Privacy Policy
Effective date: 21 April 2026
This Privacy Policy explains how KiBand SAS (“KiBand”, “we”) collects and handles personal data when hotel properties (“Customers”) and their guests (“End Users”) use the KiBand service.
1. Roles
KiBand acts as a data processor on behalf of each Customer for guest data (names, stay information, consumption). Each Customer remains the data controller of its guest data. KiBand is the data controller for staff account data (email, role, authentication logs) and service telemetry.
2. Data collected
2.1 Guest data (processed for Customers)
- Identity: first name, last name, stay dates, room type.
- Stay metadata: reservation number, meal plan, guest type.
- Wristband identifier (NFC UID), wallet balance, coupons, consumption transactions.
- Optionally imported from the Customer's PMS or POS (eZee, ipos247, or equivalent) under the Customer's instruction.
2.2 Staff data
- Email, full name, role, organization membership.
- Authentication events and access logs.
2.3 Technical data
- IP address, user agent, request timestamps.
- We do not set advertising cookies. We use strictly necessary session cookies for authentication (Clerk).
3. Purposes
- Operate the wallet (debit, coupons, meal consumption).
- Authenticate staff and enforce role-based access.
- Generate closing reports and audit trails for the Customer.
- Secure the service (fraud and abuse detection).
- Fulfill our contractual obligations and comply with the law.
We do not sell personal data and we do not use guest data to train machine-learning models.
4. Legal basis
- Contract performance (KiBand ↔ Customer).
- Legitimate interest (service security and integrity).
- Legal obligation (accounting, fraud prevention).
- Consent, where required by law (e.g. optional communications).
5. Retention
- Active guest data: retained for the duration of the stay plus 24 months, then anonymized or deleted, unless a longer period is required by law or explicitly requested by the Customer.
- Staff accounts: retained for as long as the account is active, plus 12 months after deactivation.
- Audit logs and transactional records: retained for 10 years for accounting and fraud prevention.
6. Sharing and sub-processors
We rely on the sub-processors listed on our Legal page. All sub-processors are bound by data processing agreements with appropriate safeguards.
Guest data imported from a Customer's PMS or POS remains within the Customer's responsibility for the portion handled by those external systems. KiBand does not transfer guest data to third parties other than the sub-processors above.
7. International transfers
Guest and staff data is stored in the European Union (Supabase AWS eu-west-3, Paris). If any transfer outside the EU occurs through a sub-processor, it is covered by the European Commission's Standard Contractual Clauses.
8. Your rights
Under applicable law (EU GDPR, Moroccan Law 09-08, and equivalent regulations), End Users have the right to:
- access the personal data we hold about them;
- request rectification of inaccurate data;
- request erasure (subject to retention obligations);
- object to processing or request restriction;
- request portability of the data they provided.
Guests should contact their hotel first, which is the controller of their stay data. Staff and Customers can contact privacy@kiband.app. We respond within 30 days. Users may also lodge a complaint with their local data protection authority (CNDP in Morocco; the relevant supervisory authority in their country of residence in the EU).
9. Security
KiBand applies technical and organizational measures, including row-level security (RLS) isolation per tenant, encryption in transit (TLS 1.2+), encryption at rest (AES-256 managed by Supabase and Vercel), role-based access control, audit logging, and regular backups. Security vulnerabilities can be reported to security@kiband.app.
10. Cookies
We use a strictly necessary authentication cookie (Clerk session) and anonymized usage analytics on the public website only. No advertising cookies. No cross-site tracking.
11. Changes to this policy
Material changes will be notified to Customers by email at least 30 days before taking effect. The current version is always available here.
12. Contact
Data Protection Officer: privacy@kiband.app — KiBand SAS, Casablanca, Morocco.