Skip to content
Guest It
Home
Solutions
HACCP & Compliance Guest Ordering Box Operations Event Auditing Staffing Team Surveys & AI Insights
Contact
Log In

Privacy Policy

The important stuff. This policy explains what we collect, why we collect it, and your rights.

Last updated: 25 March 2026
On this page
Introduction Data we collect How we use your data Legal basis Storage & security Retention Sharing & sub-processors AI & automated processing International transfers Your rights Cookies Children's privacy Changes Contact

Introduction #

Guest It ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use and store information when you use our platform, including Guest It web portals, manager and staff systems, QR-code interfaces, and related services.

For the purposes of UK data protection law (including the UK GDPR), we act as a Data Controller for the data we process to operate the service. In many cases we also process data on behalf of venues (our customers). Where a venue controls the purpose and means of processing, it may act as Data Controller and we act as Data Processor.

Contact: hello@guestit.co.uk
Address: Guest It LTD, Unit 26g-26m Springfield Mill, Bagley Lane, Farsley, West Yorkshire, United Kingdom, LS28 5LY

Data we collect #

We collect information necessary to operate our platform and provide the services you request. This may include:

  • Account and login data: names, usernames, access codes, roles, and authentication data linked to a venue or event.
  • Contact information: email address, telephone number, and other details used for account setup, communications, alerts, or support.
  • Operational data: information entered into checklists, audits, dockets, orders, forms, and logs created through our system (typically on behalf of venues).
  • Usage and technical data: device type, IP address, browser details, diagnostic logs and activity data used for security and performance.
  • Uploaded media: photos and digital signatures where you choose to upload them (for example, audits, dockets, evidence, or forms).
  • Staff and workforce data: where you use our staffing features, we may collect date of birth, nationality, right-to-work status, bank details (account number, sort code, bank name) for payment purposes, and location data (GPS coordinates) recorded at shift clock-in and clock-out.
  • Guest interaction data: where guests use QR-code chatbots, we may collect name, email address, and phone number as provided by the guest, along with feedback, survey responses, and marketing preferences.

How we use your data #

We use your data to:

  • Provide, operate and maintain the Guest It platform.
  • Authenticate users and manage secure access for staff, managers and authorised users.
  • Record operational data (for example, checklists, audits, orders and reports) and make it available to the venue.
  • Send service messages such as confirmations, alerts and operational notifications via email or SMS (where enabled).
  • Generate AI-powered analytics, summaries and insights from operational data to help venues improve their operations (see AI & automated processing).
  • Process guest interactions through AI-powered chatbots to provide information and collect feedback.
  • Record staff shift attendance, including GPS location at clock-in and clock-out, for workforce management purposes.
  • Deliver push notifications through mobile applications (where enabled by the user).
  • Monitor and improve reliability, usability and security.
  • Comply with legal obligations and protect the integrity of our systems.

We do not sell personal data or share it with advertisers.

We process personal data under one or more lawful bases under UK GDPR:

  • Contract: where processing is necessary to provide the services to a venue or user.
  • Legitimate interests: to operate the service securely, prevent misuse, and improve performance.
  • Consent: where you choose to submit data (for example, surveys or guest submissions), and consent is the appropriate basis.
  • Legal obligation: where we must retain or provide information to comply with law.

Storage & security #

We use appropriate technical and organisational measures designed to protect personal data against loss, misuse, and unauthorised access. This includes access controls, encryption in transit where applicable, and security monitoring.

Files such as images or signatures may be stored in secure cloud storage (for example, AWS S3) and linked to the relevant record.

Retention #

We keep personal data only for as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods include:

  • Account data: retained for the duration of the venue's contract with us, plus 12 months after termination.
  • Operational data (checklists, audits, orders, logs): retained for the duration of the venue contract plus any period required for compliance or record-keeping (typically up to 24 months).
  • Guest interaction data (chatbot submissions, feedback): retained for up to 12 months after the event, unless the venue requires longer retention for compliance.
  • Staff workforce data: retained for the duration of the staffing relationship plus the period required by employment and tax law (typically up to 6 years for financial records).
  • Technical and usage logs: retained for up to 12 months for security and diagnostic purposes.

