UpStar Five Ltd
Effective Date: June 07, 2026
UpStar Five Ltd (“UpStar” or “we”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard personal data in connection with our Services (UpStar Replier and URI) and outlines your rights concerning your data. We adhere to applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and Israeli privacy law (the Israeli Protection of Privacy Law of 1981), as well as other international standards, to ensure your data is handled lawfully and transparently.
Data Controller: UpStar Five Ltd, Company No. 517163234, is the primary entity responsible for personal data collected via our Services. We are an Israeli company with our registered address at HaBrosh St 9, Beit Nekofa, Jerusalem district, Israel. For the purposes of the GDPR and other data protection laws, UpStar is the “data controller” for the personal data you provide to us directly as a customer (e.g., your contact information and account details). When we process personal data on behalf of a hotel about its guests (for example, handling a guest review or reservation reference that you input), we act as a “data processor” for our customer (the hotel). In all cases, we handle personal data in accordance with the principles outlined in this Privacy Policy.
Data Protection Officer: We have appointed a Data Protection Officer (DPO) to oversee our privacy practices. Our DPO is Omri Azulay. You may contact our DPO with any questions or requests regarding your data at omri@rating-iq.com or hotels@rating-iq.com (please include “Attn: DPO” in the subject line) or by mail at the address above.
EU Representative (GDPR Art. 27): As we are based outside the European Union and offer services to EU-based customers, we are in the process of appointing an EU GDPR representative, as required by Article 27 of the GDPR. Once this representative is appointed, we will update this Privacy Policy with their contact details. In the meantime, EU residents may still contact our DPO or email us directly with any GDPR-related queries.
This Privacy Policy applies to personal data that we collect or process when you use our Services, visit our website, or otherwise interact with UpStar. It covers:
20.1. Hotel customer data: e.g., contact details of hotel staff who use UpStar, account information, and communications.
20.2. Data related to guest feedback that our hotel customers handle via UpStar (such as guest reviews content, ratings, or reservation identifiers that may be provided to us by the hotel).
20.3. Any other personal information we process in providing our AI chatbot and analytics services.
This policy does not cover data processing by third-party platforms that we do not control, such as WhatsApp/Meta or other sites where guest reviews are initially posted. For example, if you are using WhatsApp to communicate with UpStar, WhatsApp’s privacy policy applies to the messages in transit on that platform. However, once we receive the data into our system, this Privacy Policy governs how we handle it.
By using our Services or submitting personal data to us, you acknowledge that you have read and understood this Privacy Policy. If you disagree with our practices, please do not use the Services or provide us with your personal information. We may provide additional privacy notices to explain specific data collection scenarios (e.g., if we collect data for marketing events); those notices supplement this policy.
We only collect data that is necessary for the purposes described in this policy. The types of personal data we collect and process include:
21.1. Hotel and User Contact Information: When you or your employer signs up for UpStar, we collect the contact details of the authorized users, including name, work email address, job title, phone number (including WhatsApp number), and the hotel’s name and business contact information. This allows us to create your account, communicate with you, and provide support.
21.2. Account Credentials: If an account login is used (for example, for URI), we collect usernames and passwords (which are stored securely and encrypted). For WhatsApp-based access, we use your phone number as an identifier; however, we do not store or view your WhatsApp password.
21.3. Guest Review Content: The core function of UpStar Replier is to process guest reviews and craft responses. We therefore handle the content of public guest reviews about your hotel. These reviews may include the guest’s name or username (as posted on platforms such as TripAdvisor or Booking.com), their rating, visit date, and the accompanying comment text. We either receive this content from you (if you copy and paste or forward it to our WhatsApp bot) or, with your authorization, we may retrieve it from public sources via our integrations. This data may contain personal information (such as a guest's opinions, which relate to them, and possibly their name or other personal details they mention). We treat all review content as individual data to be safe, even if it’s public.
