Effective: 31/03/2026

INTRODUCTION

Our goal at HeyGuest is to be as plain-spoken and understandable in our policies as we possibly can. This Privacy Policy includes important information about how we treat any personal data shared by you with us. We take privacy very seriously as we strive to earn and keep your trust.

HeyGuest is a trading name of iovox Limited (registered address: 4-6 Canfield Place, London, NW6 3B) and its wholly owned subsidiary, iovox Inc. (together, “HeyGuest”, “iovox”, “we”, “us”, or “our”). For customers located in the United States, your contract is with iovox Inc. For all other customers, your contract is with iovox Limited. If you have any questions about this Privacy Policy or our data protection practices, please contact us at privacy@iovox.com.

CONTROLLER VS. PROCESSOR

Importantly, when you use HeyGuest’s services (“Services”), we act as a data processor as defined in the UK General Data Protection Regulation (“UK GDPR”) and as a service provider as defined under applicable U.S. state privacy laws (such as the California Consumer Privacy Act or “CCPA”). A data processor handles information provided to it, and as instructed, by a data controller; in this case, that would be you as our customer (e.g., when you process your guests' data through our platform).

HeyGuest plays the role of data controller (or ‘Business’ under U.S. law) in the limited cases where it relates to managing our contractual relationship with you, to provide support in connection with our website or where we are marketing our Services to you based on your consent.

This Privacy Policy applies to personal data processing where we act as the data controller. Where we act as a data processor on behalf of our customers, we process personal data in accordance with the customer’s instructions and the applicable data processing agreement. Our customers are responsible for ensuring they have a lawful basis for collecting and sharing such personal data with us.

WHAT PERSONAL DATA WE COLLECT

As a data controller, we may collect and process the following categories of personal data/information:

  • Identity Data: First name, last name, username, title, and company name.
  • Contact Data: Billing address, email address, and telephone numbers.
  • Financial & Transaction Data: Financial information needed to process invoices, and a record of invoices
    paid.
  • Technical & Usage Data: IP address, browser type, pages visited, time on site, and interactions with our
    website or Wi-Fi portals.
  • Marketing Data: Your preferences in receiving marketing from us.
  • Voice & Text Data: Your voice captured in call recordings or text in chatbot interactions.
  • Cookie and Tracking Data: Information collected via cookies or similar technologies when you use our website or services. For further information please see our Cookie Policy.

We do not collect any special categories of personal data or ‘Sensitive Personal Information” (e.g., race, religion, health, biometric data) for our own purposes. If such information is provided by our customers in connection with their use of the Services, we process it solely as a processor/service provider on their behalf. We may use aggregated data (such as statistical or demographic information) that does not identify you to analyse website usage and improve our services.

HOW WE COLLECT YOUR PERSONAL DATA

We collect personal data in the following ways:

  • Directly from you when you create an account, request information, purchase services, or communicate with us.
  • Automatically when you use our website or services through cookies, log files, and similar technologies which collect technical and usage data.
  • From third parties, such as analytics providers, payment processors, service providers, or publicly available sources.
  • From our customers, where they use our services to process personal data relating to their guests or users, in which case we process that data as a data processor acting on their instructions.

HOW WE USE YOUR PERSONAL DATA AND WHY

Under UK GDPR and applicable U.S. laws, we rely on the following lawful bases and business purposes for processing:

  • Contractual Necessity: To register you as a customer, manage payments, and provide customer support.
  • Legitimate Interests: To keep the Site and Services secure, prevent fraud, troubleshoot system issues, and provide you with relevant updates about our Services. Where we rely on legitimate interests, we ensure that our interests are not overridden by your rights and freedoms and we carefully consider any potential impact on you before processing your personal data.
  • Compliance with Law: To comply with regulatory or legal reporting obligations.
  • Consent: Where required by law, for example where we send marketing communications to individuals who are not existing customers.
  • Notice at Collection: We collect information to provide the Services, manage your account, and improve our AI insights. We do not “sell” your personal information or “share” it for cross-context behavioral advertising.

INTERNATIONAL TRANSFERS

Some of our service providers or group companies (including iovox, Inc. and iovox Limited) may be located outside your home country. Data may be transferred between our UK and U.S. entities to provide global support and centralized platform management using appropriate safeguards in compliance with country standards. THE USE OF

ARTIFICIAL INTELLIGENCE & ANONYMIZED DATA

We offer certain products powered by artificial intelligence (AI), machine learning, or similar technologies designed to provide value for our customers (e.g., AI insights and chatbot automation). All personal information processed using our AI products is handled in line with this Privacy Policy to safeguard your data.

We do not use personal data to make decisions based solely on automated processing that produce legal or similarly significant effects (including ‘profiling’ under certain U.S. state laws) unless permitted by law and appropriate safeguards are in place.

We may de-identify or anonymize personal data in accordance with applicable data protection laws. Once data is anonymized such that it can no longer reasonably be used to identify an individual, it is no longer considered Personal Data under UK GDPR. We may use this anonymized data for various purposes, including the development, improvement, and training of artificial intelligence and machine learning systems.

WHO WE SHARE YOUR PERSONAL DATA WITH

We do not sell your personal data to third parties. We may share your data with the iovox Group (our parent company), third parties who provide IT, software, system administration, or marketing support and professional advisers and regulators such as lawyers, bankers, auditors, and authorities who require reporting of processing activities.

MARKETING COMMUNICATIONS

We will only send you marketing communications where you have given your consent to receive them. You may withdraw your consent at any time by using the unsubscribe link in our marketing emails. Even if you opt out of marketing, we may still send you service-related communications where necessary for the provision of our services.

DATA SECURITY AND RETENTION

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. We limit access to your data to those employees and third parties who have a business need to know, all of whom are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting obligations.
When determining retention periods, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process the data, and legal or regulatory requirements.

CHANGES TO THIS PRIVACY POLICY AND KEEPING YOUR INFORMATION UP TO DATE

We keep this Privacy Policy under regular review and may update it from time to time. Where we make material changes to this Privacy Policy, we will take reasonable steps to notify you, for example by posting the updated policy on our website or notifying you through our services. Previous versions may be obtained by contacting us. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

CHILDREN’S PRIVACY

Children’s Privacy: Our Services are B2B and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we learn we have collected such data without parental consent, we will delete it promptly.

YOUR RIGHTS

You have various rights under UK and U.S. data protection laws. Depending on your residency, these may include: the right to:

  • Request access to, correction of, or erasure of your personal data.
  • Object to or request the restriction of processing of your personal data.
  • Request the transfer of your personal data (data portability).
  • Withdraw consent at any time where we are relying on consent to process your data.
  • To object to processing based on legitimate interests.
  • U.S. State Rights: Residents of certain states (including California, Virginia, and Colorado) have the right to Know/Access their data, Delete their data, Correct inaccuracies, and Opt-out of automated decision-making. We do not discriminate against users for exercising these rights.

If you wish to exercise these rights, or if you have any concerns regarding our privacy practices, please contact us at privacy@iovox.com and we will seek to address your concerns. You also have the right to lodge a complaint with the ICO (https://ico.org.uk/), although we would appreciate the opportunity to deal with your concerns before you approach the ICO.