Privacy Policy

As of: February 2026


Part 1: Privacy Policy – Website (dialogshift.com)

1.1 Data Controller and Data Protection Officer

Data Controller:

DialogShift GmbH
Torstr. 201
10115 Berlin
Germany
Phone: +49 30 40041715
Email: info@dialogshift.com

Data Protection Officer:

IITR Datenschutz GmbH
Dr. Sebastian Kraska
Marienplatz 2
80331 Munich, Germany
Email: email@iitr.de
Phone: +49 89 18917360

1.2 General Information

This privacy policy explains how DialogShift GmbH processes personal data on the website dialogshift.com and in the course of its business activities.

DialogShift is also the provider of a SaaS platform for AI-powered communication in the hospitality industry. Information about data processing on the DialogShift platform can be found in Part 2 of this privacy policy.

1.3 Hosting

Our website is hosted by Webflow Inc., 398 11th Street, San Francisco, CA 94103, USA. Webflow automatically stores access logs (server log files) with each page view, containing your IP address, the page accessed, date and time of access, and the browser used.

Webflow uses Cloudflare Inc. as a Content Delivery Network (CDN). A technically necessary cookie (_cfuvid) is set to distinguish individual users.

Webflow Inc. and Cloudflare Inc. are certified under the EU-U.S. Data Privacy Framework (DPF), ensuring an adequate level of data protection pursuant to Art. 45 GDPR.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our website).

Our website uses cookies and similar technologies. Technically necessary cookies are set on the basis of our legitimate interest (Art. 6(1)(f) GDPR). For all non-essential cookies and tracking technologies, we obtain your prior consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG).

We use iubenda (iubenda S.r.l., Via San Raffaele 1, 20121 Milan, Italy) to manage consent. iubenda stores your consent decision so that you do not have to be asked again on each visit.

Detailed information about individual cookies can be found in our cookie policy, accessible via the cookie banner.

1.5 Web Analytics and Tracking

Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies to analyse the use of our website. The information generated is typically transmitted to and stored on a Google server within the EU.

Google Analytics 4 does not log or store individual IP addresses. Manual activation of IP anonymisation is not required in GA4. Google is certified under the DPF.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).

Opt-out: You can prevent data collection by Google Analytics by declining consent in the cookie banner or by installing the Google Analytics Opt-out Browser Add-on.

We use Google Ads for conversion tracking and remarketing, and Google Tag Manager for managing website tags. Google sets cookies (including _gcl_au, _gcl_ls) to measure the success of advertising campaigns and to show you interest-based advertisements where applicable.

Provider: Google Ireland Limited. Google is certified under the DPF.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).

1.6 Embedded Content

YouTube

Videos from YouTube (Google Ireland Limited) are embedded on our website. We use the enhanced privacy mode, in which YouTube only sets cookies and collects data when you play a video.

Legal basis: Art. 6(1)(a) GDPR (consent).

1.7 Contact, Support and Demo Booking

Front (Support)

For processing support enquiries and customer communication, we use Front (Front Technologies Inc., San Francisco, USA). When you contact us by email, your message, name and email address are processed in Front. Front is certified under the EU-U.S. Data Privacy Framework (DPF).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in efficient customer communication).

Calendly (Demo Booking)

For booking product demos and consultation calls, we use Calendly (Calendly LLC, Atlanta, USA). When booking an appointment, your name, email address and any additional information you provide are transmitted to Calendly. Calendly is certified under the EU-U.S. Data Privacy Framework (DPF).

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).

DialogShift Webchat

We use our own webchat on our website, through which you can communicate with us directly. Data entered in the chat is processed on our servers at Hetzner in Germany.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a communication channel).

Contact Forms and Email

When you contact us via a contact form or email, the data you provide (name, email address, message content) is processed for the purpose of handling your enquiry.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest).

1.8 Newsletter

For sending our newsletter, we use Customer.io (Peaberry Software Inc., Portland, USA). When you subscribe to our newsletter, your email address is transmitted to Customer.io and stored there for the purpose of delivery. Subscription is completed via a double opt-in process: after entering your email address, you will receive a confirmation email containing a link that you must click to actively confirm your subscription. The transfer of personal data to the USA is based on the Standard Contractual Clauses (SCCs) of the European Commission (Decision 2021/914).

Each newsletter contains an unsubscribe link through which you can revoke your consent at any time with effect for the future. After revocation, your email address will be deleted.

Legal basis: Art. 6(1)(a) GDPR (consent).

1.9 Social Media

We maintain company pages on social networks, in particular LinkedIn and Instagram. When you visit our company pages, the operators of these platforms may collect personal data. Please refer to the privacy policies of the respective platforms for details.