21.4. Guest Identifiers (Reservation Numbers): UpStar allows you (the hotel) to optionally provide a reservation number or code related to a guest when asking for a response or analysis. This could help identify the stay or context. By itself, a reservation number is typically not considered personal data to us (we cannot directly identify a person from just a number without access to your reservation system). Still, it may be considered personal data if it can be linked to an individual by you. We will treat any reservation identifiers as confidential and use them to tailor the AI’s response more effectively (for instance, recognizing a repeat guest or a VIP if you indicate this via the number).
21.5. Hotel Performance Data (for URI): For URI, we may gather or generate data, such as aggregated review scores over time, response rates, common categories of feedback, and other performance analytics about your hotel. Some of this is derived from guest review content or other inputs. While these analytics primarily concern the hotel, they may indirectly involve personal data (as they stem from individual guest opinions). However, the reports are usually at an aggregate level (e.g., “Your average cleanliness rating this quarter is 8.7/10”).
21.6. Communication Records: We keep records of our communications with you. This includes WhatsApp chats between you and the UpStar bot or support team, emails you send to us, and any support tickets or calls you initiate. These communications may include personal data (such as your contact information or any additional information you provide). For example, if you message our support “Hi, I’m John from XYZ Hotel, I need help with…,” we will have that content. We use these records to assist you and improve our services.
21.7. Usage Data and Device Information: When you use the URI web platform or our website, we may collect technical information, such as your IP address, browser type, device type, operating system, and browsing actions (e.g., pages viewed, clicks), via cookies or log files. For the WhatsApp bot, both WhatsApp and our system will record metadata, including the timestamps of messages and your phone number. We collect this information to ensure service security, debug issues, and understand usage patterns. This type of data is typically not used to identify you by name, but it may be considered personal data (IP addresses can be linked to a user, for example).
21.8. Payment and Billing Info: Our primary payment method is bank transfer, so we typically only collect your billing contact details and record of payments (e.g., which invoices were paid, on what date, etc.). We do not directly collect or process credit card numbers or bank account numbers of customers through our site. If any payment details are necessary (for instance, if you choose to save wire transfer instructions), we handle those securely.
21.9. Consents and Preferences: We may record whether you have given consent for specific data uses (for example, whether you consented to receive marketing emails, if we ever send those). Additionally, if you utilize any opt-out features (such as unsubscribing from newsletters), we will record that preference.
We do not actively collect any sensitive personal data (such as racial or ethnic origin, political opinions, or health information) from customers or their guests. We ask that you refrain from sending us any sensitive personal data about yourself or your guests through the Services. UpStar is not meant to process such information. If a guest’s review inadvertently contains sensitive info (e.g., a health-related comment), we will treat it with the higher care required by law, but we do not encourage processing of such data.
UpStar uses the collected data to provide, maintain, and improve our Services, and to communicate with you. Specifically, we use personal data for the following purposes:
22.1. Providing the AI Reply Service: We utilize the guest review content and any context you provide (such as reservation numbers or your draft response) to generate suggested replies via our AI (OpenAI’s GPT model or other LLMs). The data is fed into the AI algorithm, which returns a reply that we deliver back to you on WhatsApp. We may also use your past interactions (previous reviews and replies) to help tailor future responses in tone or style. This processing is necessary to perform UpStar Replier's core function.
22.2. Providing Analytics and Insights: For URI, we process the collected guest feedback data to produce analytical reports, dashboards, and other relevant insights. For example, we aggregate review ratings over time, identify frequently mentioned topics, calculate sentiment scores, and generate charts. We may also compare your hotel’s metrics to industry benchmarks (in anonymized form) to give context. Additionally, our team may review the analytics to offer personalized consultation and advice. This use of data is part of fulfilling our contract with you for the URI service.
22.3. Improving AI Models and Services: We continually strive to enhance the quality of our AI suggestions and analytics. We may use the data you provide (including reviews, responses, and usage patterns) to train or fine-tune our AI models or to develop new features. Whenever feasible, we anonymize or aggregate data for this purpose (for instance, pooling data from multiple hotels and removing specific identifiers) so that the improvement process does not use identifiable personal data. If we ever need to use actual personal data for service improvement (e.g., to debug a specific issue with a particular review), we will ensure it remains internal to UpStar and our authorized processors, and that it is handled in strict confidence.
