02 · Privacy
Your data.
Our commitments.
What we collect, why, for how long, and with whom. Without the fine-print silence of standard terms.
Last updated · 2 April 2026
This privacy policy describes how Dubai company ("MyKonci", "we") collects, uses and protects your personal data as part of its virtual concierge service for short-term rental owners (WhatsApp/SMS chatbot and voice agent).
01 · Data controller
The controller of personal data is Dubai company.
Representative in the European Union (article 27 of the GDPR): Nicolas Moussa, privacy@mykonci.com.
Data Protection Officer (DPO): Nicolas Moussa, reachable at privacy@mykonci.com for any question regarding the protection of your personal data and the exercise of your GDPR rights.
02 · Roles: controller and processor
MyKonci acts in two distinct roles under the GDPR, depending on the type of data being processed:
- MyKonci is controller for its customers' own data (user account, email, billing, usage logs, prospect data) and for data of visitors to the mykonci.com site.
- MyKonci is processor (article 28 of the GDPR) for all end-guest data processed via the platform on behalf of the professional or individual customer. In that case, the MyKonci customer is the controller vis-à-vis its guests and must inform them in line with articles 13 and 14 of the GDPR. MyKonci provides an information notice template for the customer to integrate on its communication channels.
A data processing agreement (DPA) within the meaning of article 28 of the GDPR is signed at subscription and governs the whole processing relationship. It is available on request at privacy@mykonci.com.
03 · Data collected
We process the following data categories:
- Customer identification data: surname, first name, email address, phone number.
- Professional data: number of apartments, rental type, channel manager used, activity.
- Connection data: IP address, browser, pages visited, timestamp.
- Guest data (processed as processor): surname, first name, phone number, language, stay dates, messages exchanged via WhatsApp and SMS, audio recordings and timestamped transcripts of voice calls.
- Derived analytical data (professional plans with Cortex, processed as processor): satisfaction scores, emotional profiles, extracted signals, behavioural predictions, vector embeddings, cross-stay guest history.
- Technical logs: AI model calls, latencies, errors, used to improve the service.
Audio recordings and transcripts are accessible to the customer via their dashboard and can be provided or deleted on request at privacy@mykonci.com.
04 · Processing purposes
- Delivery of the virtual concierge service (WhatsApp/SMS chatbot and voice agent)
- Handling contact and demo requests
- Customer relationship and billing
- Service improvement and usage analysis
- Sending commercial information (with your consent)
- Compliance with our legal obligations
05 · Cortex: processing specific to professional plans
Professional plans include Cortex, a conversational intelligence engine that analyses conversations between guests and the customer's teams to improve service quality. Cortex performs profiling within the meaning of article 4.4 of the GDPR. These specific processing operations are detailed below.
Nature of Cortex processing:
- Real-time emotional analysis (satisfaction score out of 100, frustration detection, etc.)
- Guest psychological profile (assertive, passive, emotional, price-sensitive, etc.)
- Detection and classification of problems by severity (access, equipment, cleanliness, noise, etc.)
- Review prediction (positive, negative, escalation risk, rebooking probability)
- Upsell opportunity detection (late checkout, early check-in, additional services)
- Preventive maintenance (detection of recurring equipment issues)
- Real-time coaching of the customer's teams (action recommendations)
- Cross-stay guest memory (satisfaction history, preferences, past issues)
Legal bases:
- Performance of the contract (art. 6.1.b GDPR): emotional analysis, review predictions, preventive maintenance, coaching, cross-stay memory.
- Legitimate interest of the professional customer (art. 6.1.f GDPR): psychological profile, upsell detection. This legitimate interest is balanced against guest rights and only applied when that balance is respected.
No automated decision within the meaning of article 22 GDPR. Cortex produces recommendations, but no decision producing legal or significant effects regarding the guest is taken in a fully automated way. A human operator (concierge, customer manager) keeps oversight and final validation of any action. If the customer later enables an automation feature (e.g. automatic message sending), they become the controller of that automated decision and must provide an opt-out mechanism for the guest.
Right to object to profiling (Art. 21 GDPR). Any guest can object to Cortex profiling. On written request at privacy@mykonci.com or via the professional customer, the guest identifier is flagged as opt-out within 7 days: future messages are still kept (legitimately exchanged with the customer's teams) but excluded from any analysis, scoring and profiling.
Per-tenant learning, no global learning. Calibrations and analyses specific to a customer are never used to improve the service for another customer. Data used for internal service improvement is pseudonymised (guest and conversation identifiers replaced with SHA-256 hashes). No customer data is used to train, fine-tune or evaluate external AI models (OpenAI, Azure OpenAI or any other provider).
06 · Legal basis
Processing operations are based on:
- Performance of a contract (delivery of the service)
- Your consent (commercial prospecting)
- Our legitimate interest (service improvement, security)
- Compliance with legal obligations
07 · Retention period
Data is kept for the period strictly necessary for the purposes for which it was collected, in line with CNIL guidance:
- User account data (name, email, profile): for the whole contract duration, then 3 years after the last contact from the active customer base, for commercial management (commercial limitation period).
- Chatbot conversations (WhatsApp & SMS): for the contract duration, then 13 months beyond for evidence and service improvement, unless early deletion is requested.
- Voice recordings and call transcripts: for the contract duration, then 13 months beyond, unless early deletion is requested by the customer or the guest concerned.
- Cortex scores, profiles and derived analyses: same duration as the source conversations (13 months after end of contract).
- Cross-stay guest memory: 13 months after the last stay, then automatic purge.
- Product-improvement technical logs (pseudonymised): 12 months maximum.
- Billing data and accounting records: 10 years from the closing of the relevant financial year (article L.123-22 of the French Commercial Code).
- Connection and security logs: 12 months (CNIL recommendation and LCEN obligations).
- Prospect data (contact forms without subscription): 3 years from the prospect's last contact.
- Cookies: 13 months maximum (CNIL recommendation).
- Data archived for potential litigation: duration of the applicable legal statute of limitations.
At the end of these periods, data is either permanently deleted or irreversibly anonymised for statistical purposes. The customer can at any time request a shorter retention period via their account settings or by written request.
08 · Hosting and security
Data is hosted within the European Union, with Hetzner Online GmbH (Germany, Gunzenhausen and Falkenstein sites). Hetzner is a European GDPR-compliant host.
Technical and organisational measures:
- Encryption at rest (AES-256) on databases and storage systems.
- Encryption in transit (TLS 1.3) on all communications (API, dashboard, integrations).
- Centralised key and secret management, annual rotation, logged access.
- Encrypted backups with geographic replication within the EU.
- Strict tenant isolation: every customer has a dedicated identifier; all requests are filtered at the application level and by PostgreSQL Row-Level Security. Within normal operation of the Service, no customer can access another customer's data.
- Data access logs: every access to conversations (customer operator or authorised MyKonci support employee) is logged (identity, date, resource, IP address). These logs are kept for 12 months and are accessible by the administrator customer on request.
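As an added illustration of the tenant-isolation measure described above (example SQL written for this page, not MyKonci's own schema; the table, column, role and setting names are assumptions), this is what a per-tenant identifier enforced by PostgreSQL Row-Level Security looks like, with the policy failing closed when no tenant is bound to the session:

```sql
-- Added example, not MyKonci's schema. Every row carries the customer's
-- dedicated identifier (tenant_id); RLS filters reads and writes on it.
CREATE TABLE conversations (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,            -- the customer's dedicated identifier
    guest_ref   text NOT NULL,            -- pseudonymous guest reference
    body        text NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application connects through a role that cannot bypass RLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_user;
GRANT USAGE, SELECT ON SEQUENCE conversations_id_seq TO app_user;

ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- A row is visible (USING) and writable (WITH CHECK) only when its tenant_id
-- equals the tenant bound to the session. NULLIF(..., '') turns an unset or
-- reset setting into NULL, so the comparison is never true: a session that
-- forgot to bind a tenant sees no rows rather than all rows.
CREATE POLICY tenant_isolation ON conversations
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the application binds the authenticated customer's tenant id
-- for the transaction only (SET LOCAL is reverted at COMMIT or ROLLBACK).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, guest_ref, body FROM conversations;   -- returns this tenant's rows only
COMMIT;

-- Within the same kind of session, a write tagged with another tenant's id is
-- rejected by the WITH CHECK clause ("new row violates row-level security
-- policy"), so a missing filter in application code cannot write across tenants:
-- INSERT INTO conversations (tenant_id, guest_ref, body)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'g-1', 'hello');
```

The application-level filter the policy mentions still belongs in the code; RLS is the second, database-enforced layer that holds even when that filter is bypassed or misconfigured.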
Data breach notification (art. 33-34 GDPR): in case of an incident affecting personal data, MyKonci commits to notifying the customer concerned within 48 hours of detection, with a first preliminary report. A full report is provided within 7 days.
09 · Your rights
Under the GDPR, you have the following rights:
- Right of access to your data
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to portability
- Right to object, including to profiling performed by Cortex
- Right to withdraw your consent at any time
Guest access right: any guest can request a full export of their data (messages, recordings, scores, profiles, predictions about them) within 30 days, in JSON or legible PDF format. Written request at privacy@mykonci.com with proof of identity, or via the professional customer acting as controller.
Routing of guest requests. For guest data, MyKonci acts as processor for the professional or individual customer (controller). Guest requests are in principle addressed to the controller. When a request is received directly by MyKonci, it is handled within GDPR time limits and the controller is informed. MyKonci may, depending on the nature of the request, pass it on to the controller, who remains the final decision-maker.
To exercise these rights, contact our DPO at privacy@mykonci.com. We reply to any request within a maximum of one month (Art. 12 GDPR). You can also lodge a complaint with the CNIL (France) or any competent supervisory authority.
10 · Sub-processors
To operate our services, we rely on the following sub-processors. The up-to-date list is appended to the DPA provided to each customer.
- Hetzner Online GmbH (Germany). Server and data hosting. Transfer: none, data within the EU.
- OpenAI Ireland Ltd / OpenAI, L.L.C. (Ireland / United States). Natural language processing (message analysis, Cortex scoring, reply generation). DPA signed. No-training commitment on customer data. Transfers outside the EU framed by Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework (DPF). A switch to Azure OpenAI Service Europe region (France Central or Sweden Central, 100% EU processing) is available on request from the professional customer.
- Embedding models (sentence-transformers, run locally on MyKonci servers in the EU). No external transfer.
- Stripe Payments Europe, Ltd. (Ireland). Customer payment processing. DPA in place.
- Twilio Ireland Limited (Ireland / United States). SMS, WhatsApp Business and voice telephony transport. DPA in place, SCC and DPF.
- Retell AI or equivalent. Conversational voice platform for the voice agent (if enabled). DPA in place.
- Migadu Mail Services (SA) (Switzerland). Transactional email service. Switzerland benefits from an adequacy decision from the European Commission (no SCC needed).
Every sub-processor is bound by a data processing agreement (DPA) compliant with article 28 of the GDPR. Any change in the list of sub-processors is subject to prior notice to the customer, with a right to object, on stated grounds, within 30 days in line with article 28.2 of the GDPR.
11 · Data transfers outside the EU
Some data may be transferred outside the European Union via the sub-processors mentioned above (OpenAI, Twilio, Stripe). These transfers are framed by:
- The EU-US Data Privacy Framework (DPF) for certified sub-processors;
- The European Commission's Standard Contractual Clauses;
- Additional measures (encryption, pseudonymisation) when necessary.
For customers who want 100% EU processing, a switch to Azure OpenAI Europe is available on request.
12 · End of contract and reversibility
At the end of the contract, the customer can choose (in line with the DPA):
- Full export of their data (JSON format and SQL dump) within 30 days;
- Or permanent deletion within 30 days;
- Purge of backups containing customer data within 90 days maximum.
A deletion certificate can be provided on request.
13 · Audits (professional customers)
Professional customers can audit MyKonci's GDPR compliance, up to once a year, with 30 days' notice. The audit is performed, at the customer's choice, by standard written questionnaire or by on-site visit / videoconference on reasoned request. On-site audit costs are borne by the customer. MyKonci will eventually provide an independent audit report that may be used in place of an individual audit.
14 · Changes to this policy
This privacy policy may be updated to reflect legal, regulatory, technical or organisational changes. Any substantial change is notified to customers by email and/or via the dashboard at least 30 days before it takes effect. The date of last update is indicated at the top of this page. Previous versions are archived and available on request at privacy@mykonci.com.
15 · Contact
For any question regarding this privacy policy, contact our DPO at privacy@mykonci.com. For any general question, contact@mykonci.com.