Maison Labs, Inc.

Sub-Processor Policy

November 5, 2025

1. Overview

Maison.cx (“Maison,” “we,” “our,” or “us”) provides conversational and AI-driven intelligence tools embedded on partner hotel websites (the “Services”).
We process data solely on behalf of our hotel partners (“Controllers”) to deliver anonymized analytics, interaction insights, and knowledge-based intelligence.

Maison.cx does not collect, retain, or process personally identifiable information (PII) of hotel guests or end-users. All datasets used for analytics, reporting, and AI retrieval are aggregated, pseudonymized, or non-personal.

2. Roles and Responsibilities

Maison.cx operates under a controller-processor model consistent with GDPR and equivalent frameworks:

  • Hotel Partners act as Data Controllers, determining the purposes and lawful basis of processing.
  • Maison.cx acts as a Data Processor, processing anonymized or pseudonymized data under the Controller’s documented instructions.
  • Sub-processors are third-party providers engaged by Maison.cx to support hosting, inference, or observability. They act as sub-processors to the Controller.

3. Data Minimization and Anonymization

Maison.cx follows strict privacy-by-design and data-minimization principles:

  • No personal identifiers (such as guest names, emails, phone numbers, booking IDs, or IP addresses) are collected or stored.
  • Hotel KnowledgeBase content (e.g., property descriptions, FAQs, amenities, and policies) is processed solely to improve retrieval accuracy. Embeddings derived from such content contain no personal data.
  • Analytics outputs are based on aggregated or statistical data only—such as conversation counts, topic frequency, and response performance.
  • Logs and telemetry are redacted automatically to remove payloads or any residual identifiers.

4. Authorized Sub-processors

Amazon Web Services (AWS)

Maison.cx uses AWS for cloud hosting, compute, and secure storage of anonymized and pseudonymized data.
All data is encrypted in transit and at rest, and AWS maintains SOC 2 Type II and ISO 27001 certifications.

OpenAI (ChatGPT API / Enterprise)

Maison.cx uses OpenAI’s enterprise API to generate natural-language responses during user interactions.
Requests are processed transiently and never used for model training under the paid API terms. No persistent storage or profiling occurs.

Google Analytics (GA4)

Maison.cx uses Google Analytics to understand general usage and engagement patterns for the embedded concierge widget.
Data is de-identified, IP addresses are anonymized, and consent mode is enforced where required.

Datadog

Maison.cx uses Datadog for application performance monitoring, error tracking, and security telemetry.
Data consists only of system metrics and redacted logs. Datadog holds SOC 2 Type II certification and enforces encryption in transit.

Pinecone

Maison.cx uses Pinecone as a managed vector database for storing hotel KnowledgeBase embeddings.
These vectors are mathematical representations of non-personal, hotel-provided content, used solely for AI retrieval and response improvement.
No PII, guest data, or user interactions are stored within Pinecone.

5. Sub-processor Oversight

Maison.cx maintains written Data Processing Agreements with all Sub-processors.
Each Sub-processor is contractually required to:

  • Process data only under Maison’s documented instructions.
  • Maintain technical and organizational measures consistent with GDPR Article 28.
  • Notify Maison.cx promptly of any security or privacy incident.
  • Support Maison.cx’s compliance with data-subject rights and breach-notification obligations.

Maison.cx conducts annual reviews of Sub-processor security posture and certifications, and enforces encryption, access control, and key-management policies aligned with ISO 27001 and NIST SP 800-53.

6. Updates and Notifications

Maison.cx will provide hotel partners with at least 30 days’ written notice before engaging a new Sub-processor.
Partners may object to a new Sub-processor in writing during that period.
If an objection cannot be resolved, Maison.cx will work in good faith to find an alternative or allow suspension of the affected service component.

7. Contact

Maison.cx Data Protection Office
Email: privacy@maison.cx