Privacy policy

This policy covers otasystems.ai, live.otasystems.ai, and every Multisystems account that accesses OTA Systems features. It does not cover sibling Multisystems products (ImageSystems, ReputationSystems, HotelSystems) — those have their own policies linked from their sites.

• Account data. Name, email, phone, hotel/property name and address, role, billing address, payment method.
• Property configuration. Expedia HTID, Booking.com chain IDs, PMS login credentials, rate-shopper login credentials (all encrypted at rest with AES-256).
• Messages you send us. Support tickets, demo form submissions, in-app chat.

When you share credentials for an external system, we read data from that system strictly to power the features you enabled. We do not write back unless you explicitly ask us to.

• Expedia Partner Central. Reservation records (guest name, email, check-in/out, amount, commission), rate records, invoice PDFs.
• Booking.com Extranet. The same reservation stream.
• Your PMS. Folio line items, housekeeping status, cancellation metadata. Read-only.
• Your rate shopper (if connected). Competitor rate snapshots; no property-identifying data written back.

We use your data to:

• Run the reclaim workflow (identify eligible commission, compute the dollar amount, pre-assemble dispute packages).
• Show you the multi-OTA operations console and per-property analytics.
• Train property-specific rate-recommendation models — never across properties or customers.
• Send transactional emails (billing receipts, claim-deadline reminders, product updates).
• Answer support requests and troubleshoot connection issues.

We do not use your data to train general-purpose AI models, sell anonymised data to third parties, or enrich any external database.

Only with subprocessors under written DPAs, and only to the minimum extent needed to run the service (hosting, email delivery, error reporting, analytics). A current subprocessor list is available on request — email legal@multisystems.ai. We share no data with advertisers, data brokers, or AI-training datasets.

Law-enforcement requests are reviewed by counsel; we require valid legal process and we notify you unless legally prohibited.

• Account data: for the life of your subscription + 90 days after cancellation.
• Reservation and reclaim records: for 7 years (US IRS audit window) unless you request earlier deletion.
• Support tickets: 2 years for quality assurance.
• Aggregated, de-identified metrics: retained indefinitely (no personal data).

Depending on your location (GDPR for EU/UK, CCPA/CPRA for California, and equivalent laws elsewhere) you can request access to, correction of, or deletion of your personal data. Contact privacy@otasystems.ai. We respond within 30 days.

All credentials are encrypted at rest (AES-256). All traffic in transit uses TLS 1.3. Infrastructure runs on SOC 2-compliant cloud providers. Engineering access to production data is logged, reviewed, and audited quarterly. We run incident-response drills twice a year.

Privacy questions: privacy@otasystems.ai. General: hello@otasystems.ai.