GDPR Compliance
How FoxtInn protects personal data under EU & UK GDPR
Last updated: April 13, 2026
Foxtcon One LLC (“FoxtInn”) is committed to compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK General Data Protection Regulation. This page details our GDPR-specific commitments, data processing practices, and how we help our Customers meet their own GDPR obligations.
1. Our Role: Processor & Controller
When FoxtInn is a Data Processor:
When our Customers (hotels, restaurants, salons, clinics, etc.) use the FoxtInn platform to manage staff data, guest data, schedules, and operational content, FoxtInn acts as a data processor under GDPR Article 28. The Customer is the data controller who determines the purposes and means of processing.
When FoxtInn is a Data Controller:
FoxtInn acts as an independent data controller for: website visitor data, account registration data, billing and payment data, platform usage analytics, marketing communications, and data processed for service security and fraud prevention.
2. Lawful Bases for Processing
FoxtInn relies on the following lawful bases under GDPR Article 6:
| Lawful Basis | Processing Activity |
|---|---|
| Contract (Art. 6(1)(b)) | Providing the Service, account management, billing, customer support |
| Legitimate Interest (Art. 6(1)(f)) | Service improvement, security, fraud prevention, analytics (balancing tests conducted) |
| Consent (Art. 6(1)(a)) | Marketing emails, non-essential cookies, optional AI features |
| Legal Obligation (Art. 6(1)(c)) | Tax compliance, regulatory requirements, law enforcement requests |
3. Data Processing Agreement (DPA)
FoxtInn offers a comprehensive Data Processing Agreement to all Customers, covering:
- Categories of data processed and data subjects
- Technical and organizational security measures (GDPR Article 32)
- Subprocessor management with 30-day advance notification
- Data subject rights assistance
- Breach notification within 72 hours
- Data deletion and return upon termination
- Audit rights for compliance verification
To request a signed DPA, contact privacy@foxtcon.com.
4. International Data Transfers
FoxtInn is headquartered in Missouri, United States. When personal data is transferred from the EEA, UK, or Switzerland to the United States, we implement the following safeguards:
- EU Standard Contractual Clauses (SCCs): We have adopted the SCCs approved by the European Commission (Decision 2021/914), Module Two (Controller to Processor). These are incorporated into our DPA.
- UK International Data Transfer Addendum: For transfers from the UK, we apply the UK ICO’s International Data Transfer Addendum to the EU SCCs.
- Swiss Transfers: SCCs apply with modifications required by the Swiss Federal Act on Data Protection (FADP).
- Transfer Impact Assessment (TIA): We have conducted a TIA confirming that U.S. legal protections, combined with our supplementary measures (AES-256 encryption, strict access controls, contractual prohibitions on government data access beyond what is legally required), provide an adequate level of protection.
5. Data Storage & Infrastructure
| Category | Details |
|---|---|
| Primary Cloud Provider | Amazon Web Services (AWS) |
| Data Center Regions | United States (us-east-1, us-west-2) |
| Encryption at Rest | AES-256 via AWS KMS with automatic key rotation |
| Encryption in Transit | TLS 1.2+ for all connections |
| Backup Frequency | Daily automated backups with point-in-time recovery |
| Backup Retention | 90 days post-deletion from production |
| Multi-Tenancy | Logical isolation at database level; property-scoped access controls |
6. Data Subject Rights
FoxtInn supports the exercise of all GDPR data subject rights:
| Right | GDPR Article | How to Exercise |
|---|---|---|
| Right of Access | Article 15 | Contact privacy@foxtcon.com |
| Right to Rectification | Article 16 | Self-service in platform or contact privacy@foxtcon.com |
| Right to Erasure | Article 17 | Contact privacy@foxtcon.com; processed within 30 days |
| Right to Restrict Processing | Article 18 | Contact privacy@foxtcon.com |
| Right to Data Portability | Article 20 | In-app export (CSV, JSON, PDF) or contact privacy@foxtcon.com |
| Right to Object | Article 21 | Contact privacy@foxtcon.com; marketing opt-out in app settings |
| Automated Decision-Making | Article 22 | No solely automated decisions with legal effects; AI is advisory only |
Response timeline: Within 30 days of a verified request. This period may be extended by 60 days for complex requests, with notification.
Guest/Visitor Rights: If you are a guest, visitor, or patron of a FoxtInn Customer, please contact the business directly. They are the data controller for your information. FoxtInn assists Customers in fulfilling data subject requests.
7. Data Protection Officer (DPO)
Data Protection Officer Contact:
Email: dpo@foxtcon.com
Mailing Address: Foxtcon One LLC, Missouri, United States
8. EU Representative
In accordance with GDPR Article 27, FoxtInn has appointed an EU Representative for data protection inquiries from EEA data subjects and supervisory authorities:
EU Representative Contact:
Email: eu-representative@foxtcon.com
Address: [EU member state physical address — to be designated prior to processing EEA personal data at scale, per GDPR Article 27(3)]
If you are an EU supervisory authority or data subject wishing to exercise your rights, you may contact our EU Representative directly. The physical mailing address will be published once our EU representation agreement is finalized.
9. Breach Notification
In the event of a personal data breach:
- 72-hour notification: Affected Customers are notified within 72 hours of FoxtInn becoming aware of the breach (GDPR Article 33).
- Content of notification: Nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
- Supervisory authority: FoxtInn assists Customers in notifying relevant supervisory authorities as required.
- Individual notification: When the breach is likely to result in a high risk to rights and freedoms, FoxtInn assists Customers in notifying affected individuals (Article 34).
10. AI Features & GDPR
FoxtInn’s AI features (LALA Virtual GM) are designed with GDPR principles at their core:
- No model training: Customer data is never used to train or improve AI models (data minimization principle).
- Purpose limitation: AI processes data solely to deliver requested functionality within the Customer’s account.
- No automated decisions: AI outputs are advisory only — no automated decisions with legal or significant effects (Article 22 compliance).
- Opt-out available: Customers can disable AI features entirely without affecting core service functionality.
- Third-party AI providers: Bound by Data Processing Agreements prohibiting data retention or model training. See our subprocessor list.
11. Subprocessors
A current list of subprocessors is maintained at foxtinn.com/subprocessors.html. Customers are notified 30 days before any new subprocessor is engaged and may object per the terms of our DPA.
12. Data Protection Impact Assessments
FoxtInn conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to data subjects, including new AI features and changes to data processing scope. We provide reasonable assistance to Customers conducting their own DPIAs (GDPR Articles 35–36).
13. Supervisory Authorities
Data subjects in the EEA have the right to lodge a complaint with their local supervisory authority. A directory is maintained by the European Data Protection Board at edpb.europa.eu.
14. Contact
Privacy: privacy@foxtcon.com
DPO: dpo@foxtcon.com
EU Representative: eu-representative@foxtcon.com
Security: security@foxtcon.com