22.4. Customer Support: When you contact us with a question or if our system detects an issue (such as an error in generating a reply), we use your contact information and relevant data to assist you. For example, if you say, “the bot’s reply didn’t address the guest’s question about parking,” we might examine the specific review content and the AI’s reply to troubleshoot. Our support team may manually review specific interactions or data you’ve provided to determine what went wrong and how to resolve the issue. All support communications and analysis are used solely to help you and improve your experience.
22.5. Communicating with You: We use your contact details to send operational communications. This includes messages about billing (such as invoices and payment reminders), service updates, security or privacy notices, and changes to terms or features. We may also send you service announcements (e.g., “We have a new feature” or “Planned maintenance on Sunday”). These are not marketing emails, but rather essential notices related to the service you’re using, and you cannot opt out of receiving these operational emails if you are a subscriber, except by discontinuing the service.
22.5.1. Marketing and News (Optional): We do not spam our customers with marketing materials, but if you are interested and give your consent, we may occasionally send you a newsletter or offer (for example, tips on improving response rates or a discount on a new feature). We will obtain your consent before using your email address for marketing purposes, and you can opt out at any time. Whether or not you opt in to marketing does not affect your access to services. By default, we will not add you to any marketing mailing list without permission.
22.6. Billing and Account Management: We use billing information to issue invoices, process payments (and record them), and handle accounting. For instance, we track the subscriptions a customer has, their terms, and payment status. If an invoice is overdue, we might use your contact information to send a reminder or discuss the account.
22.7. Security and Fraud Prevention: We may process personal data to ensure the security of our systems and detect fraud or abuse. For example, we might log IP addresses and device information to detect unauthorized access to an account or to prevent “spam” or abusive automated use of our WhatsApp bot. If we suspect any violation of the law or breach of our terms and conditions, we might analyse relevant data to confirm and address the issue (such as investigating logs following a security alert).
22.8. Legal Compliance: We will use and disclose personal data as required to comply with our legal obligations, for example, to respond to a court order or a regulator's inquiry, or to fulfill data retention requirements under tax laws.
If we need to use your data for a purpose other than those listed above, we will update this Privacy Policy or seek your consent as appropriate. Our use of personal data is generally limited to what is necessary to perform the contract (i.e., provide the services you subscribed to) or to further our legitimate interests (such as improving our service, securing our platform, and communicating with customers), all while balancing your privacy rights. Where we rely on consent (for example, for optional marketing or before processing a guest's data in specific contexts), we will make that clear, and you have the right to withdraw consent at any time.
If you are in the European Economic Area (EEA), the UK, or another jurisdiction that requires a legal justification for data processing, the legal bases on which we rely are:
23.1. Performance of a Contract: Article 6(1)(b) GDPR. We process most personal data as necessary to fulfill our contractual obligations to you, our customer. For example, using guest review data to generate replies or using your contact info to provide support are processing activities to deliver the service you requested. Without this data, we cannot provide the Services.
23.2. Legitimate Interests: Article 6(1)(f) GDPR. We process some data for our legitimate interests, which include improving our services, securing our platform, understanding how customers use our services, and communicating necessary information. When we rely on this basis, we ensure that your data protection rights do not override our interests. For instance, analysing anonymized data to enhance our AI is in our business interest and does not harm user privacy. Another example is maintaining basic records of communications to ensure good customer service and protect our legal interests in the event of disputes.
23.3. Consent: Article 6(1)(a) GDPR. In certain cases, we ask for your consent before processing your data. For example, if we ever need to use a customer's testimonial or identify them in marketing materials, we will obtain their consent. Also, as mentioned, we would seek consent for sending marketing emails. If you, as a hotel, provide us with your guests' personal data for processing, we assume you have obtained the necessary consent from those individuals or have another valid basis (since, in that scenario, you are the controller). If local law requires that the guest consent to UpStar's processing, we rely on you to facilitate or obtain that consent. You can withdraw your consent at any time by contacting us; however, please note that this will not affect the lawfulness of processing that has already taken place.
