Company Information
| Company Name | Zosani Co., Ltd. (operating as “Hallostay”) |
|---|---|
| Registration Number | 0105566157610 |
| Registered Address | 551/1 Moo 10, Nong Prue, Bang Lamung, Chonburi 20150, Thailand |
| Country of Establishment | Thailand |
| Business Activities | AI Development, Guest Communication Automation, Hospitality SaaS, Web Solutions |
| Capital | 4,500,000 THB |
| Registered Date | 15 August 2023 |
| Status | Active |
Global Privacy Policy
Effective Date: February 2026
This Global Privacy Policy explains how Hallostay (Zosani Co., Ltd.) collects, uses, shares, and protects Personal Data. Hallostay is a B2B hospitality SaaS platform. In most guest-related contexts, Hallostay processes Personal Data on behalf of its business customers (e.g., hotels, resorts, serviced apartments, brands, and management companies) as a Processor. In limited cases, Hallostay acts as a Controller, primarily for its own customer administration, billing, security, and website operations.
1. Definitions
- “Personal Data” means information relating to an identified or identifiable individual (e.g., guest, staff user), as defined under applicable privacy laws.
- “Customer” means the business client contracting with Hallostay (e.g., hotel/brand/management company).
- “End Users” means guests, visitors, and individuals interacting with Customer channels or Customer staff using the platform.
- “Controller” means the party determining purposes/means of processing; “Processor” means processing on behalf of a Controller.
2. Scope
This Policy applies to:
- Hallostay websites and marketing pages (e.g., hallostay.app).
- Customer admin users and staff users accessing dashboards, QR guest modules, or APIs.
- Guest or visitor interactions processed through the Services as Processor (limited to what is necessary to deliver the Services).
3. Categories of Data We Process
Hallostay processes different data categories depending on your role (guest vs. hotel staff vs. website visitor) and the modules enabled by the Customer.
| Category | Examples | Primary Purpose | Practical Explanation |
|---|---|---|---|
| Account & Admin Data (Controller) | Name, work email, role, permission level, login events | Account setup, access control, support, security | Needed so the Customer can manage staff and maintain secure access. |
| Guest Communication Data (Processor) | Messages, inquiries, attachments, timestamps, channel identifiers | Deliver and automate guest conversations | Processed under Customer instructions to respond and route service/booking needs. |
| Booking & Stay Data (Processor) | Stay dates, room types, preferences, service requests | Booking assistance, in-stay service delivery, upsells | Only what the Customer collects or configures to run operations and guest experience. |
| Integration / OAuth Data | Scoped tokens, page IDs, channel configuration, webhook events | Connect and operate channels (Meta, LINE, email, web) | Allows Hallostay to send/receive messages for the Customer’s authorized channels. |
| Technical & Security Logs | IP address, device details, audit logs, error logs | Security monitoring, debugging, fraud prevention | Protects the platform and helps diagnose issues quickly. |
4. Purposes of Processing
Hallostay processes Personal Data for purposes such as:
- Service delivery: operating the messaging platform, automations, routing, dashboards, and guest experiences configured by the Customer.
- Security: authentication, abuse prevention, incident detection, monitoring, and auditing access.
- Support: troubleshooting, onboarding assistance, and responding to Customer requests.
- Service improvement: performance, reliability, usability improvements; aggregated analytics not identifying individuals where feasible.
- Legal and compliance: meeting obligations related to taxes, accounting, lawful requests, or dispute defense.
5. Legal Bases (Global Summary)
Depending on jurisdiction and context, processing may rely on contract necessity, legitimate interests, legal obligations, or consent. For guest communication processed as Processor, the Customer determines the lawful basis and provides necessary notices.
6. Sharing & Disclosure
Hallostay may share data only as needed to operate the Services:
- Sub-processors: infrastructure, monitoring, AI, and communications providers (see Sub-Processor section).
- Third-party channels: where Customer connects external platforms (Meta/LINE/email), those platforms process data under their own terms.
- Legal requests: to comply with lawful requests or protect rights, safety, and security.
- Corporate events: mergers/acquisitions where allowed; with safeguards.
7. International Transfers
Customer Data may be processed in multiple regions depending on hosting and Sub-processors. Where legally required, Hallostay supports recognized safeguards (e.g., SCCs/IDTA or similar mechanisms) and applies supplementary security measures as appropriate.
