How we keep your guests' data safe and compliant

A plain-English tour of our hosting, encryption, access and security testing.

Protecting guest data is built into the product, not bolted on. Here's a plain summary of what we do behind the scenes. For the full, always-current list of controls, see our Security & Compliance Centre.

Your data is hosted in the EU

The core HiJiffy platform runs in the European Union (AWS, Ireland). Keeping data in the EU by default keeps things simple for European hotels. Where any data is handled outside the EEA (for example, certain messaging providers) we put proper safeguards in place (see "Who else helps run the service").

It's encrypted, end to end

  • At rest: AES-256 encryption.
  • In transit: TLS 1.2 or higher for all traffic over the public internet.

Only the right people can access it

Access to guest data is limited to authorised staff with a genuine business need. That's backed by unique logins, role-based permissions, multi-factor authentication for remote access, network segmentation, IP whitelisting and regular access reviews. Inside your Console, you control your own team's access too — with roles and, for multi-property groups, property-level data scoping.

We keep only what's needed, for only as long as needed

We collect the minimum data required to run the service, hold it for defined periods, then securely delete or anonymise it. As a rule of thumb, guest conversation and booking data is kept for 5 years, after which older events are automatically purged. (A few records, such as billing, are kept longer where the law requires.) You can also request earlier deletion — see "Guest data requests".

We test ourselves, and bring in outside experts

  • An independent security firm runs penetration testing at least once a year, following recognised standards such as NIST SP 800-115 and OWASP. Anything found is fixed and re-tested.
  • We run internal control reviews at least annually.
  • A summary penetration-testing statement is available via the Security & Compliance Centre.

If something ever goes wrong

If a personal-data breach happens, we notify you without undue delay, give you the details and evidence you need, and work alongside you so you can meet your own obligations to your supervisory authority and, where required, your guests. Our incident-response process is documented and tested.

Guests always know they're talking to AI

In line with the EU AI Act, our assistants are designed as limited-risk AI systems: guests are clearly told when they're chatting with an AI (for example, a visible "I am your virtual assistant" greeting). HiJiffy doesn't process sensitive data such as health or biometric information, and it doesn't make automated decisions that have legal or similarly significant effects on guests.

EU hosting, strong encryption, least-privilege access, annual independent testing and clear AI transparency all come as standard — no add-on required.