Privacy Policy
Effective Date: May 2026 · Updated: 17 May 2026
1. Introduction
This Privacy Policy explains how Hostli Ltd. ("Hostli") processes personal data. It covers our marketing website (www.hostli.ai) and our application (app.hostli.ai). On the marketing website we are the Data Controller. In the application we act as a Data Processor on behalf of our client hotels, who are the Controllers for their guest data. This Policy complies with the Israeli Protection of Privacy Law (PPL) 5741-1981 and its Amendment 13, the Privacy Protection Regulations (Instructions for Data Transferred to Israel from the EEA) 2023, and the EU General Data Protection Regulation (GDPR) where applicable. The detailed obligations we accept toward our hotel customers as a processor — including security measures, sub-processor list, retention timelines, and international transfer mechanisms — are set out in our Data Processing Agreement at /en/legal/dpa.
2. Our Role: Controller or Processor
Marketing website (www.hostli.ai): Hostli is the Data Controller for data collected directly from website visitors and prospects (contact form submissions, demo requests, analytics events). Hostli application (app.hostli.ai): each hotel is the Data Controller for guest data uploaded to or generated within the platform. Hostli is the Data Processor. The hotel is responsible for ensuring it has the legal right and necessary consent to collect that guest data and share it with Hostli. Hostli processes such data only on the hotel's documented instructions, as set out in our Data Processing Agreement at /en/legal/dpa.
3. What We Collect
From marketing website visitors: contact information you provide (name, work email, phone, hotel name) and technical metadata (IP address, browser/device, pages viewed) collected with your consent where required. From hotel guests, processed on behalf of the hotel: contact information uploaded by the hotel (name, email, phone), public Facebook/Instagram comments on the hotel's posts, and public reviews of the hotel that we aggregate to support analytics and AI features. From hotel staff: account information (name, work email, phone for authentication), and login and audit events. A complete description of categories, purposes, and processing operations for guest data is in Annex 1 of our DPA at /en/legal/dpa.
4. Who We Share Data With
We share data with third parties only as necessary to deliver the service. These recipients fall into the following categories: advertising and messaging platforms (e.g., Meta, Google), cloud hosting and infrastructure, managed database and object storage, AI model providers, and transactional communication providers. Our detailed, current list of sub-processors — including each vendor, the data they receive, and the legal mechanism for any international transfer — is provided to our hotel customers as part of their service agreement, and active customers receive 30 days’ advance notice of changes. Joint controllership with Meta: when the hotel uses Hostli's audience-sync feature, hashed email addresses are transmitted to Meta to create a Custom Audience. For that specific transmission, Hostli and Meta act as joint controllers under GDPR Article 26, as established by Fashion ID (CJEU C-40/17) and Wirtschaftsakademie (CJEU C-210/16). Meta's subsequent use of the audience for ad delivery is governed by Meta's own Data Policy and the Meta Business Tools Terms. The hotel, as the upstream Controller, is responsible for ensuring guests have been informed of this joint processing in the hotel's own guest-facing privacy notices.
5. How Long We Keep Data
We retain personal data only as long as necessary to deliver the service, comply with legal obligations, or as instructed by the hotel customer. Specific retention timelines for categories of data processed on behalf of hotels are set out in Annex 1 of our DPA at /en/legal/dpa. Marketing leads are retained for the duration of the commercial relationship plus a reasonable archival period not exceeding two years. Hotel guests may request deletion of their personal data ("Right to be Forgotten") by contacting [email protected] or by directing the request to the hotel (Controller).
6. Your Rights
Under the Israeli PPL, the GDPR where applicable, and other relevant laws, you have the right to: access the personal data we hold about you, rectify inaccurate or incomplete information, erase your personal data where retention is no longer required, restrict processing in certain circumstances, port your data to another service in a machine-readable format, object to processing for direct marketing purposes, and withdraw consent at any time where processing is based on consent. For guest data held by Hostli on behalf of a hotel, please direct your request to the hotel (the Controller). Alternatively, you may contact us at [email protected] and we will forward the request to the relevant hotel without unreasonable delay. For data we hold as Controller (marketing leads, website visitors, hotel staff accounts), please contact [email protected]. We will respond within 30 days (Israeli PPL) or one month (GDPR Art. 12), extendable by a further two months for complex requests. We maintain technical and organisational measures appropriate to the risk of processing; the specific measures we apply when processing data on behalf of hotels are set out in Annex 2 of our DPA at /en/legal/dpa.
8. Law Enforcement & Government Requests
Hostli may disclose personal data to law enforcement or government authorities only when legally required. We review every request to verify it is legally valid, properly scoped, and issued by a competent authority before any data is disclosed. We will challenge or reject requests we believe to be overbroad, vague, or otherwise unlawful. We disclose only the minimum data necessary to comply with the specific legal obligation and do not provide bulk or unrestricted access to user data. We maintain records of all government data requests, our responses, the legal basis relied upon, and the parties involved. We will notify affected users of a data request unless prohibited by law or court order from doing so.
9. International Data Transfers
Hostli is headquartered in Israel and processes data primarily within Israel and the European Union. Some processing takes place in the United States via our sub-processors. Israel benefits from a European Commission adequacy decision, so transfers from the EEA to Hostli in Israel require no additional mechanism. Where we or our sub-processors transfer EEA personal data to the United States or other third countries, we rely on appropriate safeguards (EU Standard Contractual Clauses, EU-US Data Privacy Framework where applicable, and supplementary technical measures). The specific transfer mechanism for each sub-processor is provided to our hotel customers as part of their service agreement.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. The current version is always available at https://www.hostli.ai/privacy. Material changes will be communicated to active customers via email or in-app notification at least 30 days before they take effect.
11. Contact
For privacy inquiries, to exercise your rights, or to submit a data subject request, contact us at [email protected]. For security incidents or suspected vulnerabilities: [email protected]. Data subjects who are not satisfied with our response may contact the Israeli Privacy Protection Authority (Reshut HaGanah Al HaPrivatsiut) or, for EEA residents, their local data protection supervisory authority.