Data Processing Agreement

Between HeyConcierge (Processor) and the Host (Controller)

Version 1.0 | February 2026


Note: This Data Processing Agreement ("DPA") is incorporated into and forms part of the HeyConcierge Terms of Service. By activating your HeyConcierge account or continuing to use the service after this DPA is made available, you (as the Host / Data Controller) agree to the terms of this DPA.


1. Parties

This Data Processing Agreement is entered into between:

Data Controller ("Controller"): The Host entity or individual who has registered for and uses the HeyConcierge service, as identified in the HeyConcierge account registration (hereinafter "Controller" or "Host").

Data Processor ("Processor"): HeyConcierge AS
Hjalmar Johansens gate 314, 9007 Tromsø, Norway
Organisation number: 937 386 206
Email: hello@heyconcierge.io
(hereinafter "Processor" or "HeyConcierge")

Together referred to as the "Parties".


2. Background and Purpose

The Controller operates a property rental or hospitality business and uses the HeyConcierge platform to deploy an AI-powered guest concierge chatbot for their guests. In providing this service, the Processor necessarily processes personal data of the Controller's guests on behalf of the Controller.

This DPA sets out the terms governing that processing in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Norwegian Personal Data Act (Personopplysningsloven).


3. Definitions

In this DPA:

  • "Applicable Data Protection Law" means the GDPR, the Norwegian Personal Data Act, and any other applicable data protection or privacy legislation as amended or replaced from time to time.
  • "Personal Data" has the meaning given in Article 4(1) GDPR.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates — in this context, primarily the Controller's guests.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "DSAR" means a data subject access request or exercise of any other data subject right under Applicable Data Protection Law.
  • "Services" means the AI-powered guest concierge platform provided by HeyConcierge under the Terms of Service.

Capitalised terms not defined here have the meaning given in the HeyConcierge Terms of Service.


4. Subject Matter of Processing

The Processor shall process Personal Data on behalf of the Controller for the sole purpose of operating and providing the HeyConcierge AI concierge service, which enables the Controller's guests to receive automated, AI-generated responses to property-related enquiries via Telegram and/or WhatsApp.


5. Duration

This DPA shall commence upon the date the Controller first uses the HeyConcierge service (or accepts this DPA, whichever is earlier) and shall remain in force for the duration of the service agreement between the Parties. The obligations in Clause 12 (Deletion and Return) shall survive termination.


6. Details of Processing

6.1 Nature of Processing

The Processor will:

  • Receive incoming messages from Data Subjects via Telegram and/or WhatsApp
  • Store and retrieve conversation history for context
  • Transmit message content to an AI language model to generate responses
  • Deliver AI-generated responses back to Data Subjects via the relevant messaging platform
  • Log metadata (timestamps, session identifiers) for operational and debugging purposes

6.2 Purpose of Processing

The sole purpose of processing is to provide the HeyConcierge AI concierge service as instructed by the Controller, including:

  • Answering guest questions about the Controller's property
  • Providing property information, check-in instructions, house rules, and local recommendations as configured by the Controller
  • Maintaining conversation continuity during a guest's stay

Processing for any other purpose requires prior written instruction from the Controller.

6.3 Types of Personal Data Processed

The Processor may process the following categories of Personal Data:

| Category | Details |
|---|---|
| Identity data | Guest first name (where disclosed or inferred from the messaging platform) |
| Contact data | Mobile phone number, Telegram user ID, WhatsApp number |
| Communication data | Content of messages sent by and to the guest via the AI concierge |
| Metadata | Message timestamps, session identifiers, conversation thread IDs |

The Processor shall not process special categories of personal data (Article 9 GDPR) unless the Controller provides explicit written instructions and confirms that an appropriate condition under Article 9(2) GDPR applies.

6.4 Categories of Data Subjects

The Personal Data processed relates to guests of the Controller's property — individuals who interact with the AI concierge chatbot deployed by the Controller.


7. Controller Obligations

The Controller represents, warrants, and undertakes that it shall:

7.1 Ensure that it has a valid legal basis under Applicable Data Protection Law for sharing guest Personal Data with the Processor and for the processing described in this DPA.

