.svg){kind=small}
Privacy Policy
Effective Date: 01st March 2025
1. Who We Are
dhi Hospitality Solutions Pvt. Ltd. ("dhi","we", "us") is the developer and operator of dhi Insights,a commercial intelligence platform built for independent and boutique hotels.dhi is registered in India and operates under Indian data protection law,including the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023.
dhi Insights is a business-to-business (B2B) software product.Its users are hotel operators, revenue managers, and commercial teams at hospitality properties. It is not a consumer-facing application and does not collect personal data from hotel guests directly.
2. Scope of This Policy
This policy applies to all data processed by dhi Insights,including:
• Data provided by hotel operator accounts during onboarding and use of the platform.
• Data retrieved from connected advertising platforms, including Meta’s Marketing API,under explicit authorisation from the hotel operator.
• Data imported from property management systems (PMS), channel managers, and CRM tools.
• Usage data generated while operators interact with the dhi Insights interface.
This policy does not govern data held in systems owned by the hotel (their PMS, their CRM). dhi processes that data under a data processing agreement with the property.
3. Data We Collect
Account and identity data
Examples: Name,email address, role, property name, contact number
Source: Operatoronboarding
Property configuration data
Examples: Numberof rooms, target markets, active channels, revenue targets
Source: Operator input
Advertising performance data
Examples: Spend,impressions, clicks, conversions, ROAS, campaign IDs, ad set structure
Source: MetaMarketing API, Google Ads API
Booking and revenue data
Examples: ADR,occupancy, booking source, channel mix, OTA commission data
Source: PMS, CSV import or API integration
CRM and guest segment data
Examples: Segmentlabels, LTV estimates, CRM match rates (no individual guest PII without explicit consent)
Source: Operator CRM, CSV upload
Platform usage data
Examples: Pages visited, features used, session duration, browser type
Source: Application telemetry
Note on guest PII: dhi Insights is a commercial allocation engine, not aguest-facing tool. Where individual guest records are imported for CRM matching, they are pseudonymised at the point of ingestion. Raw guest PII isnot retained on dhi infrastructure beyond the time required to generate the match score.
4. Meta Platform Data
Meta API Permissions in Use
dhi Insights requests the following Meta permissions on behalfof authorised hotel operators:
ads_management — create, edit, and manage ad campaigns
ads_read— read campaign performance and structure data
Access is granted per property via Meta’s OAuth flow and isscoped strictly to the ad accounts the operator explicitly selects.
When a hotel operator connects their Meta Business account todhi Insights, the platform accesses the following data from Meta’s MarketingAPI:
Ad account details
API Object: /act_{ad_account_id}
Purpose: Identifyand scope the connected account
Campaigns
API Object: /act_{id}/campaigns
Purpose: Map campaign structure to the capital allocation model
Ad sets and audiences
API Object: /act_{id}/adsets
Purpose: Analyse channel-level efficiency and incrementality
Ad creatives
API Object: /act_{id}/ads
Purpose: Identify active creatives in the Morning Brief
Performance insights
API Object: /act_{id}/insights
Purpose: Calculate ROAS, cannibalisation, and marginal efficiency
Budget and spend data
API Object: Campaignand ad set fields
Purpose: Compare actual spend to recommended allocation
Ad mutations (write)
API Object: POST/campaigns, /adsets, /ads
Purpose: Execute Morning Brief actions where operator has enabled auto-execution
Write access (ad mutations) is used only when the operatorexplicitly enables auto-execution within the Morning Brief feature. Each mutation is logged with a timestamp, the operator user ID, and the specificchange made. Operators can disable auto-execution at any time from the platformsettings.
What We Do Not Do With Meta Data
Meta platform data accessed through dhi Insights is not sold,transferred, or shared with any third party for advertising, profiling, or targeting purposes. It is not used to build audience segments for any purpose other than the hotel operator’s own campaigns. It is not combined with datafrom other Meta users without explicit permission. Use is strictly limited to providing the dhi Insights service to the operator that granted access.
5. How We Use Data
Generating the Capital Plan and allocation recommendations
Data used: Ad performance, PMS, CRM match rate
Executing Morning Brief admutations
Data used: Meta API write access, operator approval state
Demand Map and market scoring
Data used: Booking source data, ADR, market segment data
Incrementality and efficiencyanalysis
Data used: Ad performance, attribution signals
Account management and support
Data used: Account identity, usage logs
Platform improvement(aggregated, anonymised)
Data used: Anonymised efficiency benchmarks across the dhi client base
Legal compliance and fraudprevention
Data used: Identity data, audit logs
dhi Insights does not use hotel operator data or Meta platform data to train AI models for purposes other than the specific property’s ownallocation engine. Property-level ML models are scoped to the property thatprovided the data.
6. Data Sharing
dhi does not sell data. The following categories of third partymay receive data as sub-processors in the course of providing the service:
Cloud infrastructure (AWS /GCP)
Purpose: Hosting,storage, compute
Safeguard: Data Processing Agreement in place
Authentication provider (Auth0/ Clerk)
Purpose: Login,session management, role-based access
Safeguard: DPA in place, SOC 2 certified
Analytics (aggregated only)
Purpose: Platformusage telemetry, anonymised
Safeguard: No individual property data shared
AI inference (Anthropic ClaudeAPI)
Purpose: Scoring,narrative generation within Morning Brief
Safeguard: API data is not used for model training; zero-retention policy applies
Data is not shared with Meta or any other advertising platform except as explicitly instructed by the operator when executing an ad mutation via the Marketing API on their behalf.
