![logo icon white.png]](https://help.hijiffy.com/hs-fs/hubfs/logo%20icon%20white.png?width=50&height=50&name=logo%20icon%20white.png)
Guest data requests: access and deletion
What to do when a guest asks to see or delete their data — step by step.
Your guests have rights over their personal data under the GDPR, including the right to:
- get a copy of their data (access)
- correct it (rectification)
- have it deleted (erasure, the "right to be forgotten")
- limit how it's used (restriction)
- receive it in a portable format (portability)
- object to certain processing
How a request works when you use HiJiffy
Because your hotel is the controller, a guest's formal request should come to you first. We then act on your confirmed instruction. The flow is simple:
- The guest contacts you: ideally at one published privacy address.
- You check and validate the request (identity and scope).
- You send the action to us at support@hijiffy.com.
- We carry it out and confirm within 48 hours.
Make it self-service in the assistant
Add a standing line to your central Knowledge Document so the assistant handles privacy questions the same way every time, for example:
"If a guest asks to review, access or delete their personal data, tell them to email [your privacy contact] and let them know the hotel will handle the request."
This routes requests straight to you, 24/7.
Template — replying to a guest's request
"Thanks for your request about your personal data. As the hotel, we're responsible for handling it, and we've logged it today. We'll respond within the time the GDPR requires. Our guest messaging is run on our behalf by HiJiffy, our technology provider, who will action any access or deletion on our instruction. If you have any questions, contact us at [privacy contact]."
This is general guidance, not legal advice. As the controller, you're responsible for meeting the GDPR response deadline (usually one month) and for verifying who's asking.