23.4. Legal Obligation: Article 6(1)(c) GDPR. When we are required to comply with a legal obligation, such as retaining transaction records for tax audits or providing information to law enforcement in response to a lawful request, we will process and share the necessary data.
We treat your data as confidential and do not sell it. We only share data as necessary to provide our Services or as required by law, as detailed below:
24.1. Sub-Processors and Service Providers: UpStar uses trusted third-party companies to support our operations. We share data with these sub-processors only to the extent necessary for them to perform their functions, and under appropriate data processing agreements. We will provide reasonable advance notice of any material addition or replacement of a sub-processor that will process customer personal data. If you reasonably object on data protection grounds, we will work with you in good faith to find a solution. Our key sub-processors are:
24.1.1. Meta (WhatsApp): Our UpStar Replier service operates via WhatsApp, which Meta Platforms, Inc. provides. When you send messages and data to our WhatsApp bot, that data is transmitted through WhatsApp’s systems. WhatsApp may process metadata about communications (such as timestamps and phone numbers), and it uses end-to-end encryption for content. We do not control WhatsApp’s internal processing, but we must use their platform to deliver our service. We also recommend reviewing WhatsApp's privacy policy. We have configured our usage to comply with WhatsApp's Business API terms, ensuring data protection.
24.1.3. OpenAI: UpStar's AI-generated replies and some analytics are powered by OpenAI (OpenAI, L.L.C. or its affiliates). This means that the text of guest reviews and related inputs you provide (and the AI's output) are sent to and processed by OpenAI's servers. OpenAI will process that data to return the language model's result. OpenAI's API terms state that they do not use API data to train their models by default (for data submitted after April 2023), so they should not store or reuse your content beyond providing the service, except for logging as necessary to monitor for abuse. We have a data processing agreement with OpenAI to ensure GDPR compliance, as OpenAI may process personal data on our behalf.
24.1.4. Landbot S.L.: We utilize services from Landbot.io (Hello Umi S.L., a company based in Spain) as part of our chatbot interface and possibly for our web chat flows. Landbot may host conversation logic or chat interfaces for URI’s web component. For example, if our URI service includes a web chat widget or if we design conversational forms, Landbot's platform might process the messages. Landbot is GDPR-compliant and hosted in the EU (e.g., Belgium). Any data processed via Landbot is under our direction and subject to our agreement with them.
24.1.5. Microsoft (OneDrive/Azure): We use Microsoft's cloud services for data storage and backup. Specifically, OneDrive (Microsoft) is used to securely store documents, reports, and possibly interaction transcripts or datasets for analysis and review. For instance, your hotel's monthly PDF report or raw data exports might be stored in an UpStar OneDrive folder. Microsoft, as a sub-processor, maintains strong security and privacy commitments. Data stored in OneDrive may be hosted on servers in the EU, Israel, or the United States. Microsoft is covered under the EU Standard Contractual Clauses for international transfers and is a party to the new EU-US Data Privacy Framework as of 2023 (if applicable). Additionally, Microsoft is obligated by its Online Services Terms to protect customer data.
24.1.6. Anthropic PBC (Claude): UpStar employs large-language-model services from Anthropic PBC ("Claude") to perform advanced text analytics and summarisation of guest-review data. When you submit review content for analysis, the relevant text (and any parameters we supply) is transmitted over an encrypted channel to Anthropic's U.S.-based servers, processed to generate the analytical output, and then returned to UpStar. Anthropic’s API terms state that customer data sent via the Claude API is not retained for model training and is stored only transiently for abuse monitoring and debugging. Transfers rely on Anthropic’s Standard Contractual Clauses and supplementary security measures.