Where we jointly determine the purposes and means of data processing with the platform operators (e.g. LinkedIn Page Insights), joint controllership exists pursuant to Art. 26 GDPR. The essence of the arrangement with LinkedIn is available in the LinkedIn Page Insights Joint Controller Addendum. LinkedIn assumes primary responsibility for fulfilling information obligations and data subject rights towards its members.

1.10 Use of AI Tools in Business Operations

For internal work processes (e.g. text processing, research, communication), we use the following AI services:

  • ChatGPT Enterprise (OpenAI Ireland Ltd., Dublin, Ireland) – Enterprise version with contractual guarantee: data entered is not used to train AI models. OpenAI is certified under the DPF. Processing takes place on EU servers.

In the course of this use, personal data of business contacts (e.g. names, email addresses) may be processed.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the efficient conduct of business processes).

1.11 Business Customers and Contractual Partners

In the course of our business relationships with hotel customers and contractual partners, we process personal data of contact persons. This includes: name, position, email address, phone number, company data and, where applicable, payment data.

Pipedrive (CRM)

For managing our customer relationships, we use Pipedrive (Pipedrive OÜ, Tallinn, Estonia). Pipedrive is based in the EU; no third-country transfer takes place.

Stripe (Payment Processing)

For payment processing, we use Stripe (Stripe Payments Europe Limited, Dublin, Ireland). Stripe processes the data required for payment processing (billing address, payment information).

DocuSign (Contract Signing)

For electronic contract signing, we use DocuSign (DocuSign International (EMEA) Limited, Dublin, Ireland). DocuSign processes name, email address and the contract documents.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract and pre-contractual measures).

Retention period: Data is stored for the duration of the business relationship and subsequently retained in accordance with statutory retention periods (6 years pursuant to § 257 HGB, 10 years pursuant to § 147 AO for tax-relevant documents under German law).

1.12 Job Applications

On our careers page at dialogshift.com/careers, we publish open positions. When you apply, we process the personal data you provide, in particular: name, email address, CV, cover letter and any additional voluntary information.

The data is processed exclusively for the purpose of conducting the application process and is deleted after the process is completed, unless you have consented to longer retention (e.g. for future job openings).

Legal basis: Art. 88 GDPR in conjunction with § 26 BDSG (German Federal Data Protection Act – data processing for employment purposes) or Art. 6(1)(a) GDPR where consent for longer retention has been given.

Retention period: For the duration of the application process, typically up to 6 months after completion.

1.13 Rights of Data Subjects

Under the GDPR, you have the following rights:

  • Access (Art. 15 GDPR): You may request information about your personal data stored by us.
  • Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligation applies.
  • Restriction of processing (Art. 18 GDPR): You may request the restriction of processing.
  • Data portability (Art. 20 GDPR): You may receive your data in a structured, commonly used and machine-readable format.
  • Objection (Art. 21 GDPR): You may object to the processing of your data based on Art. 6(1)(f) GDPR at any time.
  • Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.

To exercise your rights, please contact: info@dialogshift.com

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
(Berlin Commissioner for Data Protection and Freedom of Information)
Friedrichstr. 219, 10969 Berlin, Germany
Email: mailbox@datenschutz-berlin.de
Web: datenschutz-berlin.de

1.14 Data Security

We employ technical and organisational security measures to protect your data against loss, destruction, manipulation and unauthorised access. These include:

  • TLS encryption of all data transmissions
  • Access controls and authorisation concepts
  • Regular security reviews

1.15 Changes to this Privacy Policy

We reserve the right to amend this privacy policy as necessary to reflect changes in legal requirements, technical developments or changes to our services. The current version can always be found on this page.


Part 2: Privacy Policy – DialogShift SaaS Platform/App

2.1 Data Controller and Data Protection Officer

Data Controller:

DialogShift GmbH
Torstr. 201
10115 Berlin
Germany
Phone: +49 30 40041715
Email: info@dialogshift.com

Data Protection Officer:

IITR Datenschutz GmbH
Dr. Sebastian Kraska
Marienplatz 2
80331 Munich, Germany
Email: email@iitr.de
Phone: +49 89 18917360

2.2 Subject Matter and Role

DialogShift provides a SaaS platform for AI-powered guest communication in the hospitality industry. Our products include:

  • Chat AI – AI-powered chatbot (webchat, WhatsApp, Instagram, Facebook Messenger)
  • Phone AI – AI phone assistant
  • Email AI – AI-powered email response support
  • Journey Messaging – Automated messaging to hotel guests
  • Review AI – AI-generated response suggestions for guest reviews

Data Protection Roles

When using our platform, we assume two roles:

a) DialogShift as data controller: For the data of platform users (hotel staff) who register for and use our application, we are the data controller within the meaning of the GDPR.

b) DialogShift as data processor: For the communication data of hotel guests (chat transcripts, phone transcripts, email content, etc.), we act as a data processor pursuant to Art. 28 GDPR on behalf of the respective hotel. The hotel is the data controller in this case. Processing is carried out on the basis of a Data Processing Agreement (DPA) that we conclude with each customer.

