
Data protection

This Personal Data Processing Schedule ("Schedule") sets out the additional terms which govern the relationship between the Customer and the Supplier when the Supplier processes Personal Data under the terms of the agreement.

1. Definitions and interpretation

The following definitions and rules of interpretation apply.

1.1 Definitions:

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing: have the meanings given to them in the Data Protection Legislation, and in respect of Personal Data, shall mean those terms as defined in the Data Protection Legislation, which are affected by the arrangements between the Customer and the Supplier.

DPC: the Irish Data Protection Commission and any successor regulator of the GDPR and the Data Protection Legislation in Ireland.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in Ireland including without limitation the GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2003 (SI 336/2011) as amended; and all other legislation and regulatory guidance in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).

GDPR: the General Data Protection Regulation ((EU) 2016/679).

EEA: the European Economic Area.

1.2 This Schedule is incorporated into the agreement. Interpretations and defined terms set forth in the agreement apply to the interpretation of this Schedule.

1.3 This Schedule shall have effect as if set out in full in the body of the agreement, and the Annexes to this Schedule form part of this Schedule and shall have effect as if set out in full in the body of this Schedule. References to this Schedule include its Annexes.

2. Personal data types and processing purposes

2.1 The Customer and the Supplier agree and acknowledge that for the purpose of the Data Protection Legislation:

2.1.1 the Customer is the Controller and the Supplier is the Processor.

2.1.2 the Customer retains control of the Personal Data and remains responsible for its own compliance obligations as a data Controller under the Data Protection Legislation.

3. Supplier's obligations

3.1 The Supplier shall only process the Personal Data to the extent, and in such a manner, as is necessary for the provision of the Platform Services under the agreement and in accordance with the Customer's written instructions. The Supplier shall not process the Personal Data for any other purpose or in a way that does not comply with this Schedule or the Data Protection Legislation. The Supplier shall promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

3.2 The Supplier shall maintain the confidentiality of the Personal Data and shall not disclose the Personal Data to third-parties unless the Customer or this Schedule specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the DPC).

3.3 The Supplier shall reasonably assist the Customer in fulfilling its obligations under the Data Protection Legislation, taking into account the nature of the Supplier's processing and the information available to the Supplier, including in relation to Data Subject rights, data protection impact assessments and in reporting to and consulting with the DPC under the Data Protection Legislation.

4. Supplier's employees

4.1 The Supplier shall ensure that all of its employees:

4.1.1 are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data; and

4.1.2 are aware both of the Supplier's duties and their personal duties and obligations under the Data Protection Legislation and this Schedule.

5. Security

5.1 The Supplier shall at all times implement appropriate technical and organisational measures against accidental, unauthorised, or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. The Supplier's technical and organisational measures as at the date of this Schedule are set out in Annex 3.

5.2 The Supplier shall implement such measures to ensure a level of security appropriate to the risk involved.

6. Personal data breach

6.1 The Supplier shall within 36 hours and in any event without undue delay notify the Customer in writing if it becomes aware of a Personal Data Breach.

6.2 Where the Supplier becomes aware of a Personal Data Breach, it shall, without undue delay, also provide the Customer with the following written information:

6.2.1 a description of the nature of the Personal Data Breach, including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned;

6.2.2 the likely consequences; and

6.2.3 a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

Immediately following a Personal Data Breach, the parties shall co-ordinate with each other to investigate the matter. Further, the Supplier shall reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to assisting with any investigation, making available all relevant records, and other materials, and taking reasonable and prompt steps to mitigate the Personal Data Breach.

6.3 The Supplier shall not inform any third-party of a Personal Data Breach without first obtaining the Customer's consent, except when required to do so by domestic or EU law.

7. Cross-border transfers of personal data

The Supplier (and any sub-processor) shall not transfer or otherwise process the Personal Data outside the EEA except: (a) on the Customer's documented instructions; or (b) where such transfer is to a sub-processor listed in Annex 2 or otherwise approved by the Customer in accordance with clause 8 of this Schedule. Where Personal Data is transferred outside the EEA, the Supplier shall ensure that an appropriate transfer mechanism is in place as required by Chapter V of the GDPR, including (as applicable) standard contractual clauses adopted or approved by the European Commission, an adequacy decision pursuant to Article 45 of the GDPR, or such other safeguard as is permitted under Article 46 of the GDPR. For the avoidance of doubt, the Customer's approval of the sub-processors listed in Annex 2 as at the date of this Schedule shall constitute a documented instruction to transfer Personal Data to those sub-processors in the locations specified therein, subject to the transfer safeguards required by this clause 7.

The Supplier may utilise third-party AI or large language model service providers as sub-processors in connection with the Platform Services, subject to compliance with clause 8 of this Schedule. The Supplier shall ensure that any such providers: (a) are engaged under written data processing agreements containing terms substantially equivalent to those set out in this Schedule; (b) where located outside the EEA, are subject to an appropriate transfer mechanism in accordance with clause 7 above; (c) process Personal Data solely on the Customer's documented instructions and only to the extent necessary for the provision of the Platform Services; and (d) do not use Personal Data for model training, fine-tuning, or any other independent purpose except as expressly authorised by the Customer in writing.

