This Privacy Policy explains how Me-San Group PTE ("ME-SAN," "we," "us," or "our") collects, uses, shares, and protects personal data when you use the ME-SAN platform. We are committed to safeguarding your privacy and handling your data with transparency and care. By using our services, you acknowledge that you have read and understood this Privacy Policy.
1. Introduction
Me-San Group PTE is a company incorporated in the Republic of Singapore. We operate a global software-as-a-service (SaaS) platform designed for the hospitality industry, connecting hotels, their guests, and local experience and service providers through intelligent automation, AI-powered concierge services, and a curated marketplace.
This Privacy Policy applies to all users of the ME-SAN platform, including hotel operators, guests, and local partners, regardless of their geographic location. It describes the types of personal data we collect, the purposes for which we process it, and the rights available to you under applicable data protection legislation.
We process personal data in compliance with the European Union General Data Protection Regulation (GDPR), the Singapore Personal Data Protection Act 2012 (PDPA), and other applicable privacy laws in the jurisdictions where we operate.
2. Data Controller
For the purposes of applicable data protection legislation, the data controller is:
Me-San Group PTE
Republic of Singapore
Email: privacy@me-san.com
Where ME-SAN processes personal data on behalf of a hotel operator (for example, guest data obtained through a property management system integration), the hotel operator acts as the data controller and ME-SAN acts as the data processor. In such cases, data processing is governed by the terms of our data processing agreement with the hotel operator.
3. Data We Collect
We collect different categories of personal data depending on how you interact with the ME-SAN platform.
3.1 Hotel Operators
When you register as a hotel operator, we collect:
- Contact information: name, email address, phone number, and job title of authorised representatives.
- Property details: hotel name, address, star rating, room types, amenities, and descriptions.
- Commission and settlement information: bank account details for receiving marketplace commission payouts.
- Usage data: login activity, feature usage, dashboard interactions, and platform analytics.
- Onboarding data: information extracted from your publicly available website to assist with account setup.
3.2 Guests
When you interact with the ME-SAN platform as a guest, we may collect:
- Identity information: name, email address, and phone number.
- Stay details: check-in and check-out dates, room type, and booking reference, obtained from the hotel's property management system (PMS) via integrations such as Cloudbeds.
- Booking history: records of services and experiences booked through the platform.
- Preferences: language preferences, dietary requirements, activity interests, and other personalisation data you provide or that is inferred from your interactions.
- Communications: messages exchanged with the AI concierge, including questions, requests, and feedback.
- Payment information: mobile payment details for deposits on marketplace bookings, processed securely via our payment partners.
3.3 Local Partners
When you register as a local partner, we collect:
- Business information: business name, registration number, address, and description of services offered.
- Contact information: name, email address, and phone number of authorised representatives.
- Service listings: descriptions, pricing, availability, images, and terms for listed services and experiences.
- Commission and payment data: commission rates, earnings records, bank account details, and transaction history.
4. How We Use Data
We use the personal data we collect for the following purposes:
- Platform operation: To create and manage accounts, facilitate bookings, process payments, and deliver the core functionality of the ME-SAN platform.
- AI concierge personalisation: To power our AI concierge with relevant guest information, enabling personalised recommendations, responses to enquiries, and proactive service suggestions tailored to each guest's stay.
- Booking management: To process reservations for local experiences and services, manage availability, and coordinate between hotels, guests, and local partners.
- Analytics and reporting: To generate insights for hotel operators through the Intelligence Hub, including upsell revenue tracking, guest engagement metrics, and concierge performance analysis. Analytics data presented to hotel operators is aggregated and does not identify individual guests unless necessary for service delivery.
- Communication: To send transactional messages (booking confirmations, pre-arrival information, post-stay follow-ups), platform notifications, and service-related updates.
- Platform improvement: To analyse usage patterns, diagnose technical issues, and improve the quality and reliability of our services.
- Legal compliance: To comply with applicable laws, regulations, and legal obligations, and to protect the rights and safety of ME-SAN and its users.
5. AI and Automated Processing
The ME-SAN platform includes an AI-powered concierge that uses guest data to provide personalised recommendations, answer questions, and facilitate service bookings. The AI concierge processes the following data to deliver its services:
- Guest stay details and booking history to understand context and preferences.
- Previous conversations to maintain continuity and relevance across interactions.
- Hotel-specific information (amenities, policies, local area details) to provide accurate, property-specific responses.
- Local partner listings and availability to recommend relevant experiences and services.
The AI concierge is designed to assist and enhance the guest experience. It does not make fully automated decisions that produce legal effects or similarly significant effects on individuals. All bookings initiated through the AI concierge require guest confirmation before processing.
Hotel operators retain full oversight of AI concierge interactions and can review, configure, or override AI-generated responses at any time through the ME-SAN dashboard.
6. Legal Bases for Processing (GDPR)
Where the GDPR applies, we process personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): Processing is necessary to deliver the services you have requested, including account management, booking facilitation, payment processing, and AI concierge interactions.
- Legitimate interests (Article 6(1)(f)): Processing is necessary for our legitimate interests, including platform improvement, fraud prevention, analytics, and ensuring platform security. We balance these interests against your rights and freedoms and do not process data where our interests are overridden by the impact on you.
- Consent (Article 6(1)(a)): Where required, we obtain your explicit consent before processing personal data, such as for optional marketing communications or the use of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
7. Data Sharing
We share personal data only where necessary for the operation of the platform and in accordance with this Privacy Policy. We do not sell personal data to third parties.
