Privacy Policy

Version 2.0 - Effective April 2025

VistaLink Technologies Ltd ("VistaLink," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our websites, use our services, or interact with our products. This policy applies to all VistaLink products and services, including but not limited to:

• vistalink.com and all associated subdomains
• The Parley consumer application (web, iOS, and Android)
• The VistaLink Hotel Extranet (extranet.vistalink.com)
• The VistaLink Developer API, MCP (Model Context Protocol) server, and developer portal
• VistaLink Voice Services (self-hosted telephony infrastructure)
• Any other VistaLink product or service that references this policy

VistaLink Technologies Ltd is a company registered in England and Wales. Please read this policy carefully. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact us using the details provided at the end of this document.

1. Data Controller and Data Processor Roles

The role VistaLink plays in the processing of personal data depends on how you interact with our Services:

• Data Controller: VistaLink Technologies Ltd acts as the data controller for personal data collected directly through our Services - including website visits, Parley account registrations and usage, Hotel Extranet accounts, Developer account registrations, voice calls initiated through Parley, and contact form submissions. As data controller, we determine the purposes and means of processing your personal data.
• Data Processor: Where Developers use the VistaLink API or MCP server and transmit their End Users' personal data to VistaLink for processing, VistaLink acts as a data processor on behalf of the Developer. In this scenario, the Developer remains the data controller for their End Users' personal data and is responsible for ensuring that appropriate legal bases, consents, and privacy notices are in place.

If you are an End User of a third-party application that integrates with VistaLink Services, please refer to that application's privacy policy for information about how your data is handled. This Privacy Policy covers VistaLink's processing activities in its capacity as data controller.

2. Personal Data We Collect

The categories of personal data we collect depend on which Services you use and how you interact with them.

2.1 vistalink.com and Subdomains

• Usage and analytics data: IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, and the dates and times of your visits.
• Device information: Device type, screen resolution, unique device identifiers, and mobile network information.
• Contact information: Name, email address, and any other details you provide when submitting enquiry or contact forms.
• Cookies and tracking data: Data collected through cookies, web beacons, and similar technologies as described in our Cookie Policy.

2.2 Parley (Web, iOS, and Android)

• Account data: Name, email address, and authentication credentials when you create a Parley account.
• Search and conversation data: Chat messages, hotel search queries, travel preferences, destination selections, date ranges, and interaction history with the AI assistant.
• Booking data: Travel dates, guest details, hotel preferences, room selections, and payment information where applicable.
• Device and usage data: Device type, operating system version, app version, unique device identifiers, push notification tokens, session duration, and feature usage patterns.
• Location data: Approximate location derived from IP address or, where you grant permission, more precise location data to support nearby hotel searches.

2.3 Developer API and MCP Server

• Developer account data: Name, email address, organisation name, and billing information provided during API key registration.
• API usage data: API request logs, endpoint usage, request and response metadata, latency metrics, error rates, and rate-limit counters.
• Authentication credentials: API keys and associated security metadata.

When Developers transmit End User data through the API, VistaLink processes that data solely to fulfil the API request and does not retain it beyond what is necessary for request processing and short-term logging (see Section 8 on data retention).

2.4 Voice Services

• Call recordings: Audio recordings of calls placed through VistaLink Voice Services to hotels on your behalf. Recordings are used for quality assurance, service improvement, dispute resolution, and compliance purposes.
• Call metadata: Call duration, timestamps, destination phone numbers, call outcome (connected, failed, voicemail), and the hotel property associated with the call.
• Conversation transcripts: Automated transcriptions of voice calls, which may include personal data spoken during the call such as guest names or booking details.
• User instructions and preferences: The preferences, instructions, and parameters you provide to the AI agent before and during the call (for example, desired rates, date ranges, or room requirements).

Where required by applicable law, the hotel or other receiving party is informed at the start of the call that it may be recorded.

2.5 Hotel Extranet

• Hotel partner account data: Contact name, email address, job title, hotel property details, and business information provided during registration.
• Platform interaction data: Login activity, property management actions, booking enquiry responses, and usage patterns within the Extranet.

3. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

• Providing and operating our Services: To deliver hotel search results, facilitate bookings, process voice calls, serve API requests, and operate the Hotel Extranet.
• Account management: To create and manage your account, authenticate your identity, and administer your access to our Services.
• Service improvement: To analyse usage patterns, improve our AI search algorithms, conversational models, and voice infrastructure, and to develop new features and products.
• Communication: To respond to your enquiries, provide customer support, send service notifications, and - where you have consented - send marketing communications about our products and services.
• Quality assurance and dispute resolution: To review voice call recordings and transcripts for quality assurance purposes, and to resolve disputes between users and hotels arising from calls or bookings.
• Security and fraud prevention: To detect, prevent, and address technical issues, unauthorised access, fraud, and abuse of our Services.
• Analytics and reporting: To monitor and analyse usage trends, generate aggregate statistics, and produce internal reports on service performance.
• Legal compliance: To comply with applicable legal obligations, enforce our Terms of Use, and protect our rights, property, and safety.

