Privacy Policy

Effective date: April 19, 2026 Last updated: April 19, 2026

Kinora ("Kinora," "we," "us," or "our") operates the website at kinorahq.com and provides a software-as-a-service platform that enables independent and boutique hotels ("Hotels") to create branded guest-facing pages, including an AI-powered concierge feature called Clef. This Privacy Policy explains what information we collect, how we use it, and the choices available to you.

This Privacy Policy applies to:

• Hotels and their authorized users who subscribe to Kinora
• Guests of subscribing Hotels who interact with a Kinora-hosted page or with Clef
• Visitors to kinorahq.com

Jurisdictional note. Kinora is currently offered to Hotels located outside the State of California and the European Union / United Kingdom. If you are a California, EU, or UK resident or a business located in those jurisdictions, Kinora is not currently available to you, and we ask that you do not submit personal information through our service. We will expand availability to those jurisdictions in the future with additional privacy notices specific to them.

1. Information we collect

1.1 Information Hotels provide to us

When a Hotel subscribes to Kinora, we collect:

• Hotel name, location, website URL, and contact email
• Name and email of the Hotel's authorized user(s)
• Payment information (processed by Stripe — we do not store full payment card numbers)
• Content the Hotel adds to its Kinora page: links, images, taglines, and configuration
• Hotel website content automatically retrieved by our crawler approximately every 24 hours
• Hotel-configured preferences for Clef (tone, forwarding email, etc.)

1.2 Information we collect from Guests who use a Kinora page

When a guest visits a Hotel's Kinora page or interacts with Clef, we may collect:

• IP address, browser type, device type, and general location (country/region)
• Pages viewed, links clicked, and time spent
• UTM parameters and referral source
• If the guest chats with Clef: the conversation content
• If the guest asks Clef to forward a request to the Hotel: name and one contact method (email or phone number) that the guest voluntarily provides

Clef is instructed not to collect, and we do not knowingly store: payment card details, passport or government ID numbers, health or medical information, date of birth, or Social Security numbers. If a guest volunteers any of these, Clef is instructed not to acknowledge or repeat them and we will remove such content from logs upon discovery or request.

1.3 Information we collect automatically from website visitors

When you visit kinorahq.com, we automatically collect standard server logs (IP address, user agent, referring URL, pages accessed) and analytics data via standard cookies.

2. How we use information

We use the information we collect to:

(a) Provide, maintain, and improve the Kinora service, including generating Clef responses using the content of the Hotel's website (b) Process payments and manage subscriptions (c) Send service-related communications (account notifications, service updates, security alerts) (d) Forward guest requests from Clef conversations to the relevant Hotel (e) Monitor, analyze, and troubleshoot the service, including reviewing flagged Clef conversations to improve guardrails (f) Comply with legal obligations and enforce our Terms of Service (g) Prevent fraud, abuse, and security incidents

We do not use guest personal data or Hotel content to train AI models, sell to data brokers, or send marketing messages to guests.

3. How information is shared

3.1 Service providers (sub-processors)

We share information with trusted third-party service providers who process data on our behalf under contractual confidentiality obligations. Our current sub-processors are:

| Provider | Purpose | Data processed | |---|---|---| | Anthropic, PBC | AI inference for Clef | Conversation content + crawled website content | | Supabase Inc. | Database hosting | All stored data | | Vercel Inc. | Web hosting and cron | Server logs, request data | | Stripe Inc. | Payment processing | Hotel billing information | | Resend Inc. | Email delivery | Email addresses for magic links and notifications | | Google LLC | Places API (Google reviews) | Hotel identifier, retrieved reviews | | Cloudflare Inc. | CDN / edge hosting for landing page | Visitor IP, request metadata |

This list may be updated as our infrastructure evolves. Current list is always available at kinorahq.com/subprocessors.

3.2 Between Hotel and Kinora

The Hotel has access to guest conversation logs, analytics, and any contact details a guest voluntarily shared through Clef. Hotels are responsible for handling this data in accordance with their own privacy practices and applicable law.

3.3 Legal requirements

We may disclose information if required by law, court order, or valid legal process, or to protect the rights, property, or safety of Kinora, our users, or others.

3.4 Business transfers

If Kinora is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. We will provide notice before any such transfer.

We do not sell personal information to third parties.

4. Your choices and rights

4.1 Hotels

Hotels can update account information, modify their Kinora page, change Clef configuration, and request deletion of their account at any time via the dashboard or by emailing hello@kinorahq.com.

4.2 Guests

Guests who have interacted with a Hotel's Kinora page or Clef can:

• Request a copy of their conversation history
• Request correction of inaccurate data
• Request deletion of their data

To exercise any of these rights, contact the Hotel directly or email hello@kinorahq.com with the request, the Hotel name, and your email address or name as it appeared in the conversation. We will respond within 30 days.

4.3 Do Not Track

Kinora does not respond to Do Not Track signals, as there is no common industry standard for how to interpret them.

5. Data retention

• Hotel account data: retained while the account is active, plus 12 months after cancellation for billing records
• Guest conversation logs: retained for 24 months from the date of the last message, after which they are automatically deleted
• Analytics events: retained for 24 months
• Server logs: retained for 90 days

Hotels or guests may request earlier deletion at any time (see Section 4).

6. Security

We implement industry-standard security measures to protect information, including encryption of data in transit (TLS), encryption at rest for sensitive fields, access controls, and regular security reviews of our sub-processors. No system is perfectly secure, however, and we cannot guarantee absolute security. If we become aware of a security incident affecting your data, we will notify you in accordance with applicable law.

7. Cookies and similar technologies

Kinora uses cookies and similar technologies on kinorahq.com and on Hotel Kinora pages for:

• Authentication (to keep you signed in)
• Session management
• Basic analytics (which pages are viewed)
• If the Hotel has enabled them: Meta Pixel, Google Analytics, or TikTok Pixel (UTM tracking)

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the service.

8. Children's privacy

Kinora is not directed to children under 16. We do not knowingly collect personal information from children under 16. Clef is instructed to refuse substantive engagement with anyone who identifies as under 16 and to route them to ask a parent or guardian. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe a child has provided information to us, contact hello@kinorahq.com.

9. International data transfers

Kinora is currently operated from the United States and data is primarily processed in the United States. Because Kinora is currently offered only to Hotels located outside California, the EU, and the UK, we do not currently rely on Standard Contractual Clauses or equivalent transfer mechanisms. If you access Kinora from a jurisdiction with different data protection laws, by using the service you consent to the transfer and processing of information in the United States.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. For material changes, we will notify active Hotels by email. Continued use of the service after a change constitutes acceptance of the revised Privacy Policy.

11. Contact

Questions about this Privacy Policy or your data:

Kinora Email: hello@kinorahq.com Support: hello@kinorahq.com Website: kinorahq.com

This Privacy Policy is written for clarity and reflects our actual practices. It is not a substitute for legal advice. We recommend reviewing this policy periodically and reaching out with questions.