Legal

Privacy policy

Last updated: 2026-06-07

This policy explains how Paulo Rosario, a sole trader in Tomar, Portugal, trading under the brand interpt("we", "us"), handles personal data in connection with Monsieur. It covers the data for which we are the data controller: your hotel's account and staff-user data, your billing data, and data about visitors to our marketing site.

For the personal data of your hotel's guests that flows through the service, the hotel is the controller and we act only as its processor. That relationship, and the full detail of data-subject rights and our role split, is set out on our GDPR and data protection page. This policy and that page are meant to be read together.

1. Data we collect as controller

When your hotel uses Monsieur, we collect:

  • Account data: your hotel name, the subdomain slug you choose, and the name and email of each staff user you create.
  • Billing data: your chosen plan, billing contact, billing address, and the payment records returned by our payment processor. We do not store full card numbers; those are handled by Stripe.
  • Technical and usage data: server logs that include IP addresses, user-agents, and timestamps, kept on a rolling 30-day window, so we can run the service, troubleshoot, and detect abuse.
  • Support data: the content of messages you send us when you ask for help.

2. Marketing-site visitors

The public marketing site at monsieurapp.io is statically rendered and uses no third-party analytics or advertising trackers. The theme-preview widget makes a one-off server-side fetch of a URL you paste in; we log that URL, the requesting IP, and whether the preview succeeded, for 30 days, to enforce rate limits and detect abuse. That is the only collection on the marketing site.

3. Why we use it, and our legal bases

We use account and billing data to provide the service, take payment, and support you; the legal basis is performance of our contract with you. We use technical and usage data and the marketing-site logs to keep the service secure and working; the legal basis is our legitimate interest in operating and protecting the service. Where we send optional product or marketing emails, the legal basis is your consent or our legitimate interest in contacting an existing customer, and you can opt out at any time. We do not sell personal data and do not use it to train third-party models.

4. Subprocessors

We use a small number of trusted providers to run the service. They process data on our behalf under contract:

  • Amazon Web Services: hosting, database, and email delivery, in the EU (eu-west-1, Ireland).
  • Stripe: payment processing.
  • DeepL: machine translation of hotel content.
  • Oxylabs: a web-unblocking proxy used to fetch a hotel's public website during theme extraction. It only fetches public web pages of the URL the hotel provides.
  • Google Calendar and Calendly: only if a hotel chooses to connect them for service-provider calendar sync.

We keep this list current and you can ask us for the up-to-date version at any time. The purpose and region of each subprocessor is set out on our GDPR and data protection page.

5. Where your data is stored

Your data is hosted in the European Union, in the AWS eu-west-1 (Ireland) region. We keep account and operational data in the EU. If any transfer outside the EU were ever needed, we would rely on an approved safeguard such as the European Commission's standard contractual clauses.

6. Retention

We keep account and billing data for as long as your subscription is active, then for up to 90 days after cancellation or suspension so you can re-subscribe or export it, after which it is deleted. Billing records are kept for as long as tax and accounting law requires. Server logs and marketing-site preview logs are kept 30 days. Backups follow the same schedule, on a maximum 60-day rolling window.

7. Your rights

For the data we hold as controller, you can ask us to give you a copy of it, correct it, delete it, restrict or object to how we use it, or provide it in a portable format. To exercise any of these, email hello@monsieurapp.io; we respond within one calendar month, free of charge. The full list of rights, how guests exercise theirs through their hotel, and how to complain to a supervisory authority are explained on our GDPR and data protection page.

8. Cookies

The marketing site uses no cookies. The staff console uses a single httpOnly session cookie scoped to your tenant subdomain; it expires on logout or after a period of inactivity. The guest-facing ordering surface uses a short-lived signed token to remember the room across the cart flow. We use no third-party or advertising cookies anywhere.

9. Contact and complaints

For any privacy question, write to hello@monsieurapp.io. If you believe we have mishandled your data and we have not resolved it with you, you can complain to a data-protection supervisory authority. In Portugal that is the Comissao Nacional de Protecao de Dados (CNPD).