8. Data Retention
| Data Type | Default Retention | Explanation |
|---|---|---|
| Customer Data (Processor) | During contract + post-termination deletion window (typically up to 60 days) | Allows export/migration; then delete/anonymize unless legally required. |
| Security & Audit Logs | Up to 24 months | Used for security, investigations, and forensic integrity. |
| Billing/Financial Records | Up to 7 years (or as required by law) | Required for tax/accounting compliance. |
9. Rights of Individuals
Rights vary by jurisdiction (access, correction, deletion, portability, objection). For guest data, requests should generally be directed to the Customer (the Controller). Hallostay will assist the Customer where feasible as Processor.
10. Security
Hallostay implements security measures described in the Security (TOMs) section of this page and maintains processes for incident response.
11. Children’s Data
Hallostay is not intended for children. Customers must not knowingly collect or process children’s data through Hallostay where prohibited by law or without appropriate legal basis and safeguards.
12. Contact
Privacy contact: privacy@hallostay.app
General: hello@hallostay.app
If you are a guest and want to exercise rights related to a hotel’s processing, contact the hotel directly. Hallostay can assist the hotel as Processor.
Data Processing Agreement (DPA) – Annex
Effective Date: February 2026
1. Roles
- Customer acts as Controller for guest and prospect Personal Data.
- Hallostay acts as Processor for such data, processing it only on Customer instructions as described here and in the platform configuration.
- For Hallostay’s own admin/billing/security data, Hallostay may act as Controller.
2. Processing Details
| Item | Description | Explanation |
|---|---|---|
| Subject matter | Processing of Personal Data in Customer Data (messages, bookings, requests, metadata). | Hallostay runs guest communication and service workflows. |
| Duration | Agreement term + limited deletion/return window after termination. | Allows export/migration before deletion. |
| Nature | Hosting, transmitting, analyzing, and displaying data; automation execution; support. | Normal SaaS operations + configured AI/automation. |
| Purpose | Provide Services; security; troubleshooting; compliance obligations. | Only what is necessary and proportionate. |
3. Processor Obligations
Hallostay will:
- Process Personal Data only on documented instructions (including platform settings and support tickets).
- Ensure confidentiality commitments for personnel with access to Personal Data.
- Implement appropriate technical and organizational measures (see Security section).
- Assist with data subject requests and compliance queries where feasible.
- Notify Customer without undue delay of confirmed personal data breaches affecting Customer Data.
- Maintain Sub-Processor governance (selection, contracts, and oversight).
4. Customer Obligations
Customer will:
- Ensure lawful basis and required notices/consents for guest data processing.
- Ensure instructions are lawful and do not require unlawful processing.
- Configure automations responsibly (including escalation/human review for sensitive cases).
- Secure Customer devices, accounts, and external endpoints (webhooks, integrations).
5. Sub-Processors
Hallostay may appoint Sub-Processors. Hallostay will ensure Sub-Processors are bound by data protection obligations consistent with this DPA. Notification and objection rights are described in the Sub-Processor section.
6. International Transfers
Where transfers are restricted by law, Hallostay supports recognized safeguards such as SCCs/IDTA or comparable mechanisms, together with supplementary security measures where appropriate.
7. Audits
Upon reasonable request, no more than once per year (unless a material incident occurs), Hallostay may provide available compliance evidence and/or permit an audit under confidentiality and non-disruption conditions with 30 days' notice.
8. Deletion / Return
On termination, Hallostay will delete or anonymize Personal Data within a commercially reasonable timeframe (typically up to 60 days), unless retention is legally required or permitted (e.g., security logs, dispute defense, accounting).
For enterprise customers, SCCs/IDTA can be attached as a separate annex if required by procurement.
Sub-Processor Framework & List
Effective Date: February 2026
1. Purpose
Hallostay uses carefully selected vendors (“Sub-Processors”) to provide cloud infrastructure, observability, communications connectivity, and AI capabilities. This section explains (a) how Hallostay chooses Sub-Processors, (b) how changes are communicated, and (c) which Sub-Processors may be used.
2. Selection & Governance
- Due diligence: evaluate security posture, access controls, encryption, and reliability.
- Contract controls: ensure confidentiality, incident notification, and deletion obligations.
- Least privilege: Sub-Processors receive only the access necessary for their function.
