Privacy Policy
Last updated: February 22, 2026
1. Introduction and Identity of the Data Controller
MagicGuest ("we," "our," or "us") operates an AI-powered hotel guest communication and email management platform available at magicguest.com (the "Service"). We take the protection of your personal data seriously and are committed to processing it in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.
This Privacy Policy describes what data we collect, why we collect it, how we use it, with whom we share it, and what rights you have in relation to your data. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
For the purposes of GDPR and other applicable data protection laws, MagicGuest acts as the data controller for data you provide as a registered user (hotel operator), and as a data processor for personal data belonging to your hotel guests that you submit to the Service.
2. Information We Collect
We collect several categories of information depending on how you interact with our Service:
2.1 Account and Profile Information
- Registration data: Email address, password (stored in hashed form), and display name when you create an account.
- Hotel profile data: Hotel name, physical address, country, number of rooms, room categories and descriptions, pricing information, amenities, house rules, check-in/check-out policies, and any other property information you enter into the platform.
- Contact information: Phone number or other contact details you voluntarily provide in your profile or during support interactions.
2.2 Guest Email and Communication Data
- Incoming guest emails: When you connect your email account (e.g., Gmail, Outlook) to the Service, we access, read, and process emails sent by your hotel guests in order to generate AI-powered draft responses.
- Guest personal data within emails: Emails may contain personal data of your guests, such as their names, email addresses, booking references, travel dates, and special requests. This data is processed solely to provide the Service to you.
- Sent and draft responses: AI-generated draft responses and emails you send via the platform are stored to enable features such as conversation history, template management, and service analytics.
- Email metadata: Subject lines, timestamps, sender/recipient addresses, and message thread identifiers.
2.3 Payment and Billing Information
- Payment method data: We use Stripe, Inc. ("Stripe") as our payment processor. When you subscribe to a paid plan, your payment card details (card number, expiry, CVV) are entered directly into Stripe's secure interface and are never stored on our servers. We receive only a tokenized reference and the last four digits from Stripe.
- Billing details: Your name, billing address, company name (if applicable), VAT/tax identification number, and country, which are required for invoice generation and tax compliance.
- Transaction history: Records of payments made, subscription plan details, invoice amounts, and payment dates, retained for accounting and legal compliance purposes.
- Subscription status: Your current plan tier (Basic, Premium, Enterprise), billing cycle (monthly or annual), and subscription start and renewal dates.
2.4 Usage and Technical Data
- Log data: IP address, browser type and version, operating system, referring URLs, pages visited, features used, time spent, and actions taken within the Service.
- Device data: Device type, screen resolution, time zone, and language settings.
- Performance data: Response times, error logs, and crash reports used to maintain and improve the Service.
- AI interaction data: Prompts submitted to AI models, responses generated, and feedback you provide on response quality, used to improve our AI features.
2.5 Cookies and Similar Tracking Technologies
We use cookies and similar technologies (local storage, session tokens) to operate and secure the Service. These include:
- Essential cookies: Required for authentication, session management, and security. Cannot be disabled without losing access to the Service.
- Functional cookies: Remember your preferences such as theme (dark/light mode) and language settings.
- Analytics cookies: Help us understand how users interact with the Service so we can improve it. Where third-party analytics tools are used, data is anonymized or aggregated where possible.
3. Legal Basis for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases to process your personal data:
- Performance of a contract (Art. 6(1)(b) GDPR): Processing your account data, hotel profile, and email data is necessary to provide the Service you have subscribed to.
- Legitimate interests (Art. 6(1)(f) GDPR): We process usage data and technical data to maintain, secure, and improve the Service, prevent fraud, and protect our legal rights, where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c) GDPR): We retain billing records and transaction history to comply with tax, accounting, and financial regulations.
- Consent (Art. 6(1)(a) GDPR): Where we use optional analytics or marketing cookies, we rely on your consent, which you may withdraw at any time.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To create and manage your account, provide access to the platform, and deliver all features you have subscribed to.
- AI response generation: To analyze incoming guest emails and your hotel profile data in order to generate relevant, contextually appropriate draft email responses using AI models.
- Payment processing: To process subscription payments through Stripe, generate invoices, manage plan upgrades and downgrades, and handle subscription renewals and cancellations.
- Customer support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
- Service improvement: To analyze usage patterns, identify errors, test new features, and improve the overall quality of the platform.
- AI model improvement: Aggregated and anonymized interaction data may be used to improve our AI models and algorithms. We do not use identifiable guest email content to train AI models without appropriate safeguards.
- Security and fraud prevention: To detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity on the platform.
