This Data Processing Agreement ("DPA") forms part of the Terms of Service between the hotel client ("Controller", "you") and Specter Automations ("Processor", "Specter", "we") and governs the processing of personal data in connection with the Specter AI platform.
This DPA is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Roles and Responsibilities
You (the Hotel) are the Data Controller. You determine why and how personal data is collected from your guests and staff.
Specter is the Data Processor. We process personal data on your behalf, solely to deliver the Service as described in our Terms.
Specter will only process personal data on your documented instructions (i.e., to deliver the Service as described in the Terms of Service). We will not process personal data for any other purpose, including marketing, profiling, or selling data to third parties.
2. Personal Data Processed
| Data Category | Data Elements | Data Subjects |
|---|---|---|
| Guest information | Name, room number, phone number, check-in/out dates | Hotel guests |
| Message content | WhatsApp message text, timestamps, media attachments | Guests and staff |
| Staff information | Name, role, department, phone number, email | Hotel staff |
| Classification data | AI-assigned department, category, urgency, sentiment | Derived from messages |
| Dashboard users | Email, name, role, login timestamps | Hotel managers and HODs |
We do not collect or process special category data (health, religion, ethnicity, etc.) intentionally. If guests include such information in messages, it is processed only for classification and routing purposes and not used for any other purpose.
3. Sub-Processors
We use the following sub-processors to deliver the Service. By entering into this DPA, you authorise our use of these sub-processors:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI message classification and response generation | Message content (text only, no phone numbers or names sent unless in message body) | United States |
| Twilio | WhatsApp message sending and receiving | Phone numbers, message content | United States (with EU data processing) |
| Supabase | Database hosting and authentication | All data listed in Section 2 | EU (Frankfurt region) |
| Stripe | Payment processing | Hotel billing email, payment card details (processed by Stripe directly) | United States (PCI DSS compliant) |
| Cloudflare | Website hosting and CDN | IP addresses, page requests (no personal data stored) | Global CDN |
International Transfers
Where personal data is transferred to sub-processors outside the UK/EU (Anthropic, Twilio, Stripe), transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as maintained by each sub-processor. Anthropic's data processing terms explicitly state that API inputs are not used to train their models.
We will notify you before adding or replacing any sub-processor, giving you the opportunity to object.
4. Data Retention
| Data Type | Active Retention | Archive Period | Deletion |
|---|---|---|---|
| Messages | 90 days | Duration of subscription | 30 days after subscription ends |
| Guest records | 90 days after checkout | Duration of subscription | 30 days after subscription ends |
| Daily briefs | 14 days (dashboard view) | Duration of subscription | 30 days after subscription ends |
| Staff records | Duration of subscription | N/A | 30 days after subscription ends |
| Dashboard user accounts | Duration of subscription | N/A | 30 days after subscription ends |
"Active retention" means the data is available in dashboards and operational systems. "Archive" means the data is stored but not displayed in active views. After the deletion period, data is permanently removed from all systems including backups.
5. Data Subject Rights
As Data Controller, you are responsible for handling data subject requests from your guests and staff. We will assist you in fulfilling these requests.
You may request the following at any time by emailing hello@specterai.co.uk:
- Data export: A full export of all personal data we hold for your hotel, in CSV or JSON format. Provided within 14 days.
- Data deletion: Deletion of specific guest records, messages, or all data for your hotel. Completed within 30 days.
- Data rectification: Correction of inaccurate personal data in our systems.
- Processing restriction: Temporary suspension of data processing for specific data subjects while a query is resolved.
If we receive a data subject request directly from one of your guests or staff, we will redirect them to you and notify you promptly.
6. Security Measures
We implement the following technical and organisational measures to protect personal data:
Technical Measures
- Encryption in transit: All data transmitted between systems uses TLS 1.2 or higher (HTTPS).
- Encryption at rest: Database storage is encrypted using AES-256 via Supabase's managed encryption.
- Access controls: Database access requires authenticated service role keys. No service role keys are exposed in client-facing code.
- Row-level security: Database policies ensure hotel data is isolated — one hotel cannot access another hotel's data.
- API authentication: All Edge Function endpoints require valid authentication tokens.
- Webhook signature verification: Stripe and Twilio webhooks are verified using HMAC signatures to prevent spoofing.
Organisational Measures
- Access to production data is limited to authorised Specter team members on a need-to-know basis.
- All Specter team members with data access have signed confidentiality agreements.
- We maintain audit logs of data access and modifications.
- We conduct regular reviews of access permissions and security configurations.
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify you without undue delay and no later than 72 hours after becoming aware of the breach.
- Provide details of the breach including: the nature and scope of the breach, categories of data affected, approximate number of data subjects affected, likely consequences, and measures taken to address and mitigate the breach.
- Cooperate fully with your investigation and any notification obligations you have to the Information Commissioner's Office (ICO) or affected data subjects.
- Take immediate steps to contain and remediate the breach.
8. Audit Rights
You have the right to audit our compliance with this DPA. Audits may be conducted:
- By written request with 30 days' notice
- No more than once per 12-month period (unless a breach has occurred)
- During normal business hours
- At your cost, unless the audit reveals a material breach by Specter
We will provide reasonable access to relevant documentation, systems information, and personnel to support the audit.
9. Term and Termination
This DPA remains in effect for the duration of your subscription to the Service. On termination:
- We will cease processing personal data except as needed for data export or deletion.
- We will delete all personal data within the timeframes specified in Section 4.
- We will provide written confirmation of deletion on request.
10. Governing Law
This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the English courts. Where there is any conflict between this DPA and the Terms of Service, this DPA takes precedence in relation to data protection matters.
For data protection queries, contact us at hello@specterai.co.uk.