Privacy Policy

Introduction

Guestrix AB is deeply committed to privacy and the protection of Personal Data that we handle. We value your personal integrity and actively work to safeguard it.

This Privacy Policy ("Policy") outlines how we collect, use, and protect your Personal Data, the legal basis for such Processing, and how you can exercise your rights related to our Processing of your Personal Data.

Guestrix AB, with registration number 559413-3489 ("Guestrix", "we", "us", "our"), is the Data Controller for the Personal Data described in this Policy.

This Policy describes only the processing where Guestrix acts as Controller.
When Guestrix processes personal data on behalf of customers (e.g., restaurants) using our analytics platform, Guestrix acts as Processor. That processing is governed by a separate Data Processing Agreement (DPA) and is not covered in this Policy.

This Policy applies when you interact with us, use our Services, or visit our website guestrix.app ("Functions").

Target Audience:

Users of our Services
Employees of potential customers

Definitions

The definitions provided here apply throughout this Policy:

"Applicable Law" refers to laws applicable to the Processing of Personal Data, including the GDPR and relevant national legislation, alongside guidelines issued by national or EU regulatory bodies.
"Controller" determines the purposes and means of Processing Personal Data.
"Data Subject" is the individual whose Personal Data is being processed.
"Personal Data" encompasses all information that can directly or indirectly identify a natural person.
"Processing" covers any operation performed on Personal Data, such as collection, storage, alteration, and dissemination.
"Processor" processes Personal Data on behalf of the Controller, following the Controller's instructions and Applicable Law.
"Services" include our platform designed for data analysis, monitoring, and collaboration.

Role of Guestrix as a Controller

This Policy focuses on the Personal Data for which Guestrix acts as the Controller, meaning we determine the purpose and methods of Processing. It does not cover our role as a Processor when handling data on behalf of our customers.

Examples of situations where Guestrix is Controller include:

creating and managing user accounts for customer organizations,
billing and customer communication,
monitoring service usage for security and performance,
marketing, website operation and analytics.

Processing of Personal Data

Our commitment is to clearly explain how we meet the obligations regarding your Personal Data Processing. This includes detailing the types of Personal Data we process, the reasons for processing, and our legal basis for doing so.

Duration of Personal Data Storage

We retain your Personal Data only as long as necessary for its intended purpose. The retention period may be determined by a contract, consent, legal requirements, or our legitimate interest assessment. We regularly delete or anonymize unnecessary Personal Data and strive to keep our records accurate and up-to-date.

Where Guestrix acts as a Processor on behalf of a customer, retention periods are defined by the customer and governed by the applicable Data Processing Agreement.

Collection and Usage of Personal Data

We collect Personal Data:

Directly from you
Through your employer
Via our logs and internally generated information

We primarily process the following Personal Data:

Contact details for identity verification, communication, and service improvement
Usage information to enhance service offerings
Payment details to facilitate various payment methods

When we act as Controller, we do not process detailed guest data (e.g., booking history, spend, visit data). Such information, when processed within the Guestrix platform, is handled strictly as Processor under instructions from the customer and is not part of Guestrix’s own Controller-based processing.

Lawful Basis for Processing

We process your Personal Data based on:

Consent: Processing based on your explicit consent.
Contract performance: Necessary Processing to fulfill a contract with you or to take steps at your request before entering into a contract.
Legal obligations: When required by law.
Legitimate interests: Where our legitimate interests justify the Processing, and these interests are not overridden by your rights.

Your Rights

You maintain control over your Personal Data and have rights including access, rectification, erasure, objection, restriction, and data portability. You can withdraw consent at any time for future Processing. To exercise these rights, please contact us at legal@guestrix.com.

When Guestrix acts as Processor (for example, when processing restaurant guest data), requests relating to access, rectification, deletion or objection must be directed to the customer who is the Controller. We support our customers in fulfilling such requests according to the Data Processing Agreement.

Data Sharing and Processors

We may share your Personal Data with selected third parties and Processors to facilitate our Services. Transfers outside the EU/EEA are conducted under adequate protections, such as adequacy decisions, standard contractual clauses, or other suitable safeguards.

When acting as Processor, we may engage sub-processors for hosting, storage, security and analytics infrastructure. We ensure that all sub-processors are bound by GDPR-compliant agreements and meet appropriate technical and organizational requirements.

Security Measures

Guestrix employs both organizational and technical measures to secure your Personal Data against unauthorized access, loss, and misuse. Typical security measures may include:

pseudonymization and masking of identifiers in the platform,
tenant-level data separation,
strict role-based access control,
audit logging of user access,
encryption in transit and at rest.

These measures apply both to Guestrix’s Controller-based processing and, where relevant, to Processor-based processing conducted on behalf of customers.

Feedback and Complaints

Should you feel we are not Processing your Personal Data correctly, you are entitled to lodge a complaint with the Swedish Authority for Privacy Protection at imy@imy.se or visit their website for more information.

Policy Changes

We reserve the right to modify this Policy and will notify you of significant changes, ensuring you have the opportunity to review the updated policy.