24.1.7. Google LLC (Gemini models on Vertex AI): For specific insight workflows, UpStar utilises Google’s Gemini family of models delivered through Vertex AI. Review text and derived metrics may be sent—encrypted in transit—to Google Cloud’s regional infrastructure (EU or U.S., depending on the configured data residency settings). Google processes this data solely to return the requested Gemini model output and logs it for short-term operational auditing. Google is certified under ISO 27001, participates in the EU–US Data Privacy Framework, and offers the EU Standard Contractual Clauses, which we have adopted in our data-processing agreement to ensure GDPR-level protections. UpStar turns off data logging for model training; Gemini does not use our content to train its models.
These sub-processors only access data to perform tasks on our behalf (such as transmitting messages or storing files), and they are obligated not to disclose or use the data for any purpose other than the specified task. We have performed due diligence to ensure each of these providers has appropriate security measures and data protection standards in place. A list of current sub-processors can be provided on request, and we will update you if we add or change sub-processors that handle your data.
24.2. Within UpStar and Affiliates: Our team members (employees and contractors of UpStar Five Ltd) will have access to personal data on a need-to-know basis. For example, a support engineer may access your account details and recent review interactions to assist with a problem. All staff are bound by confidentiality and data protection obligations. If, in the future, UpStar Five Ltd has affiliates or parent companies that provide the service, we may share data within our corporate group, but always under equivalent protections. (As of the effective date, UpStar Five Ltd operates as a single entity.)
24.3. Legal Requirements and Safety: We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government demand). We may also disclose data if we believe in good faith that such action is necessary to comply with legal obligations, to protect and defend our rights or property, to prevent fraud, abuse, or illegal activity on our platform, or to protect the personal safety of users or others. We will try to notify you if a request for your data has been made, unless we are legally prohibited from doing so.
24.4. Business Transfers: If UpStar Five Ltd is involved in a merger, acquisition, investment, restructuring, or sale of assets, personal data may be transferred to the involved third party as part of that transaction. We would ensure that any such party is bound to process personal data in a manner consistent with this Privacy Policy. If a change of ownership occurs, we will provide notice to our customers and outline any options you may have regarding your data.
24.5. With Your Consent: We will share your data with others if you specifically request or consent to such sharing. For example, if you ask us to coordinate with a third-party consultant or integrate with another service that requires sharing data, we will do so with your direction.
No Unauthorized Third-Party Sharing: We do not sell, rent, or trade your personal information to unrelated third parties for their promotional purposes. We do not share your hotel’s data with other hotels or clients. Each customer’s data is segregated. Any analytics we share publicly or with other customers will be in an aggregate, anonymized form (e.g., publishing an industry trend report that states, “Hotels using UpStar saw an average 5% increase in response rate” – this would not identify any specific hotel or guest).
UpStar is based in Israel, and our sub-processors operate in various countries (Israel, the United States, and the European Union). Therefore, personal data may be transferred across international borders. We handle international transfers in compliance with applicable laws:
25.1. Israel: The headquarters of UpStar, and where some data processing occurs. The European Commission has determined that Israel offers an adequate level of data protection for personal data transferred from the EU. This means data can flow from the EU/EEA to Israel lawfully under GDPR. Similarly, in other jurisdictions that recognize adequacy (such as the UK at the time of writing), transfers to Israel are permitted.
25.2. United States: Some of our providers (e.g., OpenAI, Meta/WhatsApp, Microsoft, potentially) may process data in the U.S. The U.S. does not currently have a blanket adequacy finding from the EU (though new frameworks are developing). For transfers from the EEA or the UK, we rely on Standard Contractual Clauses (SCCs) as our transfer mechanism, and our providers, such as Microsoft and OpenAI, are also committed to these clauses for their services. These SCCs are contractual commitments that bind recipients to protect data in accordance with EU standards. Additionally, Meta and Microsoft have joined the EU-US Data Privacy Framework (as of 2023/2024), which, if applicable, provides a recognized safeguard for data transfers.
25.3. European Union: Landbot is based in the EU, and Microsoft may also host in the EU. Thus, for data originating in Israel or elsewhere that enters the EU, this is generally not problematic, as Israel's laws are robust and we ensure compliance. Data may also be transferred within the EU among our sub-processors (e.g., from Spain to other EU states) under GDPR-compliant terms.
