Hotelinking Privacy Policy for
WhatsApp Business Platform Services

Hotelinking SL
Tax ID: B57943185
Parc Bit, Carrer Isaac Newton, Edificio Disset – 3ª planta, D9
07120 Palma de Mallorca, Balearic Islands, Spain

Hotelinking SL (“Hotelinking”, “we”, “us”, or “our”) is a technology company providing enterprise communication solutions to the hospitality industry. We are a registered Meta WhatsApp Business Tech Provider, authorized to help hotels and hospitality businesses communicate with their guests through the WhatsApp Business Platform.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you interact with our WhatsApp Business Platform services. This policy applies to: (a) business clients (hotels and hospitality companies) using our platform, and (b) end-users (guests) receiving messages from businesses that use our services.

Compliance Framework: We operate in full compliance with the General Data Protection Regulation (GDPR), the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), Meta’s Platform Terms, WhatsApp Business Policy, and WhatsApp Business Messaging Policy.

As a WhatsApp Business Tech Provider, Hotelinking operates in dual capacities:

• Data Controller: For information we collect directly about our business clients and their platform usage.
• Data Processor: When processing end-user (guest) data on behalf of our business clients. Each hotel or hospitality business remains the Data Controller for their guest communications.

Data Controller Contact:
Company: Hotelinking SL
Tax ID: B57943185
Address: Parc Bit, Carrer Isaac Newton, Edificio Disset – 3ª planta, D9, 07120 Palma de Mallorca, Spain
Privacy Email: privacy@hotelinking.com
Data Protection Officer: dpo@hotelinking.com

3.1 Information from Business Clients

When hotels and hospitality businesses register for and use our WhatsApp Business Platform services, we collect:

• Business registration information (company name, legal entity details, business address)
• Contact details for authorized representatives
• WhatsApp Business Account (WABA) identifiers and configuration settings
• Meta Business Portfolio information required for WhatsApp integration
• Message templates submitted for approval
• Platform user credentials and access logs

3.2 Information from End-Users (Guests)

When guests communicate with hotels through our platform, the following information may be processed:

• Phone number (required to establish WhatsApp communication)
• WhatsApp display name and profile photo (as set by the user)
• Text message content exchanged with the business
• Message metadata (timestamps, delivery and read status)
• Conversation history with the specific business

3.3 Media and Document Handling

Important: When guests share media files (images, videos, audio) or documents within conversations, the following applies:

• Media and documents are processed solely to facilitate the conversation between the guest and the business
• Files are stored only for the duration necessary to support the messaging relationship and service delivery
• We do not analyze, scan, or process media content for any purpose other than message delivery and storage
• Media files are subject to the same retention periods as text messages (see Section 9)
• Guests should avoid sharing sensitive personal documents directly in chat; businesses may provide secure upload links for such documents

3.4 Technical Information

We automatically collect certain technical information for platform operation:

• API request logs and webhook delivery records
• IP addresses of business platform users (not end-users)
• Device and browser information for web dashboard access
• System performance and error logs

In compliance with WhatsApp Business Policy, we explicitly DO NOT:

• Request or collect full payment card numbers, CVV codes, or complete financial account numbers via WhatsApp messages
• Request or collect government-issued ID numbers (passport numbers, national ID numbers, social security numbers) via WhatsApp messages
• Request or collect login credentials, passwords, or PINs via WhatsApp messages
• Request or collect biometric data via WhatsApp messages
• Access or read the content of end-to-end encrypted messages during transmission (this is technically impossible due to WhatsApp’s encryption)
• Share information from one customer’s conversation with any other customer
• Use message data to build advertising profiles or target advertising
• Sell, rent, or trade personal data to third parties for marketing purposes
• Use conversation data to train machine learning models without explicit consent

Our business clients are contractually prohibited from requesting sensitive identifiers listed above through our platform. Any such requests would violate our Terms of Service and WhatsApp’s policies.

5.1 Primary Service Purposes

We use collected information exclusively for:

• Facilitating WhatsApp messaging between businesses and their guests
• Managing WhatsApp Business Accounts on behalf of our clients
• Processing, delivering, and storing message templates
• Providing customer support and technical assistance
• Enabling automation features (chatbots, automated responses, AI assistants)
• Maintaining conversation history for service continuity

5.2 Platform Operations

• Ensuring platform security, preventing fraud and abuse
• Monitoring system performance and reliability
• Generating aggregated, anonymized analytics for service improvement
• Troubleshooting technical issues

5.3 Compliance

• Complying with Meta’s Platform Terms and WhatsApp Business Policy
• Meeting legal and regulatory requirements
• Responding to lawful requests from authorities
• Enforcing our terms of service

We process personal data under the following legal bases:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide our services to business clients and facilitate guest communications.
• Legitimate Interests (Article 6(1)(f)): Processing for platform security, fraud prevention, and service improvement, balanced against individual rights.
• Consent (Article 6(1)(a)): Where end-users have explicitly opted in to receive communications from businesses.
• Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws and regulations.