7.2 Inform guests, prior to or at the time of interaction, that an AI-powered concierge service is in use and that their messages will be processed by HeyConcierge and its sub-processors. This may be done via a check-in information sheet, a welcome message, or equivalent notice.

7.3 Ensure that the property information, instructions, and data provided to HeyConcierge are accurate and do not include data that is unlawful, harmful, or that the Controller does not have the right to share.

7.4 Not instruct the Processor to process Personal Data in a manner that would violate Applicable Data Protection Law.

7.5 Respond promptly to DSARs received from guests, making use of the Processor's assistance as set out in Clause 9.5 below.

7.6 Maintain its own records of processing activities as required by Article 30 GDPR.


8. Processor Obligations

8.1 Processing on Instructions Only

The Processor shall process Personal Data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service, unless required to do so by applicable EU or Norwegian law. In such cases, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.

If the Processor believes any instruction infringes Applicable Data Protection Law, it shall promptly notify the Controller.

8.2 Confidentiality

The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Technical and Organisational Security Measures

The Processor shall implement and maintain appropriate technical and organisational security measures as set out in Clause 10 of this DPA.

8.4 Sub-processors

The Processor shall only engage sub-processors in accordance with Clause 11 of this DPA.

8.5 Assistance with Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organisational measures and to the extent reasonably possible, to fulfil the Controller's obligations to respond to DSARs, including requests for access, rectification, erasure, restriction, portability, and objection.

8.6 Assistance with Compliance Obligations

The Processor shall assist the Controller in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor.

8.7 Deletion on Termination

The Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller upon termination of the service agreement, and delete existing copies, unless applicable law requires storage of the Personal Data. See Clause 12 for details.

8.8 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice of at least 30 days and agreement on scope and confidentiality.

The Processor may satisfy audit requirements by providing a current third-party audit report (e.g., SOC 2) or equivalent documentation in lieu of an on-site inspection, at the Processor's discretion.


9. Specific Processing Provisions

9.1 Data Minimisation

The Processor shall process only the minimum Personal Data necessary to provide the Services. The Processor shall not process guest data beyond what is required to generate a relevant response and maintain conversation continuity.

9.2 Purpose Limitation

The Processor shall not use Personal Data processed under this DPA for any purpose other than providing the Services to the Controller. In particular, the Processor shall not use Guest conversation data to train its AI models or for its own commercial purposes.

9.3 No Sale of Data

The Processor shall not sell, rent, or otherwise commercially exploit Personal Data processed under this DPA.

9.4 Staff Training

The Processor shall ensure that staff with access to Personal Data receive appropriate data protection training.

9.5 Handling DSARs

Where a Data Subject contacts the Processor directly to exercise their rights, the Processor shall:

(a) Promptly forward the request to the relevant Controller (where identifiable);
(b) Provide the Controller with all information necessary to respond to the request within the applicable statutory period;
(c) Comply with any erasure or restriction request that the Controller instructs the Processor to carry out.


10. Security Measures

The Processor currently implements, at minimum, the following technical and organisational security measures:

| Measure | Description |
|---|---|
| Encryption in transit | All communications between users, the platform, and sub-processors are encrypted using TLS 1.2 or higher |
| Encryption at rest | All Personal Data stored in the database is encrypted at rest using AES-256 or equivalent |
| Access controls | Access to production systems and Personal Data is restricted to authorised personnel on a least-privilege basis |
| Multi-factor authentication (MFA) | MFA is required for all administrative access to production infrastructure |
| Logging and monitoring | Access to Personal Data is logged; anomalous access triggers automated alerts |
| Vulnerability management | Regular dependency updates; periodic security reviews |
| Incident response | A documented data breach response procedure is maintained |

The Processor may update these measures over time to maintain an appropriate level of security. Any updates shall not materially reduce the overall level of protection.


11. Sub-processors

11.1 Authorised Sub-processors

The Controller hereby grants the Processor general authorisation to engage the following sub-processors, subject to the requirements of this Clause:

| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic, PBC | AI language model (Claude) — processes message content to generate responses | USA | Standard Contractual Clauses (SCCs) |
| Supabase, Inc. | Database hosting — stores conversation data and host configurations | EU region | EEA — no restricted transfer |
| Vercel, Inc. | Cloud hosting and infrastructure — serves the HeyConcierge application | USA | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing — handles subscription billing (Host data only; not Guest data) | USA | Standard Contractual Clauses (SCCs) |

11.2 Requirements for Sub-processors

The Processor shall:

(a) Enter into a written agreement with each sub-processor imposing data protection obligations at least equivalent to those in this DPA;
(b) Remain fully liable to the Controller for the performance of the sub-processor's obligations;
(c) Carry out appropriate due diligence on sub-processors prior to engagement.