In a regulatory or legal requirement scenario, dhi will notifythe affected operator before disclosing data to authorities unless prohibitedby law.
7. Data Retention
Account identity data
Retention: Duration of contract + 12 months
Rationale: Contractual obligations, dispute resolution
Meta ad performance data
Retention: 36 months from retrieval date
Rationale: Historicalallocation modelling requires multi-season data
PMS and revenue data
Retention: 36 months from upload date
Rationale: Seasonal and year-on-year comparison
Guest PII (CRM matching)
Retention: Deletedwithin 24 hours of match computation
Rationale: Not retained post-processing; only match scores are stored
Platform usage logs
Retention: 12months rolling
Rationale: Debugging,support, security audit
Ad mutation logs
Retention: 36months
Rationale: Accountability and operator audit trail
On account termination, all property-specific data is deletedwithin 30 days of the final invoice date, subject to any outstanding legalhold. Meta API tokens are revoked immediately upon disconnection or accountclosure.
8. Security
• All datain transit is encrypted using TLS 1.3. All data at rest is encrypted usingAES-256.
• Meta APIaccess tokens and other credentials are stored in AWS Secrets Manager. They are never stored in application code, environment variables, or version control.
• Access to operator data within dhi’s internal systems is role-restricted and logged. Only personnel with a documented operational need have read access.
• Multi-tenancy isolation is enforced at the database level. No property can access another property’s data.
• dhi is pursuing SOC 2 Type II certification, targeted for completion in Year 2 of operations. GDPR-compatible data processing agreements are executed for all EU-sourced property data.
• Security incidents affecting operator data will be reported to the affected operatorwithin 72 hours of discovery, in line with DPDP Act 2023 obligations.
9. Your Rights
As the operator of a hotel property using dhi Insights, you havethe following rights in relation to data we hold:
Right of access
Request a copy of all data we hold for your property account.
Right of correction
Request correction of inaccurate account or propertyconfiguration data.
Right of deletion
Request deletion of your property data at any time. Deletiontakes effect within 30 days, subject to legal retention obligations.
Right to revoke Meta access
Disconnect your Meta ad account from dhi Insights at any timefrom the platform settings. Revoking access terminates API data retrievalimmediately.
Right to data portability
Request an export of your property’s data in CSV or JSON format.
Right to object
Object to processing based on legitimate interest. We will ceasethat specific processing unless we can demonstrate a compelling reason tocontinue.
To exercise any of these rights, contactprivacy@dhihospitality.com. Requests are acknowledged within 2 business daysand resolved within 30 days.
10. Meta-Specific Obligations
dhi Insights operates as a Meta Platform developer and is boundby Meta’s Platform Terms, Developer Policies, and Marketing API Terms of Service. Where this privacy policy is silent on a matter governed by thoseterms, Meta’s terms take precedence.
In compliance with Meta’s Platform Terms and developerrequirements, dhi Insights commits to the following:
• Metaplatform data is used only to provide and improve the dhi Insights service tothe operator that granted access. It is not used for any purpose outside thisscope.
• Data obtained via Meta’s API is not sold, transferred, or licensed to any thirdparty, including data brokers, advertising networks, or analytics providersoperating outside this service.
• Meta data is not used to create or augment audience profiles for targeting beyond thehotel operator’s own declared ad campaigns.
• dhi Insights does not use Meta data to discriminate against users based on anyprotected characteristic as defined under applicable law or Meta’s policies.
• All API tokens are stored securely as specified in Section 8. Token scope is limited to the minimum permissions required for the stated functionality.
• dhicomplies with Meta’s data deletion requirements. When an operator revokes APIaccess, the associated Meta data is deleted within 30 days, or within thetime frame Meta specifies in its Platform Terms.
• dhiprovides this publicly accessible privacy policy at a permanent URL, asrequired by Meta’s developer programme terms, and will update it whenever thescope of data use changes materially.
• dhi does not use Meta login data for purposes other than authentication within dhiInsights.
12. Changes to This Policy
dhi will update this policy when the scope of data collection orprocessing changes materially, or when required by changes to applicable law orMeta’s Platform Terms. Operators will be notified by email at least 14 daysbefore a material change takes effect. The effective date at the top of thisdocument will be updated with each revision.
Continued use of dhi Insights after the effective date of arevised policy constitutes acceptance of the updated terms. Where a changereduces operator rights or expands data use, dhi will seek explicitre-confirmation before proceeding.
13. Contact and Data Requests
dhi Hospitality Solutions Pvt. Ltd.
Privacy enquiries: hello@dhihospitality.com
Website: www.dhihospitality.com
Phone: +91-9965669369
Address: Block 1a, 111, 2nd Main Rd, 1st Block Koramangala, Bengaluru, Karnataka 560034
For urgent data deletion or security incident reports, mark thesubject line: DATA REQUEST — URGENT. Response within 24 hours during businessdays.
For Meta platform-specific data enquiries including API access,token revocation, or data portability from Meta systems, operators may alsocontact Meta directly via the Meta Business Help Centre:https://www.facebook.com/help/contact/861937627253138