
How we keep your guests' data safe and compliant

A plain-English tour of our hosting, encryption, access and security testing.

Protecting guest data is built into the product, not bolted on. Here is a plain summary of what we do. For the full, always-current list of controls, see our Security & Compliance Centre.

Your data is hosted in the EU

The core HiJiffy platform runs in the European Union (AWS, Ireland), which keeps things simple if you operate in Europe. Where any data is handled outside the EEA, such as with certain messaging providers, we put proper safeguards in place (see "Who else helps run the service").

It is encrypted

  • At rest: AES-256 encryption.
  • In transit: TLS 1.2 or higher.

Only the right people can access it

Access to guest data is limited to staff who genuinely need it, with unique logins, role-based permissions and multi-factor authentication. Inside your Console, you control your own team's access too, including property-level scoping when you manage more than one site. The complete list of controls lives on our Security & Compliance Centre.

We keep only what is needed, for only as long as needed

We collect the minimum data required to run the service and hold it for set periods, then securely delete or anonymise it. As a rule of thumb, guest conversation and booking data is kept for 5 years, after which older events are purged automatically. You can also request earlier deletion (see "Guest data requests").

We test ourselves, and bring in outside experts

An independent security firm runs penetration testing at least once a year, following recognised industry standards, and anything found is fixed and re-tested. We also run internal reviews at least annually. A summary statement is available via the Security & Compliance Centre.

If something ever goes wrong

If a personal-data breach happens, we tell you promptly, give you the details you need, and work alongside you so you can meet your own obligations to your supervisory authority and, where required, your guests.

Guests always know they are talking to AI

In line with the EU AI Act, our assistants are designed as limited-risk AI systems. Guests are clearly told when they are chatting with an AI, for example through a visible "powered by AI" greeting. We do not process sensitive data such as health or biometric information, and the assistant does not make automated decisions that significantly affect guests.

 

Reassurance in one line: EU hosting, strong encryption, tight access controls, annual independent testing and clear AI transparency all come as standard, with no add-on required.