7.1 Between Hotels and Guests
Guest data (name, contact details, stay information, preferences, and concierge interactions) is shared with the hotel where the guest is staying or has a confirmed booking. This sharing is necessary to deliver personalised hospitality services and manage the guest relationship.
7.2 Between Hotels and Local Partners
When a guest books an experience or service through the platform, relevant booking details (guest name, booking date, service specifics, and any special requirements) are shared with the local partner fulfilling the service. Hotels receive transaction and commission data related to bookings made by their guests.
7.3 Payment Processing
When a guest pays a deposit for a marketplace booking via mobile payment, the transaction is processed by our payment partners in accordance with their own privacy policies. ME-SAN does not store full credit card numbers or mobile payment credentials on its servers. Commission settlements to hotels are processed via bank transfer.
7.4 PMS Integration (Cloudbeds)
For hotels that connect their property management system, we integrate with PMS providers such as Cloudbeds to synchronise guest data, booking information, and room availability. Data exchanged through these integrations is used solely to deliver platform services and is processed in accordance with this Privacy Policy.
7.5 No Sale of Personal Data
ME-SAN does not sell, rent, or trade personal data to third parties for their marketing or advertising purposes. We do not participate in data broker networks or share personal data with advertisers.
8. International Transfers
Me-San Group PTE is based in Singapore and operates a global platform. As a result, personal data may be transferred to and processed in countries outside of your country of residence, including Singapore and other jurisdictions where our infrastructure, service providers, or partners are located.
Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, we implement appropriate safeguards to protect your data, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with our service providers that include equivalent contractual protections.
- Organisational and technical measures to ensure data security during and after transfer.
You may request a copy of the safeguards we use for international data transfers by contacting us at privacy@me-san.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required by law.
- Active account data: Personal data associated with active hotel operator, guest, and local partner accounts is retained for the duration of the account's active engagement with the platform.
- Guest data: Guest data held on behalf of hotel operators is retained in accordance with the hotel's own data retention policy. Hotels may configure retention periods through the ME-SAN dashboard.
- Post-termination: Upon account termination, ME-SAN provides a 30-day data export window during which you may download your data. After this period, personal data is securely deleted or anonymised, except where retention is required for legal, accounting, or regulatory purposes.
- Transaction records: Financial transaction data may be retained for up to seven years to comply with applicable tax, accounting, and regulatory requirements.
10. Security
ME-SAN implements robust technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security practices include:
- Encryption in transit: All data transmitted between your device and the ME-SAN platform is protected by 256-bit SSL/TLS encryption.
- Encryption at rest: Personal data stored on our servers is encrypted at rest using industry-standard encryption algorithms.
- SOC 2 compliance: ME-SAN maintains SOC 2 Type II compliance, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with multi-factor authentication and role-based permissions enforced across our systems.
- Regular audits: We conduct periodic security assessments, penetration testing, and vulnerability scans to identify and address potential threats.
- Incident response: We maintain a documented incident response plan and will notify affected users and relevant authorities in the event of a data breach, in accordance with applicable legal requirements.
11. Your Rights (GDPR)
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction that provides equivalent data protection rights, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
- Right to data portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format, or transmit it directly to another controller where technically feasible.
- Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time.
To exercise any of these rights, please contact us at privacy@me-san.com. We will respond to your request within 30 days. If we require additional time, we will notify you of the extension and the reasons for the delay.
You also have the right to lodge a complaint with your local data protection supervisory authority.
12. PDPA (Singapore) Compliance
As a Singapore-incorporated company, ME-SAN complies with the Personal Data Protection Act 2012 (PDPA) and its amendments. Under the PDPA:
- We collect, use, and disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and for which we have obtained consent, or as otherwise permitted under the Act.
- We provide individuals with access to their personal data held by ME-SAN and the ability to request corrections, in accordance with the Access and Correction Obligations under the PDPA.
- We protect personal data in our possession with reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal.
- We do not retain personal data longer than necessary for the purposes for which it was collected, and we dispose of it in a manner that prevents unauthorised access.
- We do not transfer personal data outside of Singapore unless we ensure that the receiving jurisdiction provides a comparable standard of protection, or adequate contractual safeguards are in place.
Our Data Protection Officer can be reached at privacy@me-san.com for any enquiries or complaints related to the handling of personal data under the PDPA.
13. Cookies
The ME-SAN platform uses cookies and similar technologies to enhance your experience. We categorise our cookies as follows:
- Essential cookies: These are strictly necessary for the platform to function. They enable core features such as authentication, session management, and security. These cookies cannot be disabled without impacting platform functionality.
- Analytics cookies: We use analytics cookies to understand how users interact with the platform, which features are most used, and where improvements can be made. Analytics data is collected in anonymised or aggregated form and is not used to identify individual users.
- No third-party advertising cookies: ME-SAN does not use third-party advertising cookies. We do not serve targeted advertisements on the platform, and we do not permit third-party advertisers to place cookies through our services.
You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may affect your ability to use the platform.
14. Children
The ME-SAN platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete that data from our systems.
If you are a parent or guardian and believe your child has provided personal data to ME-SAN, please contact us at privacy@me-san.com so we can take appropriate action.
15. Changes to This Policy
ME-SAN may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will provide at least 30 days' advance notice by email or through a prominent notice on the platform before the changes take effect.
Your continued use of the platform after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree with the revised policy, you may terminate your account before the changes become effective.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
16. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Me-San Group PTE
Republic of Singapore
Email: privacy@me-san.com
Data Protection Officer
Email: privacy@me-san.com
We aim to respond to all enquiries within 30 days. For urgent data protection matters, please include "URGENT" in your email subject line.