Last updated: March 23, 2026
This Privacy Policy describes how rapidbounce ("we", "us", "our", or the "Company"), operating the Steganomos platform ("Steganomos", the "Platform", or the "Service"), collects, uses, stores, shares, and protects personal data. Steganomos is an AI-powered property management platform designed for hotels and accommodation providers, accessible at https://steganomos.com.
rapidbounce is a company registered in Athens, Greece, and serves as the Data Controller for all personal data processed through the Platform. We are committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all applicable data protection laws.
By accessing or using Steganomos, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of the Platform.
For the purposes of this Privacy Policy:
The Data Controller responsible for processing your Personal Data is:
As a company with fewer than 250 employees, we are not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. However, all data protection inquiries may be directed to the email address above, and we will respond within the timeframes prescribed by applicable law.
We collect and process different categories of Personal Data depending on your role and interaction with the Platform:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity data | Full name, business name, MHTE registration number | Account creation, regulatory compliance |
| Contact data | Email address, phone number, business address | Account management, communication, support |
| Authentication data | Hashed passwords, session tokens | Secure access to the Platform |
| Business data | Property details, room configurations, rate settings, financial reports | Service delivery, revenue management |
| Billing data | Invoice details, transaction history (payment card data is processed exclusively by Stripe and never stored by us) | Billing, tax compliance |
| Data Category | Examples | Purpose |
|---|---|---|
| Identity data | Full name, nationality | Reservation management, legal obligations |
| Contact data | Email address, phone number | Reservation confirmations, guest communication |
| Reservation data | Check-in/check-out dates, room type, special requests, booking channel | Service fulfillment |
| Communication data | Emails, WhatsApp messages, web chat transcripts with the Property | Guest support, AI-assisted response generation |
| Payment data | Transaction amounts and status (card details are processed by Stripe and never stored on our servers) | Payment processing, refunds |
When guest communications are processed through our AI pipeline, the following derived data may be generated:
This data is generated to assist Property staff and is always subject to human review before any outbound communication is sent to guests. See Section 6 for more details on AI processing.
Under the GDPR, we process Personal Data only when we have a valid legal basis. The following table outlines the legal bases we rely upon:
| Processing Activity | Legal Basis (GDPR Article) |
|---|---|
| Providing the Platform and its features to Property owners | Performance of a contract (Art. 6(1)(b)) |
| Processing guest reservations and communications | Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) |
| AI-assisted analysis of guest messages | Legitimate interests (Art. 6(1)(f)) - improving service quality and response times |
| Sending transactional emails (e.g., reservation confirmations) | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
| Maintaining financial records and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Website analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) |
| Fraud prevention and platform security | Legitimate interests (Art. 6(1)(f)) |
| Responding to legal requests from authorities | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override the fundamental rights and freedoms of Data Subjects. You may request details of these assessments by contacting us.
We use the Personal Data we collect for the following purposes:
We do not sell, rent, or trade your Personal Data to any third party for marketing or advertising purposes.
Steganomos incorporates artificial intelligence to help Property staff respond to guest communications more efficiently. We are committed to transparent and responsible use of AI. This section explains how AI processes your data.
The Platform does not make any decisions with legal or similarly significant effects on individuals based solely on automated processing. AI outputs serve as recommendations for human staff. Guests have the right to contest any communication they receive and to request human review by contacting the Property directly or by reaching out to us at the contact details provided in Section 16.
We share Personal Data only with third-party service providers ("Sub-Processors") who are necessary for the operation of the Platform. Each Sub-Processor is bound by a Data Processing Agreement (DPA) and is required to process data only as instructed by us.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud infrastructure, database hosting, serverless compute, AI services (Vertex AI, Gemini), analytics (BigQuery), task scheduling | EU (europe-west1, Belgium) |
| Anthropic (Anthropic PBC) | AI text analysis and response generation (Claude models) | United States (with EU Standard Contractual Clauses) |
| Stripe (Stripe, Inc.) | Payment processing, Stripe Connect Express accounts for Properties | EU infrastructure; certified PCI DSS Level 1 |
| Mailgun (Sinch Email) | Transactional and operational email delivery | EU |
| Meta Platforms (Meta Platforms, Inc.) | WhatsApp Business messaging channel | EU/US (Meta's data processing terms apply) |
| WebHotelier (WebHotelier Technologies Ltd.) | Reservation synchronization and channel management | EU |
| Freshdesk (Freshworks, Inc.) | Customer support ticketing (being migrated to in-house solution) | EU/US |
| Google Analytics (Google LLC) | Website traffic analytics and user behavior analysis | EU |
| Google Tag Manager (Google LLC) | Tag management for analytics and marketing scripts | EU |
Beyond our Sub-Processors, we may disclose Personal Data in the following limited circumstances:
All primary data processing and storage occurs within the European Union, specifically in the europe-west1 (Belgium) region of Google Cloud Platform. This includes our databases, application servers, AI processing infrastructure, task queues, and analytics pipelines.
