GDPR & UK GDPR Compliance
How GT1 Partners LLC, dba Dimora AI protects EU and UK personal data and honors your rights under the General Data Protection Regulation and the UK GDPR
GDPR, UK GDPR & Dimora AI
The General Data Protection Regulation (GDPR) is a comprehensive European Union privacy law granting individuals significant control over their personal data. The UK GDPR is the retained version of the EU GDPR as it forms part of UK law under the European Union (Withdrawal) Act 2018, supplemented by the UK Data Protection Act 2018. GT1 Partners LLC, a California limited liability company, doing business as Dimora AI, processes personal data on behalf of property management companies, including data belonging to EU and UK residents who book or stay at managed properties.
Dimora AI acts as a Processor under both GDPR and UK GDPR. Clients (property managers) are the Controllers. This means Clients determine the purposes and means of processing guest data; Dimora AI processes that data exclusively on documented Client instructions.
For Clients with EU Guests: If your properties receive bookings from EU residents, their data is protected under GDPR. Dimora AI's Data Processing Addendum (DPA), available at dimora.ai/dpa, governs how we handle that data on your behalf and incorporates Module 2 Standard Contractual Clauses (SCCs) as the lawful EU-to-US transfer mechanism.
For UK Clients and Clients with UK Guests: UK personal data is protected under the UK GDPR. Dimora AI provides a UK-specific DPA on signature for UK Controllers, incorporating the EU SCCs (Module 2) supplemented by the UK International Data Transfer Addendum (Version B1.0) issued by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018. UK Clients have the right to lodge a complaint with the ICO at ico.org.uk.
UK GDPR — Key Differences from EU GDPR
The UK GDPR is substantively similar to the EU GDPR — the same Article numbering, the same data subject rights, the same lawful bases. The differences that affect Dimora AI Clients in the UK are operational rather than substantive:
Supervisory Authority
The competent supervisory authority for UK personal data is the Information Commissioner's Office (ICO), not an EU member-state authority. UK Data Subjects have the right to complain directly to the ICO at ico.org.uk or by phone at 0303 123 1113.
UK-to-US Transfer Mechanism
Transfers of UK personal data to Dimora AI in the United States are made under the EU SCCs (Module 2) as supplemented by the UK International Data Transfer Addendum (Version B1.0). Several Sub-Processors also hold UK Extension to the EU-US Data Privacy Framework certification, which provides an additional safeguard.
PECR — Privacy and Electronic Communications
In addition to UK GDPR, the Privacy and Electronic Communications Regulations (PECR) regulate call recording and electronic marketing in the UK. Dimora AI's Voice AI module makes a configurable pre-call announcement available so UK Clients can comply with PECR notification requirements. UK Clients are responsible for activating that announcement and confirming the lawful basis for any automated outbound communications sent through the Revenue Engine module.
UK Representative (Article 27)
Dimora AI is not established in the United Kingdom. Where required by Article 27 UK GDPR, Dimora AI will appoint a UK Representative to receive correspondence from the ICO and UK Data Subjects. Until such an appointment is in place, UK Data Subjects may contact the Processor directly at privacy@dimora.ai.
Who GDPR Applies To
GDPR applies when:
EU Residents
The data subject is a resident of an EU member state, regardless of their nationality
Goods or Services Offered to EU
A Controller offers goods or services to individuals in the EU — for example, a property management company accepting EU guest bookings
Monitoring EU Behavior
Processing involves monitoring the behavior of individuals in the EU (for example, behavioral analytics)
EU-Established Controllers
The Controller is established in the EU, regardless of where processing takes place
In Practice: Most Dimora AI Clients are US-based property managers. GDPR applies to the extent their guest base includes EU residents. If you are a Client processing EU guest data, contact legal@dimora.ai to discuss your DPA obligations.
Your GDPR Rights
Under GDPR, data subjects have the following rights regarding their personal data:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you
You may request confirmation of whether we process your data, and receive a copy of that data along with information about the purposes, categories, and recipients.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data
If information we hold about you is incorrect or incomplete, you have the right to request corrections. We will act on valid requests within 30 days.
Right to Erasure (Art. 17)
Request deletion of your personal data
You may request deletion of your data where there is no overriding legal basis for retention. We delete within 30 days of a valid request, subject to our legal retention obligations (e.g., billing records retained 7 years).
Right to Restriction (Art. 18)
Limit how we process your data
You may request restriction of processing while we verify data accuracy, assess the lawfulness of processing, or respond to your objection.
Right to Data Portability (Art. 20)
Receive your data in a machine-readable format
Where processing is based on consent or contract and carried out by automated means, you may receive your data in JSON or CSV format for transfer to another provider.
Right to Object (Art. 21)
Object to processing based on legitimate interests
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
Rights Related to Automated Decision-Making (Art. 22)
Human review of decisions with significant effect
Dimora AI's AI drafts guest communications for human review by Client staff. No fully automated decisions producing legal or similarly significant effects are made solely by Dimora AI's systems without human oversight by the Client.
Legal Bases for Processing (Article 6)
Dimora AI processes personal data under the following GDPR Article 6 legal bases, depending on the processing activity:
Art. 6(1)(b) — Contractual Necessity
Processing is necessary to perform the service agreement between Dimora AI and the Client.