2.3 Hosting and Backend Infrastructure

All core processing takes place in our data centre at Hetzner in Germany. We use the following service providers to operate our platform:

Service Provider | Purpose | Server Location | Registered Office
Hetzner Online GmbH | Hosting, data centre | Germany | Germany
OpenAI Ireland Ltd. | AI models (LLM) | Ireland | Ireland (US parent: DPF)
Google Cloud EMEA Ltd. | AI models, Dialogflow | Ireland | Ireland (US parent: DPF)
Microsoft Ireland Operations Ltd. | Cloud infrastructure (Azure) | Ireland | Ireland (US parent: DPF)
Amazon Web Services EMEA SARL | Email delivery, AI models | Frankfurt | Luxembourg (US parent: DPF)
ElevenLabs Poland LLC | Speech synthesis (Phone AI) | Poland | Poland (US parent: DPF)
DeepL SE | Text translation | Germany | Germany

All data is processed exclusively on servers within the EU.

2.4 Communication Services

For specific products, we use additional communication service providers:

Service Provider | Purpose | Server Location
sipgate GmbH | Telephony (Phone AI) | Germany
Link Mobility Austria GmbH | SMS delivery | Austria
tyntec GmbH | WhatsApp delivery (existing customers) | Germany

All communication service providers are based in the EU.

2.5 Categories of Data Processed

Platform Users (Hotel Staff)

When registering for and using the platform, we process: name, email address, login credentials and usage data (e.g. login times, features used).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Guest Data (on behalf of the hotel)

In the course of data processing on behalf of the hotel, the following data may be processed depending on the communication channel:

  • IP address (when using the webchat)
  • Name, email address, phone number
  • WhatsApp ID, Instagram handle, Facebook profile ID (when using these channels)
  • Free-text content from communication (chat, phone, email)
  • Booking data (when using the booking integration)

No guest or user profiles are created. The data is used exclusively to respond to the respective enquiry.

Legal basis: Art. 28 GDPR (data processing on behalf of the hotel). The legal basis vis-à-vis the hotel guest is determined by the hotel as the data controller.

2.6 Use of Artificial Intelligence

DialogShift uses Large Language Models (LLMs) to respond to guest enquiries, including models from OpenAI, Google and Anthropic. AI is used for the following purposes:

  • Automatic response to chat, phone and email enquiries
  • Generation of response suggestions for guest reviews
  • Text translation (via DeepL)
  • Speech synthesis for the AI phone assistant (via ElevenLabs)

Key Data Protection Guarantees

  • No training with customer data: Guest data is not used by any AI provider to train models. This is contractually agreed with all providers.
  • No profiling: No guest or user profiles are created. The AI responds to each enquiry individually without combining data across different sessions.
  • EU processing: All AI requests are processed via European data centres.
  • Contractual safeguards: Data processing agreements pursuant to Art. 28 GDPR are in place with all AI providers.

2.7 Retention and Deletion

Personal data from guest communication is automatically and irreversibly deleted after 90 days. Within this period, the data is retained exclusively for the provision of our services.

LLM providers do not store input data beyond the duration of the individual request (no logging).

Data of platform users (hotel staff) is stored for the duration of the contractual relationship and deleted after contract termination in accordance with the contractual agreements.

2.8 International Data Transfers

All data is processed on servers within the EU/EEA. Some of our technology partners are subsidiaries of US companies. For all these partners:

  • Data processing takes place on EU servers
  • DialogShift contracts with the European entities of these providers
  • All US parent companies are certified under the EU-U.S. Data Privacy Framework (DPF)

The DPF has ensured an adequate level of data protection recognised by the European Commission pursuant to Art. 45 GDPR since July 2023. Certification can be verified at dataprivacyframework.gov.

2.9 Rights of Data Subjects

Platform Users (Hotel Staff)

You are entitled to the rights set out in Section 1.13 (Part 1) under the GDPR. To exercise your rights, please contact: info@dialogshift.com

Hotel Guests

If you wish to exercise your data protection rights as a hotel guest (access, erasure, etc.), please contact the respective hotel, which acts as the data controller. DialogShift supports the hotel in fulfilling data subject requests.

2.10 Data Security

DialogShift implements comprehensive technical and organisational measures (TOMs) to protect personal data. These include:

  • Encryption of data in transit and at rest
  • Authorisation concepts with access restrictions
  • Regular security reviews
  • Contractual safeguards with all service providers

A detailed description of the TOMs is contained in the annex to our Data Processing Agreement (DPA).

2.11 Changes to this Privacy Policy

We reserve the right to amend this privacy policy as necessary. The current version can always be found on this page.


Last updated: February 2026