Privacy Policy
Last updated: April 13, 2026
Foxtcon One LLC (“FoxtInn,” “we,” “us,” or “our”) is committed to protecting the privacy of personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our FoxtInn platform and related services. This Policy applies to all users, including account holders, authorized users, and guests whose data is processed through the Service.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, phone number, business name, role, property details, and billing address.
- Staff/Employee Information: Names, contact details, roles, departments, profile photos, schedule preferences, and employment-related data entered by account holders.
- Guest Data: Names, contact information, room numbers, service requests, feedback, complaints, and other information submitted by or about guests through QR code portals, guest request systems, or other Service mechanisms. Note: Guest Data is controlled by our Customers (property owners/operators). FoxtInn processes Guest Data as a data processor on their behalf.
- Operational Data: Tasks, schedules, time clock entries, shift records, chat messages, announcements, housekeeping statuses, and maintenance requests.
- Financial Data: Revenue figures, expense reports, P&L data, night audit reports, Z-reports, and other financial information input or forwarded to the Service for AI-powered analysis.
- Communications: In-app chat messages, support requests, and feedback.
- Payment Information: Processed by our PCI Level 1 compliant payment processor. FoxtInn does not store full card numbers.
1.2 Information Collected Automatically
- Usage Data: Pages viewed, features used, clickstream data, actions taken, timestamps, and session duration.
- Device Information: Device type, operating system, browser type, screen resolution, and unique identifiers.
- Network Information: IP address, approximate geolocation (city/region), and referring URLs.
- Cookies: Session identifiers, CSRF tokens, login state, language preferences. See our Cookie Policy.
- Analytics: Google Analytics 4 (GA4) and Microsoft Clarity for usage patterns. GA4 collects event data with anonymized IPs. Clarity records session replays with sensitive inputs masked.
- Marketing Pixels: Meta Pixel, LinkedIn Insight, and Google Ads on our marketing website only (not within the authenticated app).
1.3 Information from Third Parties
We may receive information from authorized integrations (calendars, payroll, POS, STR benchmarking) and from business partners for fraud prevention.
2. How We Use Information
- Providing, operating, and maintaining the Service, including AI Features.
- Processing transactions and billing communications.
- Delivering AI-powered insights through LALA Virtual GM (financial analysis, operational recommendations, predictive maintenance).
- Facilitating guest request management, housekeeping workflows, and staff communication.
- Authenticating users (OTP-based login, JWT session management).
- Service-related notifications, security alerts, and administrative messages.
- Analyzing usage patterns to improve the Service and develop new features.
- Customer support and inquiry response.
- Compliance with legal obligations and Terms enforcement.
- Fraud detection, prevention, and security.
- Marketing (with consent where required).
3. Legal Bases for Processing (GDPR)
For individuals in the EEA, UK, and Switzerland:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service, including account management, billing, and core functionality.
- Legitimate Interests (Art. 6(1)(f)): Service improvement, analytics, fraud prevention, and security. We have conducted balancing tests confirming these interests do not override data protection rights.
- Consent (Art. 6(1)(a)): Marketing communications, non-essential cookies, and optional AI features. Withdrawable at any time.
- Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws, regulations, and court orders.
For Guest Data, our Customers (as data controllers) determine the legal basis. FoxtInn processes Guest Data under Customer instructions per our DPA.
4. AI Features and Data Processing
- Scope: AI Features process Customer Content to generate insights, summaries, alerts, and recommendations within the Customer’s account.
- No Model Training: We do not use Customer Content, Guest Data, or personal information to train or improve general-purpose AI models.
- Third-Party AI Infrastructure: Certain features use third-party LLM APIs. Data is transmitted encrypted (TLS 1.2+), under agreements prohibiting training or retention beyond the session. Providers are listed in our DPA.
- Data Minimization: AI processes only the data necessary for the requested function. Financial data requires OTP-secured access.
- No Automated Decisions: AI provides advisory recommendations only - no automated decisions producing legal or significant effects. Human oversight is maintained.
- Opt-Out: Disable AI Features anytime through account settings without affecting core functionality.
