Summary: Hanna AI is built with UK GDPR compliance at its core — not bolted on. Guest data is held securely, access-controlled by venue, automatically flagged for erasure after 24 months of inactivity, and exportable or deletable on request within 30 days.
Data controller and processor roles
When you use the Hanna AI platform as a venue operator, two separate data relationships exist:
- Hanna AI as data controller — for data you provide to us directly (your account details, billing information, demo requests)
- Hanna AI as data processor — for your guests' personal data, which we process on your behalf. You (the venue) are the data controller for your guests' data.
A Data Processing Agreement (DPA) is available on request for venue customers. Email [email protected].
What guest data Hanna AI holds
On behalf of venues using the platform, Hanna AI stores:
- Contact information (name, email, phone)
- Booking history (dates, times, party sizes, occasions)
- Dietary requirements and allergens (explicitly provided by guests)
- Preferences and notes added by venue staff
- Consent records (where applicable)
Hanna AI does not store payment card data — this is handled directly by our payment processor (Paymentsense/Dojo) and is PCI DSS compliant.
Data retention and automated erasure
Hanna AI includes an automated data lifecycle management system:
- Guest records inactive for 24 months are automatically flagged for scheduled erasure
- Flagged records are scheduled for deletion 30 days after flagging
- Venue managers receive notification of flagged records and can act on them
- Financial records required for legal compliance are retained for 7 years
Guest rights — how venues handle them via Hanna AI
The Hanna AI platform includes a Data Subject Rights (DSR) management module that allows venue operators to:
- Access requests — export a complete guest profile including all stored data
- Erasure requests — permanently delete a guest record ("right to be forgotten")
- Rectification — update or correct guest information
- Portability — export guest data in a structured, machine-readable format
Venues are required to respond to guest data requests within 30 days under UK GDPR. The Hanna AI DSR module is designed to make this straightforward.
Data storage and security
- Location: Data is stored on Railway cloud infrastructure. Data residency is subject to Railway's data processing terms — see railway.com/legal/privacy
- Encryption: All data is encrypted in transit (TLS) and at rest
- Access control: Row-Level Security ensures each venue can only access their own guest data
- Staff access: Role-based permissions — kitchen staff cannot access guest personal data
- Audit: All data access and changes are logged
Sub-processors
Hanna AI uses the following sub-processors for guest data:
- Railway — database hosting and infrastructure
- Resend — transactional email delivery (confirmation, cancellation emails)
- Anthropic — AI processing for the Hanna chatbot. Conversation content is processed but not stored by Anthropic
Your rights as a venue operator
As a customer of Hanna AI, you have the same rights over your own account data as described in our Privacy Policy. You also have the right to request a Data Processing Agreement and an audit of how we process your guests' data on your behalf.
ICO registration
Hanna AI Ltd is in the process of completing ICO registration as a data controller. If you have concerns about how we handle personal data, you have the right to contact the ICO directly at ico.org.uk.
Data protection enquiries: [email protected]