In limited cases, data may be processed by Sub-Processors with infrastructure outside the EU (e.g., Anthropic Claude for AI text analysis). Where such transfers occur, we ensure that appropriate safeguards are in place, including:
Additionally, before any guest message content is sent to AI models that may be processed outside the EU, personally identifiable information is masked (see Section 6.2), reducing the sensitivity of any data that crosses jurisdictional boundaries.
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:
| Data Type | Retention Period | Basis |
|---|---|---|
| Guest messages (email, WhatsApp, web chat) | 90 days from creation | GDPR data minimization principle (Art. 5(1)(e)) |
| AI-generated suggestions and sentiment scores | 90 days (aligned with message retention) | GDPR data minimization |
| Property owner account data | Duration of the contractual relationship plus 12 months | Contractual necessity and legitimate interests |
| Reservation data | Duration of the contractual relationship plus up to 5 years | Greek tax law and regulatory requirements |
| Financial records and invoices | Up to 10 years | Greek tax law (Art. 13 of the Greek Tax Procedures Code) |
| Usage analytics and logs | 26 months | Platform improvement and security |
| Cookie data | See Section 12 (varies by cookie type) | Consent or legitimate interests |
Message deletion is automated via a scheduled task that runs weekly and removes messages older than the 90-day retention period. Anonymized or aggregated data that cannot be used to identify individuals may be retained indefinitely for analytical purposes.
We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority (the Hellenic Data Protection Authority - HDPA) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify the affected Data Subjects without undue delay, in accordance with Article 34 of the GDPR.
As a Data Subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at achilleas@karydis.com.
| Right | Description |
|---|---|
| Right of access (Art. 15) | You may request a copy of the Personal Data we hold about you, along with information about how it is processed. |
| Right to rectification (Art. 16) | You may request correction of inaccurate or incomplete Personal Data. |
| Right to erasure (Art. 17) | You may request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent. This right is subject to legal retention obligations. |
| Right to restriction (Art. 18) | You may request that we limit the processing of your Personal Data in certain circumstances (e.g., while we verify the accuracy of your data). |
| Right to data portability (Art. 20) | You may request to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller. |
| Right to object (Art. 21) | You may object to processing based on legitimate interests, including profiling. You may also object to processing for direct marketing purposes at any time. |
| Right not to be subject to automated decisions (Art. 22) | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Steganomos does not make such decisions (see Section 6.3). |
| Right to withdraw consent (Art. 7(3)) | Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. |
We will respond to all valid requests within 30 days of receipt. In complex cases, or where we receive a high volume of requests, this period may be extended by a further 60 days, in which case we will inform you of the extension and the reasons for it.
If you believe that our processing of your Personal Data infringes the GDPR, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):
The Platform uses cookies and similar technologies to ensure proper functionality, enhance user experience, and collect analytics data. A cookie consent banner is displayed on your first visit, and you may manage your preferences at any time.
| Cookie Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly necessary | Authentication, session management, CSRF protection, security | Session or up to 14 days | Exempt from consent (ePrivacy Directive Art. 5(3)) |
| Functional | Language preferences, UI settings, selected property | Up to 12 months | Consent |
| Analytics | Google Analytics (page views, session duration, feature usage) | Up to 26 months | Consent |
You may disable or delete cookies through your browser settings at any time. Please note that disabling strictly necessary cookies may impair the functionality of the Platform. Most browsers allow you to:
For more information on managing cookies, visit www.aboutcookies.org.
Steganomos is a business-to-business platform designed for hospitality professionals. The Platform is not directed at individuals under the age of 16. We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected data from a child under 16, we will take prompt steps to delete such data. If you believe we may have collected data from a minor, please contact us immediately.
The Platform may contain links to third-party websites or services (for example, booking engines, payment portals, or social media platforms). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policy of any third-party service before providing your Personal Data.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons. When we make material changes, we will:
We encourage you to review this page periodically to stay informed about how we protect your data.
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your Personal Data, please contact us:
We aim to respond to all inquiries within 5 business days and to all formal data protection requests within 30 days, as required by the GDPR.
© 2026 rapidbounce. All rights reserved.
Steganomos is a registered trademark of rapidbounce.