- Review: periodic re-assessment and vendor management.
3. Change Notifications & Objections
Hallostay will update the list below when introducing new Sub-Processors or materially changing processing. Where feasible, Hallostay will provide email or in-app notice. Customer may object within 30 days on reasonable data protection grounds.
If objection cannot be resolved, Hallostay may offer a reasonable alternative or allow termination of the affected module (if feasible).
4. Sub-Processor List (Template)
| Vendor | Category | Purpose | Data Potentially Processed | Primary Processing Location(s) |
|---|---|---|---|---|
| [Primary Cloud / Hosting Provider] | Infrastructure | Compute, storage, networking, backups | Customer Data, logs, metadata | [e.g., Thailand / Singapore / EU / US] |
| [AI Model Provider] | AI / NLP | Generate responses, classification, intent extraction | Conversation text (as configured), limited metadata | [Region(s) per provider] |
| Meta Platforms | Channel provider | Facebook/Instagram messaging APIs | Message content and metadata under Meta terms | Global |
| LINE Corporation | Channel provider | LINE OA messaging API | Message content and metadata under LINE terms | Global |
| [Email Provider / Relay] | Connectivity | Email routing, SMTP/IMAP/API connectivity | Email content/headers as configured | [Region(s)] |
| [Monitoring / Observability] | Security/Monitoring | Performance monitoring and alerting | Technical logs, metrics | [Region(s)] |
Security (Technical & Organisational Measures – TOMs)
Effective Date: February 2026
1. Access Control
- Role-based access control (RBAC) for staff/admin functions.
- Least-privilege access to production systems and databases.
- Audit logging of key administrative actions.
- Segregation of duties where practicable (e.g., deployment vs. billing vs. support access).
2. Encryption
- In transit: TLS/HTTPS for platform traffic and API communications.
- At rest: encryption for stored data where feasible and proportionate (depending on infrastructure and module).
- Secrets management: tokens and keys stored with restricted access and appropriate rotation practices.
3. Application Security
- Secure development practices, testing, and review prior to deployment.
- Change management procedures to reduce downtime and regressions.
- Rate limiting, webhook verification, and input validation to reduce abuse.
4. Logging, Monitoring & Detection
- Monitoring service health, error rates, and suspicious behavior.
- Alerting and incident response workflows.
- Retention of logs consistent with security needs and applicable law.
5. Backup & Recovery
- Regular backups of key platform data/configuration.
- Restore procedures tested periodically where practicable.
- Disaster recovery planning and resilience measures.
6. Vulnerability Management
- Patch management based on severity and risk.
- Security updates and improvements on a recurring basis.
- Periodic security testing (including penetration testing where feasible).
7. Incident Response
Hallostay maintains procedures for detecting, triaging, and responding to security incidents. For confirmed incidents affecting Customer Data, Hallostay will notify Customer without undue delay and provide reasonably available information.
SLA & Uptime Policy
Effective Date: February 2026
1. Availability Targets
| Component | Target Monthly Uptime | Explanation |
|---|---|---|
| Core Web App / Dashboard | 99.7% | Platform is accessible and usable for core operations during the month (excluding permitted downtime). |
| API (where enabled) | 99.5% | API endpoints respond successfully (excluding Customer/third-party causes). |
| QR Guest Experience (where enabled) | 99.7% | Guest pages load and submit requests normally. |
2. What is Excluded
- Third-party channel outages (Meta, LINE, telecom networks, email provider downtime).
- Customer internet outages or Customer misconfiguration.
- Scheduled maintenance and emergency security maintenance.
3. Maintenance Windows
- Planned maintenance: 48 hours' notice where practicable.
- Emergency maintenance: may occur without prior notice to protect security/stability.
4. Support Response Targets
| Severity | Definition | Initial Response | Explanation |
|---|---|---|---|
| P1 Critical | Core platform down / major outage | 1 hour | Immediate triage and continuous remediation work. |
| P2 High | Major feature degraded; significant business impact | 4 hours | Priority fix with status updates. |
| P3 Medium | Partial impact; workaround exists | 24 hours | Scheduled fix and clear tracking. |
| P4 Low | Minor issue; cosmetic; requests | 3 business days | Handled via roadmap/backlog. |
5. Service Credits (Optional – Enterprise)
Service credits may be offered in enterprise contracts. If not included in your Order, no credits apply by default.