5. Sharing of Information
5.1 We Do Not Sell Personal Information
FoxtInn does not sell, rent, or trade personal information. We do not share personal information for cross-context behavioral advertising.
5.2 Service Providers
We share information with service providers under written data protection agreements:
- Cloud infrastructure (AWS - U.S. regions)
- Payment processing (PCI Level 1 compliant)
- AI infrastructure providers (for LALA features)
- Analytics (Google Analytics 4, Microsoft Clarity)
- Email delivery and communications
- Customer support tools
A current subprocessor list is maintained in our DPA.
5.3 Legal Requirements
We may disclose information if required by law, court order, or governmental request, or to protect rights, property, or safety.
5.4 Business Transfers
In mergers, acquisitions, or asset sales, personal information may transfer to the acquiring entity with prior notice.
6. Data Retention
- Active Accounts: Retained while the account is active.
- Post-Termination: 30-day export window, then production deletion within 30 days. Backups purged within 90 days.
- Guest Data: Retained per Customer’s instructions; default 12 months from collection, then archived and deleted within 30 days.
- Financial Records: Retained for account duration plus 7 years for tax/accounting compliance.
- Audit Logs: Minimum 180 days.
- Marketing Opt-Outs: Retained indefinitely to honor your preference.
- Legal Holds: Data may be retained longer if required by law or legal proceedings.
7. Security
- Encryption in transit: TLS 1.2+ for all data
- Encryption at rest: AES-256 via AWS KMS with automatic key rotation
- Authentication: OTP-based login, JWT 15-minute sessions, MFA for admins
- Access control: RBAC with least-privilege defaults
- Infrastructure: AWS U.S. regions, multi-AZ redundancy, network segmentation
- Monitoring: 24/7 infrastructure monitoring, anomaly detection, audit logging
- Testing: Regular third-party penetration testing and vulnerability scanning
No method is 100% secure. See our Security & Trust Center for details.
8. International Data Transfers
FoxtInn is based in the United States. For transfers from the EEA, UK, or Switzerland, we rely on:
- EU-U.S. Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Addendum
We conduct transfer impact assessments and implement supplementary measures (encryption, access controls, contractual commitments).
9. Your Rights
9.1 GDPR Rights (EEA, UK, Switzerland)
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion (“right to be forgotten”).
- Restrict Processing: Limit how we use your data.
- Data Portability: Receive data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interests.
- Withdraw Consent: At any time for consent-based processing.
- Automated Decisions: Right not to be subject to solely automated decisions with legal effects.
Contact privacy@foxtcon.com. Response within 30 days (extendable by 60 days). You may also lodge a complaint with your supervisory authority.
9.2 CCPA/CPRA Rights (California)
- Right to Know: Categories and specific pieces of personal information collected.
- Right to Delete: Request deletion (subject to exceptions).
- Right to Correct: Request correction of inaccurate information.
- Right to Opt-Out: We do not sell or share for cross-context behavioral advertising.
- Right to Limit Sensitive PI: Limit use of sensitive personal information.
- Non-Discrimination: No penalties for exercising rights.
Contact privacy@foxtcon.com. Response within 45 days (extendable by 45 days). Authorized agents may make requests on your behalf.
9.3 Canadian Rights (PIPEDA & Quebec Law 25)
Canadian residents may access, correct, and withdraw consent. Quebec residents have enhanced rights under Law 25, including data portability and the right to de-indexation. Contact privacy@foxtcon.com. Response within 30 days.
9.4 Brazil (LGPD)
Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including: confirmation of processing, access, correction, anonymization/blocking/deletion of unnecessary data, data portability, deletion of consent-based data, information about third parties, consent withdrawal, and the right to petition the ANPD. Contact privacy@foxtcon.com with subject “LGPD Request.” Response within 15 business days.
9.5 South Africa (POPIA)
South African residents may exercise rights under the Protection of Personal Information Act: access, correction, deletion, objection to processing, objection to direct marketing, and complaint to the Information Regulator. FoxtInn has appointed an Information Officer reachable at privacy@foxtcon.com.
9.6 India (DPDP Act 2023)
Indian residents (Data Principals) may exercise rights under the Digital Personal Data Protection Act: access to a summary of personal data processed, correction, erasure, grievance redressal, and nomination of a representative. Parental/guardian consent is required for children’s data. Contact privacy@foxtcon.com with subject “DPDP Request.”