- Legal compliance: To comply with applicable laws, regulations, and court orders, and to enforce our Terms of Service.
- Communications: To send you transactional emails (password resets, payment receipts, subscription confirmations) and, where you have consented, product updates and newsletters.
5. Hotel Guest Data — Your Role as Data Controller
The emails you process through MagicGuest contain personal data belonging to your hotel guests. In this context:
- You (the hotel operator) are the data controller for your guests' personal data.
- MagicGuest acts as your data processor, processing that data only on your documented instructions and only to the extent necessary to provide the Service.
- You are responsible for ensuring that you have a lawful basis to share your guests' personal data with us and for informing guests about data processing as required by applicable law.
- You must not use the Service to process sensitive personal data (as defined under GDPR Art. 9) unless you have explicit consent from the individuals concerned.
Where required by GDPR, we are prepared to enter into a Data Processing Agreement (DPA) with you. Please contact us at support@magicguest.com to request a DPA.
6. Sharing of Information with Third Parties
We do not sell your personal data. We share your data only in the following circumstances and only to the extent necessary:
6.1 Service Providers (Sub-processors)
- Supabase: We use Supabase for authentication, database hosting, and real-time data infrastructure. Your account data and hotel profile are stored in Supabase-hosted databases. Supabase acts as a data processor under a Data Processing Agreement.
- Stripe, Inc.: We use Stripe to process all subscription payments. Stripe receives your billing information and payment card data directly. Stripe's privacy policy and terms apply to their processing of your data: stripe.com/privacy. Stripe is PCI DSS Level 1 compliant.
- OpenAI / AI providers: Email content and hotel profile data are sent to AI model providers (such as OpenAI) to generate response drafts. These providers process data under their own data processing agreements. We configure API requests to disable training on submitted data where such options are available.
- Email service providers (Google, Microsoft): When you connect Gmail or Outlook to the Service, we interact with Google's or Microsoft's APIs to read and send emails on your behalf. Your use of those integrations is subject to Google's and Microsoft's respective privacy policies and terms.
- Cloud infrastructure providers: Our application runs on cloud hosting providers (such as Vercel) that provide compute, storage, and networking infrastructure.
- Analytics providers: We may use third-party web analytics tools to understand Service usage. Where used, data is processed in aggregate or anonymized form where possible.
6.2 Legal Disclosure
We may disclose your information if we believe in good faith that disclosure is required by law, regulation, or legal process; to enforce our Terms of Service; to protect the rights, property, or safety of MagicGuest, our users, or the public; or in connection with fraud prevention or security investigations.
6.3 Business Transfers
If MagicGuest undergoes a merger, acquisition, financing, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), including in the United States. Where we transfer personal data outside the EEA, we ensure that adequate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to providers certified under applicable frameworks (e.g., EU-U.S. Data Privacy Framework)
- Other appropriate safeguards as required under applicable law
8. Data Storage and Security
We implement industry-standard technical and organizational security measures to protect your personal data, including:
- Encryption of data in transit using TLS/HTTPS
- Encryption of sensitive data at rest
- Hashed password storage using modern hashing algorithms
- Access controls limiting data access to authorized personnel only
- Regular security reviews and monitoring
- Payment card data is never stored on our servers — Stripe handles all card data directly
Despite our efforts, no system is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law.
9. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy:
- Account data: Retained for the duration of your account's existence and deleted within 30 days of account deletion, except where longer retention is required by law.
- Email and guest communication data: Retained for the duration of your subscription and for up to 90 days after account deletion, to allow for data export and dispute resolution.
- Billing and payment records: Retained for a minimum of 5–8 years in accordance with applicable tax and accounting regulations, even after account deletion.
- Log and technical data: Typically retained for 12 months for security and diagnostic purposes.
- Backup data: May be retained in encrypted backups for up to 90 days after deletion from live systems.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request that we correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17 GDPR): You may request deletion of your personal data, subject to our legal obligations to retain certain records.
- Right to restriction of processing (Art. 18 GDPR): You may request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): You may request your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.
To exercise any of these rights, please contact us at support@magicguest.com. We will respond within 30 days. We may need to verify your identity before processing your request.
11. Children's Privacy
The Service is intended for use by hotel operators and business professionals. It is not directed at or intended for children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately and we will delete that data.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (to the address associated with your account) and/or by displaying a prominent notice in the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
MagicGuest
Email: support@magicguest.com
If you are located in the European Union and believe your data protection rights have been violated, you also have the right to lodge a complaint with your local supervisory authority (e.g., the NAIH in Hungary, or your country's equivalent data protection authority).