AI Governance & Ethics Policy
Effective Date: February 2026
1. Principles
- Human oversight: AI supports staff; humans remain responsible for outcomes.
- Transparency: AI use should be disclosed where appropriate.
- Privacy: minimize data and restrict access.
- Safety: prevent harmful or unsafe automation.
- Fairness: reduce discriminatory behavior where feasible.
2. Mandatory Escalation (Human-in-the-loop)
AI must escalate to staff for:
- Refunds, payment disputes, chargebacks.
- Medical, safety, emergency issues.
- Threats, harassment, discrimination.
- Complaints implying legal claims.
- Overbooking conflicts and contractual disputes.
3. Prohibited Uses
- Autonomous decisions with legal/similarly significant effects without human review.
- Biometric identification or sensitive profiling unless explicitly enabled and legally justified.
- Political persuasion/disinformation or unlawful surveillance.
- Use that violates third-party channel policies.
4. Monitoring & Quality Controls
- Logging and review of AI outputs where feasible.
- Prompt/knowledge base governance to reduce hallucinations.
- Continuous improvement based on feedback and observed failure modes.
Platform Terms (Operational Use Rules)
Effective Date: February 2026
1. Authorized Use
The platform is intended for hospitality businesses (hotels, resorts, serviced apartments, brands, and management groups). Only authorized Customer staff may access and configure the platform. Customer is responsible for staff actions.
2. Supported Channels & Permissions
Hallostay may support channels such as webchat widgets, LINE Official Accounts, Meta (Facebook/Instagram) business messaging, and connected email inboxes. Channel availability depends on third-party approvals and ongoing compliance with provider rules.
Where configured, Hallostay may request permissions and tokens such as:
pages_messaging, pages_manage_metadata, pages_manage_engagement, instagram_manage_messages, and related permissions required by providers.
3. Customer Responsibilities
- Customer must only connect channels it legally controls and is authorized to operate.
- Customer must maintain accurate hotel policies (pricing, cancellation, refunds, house rules) in templates and AI knowledge.
- Customer must not use Hallostay for spam, unlawful marketing, harassment, or illegal content.
- Customer must supervise AI and ensure escalation rules are in place for high-risk scenarios.
4. Service Changes
Hallostay may adjust integrations to comply with third-party API changes or legal requirements. Hallostay may suspend channels where misuse or policy violations are detected to protect the platform and other customers.
5. Intellectual Property
Hallostay retains all intellectual property in platform code, templates, flows, documentation and designs. Customer receives only a limited subscription right to use the Services during the active term.
6. Indemnity
Customer indemnifies Hallostay against claims, damages, fines, or costs arising from Customer’s unlawful use of the platform, violation of marketing/telecom laws, or breach of third-party channel policies.
Master Terms of Use (Global B2B SaaS)
Effective Date: February 2026
1. Agreement Structure
These Master Terms govern access to and use of Hallostay globally. The following sections are incorporated by reference and form part of the Agreement: Privacy Policy, DPA, Sub-Processor Framework, Security (TOMs), SLA/Uptime Policy, AI Governance, and Platform Terms. If there is a conflict, the Order Form or Statement of Work prevails over these Terms.
2. Subscription Term & Renewal
Unless otherwise agreed, subscriptions run for 12 months and renew automatically for successive 12-month terms. Non-renewal requires written notice in accordance with the Order Form (or, if not stated, no later than 30 days before term end).
3. Fees & Payment
Fees are defined in the Order Form. Fees are typically payable in advance and are non-refundable except where required by law or explicitly stated. Customer is responsible for taxes and withholding obligations where applicable.
4. Warranty Disclaimer
The Services are provided “as is” and “as available”. Hallostay does not guarantee uninterrupted operation or error-free service, and AI outputs may be inaccurate or incomplete. Customer remains responsible for verifying critical outcomes.
5. Limitation of Liability
To the maximum extent permitted by law, Hallostay is not liable for indirect or consequential damages. Hallostay’s total liability is capped at fees paid in the 12 months preceding the event giving rise to the claim.
6. Governing Law
Default: Thailand law and courts (replace with Singapore arbitration if you prefer global enterprise default).
7. Contact
General: hello@hallostay.app | Legal: legal@hallostay.app