Operational data may also be retained at the request of the venue for record-keeping and regulatory compliance. When data is no longer needed, it is securely deleted or anonymised.

Sharing & sub-processors #

We may share limited personal data:

  • With the venue or organisation that manages your account (for example, managers viewing operational logs).
  • With trusted sub-processors who help us deliver the service, under contractual confidentiality and security obligations.
  • If required by law, regulation, or to respond to lawful requests.

Sub-processors

We use the following third-party service providers to operate the platform:

  • Amazon Web Services (AWS) — cloud hosting, data storage (S3), email delivery (SES), content delivery (CloudFront). Data processed in EU (Ireland) region.
  • OpenAI — AI-powered analytics, summaries and operational insights. Operational data may be sent to OpenAI's API for processing. See AI & automated processing.
  • Twilio — SMS messaging for operational alerts and notifications. Phone numbers and message content are processed by Twilio.
  • Google Cloud (Dialogflow) — natural language processing for guest-facing chatbots. Guest messages are processed by Google Cloud services.
  • Expo — push notification delivery for mobile applications. Device push tokens are processed by Expo's notification service.
  • Redis (AWS ElastiCache) — session management and real-time data caching.

We maintain contracts with all sub-processors that include appropriate data protection obligations. If you are a venue customer and require a full sub-processor list for your records, please contact us at hello@guestit.co.uk.

AI & automated processing #

We use artificial intelligence to help venues improve their operations. This includes generating summaries, analytics, and insights from operational data such as guest feedback, sales figures, kitchen operations, and staffing performance.

AI processing is carried out using OpenAI's API. When we send data to OpenAI for analysis:

  • We send only the operational data necessary for the specific analysis (for example, aggregated feedback comments or sales totals).
  • We do not send data for the purpose of training AI models. Our API usage agreement with OpenAI specifies that data sent via the API is not used for model training.
  • Results are returned to the platform and made available to authorised venue users.

We also use Google Cloud's Dialogflow service to power guest-facing chatbots. Guest messages are processed by Google Cloud to understand intent and provide relevant responses. No guest data is retained by Google beyond what is needed to process the request.

The legal basis for AI processing is legitimate interests — specifically, our interest in providing valuable operational insights to venues as part of the service. No solely automated decisions with legal or similarly significant effects are made about individuals.

International transfers #

Your data is primarily stored in the UK and EU (AWS Ireland region). However, some of our sub-processors are based in the United States, which means personal data may be transferred outside the UK.

The following services involve transfers to the United States:

  • OpenAI — AI analytics processing
  • Twilio — SMS messaging
  • Google Cloud — chatbot natural language processing
  • Expo — mobile push notifications

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. These may include the UK International Data Transfer Agreement (UK IDTA), Standard Contractual Clauses (SCCs) approved by the ICO, or reliance on the service provider's participation in recognised data protection frameworks.

If you require further details about the safeguards in place for any specific transfer, please contact us at hello@guestit.co.uk.

Your rights #

Under UK GDPR, you may have the right to:

  • Access your personal data.
  • Request correction of inaccurate data.
  • Request deletion (where applicable).
  • Object to processing based on legitimate interests.
  • Withdraw consent where processing is based on consent.
  • Request data portability (where applicable).

To exercise any of these rights, email hello@guestit.co.uk. We will respond within one month in accordance with UK GDPR. We may need to verify your identity before responding.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: ico.org.uk/make-a-complaint.

Cookies #

We use cookies that are necessary for the website and platform to function (for example, authentication and session management). We do not use advertising cookies that track personal behaviour across third-party websites.

Children's privacy #

Guest It is designed for venue staff, managers and authorised users. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take steps to delete it.

Changes to this policy #

We may update this Privacy Policy from time to time. Updates will be posted on this page and the "Last updated" date will change accordingly.

Contact #

If you have questions about this policy or your data, contact us:

  • Email: hello@guestit.co.uk
  • Address: Guest It LTD, Unit 26g-26m Springfield Mill, Bagley Lane, Farsley, West Yorkshire, United Kingdom, LS28 5LY
Plain-English promise
If you have a question about privacy, just email us and we'll explain it clearly — no legal runaround.
Back to top