Legal

Privacy Policy

Last updated: May 23, 2026

Note: This is a starter draft of Goho's privacy policy. Before publishing it on your live site, we strongly recommend having it reviewed by qualified legal counsel familiar with the data protection laws in the jurisdictions where you operate (GDPR, CCPA, and any sector-specific obligations relevant to hospitality data). Placeholders marked with [ ] need to be filled in with your actual company details.

1. Definitions

To keep things simple, the terms below have specific meanings throughout this policy:

  • "Goho," "we," "us," "our" — refers to [Goho Inc. / Goho Ltd.], the entity that controls the processing of personal data described in this policy.
  • "You," "your," "data subject" — any individual whose personal data we process. This includes visitors to our website, account holders on our platform, and people we communicate with.
  • "Platform" or "Service" — Goho's AI-powered review platform for hotel brand standards, including the web application, dashboards, APIs, and any associated reports we generate.
  • "Website" — Goho's marketing and product website at [goho.ai] and any subdomains we operate.
  • "Personal data" — any information that identifies you directly or that can reasonably be combined with other data to identify you.
  • "Processor" — a third-party service provider that processes personal data on our behalf under our instructions and a written data-processing agreement.

2. Who we are and how to contact us

Data controller

The data controller for your personal data is:

  • Company name: Goho Inc.
  • Registered address: 45 Park Ln S, Jersey City, 07310

Getting in touch

For any privacy-related question, including requests to exercise your rights, you can reach us at privacy@goholabs.com. We aim to respond within 30 days.

3. When, why, and how we process your data

We process personal data in a few distinct situations. For each, we describe what we collect, why we collect it, the legal basis (under the GDPR where applicable), and how long we keep it.

3.1 When you visit our website

When you browse [goho.ai], we use cookies and similar technologies to keep the site secure, measure how it's used, and improve the experience. The data collected may include your IP address, device and browser information, the pages you visit, and the path you take through the site.

Our legal bases:

  • Strictly necessary cookies — Article 6(1)(f) GDPR, our legitimate interest in operating a functional, secure website.
  • Analytics and marketing cookies — Article 6(1)(a) GDPR, your explicit consent collected via our cookie banner.

For details about specific cookies and their lifetimes, see our Cookie Policy [link]. You can withdraw your cookie consent at any time through the cookie settings link in our footer.

3.2 When you create an account on the Platform

To create a Goho account, we collect your name, work email address, company affiliation, job title, and a password you choose. If you subscribe to a paid plan, we also collect billing details — though full payment card information is handled by our payment processor (Stripe) and never stored on Goho's systems.

We use this data to provide you access to the Platform, secure your account, support your team's use of the Service, send service-related notifications, and bill you correctly.

Legal basis: Article 6(1)(b) GDPR — the processing is necessary to perform our contract with you and your organization.

Retention: We keep account data for as long as your account remains active, plus 24 months after deactivation to handle billing reconciliation, tax/accounting obligations, and to allow account restoration if you change your mind. Some accounting records may be retained longer where required by applicable tax law.

3.3 When you upload floor plans, drawings, or design documents

Goho's core function is to review architectural drawings, floor plans, and design specification packets against hotel brand standards. When you upload a document, we extract its visual and textual contents and send them to one or more of our AI processors (listed in section 5) for analysis.

Floor plans and architectural drawings typically do not contain personal data, but in rare cases they may include items such as the name of the architect of record, contact details on a title block, or annotations by named reviewers. We process this incidental personal data only insofar as it is contained in documents you choose to upload.

  • We do not use your uploaded documents to train our models or our providers' models.
  • Our AI processors process the document in real time and do not retain it after the review is complete.
  • Generated reports are stored on the Platform and remain available to your team for the duration of your subscription.

Legal basis: Article 6(1)(b) GDPR — performance of our contract with you.

Retention: Uploaded documents and generated reports are retained for the lifetime of your subscription plus a 90-day grace period after termination, to allow data export. You can delete a project at any time from your dashboard.

Before uploading material containing sensitive personal data, please redact it. Goho's review service is not designed to process special categories of personal data under Article 9 GDPR.

