUID)
- Purpose: Providing the AI concierge service
DPA § 3–4 — Instructions and confidentiality
GuestFlow processes data only on documented Operator instructions and ensures confidentiality.
DPA § 5 — Security measures (TOMs)
- HTTPS/TLS and database encryption
- Row Level Security — no cross-tenant data access
- Pseudonymisation via session UUIDs
- Dashboard accessible only to authenticated operators
DPA § 6 — Sub-processors
- Supabase Inc. — Database (EU/EEA)
- Vercel Inc. — Hosting (USA, SCCs)
- Anthropic PBC — Claude AI (USA, SCCs)
- Stripe Inc. — Payments (EU entity)
- Upstash Inc. — Rate-limiting (EU)
DPA § 7–9 — Rights, deletion, audits
GuestFlow assists with data subject rights. Data deleted within 30 days of contract end.
Last updated: April 2026.