9.7 Asia-Pacific Rights
Residents of Japan (APPI), South Korea (PIPA), Singapore (PDPA), Thailand (PDPA), Australia (APPs), New Zealand (Privacy Act), Malaysia (PDPA), Philippines (DPA 2012), Indonesia (PDP Law), and Vietnam (PDPD) have rights under their respective frameworks including access, correction, deletion, and withdrawal of consent. See our International Privacy Rights page for jurisdiction-specific details and response timelines.
9.8 Middle East & Africa Rights
Residents of the UAE (PDPL), Saudi Arabia (PDPL), Turkey (KVKK), Kenya (DPA 2019), Nigeria (NDPA 2023), and Egypt (Law 151/2020) may exercise data protection rights under their applicable frameworks. See International Privacy Rights for details.
9.9 Additional US State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Indiana, Kentucky, Rhode Island, Iowa, Tennessee, and Utah have rights under their respective state privacy laws including access, deletion, correction, and opt-out of targeted advertising. FoxtInn honors Global Privacy Control (GPC) signals from all US jurisdictions. Response within 45 days.
9.10 Guest Rights
Guests, visitors, or patrons should contact the business (our Customer) directly to exercise data protection rights. FoxtInn will assist Customers in responding to data subject requests.
Complete global rights reference: For full jurisdiction-specific details including response timelines, transfer mechanisms, and supervisory authority contacts, see our International Privacy Rights page.
10. Breach Notification
In the event of a confirmed personal data breach likely to risk individuals’ rights:
- Customers notified within 72 hours of awareness (GDPR Art. 33).
- Details provided: nature, categories/numbers affected, consequences, and mitigation measures.
- Cooperation with Customers in notifying authorities and individuals.
- California residents notified “without unreasonable delay” per Civil Code §1798.82.
11. Children’s Privacy
The Service is not directed to children under 16. We do not knowingly collect their personal information. If a child has provided data, contact privacy@foxtcon.com for prompt deletion. If Customer’s business serves minors, Customer is responsible for COPPA and GDPR age-of-consent compliance.
12. Marketing Communications
Opt out anytime by: (a) clicking “unsubscribe” in any marketing email; (b) adjusting notification preferences in account settings; or (c) contacting privacy@foxtcon.com. Service-related communications (security alerts, billing) will continue.
13. Changes to This Policy
Material changes are communicated via email or in-app notification at least 30 days before taking effect. The “Last Updated” date reflects the most recent revision.
14. Contact Us
Privacy: privacy@foxtcon.com
Data Protection Officer: dpo@foxtcon.com
EU Representative: eu-representative@foxtcon.com
Mailing Address: Foxtcon One LLC, Missouri, United States
15. Additional Disclosures
15.1 Do Not Sell / Do Not Share
FoxtInn does not sell personal information as defined by the CCPA/CPRA, LGPD, or any other applicable privacy law. We do not share personal information for cross-context behavioral advertising. Marketing analytics pixels (Meta, LinkedIn, Google) are loaded only with explicit cookie consent and can be disabled via Cookie Settings. When consent is not granted, no marketing pixel data is transmitted.
15.2 Financial Incentive Disclosure
Founding Member pricing is based on early adoption commitment, not on the value of personal information. There is no financial incentive program tied to the collection or retention of personal data.
15.3 Automated Decision-Making
FoxtInn does not make automated decisions that produce legal or similarly significant effects on individuals. All AI features are advisory only. See our AI Governance page for details.
15.4 Sensitive Personal Information
FoxtInn may process the following categories of sensitive personal information solely as a data processor on behalf of Customers: employee government identifiers (where required for payroll), health information (clinics operating under HIPAA), and biometric data (if Customer enables fingerprint timekeeping). Processing occurs only on Customer instruction with appropriate legal basis.
15.5 Data Retention
For complete retention schedules by data type, see our Data Retention Schedule.
15.6 International Transfers
For complete details on transfer mechanisms by jurisdiction, see our International Privacy Rights page and Data Processing Agreement.