4. Legal Bases for Processing

Under the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU GDPR, we process your personal data on the following legal bases:

• Performance of a contract (Article 6(1)(b)): Processing that is necessary to provide the Services you have requested - for example, creating your Parley account, fulfilling hotel search queries, processing bookings, serving API requests under your Developer agreement, or operating your Hotel Extranet account.
• Consent (Article 6(1)(a)): Where you have given clear consent for specific processing activities - for example, opting in to marketing communications, enabling precise location tracking in the Parley app, or consenting to voice call recording. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include improving our Services, ensuring security, preventing fraud, conducting analytics, and maintaining the quality of our voice and AI systems.
• Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation to which we are subject, such as financial record-keeping, tax obligations, or responding to lawful requests from public authorities.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with the following categories of recipients:

• Hotel partners: When you make a booking or when a voice call is placed to a hotel on your behalf, we share the information necessary to complete the reservation or enquiry - such as guest names, travel dates, room preferences, and contact details.
• Payment processors: When you make a payment through our Services, your payment information is transmitted to our authorised payment processing partners. We do not store full payment card details on our servers.
• Cloud infrastructure providers: We use third-party cloud hosting and infrastructure services to operate our platform. These providers process data on our behalf under contractual obligations that require them to protect your data.
• Analytics providers: We use analytics services to understand how our websites and applications are used. These services may collect usage data as described in our Cookie Policy.
• Service providers and sub-processors: We engage third-party vendors for services such as email delivery, customer support tooling, error monitoring, and telephony infrastructure. These providers are contractually obligated to process data only for the purposes we specify and to implement appropriate security measures.
• Legal requirements: We may disclose your personal data if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of VistaLink, our users, or the public.
• Business transfers: In connection with any merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your data.

6. Cross-Border Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area. This may occur when our cloud infrastructure providers, sub-processors, or hotel partners are located in other jurisdictions. Where such transfers take place, we ensure that appropriate safeguards are in place to protect your personal data, including:

• Transfers to countries that have been deemed to provide an adequate level of data protection by the UK Secretary of State or the European Commission.
• Standard Contractual Clauses (SCCs) approved by the relevant authorities, supplemented by additional technical and organisational measures where necessary.
• Other lawful transfer mechanisms as permitted under applicable data protection laws.

You may request a copy of the safeguards we use for international transfers by contacting us at the details provided in Section 13.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS) and at rest where appropriate.
• Access controls and authentication mechanisms to restrict access to personal data to authorised personnel.
• Regular security assessments and vulnerability testing.
• Secure storage of voice call recordings with access limited to authorised staff for legitimate purposes.
• API key hashing and secure credential management for Developer accounts.

However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The following retention periods apply:

• Account data (Parley, Developer, Hotel Extranet): Retained for the duration of your active account and for up to 24 months following account closure to comply with legal obligations and resolve any outstanding matters.
• Website analytics and usage data: Retained for up to 26 months from the date of collection.
• Search and conversation history (Parley): Retained for the duration of your account. You may delete individual conversations at any time through the app.
• Booking data: Retained for up to 6 years following the completion of the booking to comply with financial and tax record-keeping obligations.
• API request logs: Retained for up to 90 days. Aggregate usage statistics that do not contain personal data may be retained indefinitely.
• Voice call recordings: Retained for up to 12 months from the date of the call, unless a longer retention period is required for dispute resolution, legal compliance, or ongoing investigations.
• Voice call metadata and transcripts: Retained for up to 12 months from the date of the call.
• Contact form submissions: Retained for up to 24 months from the date of submission.

When personal data is no longer required for any of the above purposes, it is securely deleted or anonymised.

9. Your Rights

Under the UK GDPR (and, where applicable, the EU GDPR), you have the following rights regarding your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data, subject to certain legal exceptions (for example, where we are required to retain data for legal compliance).
• Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances - for example, while we verify the accuracy of data you have contested.
• Right to data portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
• Right to object: You may object to the processing of your personal data where we are relying on legitimate interests as the legal basis for processing. You also have the right to object to processing for direct marketing purposes at any time.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
• Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing - including profiling - that produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for a contract, authorised by law, or based on your explicit consent.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one calendar month. In certain circumstances, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated. If you are located in the European Economic Area, you may also lodge a complaint with the supervisory authority in your country of residence.

10. Cookies

Our websites and services use cookies and similar tracking technologies to enhance your browsing experience, analyse site traffic, and support our marketing efforts. For full details about the specific cookies we use, their purposes, and how to manage or disable them, please see our Cookie Policy.

11. Information for API Developers

If you are a Developer integrating with the VistaLink API or MCP server, the following additional provisions apply:

• Your role as controller: When you transmit End User personal data to VistaLink through the API, you are the data controller for that data. You are responsible for ensuring that you have a lawful basis for collecting and transmitting End User data, that you have provided appropriate privacy notices to your End Users, and that you have obtained any necessary consents.
• Our role as processor: VistaLink processes End User data transmitted through the API solely to fulfil your API requests. We do not use End User data for our own independent purposes.
• Data Processing Agreements: Where the processing relationship requires it, VistaLink may require execution of a Data Processing Agreement (DPA) that sets out the parties' responsibilities regarding data protection, security measures, sub-processor management, and breach notification. Enterprise-tier Developers should contact [email protected] to request a DPA.
• Security and data minimisation: You must implement appropriate technical and organisational security measures to protect personal data and only transmit the minimum personal data necessary to fulfil each API request.
• Breach notification: You must promptly notify VistaLink of any data breach that may affect personal data processed through the API.

12. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us at [email protected]. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, products, or applicable laws. When we make material changes, we will:

• Post the updated policy on our website with a revised version number and effective date.
• Notify registered users by email where the changes are significant and may affect your rights or how we process your data.
• Where required by law, obtain your consent to any material changes in processing before they take effect.

We encourage you to review this policy periodically. Your continued use of our Services after the effective date of a revised policy constitutes your acceptance of the changes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

VistaLink Technologies Ltd
Email: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Website: ico.org.uk
Helpline: 0303 123 1113