3.4 When you communicate with us

If you contact us by email, through a form on our website, via chat, or through any other channel, we process the contents of your message and your contact details to handle your inquiry. Common reasons include support requests, sales conversations, partnership outreach, and press inquiries.

Legal basis: Article 6(1)(f) GDPR — our legitimate interest in responding to inquiries and maintaining our business relationships.

Retention: Correspondence is retained for up to 5 years after the most recent contact, then deleted unless we have a specific reason to keep it longer (for example, an ongoing dispute or legal obligation).

3.5 When you receive marketing communications

If you opt in to our newsletter or product updates, we use your name, email address, and any role or company information you've provided to send relevant communications about Goho's product, hospitality industry insights, and events.

Legal basis: Article 6(1)(a) GDPR — your consent. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email, or by emailing us.

Retention: Your subscription data is retained until you unsubscribe, plus 24 months to honor suppression-list obligations and avoid re-marketing to you in error.

3.6 When you interact with us on social media

When you follow, message, or engage with Goho's presence on platforms such as LinkedIn, X (Twitter), or YouTube, we may see and process the information those platforms make available to us, including your profile information, comments, and reactions.

Please note that each social media platform also processes your data under its own privacy policy, separate from this one.

Legal basis: Article 6(1)(f) GDPR — our legitimate interest in maintaining a professional presence on industry platforms.

4. How we keep your data safe

We take reasonable organizational, technical, and administrative measures to protect personal data. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256) on our managed infrastructure.
  • Role-based access control and least-privilege principles for our team's access to production data.
  • Audit logging of access to systems containing personal data.
  • Encrypted, geographically redundant backups with defined retention periods.
  • Regular review of security practices and dependencies, including periodic third-party assessment.
  • Employee training on data protection and incident response.

No internet-connected system is perfectly secure. If you transmit confidential or sensitive information to us, please use the secure channels available within the Platform rather than unencrypted email.

5. Processors and international transfers

We rely on a small set of carefully vetted third-party providers to operate Goho. Each processor is bound by a data-processing agreement that obligates them to handle your data only on our instructions and to maintain appropriate security measures.

Amazon Web ServicesCloud hosting & storage
StripePayment processing
OpenAILLM & VLM processing
AnthropicLLM processing
Google CloudInfrastructure & models
HubSpotCRM & email
Google WorkspaceInternal collaboration
GitHubSource code & CI

If we engage a new processor, we'll update this list with a reasonable opportunity for you to object before they begin processing your data.

5.1 International transfers

Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. When we transfer personal data to such locations, we rely on one of the following safeguards:

  • An adequacy decision adopted by the European Commission under Article 45 GDPR;
  • The European Commission's Standard Contractual Clauses (SCCs) adopted under Article 46 GDPR, together with supplementary measures where appropriate.

You can request a copy of the safeguards we rely on for a specific transfer by emailing privacy@goholabs.com.

5.2 Business changes

If Goho is involved in a merger, acquisition, financing, or sale of assets, your personal data may be transferred to the relevant counterparty as part of that transaction. Where required, we will notify you in advance.

6. Your rights

Subject to the applicable data protection laws, you have the rights listed below. To exercise any of them, contact us at privacy@goholabs.com. We may need to verify your identity before responding.

RightWhat it means
AccessRequest a copy of the personal data we hold about you.
RectificationAsk us to correct inaccurate or incomplete personal data.
ErasureAsk us to delete your personal data, where there is no overriding reason for us to keep it.
RestrictionAsk us to limit how we process your personal data in specific circumstances.
PortabilityReceive certain personal data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
ObjectionObject to processing based on our legitimate interests, including for direct marketing purposes.
Withdraw consentWhere processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
Automated decisionsNot be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except as permitted by law.

7. Filing a complaint

If you believe we have not handled your personal data properly, we'd appreciate the chance to address it directly — please reach out at privacy@goholabs.com.

You also have the right to lodge a complaint with the data protection supervisory authority in your country of residence, work, or where the alleged infringement occurred. For users in the European Union and EEA, contact details for each national supervisory authority are listed on the European Data Protection Board's website at edpb.europa.eu/members.

8. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices, new product features, or legal requirements. The "Last updated" date at the top of the page will reflect the most recent revision. If we make material changes, we'll notify active users through the Platform or by email before the changes take effect.