Example: Handling guest phone calls, generating inbox reply drafts, processing upsell offers, syncing with the PMS
Art. 6(1)(f) — Legitimate Interests
Processing is necessary for Dimora AI's legitimate interests or those of the Client, provided those interests are not overridden by data subject rights.
Example: Improving AI model accuracy, preventing fraud, maintaining service security, AI learning from feedback (Client-controlled)
Art. 6(1)(a) — Consent
Processing is based on clear, affirmative consent from the data subject.
Example: Analytics cookies and marketing tracking on the Dimora AI website (loaded only after consent via cookie banner)
Art. 6(1)(c) — Legal Obligation
Processing is necessary to comply with a legal obligation to which Dimora AI is subject.
Example: Retaining billing records for tax compliance (7 years), responding to lawful government requests
What Data We Process
Voice AI (created by Dimora AI)
- Call recordings and transcripts — retained 90 days
- Call metadata (duration, date, phone numbers)
- AI-generated response content
Inbox AI (read from PMS, not stored long-term)
- Guest names and message content — processed to generate reply drafts, not permanently stored
- Reservation and booking details — read via PMS API
- AI reply drafts — retained 90 days post-termination
Revenue Engine
- Reservation check-in/check-out times — read from PMS to identify upsell windows
- Upsell offer records and guest acceptance data
Not Accessed
- Payment card data or financial transaction details
- Booking financial information
- Special-category data under Art. 9 (health, biometric, etc.) — not intentionally collected
For a complete list of sub-processors and the data each accesses, see dimora.ai/sub-processors.
International Data Transfers
Dimora AI is based in the United States. EU-to-US personal data transfers are governed by the following mechanism:
EU → US: Standard Contractual Clauses (Module 2)
The 2021 Standard Contractual Clauses, Module 2 (controller-to-processor), are incorporated into Dimora AI's DPA and govern all EU-to-US transfers of personal data. These SCCs are executed upon Client signature of the Service Agreement. A signed PDF is available via DocuSign upon request.
UK → US: EU SCCs + UK International Data Transfer Addendum
Transfers from the United Kingdom are governed by the EU SCCs (Module 2) supplemented by the UK International Data Transfer Addendum (Version B1.0), issued by the ICO under Section 119A of the Data Protection Act 2018. UK Clients receive a UK-specific DPA that incorporates both documents and selects England and Wales as the governing law of the Addendum.
Primary Storage Location
AWS us-east-1 (N. Virginia, USA) — primary operational database (Supabase). VAPI infrastructure on GCP United States. Workflow execution on Railway (United States).
Data Privacy Framework Certifications
Several sub-processors (OpenAI, Deepgram, Google, Supabase, Stripe, DocuSign, Netlify) hold EU-US Data Privacy Framework (DPF) certification and the UK Extension to the DPF, providing an additional transfer safeguard for both EU and UK transfers. See the sub-processor list for per-provider certification status.
EU Representative & UK Representative
Dimora AI does not currently have a designated EU representative under GDPR Article 27 or a designated UK representative under UK GDPR Article 27. These designations are under evaluation. Pending appointment, EU and UK data subjects and supervisory authorities may direct inquiries to privacy@dimora.ai.
Data Retention
Dimora AI retains personal data only as long as necessary for the purposes of processing:
- Call recordings & transcripts: 90 days. Retained for quality review; deleted automatically after 90 days
- AI reply drafts, offers, sessions: 90 days post-termination. Operational data retained during service; deleted after contract ends
- Billing records: 7 years. Tax compliance and financial audit obligations
- Support logs and correspondence: 2 years post-termination. Legal and dispute resolution purposes
- Backup data: Up to 30 days after primary deletion. Disaster recovery; purged on rolling basis aligned with primary retention
How to Exercise Your Rights
To exercise any of your GDPR rights:
Request Process
1. Submit Request: Email privacy@dimora.ai with a description of your request and the right you wish to exercise
2. Provide Information: Include your full name, email address, the specific right you are invoking, and sufficient information to locate your data (e.g., phone number used for a call)
3. Identity Verification: We may request additional verification to protect your data from unauthorized requests
4. Response: We respond within 30 days per GDPR requirements. Complex requests may be extended by up to two additional months with notice.
First Request: Free
Your first request per 12-month period is free of charge
Excessive Requests
We may charge a reasonable fee for manifestly unfounded or excessive requests, or decline to act on them
Privacy Contact
Dimora AI does not meet the Article 37 GDPR thresholds requiring mandatory appointment of a Data Protection Officer (DPO) — our processing does not involve large-scale systematic monitoring of individuals or processing of sensitive data as a core activity. Privacy and data protection inquiries are handled directly by Dimora AI management:
GDPR Rights Requests & Privacy Inquiries
privacy@dimora.ai
Response within 30 days (GDPR requirement); complex requests within 3 months
Legal & DPA Inquiries
legal@dimora.ai
Mailing Address
GT1 Partners LLC, a California limited liability company, doing business as Dimora AI
72-811 HWY 111, Suite 1030, Palm Desert, CA 92260, USA
Questions About GDPR or Your Data Rights?
Contact our privacy team. We respond to all inquiries within 10 business days.
privacy@dimora.ai