25.4. Other Countries: If in the future we or our sub-processors transfer data to other countries without an adequacy decision (for instance, if we use an Asia-Pacific data centre or a new service provider), we will ensure a valid transfer mechanism is in place (such as SCCs, Binding Corporate Rules, or other approved measures under Article 46 GDPR). We will also assess, on a case-by-case basis, whether additional technical or organizational measures are necessary to protect data in transit and at rest.
You can request a copy of the relevant transfer safeguards, such as Standard Contractual Clauses (SCCs), by contacting us. We ensure that, regardless of where data is processed, this Privacy Policy and our internal policies apply. Our goal is to maintain a consistent level of global privacy protection.
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law or legitimate business purposes. In general:
26.1. During Subscription: For active customers, we retain all relevant data for the duration of the subscription to ensure uninterrupted service provision. For example, we keep past guest reviews and responses so you (and the AI) can reference them and maintain your analytics history for year-over-year comparisons.
26.2. After Termination: Upon termination or cancellation of your subscription, we will retain your data for up to 24 months (2 years), unless you request earlier deletion or unless a longer retention is required by law. The reason we keep data for 24 months post-contract is to support customers who may return or have a lapse and then renew (so we can restore their history), and to fulfill any obligations like responding to legal disputes or audits that may arise shortly after service. During this post-termination retention:
26.2.1. Your account will be inactive, and we will not be processing the data except for storage and any legally required purposes.
26.2.2. You may request a data export or deletion during this time. If you are sure that you do not require us to retain your data (for example, if you are confident that you will not return), you can instruct us to delete it upon termination. We will securely wipe all personal data (except any that we are required to retain for legal reasons).
26.3. End of Retention Period: After 24 months following contract termination, we will delete or anonymize the personal data associated with your account. This includes purging guest review content, responses, and any identifying data. Anonymized aggregate statistics (that no longer identify a person or a specific hotel) may be retained for our analytics purposes. If, for some reason, we cannot completely erase data from backups, we will continue to protect it and isolate it from further use until those backups expire and are overwritten.
26.4. Legal Requirements: Notwithstanding the above, we might retain certain information for longer if required to do so by law. For example, financial transaction records (such as invoices and payment records) may be kept for 7 years or the period required under Israeli accounting or tax law. Additionally, if a legal dispute or investigation arises, we may retain relevant data until it is resolved, based on advice from our legal counsel.
26.5. Trial Users: If you use a free trial and do not continue with a paid subscription, we may contact you shortly after the trial regarding the service. If you do not become a customer, we will delete the data collected during the trial within a reasonable time (generally within a few months after the trial ends), unless you consent to remain on a mailing list or similar. Guest review data processed during trials is typically discarded promptly once it’s no longer needed.
26.6. Routine Deletion and Anonymization: We have processes in place to ensure that data is deleted at the end of its lifecycle. Where possible, instead of outright deletion, we may anonymize data (remove or irreversibly scramble personal identifiers) so that it can no longer be linked to an individual. For example, after 24 months, we might convert a guest review in our archives to an anonymized form (“Guest [ID] left a 4-star review about [category]”) without disclosing any names or specifics, for internal analysis purposes. Anonymized data is not considered personal data and may be kept indefinitely as it poses no privacy risk.
If you require the deletion of your data sooner (for instance, if you decide to exercise the right to erasure under the GDPR), don't hesitate to get in touch with us – we will accommodate such requests in accordance with the law (see “Your Rights” below). Please note that deletion may not be immediate if the data is in active use; we may need to schedule it or ensure it doesn’t disrupt any service obligations. We will confirm once deletion is completed.
UpStar takes appropriate security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. We use industry-standard administrative, technical, and physical safeguards. These include:
27.1. Encryption: All communications between you and UpStar (for example, messages via WhatsApp or the use of the URI dashboard) are encrypted in transit using TLS/HTTPS, where applicable. WhatsApp messages are end-to-end encrypted by WhatsApp’s protocol. Data stored in our databases or on OneDrive is encrypted at rest using strong encryption algorithms.
