Privacy Policy

Arivia Technologies (“Arivia”, “we”, “us”) operates the Arivia platform at arivia.ai — a digital pre-check-in service for hotels.

Arivia acts in two distinct capacities depending on whose data is being processed:

• Data Processor — when processing guest personal data on behalf of a hotel (the Data Controller). The hotel determines the purpose and means of processing; Arivia acts only on documented instructions.
• Data Controller — when processing data of hotel operators, staff, and contact form enquiries for our own business purposes.

Contact: [email protected] · Arivia Technologies, Sofia, Bulgaria

Legal basis: Article 6(1)(b) GDPR — performance of a contract; Article 6(1)(c) — legal obligation

What we collect

• Full name of each guest
• Date of birth
• Nationality and country of residence
• Passport or national ID number
• Personal identification number (e.g. EGN), where applicable
• Email address
• Phone number (optional)
• Arrival and departure dates
• Room number and booking reference
• Digital signature
• Special requests voluntarily provided

Why we collect it

• Hotel registration — to process your check-in, prepare your room, and manage your stay.
• Legal obligation — Bulgarian law (Наредба № РД-02-20-6/2012) and equivalent regulations in other EU member states require hotels to register guests' identity documents with local authorities. The hotel (as Data Controller) is responsible for this obligation.
• Communication — to deliver your check-in confirmation and any necessary stay-related communications.

Retention

Guest registration records are retained for 5 years from the date of stay, as required by Bulgarian accommodation and tax regulations. After this period all records are permanently and securely deleted. The hotel may have its own retention policy — please refer to the hotel's own privacy notice.

Who has access

• Authorised hotel staff at the property where you are staying
• Bulgarian police registration authorities (where legally required)
• Arivia's sub-processors (see Section 6) — only to the extent necessary to operate the platform

We never sell guest data or use it for advertising.

Legal basis: Article 6(1)(b) — contract; Article 6(1)(f) — legitimate interests

What we collect

• Full name and job title
• Business email address
• Hotel / company name
• Phone number (optional)
• Login credentials (password stored as bcrypt hash — never in plain text)
• Usage logs and audit trail within the platform

Why we collect it

• Service delivery — to create and manage your Arivia account and provide access to the platform.
• Communication — to respond to enquiries, send service notifications, and provide support.
• Security & fraud prevention — to monitor for unauthorised access and maintain platform integrity.

Retention

Account data is retained for the duration of your contract with Arivia plus 12 months, after which it is deleted. Contact enquiry data is deleted after 24 months if no contract results.

We use the minimum necessary cookies and browser storage to operate the platform.

We do not use advertising, tracking, or analytics cookies. No third-party cookies are set by Arivia.

Under the General Data Protection Regulation (GDPR) you have the following rights:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion of your personal data where there is no overriding legal obligation to retain it.
• Right to restriction — Request that we limit processing of your data in certain circumstances.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interests.
• Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any right, email [email protected]. We will respond within 30 days. If you are a guest of a specific hotel, your request may be forwarded to that hotel as the Data Controller.

You also have the right to lodge a complaint with your national supervisory authority. In Bulgaria: Commission for Personal Data Protection (КЗЛД) at www.cpdp.bg.

Arivia uses the following third-party processors. Each has been assessed for GDPR compliance and is bound by data processing agreements:

Where data is transferred outside the EEA (e.g. Resend), appropriate safeguards are in place via Standard Contractual Clauses (SCCs) approved by the European Commission.

We implement appropriate technical and organisational measures to protect personal data, including:

• TLS encryption for all data in transit
• Encryption at rest for database storage
• Row-level security (RLS) ensuring each hotel can only access its own guest data
• Passwords stored as bcrypt hashes — never in plain text
• Access controls limiting data access to authorised staff only
• Regular security reviews

In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected parties without undue delay, as required by GDPR Article 33–34.

We may update this policy from time to time. Material changes will be communicated to hotel operators via email at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect the current version.

For any privacy-related queries or to exercise your rights:
[email protected]
Arivia Technologies, Sofia, Bulgaria