8. Sub-processors

8.1 The Supplier may only authorise a third-party (sub-processor) to process the Personal Data if:

8.1.1 the Customer is provided with an opportunity to object to the appointment of each sub-processor after the Supplier supplies the Customer with full details in writing, such as by placing the details of such sub-processors on the Supplier website or otherwise emailing the Customer;

8.1.2 the Supplier enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this Schedule;

8.1.3 the Supplier maintains control over all of the Personal Data it entrusts to the sub-processor; and

8.1.4 the sub-processor's contract terminates automatically on termination of this Schedule for any reason.

8.2 The Supplier's current sub-processors as at the commencement of this Schedule are those listed in Annex 2 and are approved by the Customer as at such date.

8.3 The Supplier may from time to time add, replace, or remove sub-processors listed in Annex 2 by giving the Customer not less than 30 days' prior written notice, such notice to include the identity and location of the proposed sub-processor and the processing activities to be undertaken. If the Customer has a reasonable objection to the appointment of a proposed sub-processor on data protection grounds, the Customer shall notify the Supplier in writing within 15 Business Days of receipt of the Supplier's notice, setting out its specific grounds of objection. The parties shall discuss the Customer's objection in good faith with a view to achieving a commercially reasonable resolution. If the parties are unable to resolve the objection within 30 days of the Customer's notice of objection, the Customer may, as its sole remedy, terminate this Schedule and the data processing arrangements hereunder on 30 days' written notice to the Supplier, without prejudice to any fees due in respect of the Platform Services provided prior to the effective date of such termination.

9. Complaints, data subject requests and third-party rights

9.1 The Supplier shall on an ongoing basis, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

9.1.1 the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

9.1.2 information or assessment notices served on the Customer by the DPC under the Data Protection Legislation.

9.2 The Supplier shall notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

9.3 The Supplier shall notify the Customer promptly if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4 The Supplier shall give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 The Supplier shall not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by domestic or EU law.

10. Data return and destruction

10.1 At the Customer's request, the Supplier shall give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

On termination of the agreement for any reason or expiry of its term, the Supplier shall securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Schedule in its possession or control, except for one copy that it may retain and use for such period of time as is deemed permissible under the GDPR, for appropriate purposes only.

11. Records

11.1 The Supplier shall keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved sub-processors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures used to protect the Personal Data.

11.2 The Supplier shall ensure that the records are sufficient to enable the Customer to verify the Supplier's compliance with its obligations under this Schedule and the Data Protection Legislation and the Supplier shall provide the Customer with copies of the records upon request.

12. Audit

12.1 At least once a year, the Supplier shall conduct site audits and generate a report of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Schedule.

12.2 On the Customer's written request, the Supplier shall make completed audit reports available to the Customer for review, which may be redacted as necessary or desirable in the circumstances.

Annex 1. Processing details

This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of processing

The subject matter and duration of the Processing of Personal Data are set out in the agreement and this Schedule.

Nature and purpose of processing

The Supplier will process Personal Data as necessary to perform the Platform Services under the agreement, as further instructed by the Customer in its use of the Platform Services. The purpose of the processing specifically includes:

  1. Provision of the Platform Services;
  2. Complying with the documented instructions provided by the Customer where such instructions are consistent with the terms of this agreement;
  3. Performing and enforcing the agreement, this Schedule and/or other contracts executed by the parties;
  4. Providing support and responding to customer requests;
  5. Complying with applicable laws and regulations;
  6. Any other tasks related to any of the above.

Categories of data subjects

The categories of data subjects will be users of the Platform Services pursuant to the agreement between the Supplier and the Customer, which may include:

  (a) The Customer's customers making hotel reservations;
  (b) The Customer's employees.

Categories of personal data

The personal data may include the following categories of data:

Booking analytics:

Employee analytics:

Sensitive data or special categories of data

The Supplier does not knowingly collect any special categories of data (as defined under the Data Protection Legislation).

Annex 2. Authorised sub-processors

Sub-processor name (location): purpose of processing

Amazon Web Services (EU): cloud infrastructure hosting and data storage services for the Platform Services.

Anthropic (US): provision of large language model services used to generate AI Outputs within the Platform Services.

OpenAI (US): provision of large language model services used to generate AI Outputs within the Platform Services.

Annex 3. Technical and organisational measures

Restricted user access and authentication management

Otel AI follows industry best practices to prevent unauthorised access to data and protect data from unauthorised actions such as input, reading, copying, removal, modification, or disclosure. Such measures include that employee access is restricted in accordance with least privilege principles based on personnel job functions. Otel AI further strengthens security through the enforcement of Multi-Factor Authentication (MFA), providing an additional layer of protection against unauthorised access.

Third party risk management

Otel AI maintains industry best practices for managing third-party security risks, including ensuring that all third parties undergo a formal vendor due diligence assessment and all vendors are required to have a written contract in place to ensure that any agent agrees to maintain reasonable and appropriate safeguards to protect customers' data.

Data protection and encryption

Otel AI maintains comprehensive data protection measures to safeguard sensitive information throughout its lifecycle. All client data is protected with TLS encryption during transmission, and data at rest is encrypted in storage systems. Otel AI leverages industry-standard key management services for encryption management, ensuring cryptographic controls meet industry standards. These measures work together to maintain data confidentiality and integrity across all environments.

Monitoring and incident management

Otel AI maintains centralised logging systems to provide comprehensive visibility across its infrastructure. Security-relevant logs, including failed login attempts, identity and access management changes, and anomalous activities, are actively monitored with alerts configured for immediate response. Otel AI has established defined log retention periods to support security investigations and compliance requirements.