How Otel AI uses AI — securely.
An overview for IT, cybersecurity, and procurement teams: how Otel AI handles your hotel's data, where it lives, and why it's never used to train AI models.

“Is my data safe at rest and in transit? Is your model training on my data, or is my data only for me?”
— Regional IT Manager, multi-property hotel operator (Middle East & Europe)
Most hotels ask the same three questions in the first call: Is our data encrypted? Where is it stored? And is it being used to train AI models — yours or anyone else’s?
These are the right questions. This document answers them in plain English, the way we would on a call with your IT team. Full detail on every control referenced here is published at trust.otelai.com, and we’re ISO 27001 certified.
“Is our data used to train AI models?”
Short answer: no. The longer answer is worth understanding, because the confusion is usually between using a model and training one.
Otel AI uses foundation models from Anthropic and OpenAI for chat, Flows, and analysis. When an operator asks the co-worker a question, the relevant context is sent to the model and an answer comes back. That is inference — the model reads your data in the moment and moves on. Nothing is retained.
Training is the opposite: your data gets absorbed into the model’s weights and shapes future behaviour for every other user. This is what people are rightly nervous about, and it is not what we do. We have this guarantee in writing from our AI providers, covered under our DPA.
We also don’t pool your data with other hotels to generate benchmarks or “market insights” — your data is logically ring-fenced to your group at both the database and application layer, with no cross-tenant access and no blended dataset underneath. If you want comp-set benchmarking, you plug in STR; we don’t reverse-engineer it from other clients.
“How does the AI actually see our data?”
Fair question, and the one most people skip over. If a model is analysing your payroll or your revenue numbers, it has to see them at some point — so where does it go, who sees it along the way, and what happens to it after? Here’s the full path a single query takes:
- The operator asks a question. “Why is pickup down this week?” The query hits our platform over HTTPS.
- We pull only what’s needed. Otel AI queries your ring-fenced database for the specific rows that answer the question — not the whole dataset, just the relevant pickup, segment, and comp-set data. No other group’s data is ever in scope.
- Our Skills do the analytical work. Skills are Otel's business logic, written and reviewed by humans who know hotels, built and maintained by us. They carry the interpretation logic — how to read a pickup trend, how to compare against comp set, how to draft a GM briefing. The model doesn't decide how analysis is done. Our Skills do.
- That context is sent to the model over TLS. Anthropic or OpenAI, depending on the task. Encrypted end-to-end. The model reads it, produces the answer.
- The answer comes back. The input is discarded. We operate both providers under Zero Data Retention agreements: prompts and responses are not stored, not logged for human review, and never enter any training pipeline. Nothing persists on their side after the response is returned.
Two things worth calling out explicitly, because they’re the specific fears behind this question:
- No human at Anthropic or OpenAI ever reads your data. ZDR means no logging, no abuse-monitoring review queue, no engineer dipping into requests. It goes in, it comes back, it’s gone.
- Data minimisation by design. The model never sees your database. It sees the specific context required to answer the question in front of it — and nothing else.
In short: the AI sees your data only for the seconds it takes to answer the question. It’s scoped, encrypted in transit, discarded immediately after, and never available to a human at the provider.
“Where does our data live?”
Every piece of customer data — production databases, backups, reports, cached queries — sits in AWS eu-west-1 (Ireland). That means it stays inside the EU/EEA at all times. No third-country transfers. No SCCs required for European or UK hotels. For regions that require in-country residency (for example KSA), we offer dedicated regional deployment.
Encryption is table stakes, but IT teams always ask, so:
- At rest — RDS PostgreSQL encrypted with AWS KMS (AES-256). S3 buckets use SSE-AES256, with unencrypted uploads blocked at the bucket policy level. Backups and snapshots inherit the same KMS encryption. Employee laptops have full-disk encryption enforced.
- In transit — All client traffic uses HTTPS with TLS 1.2+. Internal service-to-service calls, database connections, and cache traffic are all TLS-encrypted. Your data is never in the clear on the wire, even internally.
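For IT teams who want to see what "unencrypted uploads blocked at the bucket policy level" typically looks like, here is an added example; it is not Otel AI's actual policy or code. The bucket name `EXAMPLE-BUCKET`, the statement IDs and the helper functions are assumptions, and the evaluator models only the two IAM condition operators the sample policy uses.

```python
# Constructed sample policy (bucket name is a placeholder, not from the page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny uploads that ask for any algorithm other than SSE-S3 (AES256).
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {   # Deny uploads that omit the encryption header entirely.
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

def condition_matches(condition, context):
    """Simplified model of the two IAM operators used above (an assumption)."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if op == "StringNotEquals":
                # Negated operators also match when the key is absent.
                ok = actual != expected
            elif op == "Null":
                ok = (actual is None) == (str(expected).lower() == "true")
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def denied_by(policy, action, headers):
    """Return the Sids of Deny statements that match this upload request."""
    context = {f"s3:{k.lower()}": v for k, v in headers.items()}
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and s["Action"] == action
            and condition_matches(s["Condition"], context)]
```

An empty list from `denied_by` means no Deny statement matched, so the upload proceeds to the normal allow checks; any returned Sid means the request is rejected before the object is written.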
Access, traceability, and governance
Secure storage is one half of the picture. The other half is who can see what, and whether you can prove where a number came from. Four things worth flagging:
- Ring-fenced to your group. Every hotel group sits in its own logical tenant, scoped by group ID at the database layer. Per-user permissions layer on top — so a revenue manager at Property A can’t see Property B unless you grant it. Payroll and HR data are permissioned tighter again: typically GM, senior finance, or HR only.
- Every number traceable. We don’t believe in black-box AI for hotels. If Otel AI surfaces an ADR figure, a pickup variance, or a payroll flag, you click through and see the source system, date, and query that produced it. No ticket, no waiting on us.
- You stay in control of actions. Sending an email, publishing a rate, triggering an outbound action — these happen on your terms. In chat, the agent waits for your confirmation. In Flows, it does exactly what you configured when you built the flow.
- ISO 27001 certified, SOC 2 Type I in progress. External auditor’s stamp that the controls above are actually in place and followed. All policies — access control, incident response, sub-processors, DPIA — are published on trust.otelai.com.
Quick reference: IT and cybersecurity Q&A
| Question | Answer |
|---|---|
| Is data encrypted? | Yes — at rest (AWS KMS, AES-256 on RDS and S3) and in transit (HTTPS / TLS 1.2+, including internal service-to-service). |
| Where is data stored? | AWS eu-west-1 (Ireland). Inside the EU/EEA. No third-country transfers. Dedicated regional deployment available for KSA or other residency-sensitive regions. |
| Is our data used to train models? | No. Not ours, not any third-party foundation model. Covered in our DPA, available on request. |
| Does a human at Anthropic or OpenAI ever see it? | No. We operate both under Zero Data Retention. Prompts and responses are not logged, not reviewed by humans, and never used for training. |
| Is data pooled with other hotels? | No. Logically ring-fenced to your group at the database and application layer. No cross-tenant access, no blended benchmarking dataset. |
| Certifications? | ISO 27001 certified. SOC 2 Type I in progress. Full trust centre at trust.otelai.com. |
| Can we trace a number back to source? | Yes. Every figure in a report, alert, or chat response can be clicked through to the source system and query. No black box. |
The bottom line
Your data is yours. We process it to run the product — we don’t train on it, we don’t pool it, we don’t sell insights from it. Everything sits in the EU, encrypted, ring-fenced, and auditable.
Questions we haven’t covered? Book a demo/call or check out our Trust centre: trust.otelai.com