Privacy Policy

1. Data controller

The controller responsible for processing your personal data is:
Prabin Paudel (Einzelunternehmen), Leebgasse 70/4, 1100 Wien, Austria. UID: ATU 81934089.
Contact for all privacy matters: privacy@virtualhost.at.

2. What data we process

2.1 Account data (hosts)

When you register, we store your email address, hashed password, display name, account creation timestamp, and subscription status. If you purchase a paid plan, our payment processor (Stripe) stores billing data; we receive only the last four digits of the card, the cardholder name and billing country.

2.2 Integration data (Smoobu)

When you connect your Smoobu account, we fetch and cache: apartment metadata (name, address, check-in/out times), reservation data (guest name, arrival, departure, channel, amount), and guest conversation threads (message text, timestamps, sender). We store the most recent 90 days of messages by default. API credentials are stored encrypted at rest.

2.3 Guest communication

To reply to guest messages, we process the content of messages sent to your Smoobu inbox. Messages are transmitted to Google Gemini (our AI inference provider; see §4) for the sole purpose of generating a reply. Messages are not retained by Gemini for training (enterprise terms). We keep the message and the AI reply in our database for audit and intervention-shield purposes.

2.4 Technical data

Like any web service, we log IP address, user agent, request path and timestamp for every request to our servers. These logs are used for security monitoring and are deleted after 30 days. We do not use IP addresses for advertising or behavioural profiling.

2.5 Analytics

We use Google Analytics 4 with IP anonymisation enabled. GA4 sets a _ga cookie to distinguish returning visitors. You can opt out at any time via the Google Analytics opt-out browser add-on, by rejecting analytics in our cookie banner, or via your browser's Do-Not-Track setting.

2.6 Advertising (Google AdSense)

Pages on virtualhost.at may display ads served by Google AdSense, a service operated by Google Ireland Ltd. AdSense uses cookies (including the DoubleClick DART cookie and IDE, ANID, NID) to serve ads based on your prior visits to this site and other websites on the internet, and to measure ad performance and fraud.

These cookies are set only after you grant explicit consent via our cookie banner (Art. 6(1)(a) GDPR, §96 Abs. 3 TKG 2021). If you reject non-essential cookies, no AdSense scripts are loaded and no advertising identifiers are stored.

You can:

• withdraw consent at any time via the "Cookie preferences" link in our footer,
• opt out of personalised advertising across Google's ad network at adssettings.google.com,
• opt out of third-party cookies across participating vendors at youronlinechoices.eu,
• read Google's own policy on how it uses data from sites that use its services at policies.google.com/technologies/partner-sites.

3. Legal basis for processing

• Contract performance (Art. 6(1)(b) GDPR) — account data, integration data, guest communication: processing is necessary to deliver the service you contracted for.
• Legitimate interest (Art. 6(1)(f) GDPR) — technical logs for security, fraud prevention, service availability.
• Legal obligation (Art. 6(1)(c) GDPR) — invoices and tax records (retained 7 years per §132 BAO).
• Consent (Art. 6(1)(a) GDPR) — analytics cookies, optional marketing emails. Withdrawable at any time.

4. Sub-processors

We use the following sub-processors to run Virtual Host AI. All are bound by data processing agreements compliant with Art. 28 GDPR.

• Hetzner Online GmbH (Germany / Finland) — primary server hosting, database storage.
• Stripe Payments Europe, Ltd. (Ireland) — payment processing.
• Google Ireland Ltd. (Ireland) — Gemini AI inference, Google Calendar integration, Google Analytics, and Google AdSense advertising (the last only after your explicit cookie consent).
• Smoobu GmbH (Germany) — property management system you connect voluntarily.
• Telegram FZ-LLC (UAE) — optional host notifications; only your Telegram chat ID is stored.
• Brevo SAS (France) — transactional email delivery.

Some sub-processors may transfer data outside the EU/EEA. In those cases we rely on EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

5. Retention

• Account data — for the life of the subscription, plus 30 days after cancellation for data-export requests.
• Guest messages — rolling 90 days by default; configurable in your settings.
• Technical logs — 30 days.
• Invoices and tax records — 7 years (§132 BAO).
• Cookies — session only, except _ga (13 months if you consented to analytics).

6. Your rights under GDPR

You have the right to:

• access the data we hold about you (Art. 15),
• correct inaccurate data (Art. 16),
• request deletion (Art. 17),
• restrict processing (Art. 18),
• receive a copy in machine-readable form (Art. 20),
• object to processing based on legitimate interest (Art. 21),
• withdraw consent at any time without affecting prior processing.

To exercise any right, email privacy@virtualhost.at. We respond within 30 days.

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde).

7. Security

We use TLS 1.3 for all traffic, bcrypt for password hashing, and encryption at rest for database backups. Access to production data is limited to the two managing engineers and gated by hardware 2FA. Full details on the Security page.

8. Cookies

We use cookies in three categories:

• Strictly necessary — vh_session (login, required for the app). Not set on the public site. No consent required.
• Analytics — _ga, _ga_* (Google Analytics 4). Set only after you click "Accept" in our cookie banner.
• Advertising — IDE, ANID, NID, DoubleClick DART (Google AdSense). Set only after you click "Accept" in our cookie banner. Reject and no AdSense script loads at all.

You can change your choice at any time via the "Cookie preferences" link in the footer.

9. Children

Virtual Host AI is a business tool. It is not directed at children under 16 and we do not knowingly collect data from them.

10. Changes to this policy

We may update this policy to reflect product changes or legal updates. Material changes are announced via email at least 30 days in advance. The "Last updated" date at the top of this page always shows the current version.

← Back to home