27.2. Access Controls: We limit access to personal data to those employees, contractors, and service providers who have a legitimate need to know that data in the context of their role. Access to production systems requires authentication and follows the principle of least privilege. We use role-based access control and two-factor authentication for administrative access. Our sub-processors also implement strict internal access controls.
27.3. Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. We keep our software and infrastructure up to date with security patches. Regular backups are performed for critical data, and we have disaster recovery plans in place. We may conduct periodic security assessments or audits (and some of our sub-processors, like Microsoft, are regularly audited for compliance with standards such as ISO 27001).
27.4. Employee Training and Policies: All UpStar personnel are trained on data protection and are bound by confidentiality agreements. We have internal policies for handling personal data safely. Any contractor or partner with access must agree to comply with our data protection requirements.
27.5. Physical Security: Our company offices (if any physical records were stored, though we primarily operate digitally) are secured. Our cloud providers maintain physical security at their data centres (such as 24/7 surveillance, controlled entry, etc.).
27.6. Security by Design: We integrate security considerations into our feature development. For instance, we avoid storing more data than necessary and sanitize input to prevent injection attacks.
Despite all measures, no system is 100% secure. The internet is not entirely under our control, and we cannot guarantee the absolute security of data, especially during transmission. However, we make every reasonable effort to protect your information. In the unlikely event of a data breach involving personal data, we will promptly notify affected customers and the relevant authorities as required by law (for example, under the GDPR, we'd inform the supervisory authority within 72 hours if the breach is likely to result in a risk to individuals' rights). We will also take steps to remediate the breach and prevent similar occurrences in the future.
You are responsible for maintaining the security of your account credentials (passwords, API tokens, etc.) and your systems. Please use a strong password and do not share it with anyone. If you suspect any unauthorized access to your account or data, notify us immediately so we can help secure your account. If a personal data breach likely to result in risk to individuals occurs, we will notify you without undue delay and in any event within seventy-two hours after becoming aware, and will provide updates as more information becomes available.
Depending on your jurisdiction, you have certain legal rights regarding your data. UpStar is committed to honouring these rights. For individuals in the EU/EEA, UK, Israel, and many other regions, the following rights apply (with some exceptions or variations under local law):
28.1. Right of Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. We will provide this in a commonly used format. For example, hotel staff users can request a copy of their profile information, communication logs, etc. (For guest data processed on behalf of a hotel, the hotel should typically provide access to the guest, as they are the controller; however, we can assist.)
28.2. Right to Rectification: If any of the data we hold about you is inaccurate or incomplete, you have the right to request its correction or update. You can update some information (such as your contact details) by contacting us or using the account settings. We encourage you to keep your information up to date.
28.3. Right to Erasure: You have the right to request that we delete your data. This is sometimes referred to as the “right to be forgotten.” We will honour such requests to the extent required by law. For example, if you are a hotel user who has left your job and would like your personal contact information removed, we can delete or anonymize it. Please note that we may need to retain specific data for legal reasons (see 'Data Retention' above) – in such cases, we will inform you accordingly. Additionally, if the data is critical to the service your company is still using, we may need to discuss alternatives (e.g., replacing the contact person). If you are a guest seeking the erasure of your data processed by a hotel via UpStar, we will coordinate with the hotel to address your request.
28.4. Right to Restrict Processing: You have the right to ask us to restrict or suspend the processing of your personal data in certain circumstances – for instance, if you contest the accuracy of the data or object to our processing, we can put a hold on processing (aside from storing it) until the issue is resolved.
28.5. Right to Data Portability: For data you provided to us directly and that we process using automated means based on contract or consent, you have the right to request that we offer it to you in a structured, commonly used, machine-readable format, or to ask that we transfer it to another provider where technically feasible. In practice, this might apply to, for example, your user profile info or the set of guest reviews you submitted. We will assist in exporting data as needed.
