Privacy Policy (GDPR)
OMOC INC (Anana) is committed to protecting your personal data under the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, and protect personal data when you use our AI workspace for hospitality commercial teams.
1. Data We Process
We process personal data as a controller (for our users) and processor (for customer data), including:
- Commercial & Guest Data: Names, emails, phone numbers, booking details, call recordings and transcripts, and other personal data from the systems you connect (e.g., PMS, CRM, telephony, market intelligence tools).
- User Accounts: Usernames, emails, hashed passwords, login history.
- Usage Data: Threads, questions, investigation results, and audit logs of actions taken in the workspace.
- Employee Data: Names, addresses, bank details, job roles for internal HR (small team).
2. Legal Bases (GDPR Art. 6, 9)
- Contract (Art. 6(1)(b)): To deliver the workspace, process commercial and guest data on your instructions, and provide platform access (user accounts).
- Legitimate Interests (Art. 6(1)(f)): To secure the service, prevent abuse, and improve product quality (with appropriate safeguards).
- Consent (Art. 6(1)(a), Art. 9(2)(a)): For user account registration and any special category data, with explicit, revocable consent.
We stop processing if no legal basis applies.
3. How We Use Your Data
- Answer questions and run investigations across your connected commercial data (bookings, calls, market intelligence, SOPs).
- Manage user accounts, permissions, and platform access.
- Secure the service, maintain audit trails, and support customers.
- Handle HR for our small team.
4. Data Sharing and Transfers
- Recipients: Internal team; vendors (e.g., AWS, OpenAI, Stytch, Rippling) for processing.
- International Transfers: Data may be transferred to the US (vendors). We use Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs), and prefer EU-hosted servers (e.g., AWS EU), to ensure GDPR compliance.
- Safeguards: AES-256 encryption, data minimization, vendor audits.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
5. Data Retention
- Commercial & guest data: For the duration of the customer contract, plus up to 1 year, or sooner on request.
- User data: Until account deletion or 2 years of inactivity.
- Usage & audit logs: Up to 2 years for security and compliance.
- Employee data: 7 years (legal obligations).
6. Your GDPR Rights
You have the right to:
- Access: Request a copy of your data.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion (e.g., when consent is withdrawn).
- Restriction: Limit processing temporarily.
- Portability: Receive data in a structured format (e.g., JSON).
- Objection: Object to processing (e.g., marketing).
- Automated Decisions: Request human review for AI-driven decisions.
To exercise your rights, email support@getanana.com. We respond within 30 days, with no fee unless requests are excessive.
7. Data Security
We use AES-256 encryption, multi-factor authentication (MFA), access controls, and audit logs to protect your data.
8. Contact Us
For questions or GDPR requests, email: support@getanana.com.
9. Supervisory Authority
You may lodge complaints with an EU supervisory authority.