Strict Opt-In Policy: In compliance with WhatsApp Business Policy, we enforce the following requirements:

• Business clients must obtain explicit, informed consent from end-users before initiating any WhatsApp communication
• Consent must be collected through legitimate channels (website forms, booking confirmations, in-person requests)
• The purpose of communication must be clearly stated at the time of consent collection
• We do not permit unsolicited messaging or spam
• Business clients must maintain records of consent obtained

End-User Controls: End-users can at any time:

• Block any business on WhatsApp directly through the app
• Request the business to stop all communications
• Report spam or inappropriate messages through WhatsApp’s reporting feature
• Contact us directly to request removal from all communications

8.1 Sharing with Meta

As a WhatsApp Business Tech Provider, we share certain information with Meta Platforms, Inc. as required to operate on the WhatsApp Business Platform. This includes: business account identifiers, phone number registration data, message delivery metadata (timestamps, delivery status), and aggregated usage statistics. Important: Message content is protected by end-to-end encryption using the Signal Protocol. Neither Hotelinking nor Meta can read the content of encrypted messages during transmission.

8.2 Sharing with Business Clients

We provide end-user conversation data exclusively to the specific business (hotel) with which the end-user is communicating. We never share one business’s customer data with another business. Each business client is independently responsible for their privacy practices regarding guest data.

8.3 Third-Party Service Providers

We engage trusted service providers who assist in operating our platform:

• Cloud infrastructure providers (servers located within the EU/EEA)
• Security monitoring and threat detection services
• Customer support and ticketing systems

All third-party providers are bound by Data Processing Agreements (DPAs) that require them to process data only according to our instructions and maintain appropriate security measures.

8.4 Legal Requirements

We may disclose information when required by law, valid court order, or governmental authority, or when necessary to protect our legal rights, safety, or property, or to prevent fraud or abuse of our services.

We retain personal data only for as long as necessary for the purposes described:

• Business client account data: Duration of the service agreement plus 5 years for legal and tax compliance.
• Message content and conversation history: According to each business client’s configuration, typically between 90 days and 2 years. Businesses can request shorter retention periods.
• Media files (images, videos, documents): Same retention period as associated message content.
• Technical and security logs: Up to 12 months for security monitoring and troubleshooting.
• Aggregated analytics: May be retained indefinitely in fully anonymized form.
• Meta’s retention: WhatsApp/Meta retains undelivered messages for up to 30 days for delivery attempts, after which they are deleted from Meta’s servers.

Our primary data processing and storage occurs within the European Economic Area (EEA). When data is transferred outside the EEA (such as to Meta’s servers in the United States for WhatsApp functionality), we ensure appropriate safeguards are in place:

• EU-U.S. Data Privacy Framework certifications
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable
• Transfer Impact Assessments for high-risk transfers

We implement comprehensive technical and organizational security measures:

• Encryption in Transit: All WhatsApp messages are protected by end-to-end encryption using the Signal Protocol. Platform communications use TLS 1.2 or higher.
• Encryption at Rest: Stored data is encrypted using AES-256 encryption.
• Access Controls: Role-based access control, multi-factor authentication, and principle of least privilege.
• Infrastructure Security: Firewalls, intrusion detection systems, DDoS protection, and regular vulnerability scanning.
• Security Monitoring: 24/7 monitoring for suspicious activities and potential security incidents.
• Regular Audits: Periodic security assessments and penetration testing.
• Employee Training: All staff receive regular data protection and security awareness training.
• Incident Response: Documented procedures for detecting, reporting, and responding to data breaches.

Under the GDPR and Spanish data protection law, individuals have the following rights:

• Right of Access (Article 15): Request a copy of your personal data we hold.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Article 17): Request deletion of your data (“right to be forgotten”).
• Right to Restriction (Article 18): Request limitation of processing in certain circumstances.
• Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent (Article 7): Withdraw consent at any time where processing is based on consent.

How to Exercise Your Rights:

• Business clients: Contact us directly at privacy@hotelinking.com.
• End-users (guests): Contact the hotel or business you communicated with directly, as they are the Data Controller for your conversation data. You may also contact us to facilitate your request.

We respond to all valid requests within 30 days. In complex cases, we may extend this period by an additional 60 days with notification.

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. In accordance with WhatsApp’s Terms of Service, users must be at least 16 years old (or the minimum age in their country) to use WhatsApp. If we become aware that we have collected data from a child under the applicable age without appropriate parental consent, we will take immediate steps to delete that information.

Our web-based business dashboard may use cookies and similar technologies:

• Essential cookies: Required for authentication, security, and platform functionality. Cannot be disabled.
• Analytics cookies: Help us understand platform usage to improve our services. Can be disabled.
• Preference cookies: Remember user settings and preferences. Can be disabled.

Business users can manage cookie preferences through their browser settings or our cookie consent banner.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or Meta’s platform policies. When we make material changes, we will: (a) update the “Last Updated” date at the top of this policy, (b) notify business clients via email or platform notification, and (c) where required by law, obtain consent for material changes. We encourage you to review this policy periodically.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Spain:

Agencia Española de Protección de Datos (AEPD)
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 901 100 099
Email: ciudadano@aepd.es

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Hotelinking SL

Address: Parc Bit, Carrer Isaac Newton, Edificio Disset – 3ª planta, D9, 07120 Palma de Mallorca, Balearic Islands, Spain
Privacy Inquiries: privacy@hotelinking.com
Data Protection Officer: dpo@hotelinking.com
General Inquiries: info@hotelinking.com

© 2026 Hotelinking SL. All rights reserved.
This Privacy Policy is provided in compliance with Meta Platform Terms and WhatsApp Business Policy.