11.3 Changes to Sub-processors

The Processor shall notify the Controller of any intended changes to the sub-processor list (additions or replacements) by updating the list at https://heyconcierge.io/legal/sub-processors and by providing notice at least 14 days in advance. The Controller may object to a new sub-processor by notifying the Processor in writing within 14 days of receiving notice, setting out the legitimate grounds for objection. If the Parties cannot resolve the objection, either Party may terminate the service agreement with respect to the affected processing on reasonable notice.

11.4 International Transfers

Where processing involves a transfer of Personal Data to a country outside the EEA that does not benefit from an adequacy decision, the Processor shall ensure such transfers are subject to appropriate safeguards, including Standard Contractual Clauses as approved by the European Commission, supplemented by a Transfer Impact Assessment where required.


12. Deletion and Return of Data

12.1 Routine Deletion

The Processor shall automatically delete Guest conversation data 90 days after each message is created, in accordance with its standard data retention policy.

12.2 Deletion on Termination

Within 30 days of the termination or expiry of the service agreement, the Processor shall:

(a) Permanently delete all Personal Data relating to the Controller's guests from its systems and those of its sub-processors (to the extent technically feasible); and
(b) Provide the Controller with written confirmation of deletion upon request.

12.3 Exceptions

The Processor may retain Personal Data beyond the termination period only to the extent and for as long as required by applicable law (e.g., accounting records). Such retained data shall remain subject to the confidentiality and security obligations of this DPA.


13. Data Breach Notification

13.1 Notification to Controller

In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and, where feasible, within 24 hours of becoming aware of the breach.

13.2 Content of Notification

The notification shall include, to the extent known at the time:

(a) A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
(b) The name and contact details of the Processor's data protection contact;
(c) A description of the likely consequences of the breach;
(d) A description of the measures taken or proposed to address the breach and to mitigate its possible adverse effects.

Information may be provided in phases where not all details are available immediately.

13.3 Controller's Notification Obligations

The Controller is responsible for notifying the relevant supervisory authority (Datatilsynet or other applicable authority) and, where required, affected Data Subjects of any breach, based on the information provided by the Processor. The Processor shall cooperate with and assist the Controller in preparing such notifications.


14. Data Protection Impact Assessments

Where the Controller determines that a Data Protection Impact Assessment (DPIA) is required in connection with processing under this DPA, the Processor shall provide reasonable assistance, including access to relevant information about the Processor's processing activities and security measures.


15. Records of Processing

The Processor maintains records of all categories of processing activities carried out on behalf of Controllers as required by Article 30(2) GDPR. These records are available for inspection by supervisory authorities upon request.


16. Supervisory Authority

The lead supervisory authority for HeyConcierge (as Processor) is:

Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum, 0105 Oslo, Norway
Website: www.datatilsynet.no


17. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Norway. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Norwegian courts, with Tromsø District Court (Troms og Finnmark tingrett) as the agreed venue.

This is without prejudice to any rights that a Data Subject may have under Applicable Data Protection Law to bring proceedings before a court or supervisory authority in their country of residence.


18. Order of Precedence

In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses shall prevail.


19. Amendments

The Processor may amend this DPA from time to time to reflect changes in Applicable Data Protection Law or operational requirements. Amendments will be notified to the Controller with at least 30 days' notice. Continued use of the Services after the effective date of an amendment constitutes acceptance.


20. Contact

For all data protection queries relating to this DPA, please contact:

HeyConcierge — Data Protection Contact
Email: hello@heyconcierge.io
Hjalmar Johansens gate 314, 9007 Tromsø, Norway


This Data Processing Agreement incorporates the requirements of Article 28 of Regulation (EU) 2016/679 (GDPR) and the Norwegian Personal Data Act.


Effective date: Upon acceptance of the HeyConcierge Terms of Service or first use of the HeyConcierge service, whichever is earlier.