28.6. Right to Object: You may have the right to object to our processing of your data when we process it on the legal basis of legitimate interests. If you object, we will evaluate whether our legitimate grounds for processing override your privacy rights. You also have an unconditional right to object to the use of your data for direct marketing – if we were sending marketing, you can opt out at any time (and we will stop). Similarly, if we were processing data for scientific/historical research or statistical purposes, you could object on grounds related to your situation.
28.7. Right to Withdraw Consent: If we rely on your consent for any processing, you have the right to withdraw that consent at any time. For example, if you consented to receive a newsletter, you could unsubscribe. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. If you withdraw consent for something essential (such as allowing us to process guest data you send), we may need to limit or terminate your use of the Service; however, we will notify you in such cases.
28.8. Right not to be subject to Automated Decision-Making: UpStar’s AI provides suggestions, but these do not amount to legal or similarly significant decisions made solely by automated means. There is always a human (the hotel user) in the loop deciding whether to use the AI’s suggestion. We do not have fully automated decision-making that produces legal effects or similarly significant effects on individuals without human intervention. If that ever changes, you will have rights to certain safeguards, like human review.
To exercise any of these rights, don't hesitate to get in touch with us at omri@rating-iq.com or hotels@rating-iq.com (Attn: Privacy/DPO). We may need to verify your identity to process specific requests (for example, ensure that the person requesting data access is the data subject or an authorized representative). We will respond to requests within the timeframe required by law (under GDPR, typically within one month, extendable by another two months for complex requests – but we aim to be faster). There is no fee for legitimate requests. However, if requests become excessive or repetitive, we may charge a reasonable fee or refuse them, as allowed by law.
If you are an individual who interacted with one of our hotel customers (for example, a guest who wrote a review that UpStar processed) and you want to exercise rights regarding that data, you should ideally direct your request to the hotel (as they are the primary data controller for guest data). However, you can also contact us directly, and we will assist and/or forward your request to the relevant customer when appropriate. We will support our customers in fulfilling data subject rights requests concerning the data we process on their behalf.
Our Services are not directed to children under 18. We do not knowingly collect personal data from individuals under 18. Our Terms of Use prohibit individuals under 18 from using UpStar. If you are under 18, do not use our Service or send us any personal information. If we become aware that we have inadvertently received personal data from a child under 18, we will delete it. In the context of guest reviews, it is theoretically possible that a minor could leave a review on a site. If we become aware of such a case and are processing the data, we will handle it with care or remove it if necessary. If you believe we may have any information about or from a minor, please contact us immediately.
We reserve the right to update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other operational reasons. If we make material changes, we will notify you by appropriate means, such as email to account holders or by placing a prominent notice on our website or dashboard. The “Effective Date” at the top indicates when the latest changes take effect. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. If you continue to use the Services after a revised Privacy Policy has become effective, you are deemed to have accepted the updated policy. If you disagree with the changes, you should stop using the Services and may request that we delete your data. For significant changes, especially those that might retroactively affect how we use data we collected under a prior version, we will obtain consent if required by law.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, don't hesitate to get in touch with us:
31.1. By Email: hotels@rating-iq.com (please include “Privacy” or “DPO” in the subject to route your query properly).
31.2. By Phone to Omri Azulay: +972-542-533-296 (available during regular business hours, Israel Time, for privacy inquiries).
31.3. By Mail to Omri Azulay: Data Protection Officer, UpStar Five Ltd, HaBrosh St 9, Beit Nekofa, Jerusalem, 0090830, Israel.
We will address your inquiry as soon as possible. If you are in the EU/EEA or the UK and feel that we have not adequately addressed your privacy concern, you have the right to complain to your country’s data protection supervisory authority. For example, in the UK, it’s the Information Commissioner’s Office (ICO); in France, it's the CNIL; in Germany, it's your state’s Data Protection Authority, and so on. Israeli users can contact the Israeli Privacy Protection Authority. We would appreciate the opportunity to address your concerns first, so please consider reaching out to us or our DPO before involving regulators. We are committed to protecting your privacy and will do our best to resolve any issues.
Thank you for trusting UpStar with your hotel’s data. We take that responsibility seriously and work hard to maintain your confidence.