Legal

Privacy Policy

How Kynect Pte. Ltd. (trading as Grevon) collects, uses, and protects personal information.

Operated by Kynect Pte. Ltd. (Grevon)  ·  Version date: 9 June 2026

This Privacy Policy explains how Kynect Pte. Ltd. (UEN 202555619W), a company incorporated in Singapore with its registered office at 8 Marina Boulevard, #29-01, Marina Bay Financial Centre, Singapore 018981, which operates the Grevon platform and brand ("Grevon", "we", "us" or "our"), collects, uses, shares and protects personal information.

1. Who We Are and About This Policy

Grevon provides an AI-agent and integration layer that enables AI Agents to interact with guests and to record bookings in the systems of accommodation and other travel and hospitality providers (each, a "Customer"). This Policy covers our websites, the Grevon platform and services (the "Services"), our APIs, and our dealings with business customers, their authorised users, guests and website visitors.

Contact for privacy matters: privacy@grevon.ai. This Policy forms part of, and should be read with, our Terms of Service, Acceptable Use Policy and Data Processing Agreement, available at www.grevon.ai.

2. Our Two Roles: Controller and Processor

Grevon handles personal information in two different capacities, and which one applies determines who is responsible and how you exercise your rights:

When we are the controller

We act as the controller (we decide why and how data is processed) for: the personal information of our business Customers and their authorised users; people who enquire about or visit our website; and data we process for our own limited purposes such as operating and securing the Services, fraud prevention, billing and legal compliance.

When we are the processor

When a guest interacts with an AI Agent and we process guest personal information to provide the Services to a Customer, the Customer is the controller and Grevon acts as its processor, handling that information on the Customer's behalf and instructions (as set out in our Data Processing Agreement). If you are a guest and you wish to exercise privacy rights over your booking or conversation data, you should contact the Customer (the accommodation or travel provider you booked with); we will assist the Customer as needed. The Customer's own privacy notice governs that data.

3. Personal Information We Collect and Why

(a) Business Customers and their users (we are controller)

Account and contact details (name, business email, phone, role), login credentials, billing and payment-method details, configuration and content you provide, and information about your use of the Services. We use this to provide, secure, support and improve the Services, to manage our relationship and billing, and to comply with law.

(b) Guests (we are processor, on behalf of the Customer)

When guests use AI Agents and the Platform, the following categories of guest personal information may be processed on the Customer's behalf:

This guest information is processed to handle enquiries, create and record bookings into the Customer's systems, support guest communications, and deliver the Services. The Customer determines the purposes of this processing and is responsible for the lawful basis and for informing guests.

(c) Website visitors and enquiries (we are controller)

Contact details you give us, and technical data (such as IP address, device and usage information collected via cookies and similar technologies — see section 13), used to operate our website, respond to enquiries and for analytics and marketing of our own Services.

4. AI Agents, Conversations and Payments

AI interactions. Guests interact with conversational and agentic AI Agents to search, ask questions and complete bookings. The content of interactions with AI Agents operated by Grevon is processed to provide the Services. Conversations conducted through third-party AI Agents take place on those third parties' systems and are not available to Grevon. AI output can be inaccurate or unexpected and is not a substitute for the Customer's own judgement.

Use for improvement and training. Where we analyse use of the Services to operate, secure or improve them — including any training of models — we use aggregated or anonymised data only. We do not use identifiable guest personal information to train our models.

Payments and card data. Payment-card details are captured and tokenised by a PCI DSS-compliant payment provider. Our systems are designed to remain out of scope for full card numbers and other sensitive authentication data, which we do not see, process or store. For voice interactions, payment-card details are captured so that they are not received by the AI Agent and do not enter its prompts, context, logs or training data. The token is stored with the booking record so the Customer's payment processor can take payment.

5. Legal Bases for Processing (where GDPR/UK GDPR applies)

Where we act as controller and the GDPR or UK GDPR applies, we rely on one or more of the following legal bases: contract (to provide the Services and manage our relationship with Customers); legitimate interests (to operate, secure, analyse and improve the Services, prevent fraud, and market our own Services, balanced against your rights); legal obligation (to meet tax, accounting and other legal duties); and consent (for certain cookies and marketing, which you can withdraw at any time). Where we process personal information on behalf of a Customer (for example, guest data processed through the Services), the Customer is responsible for determining and documenting the applicable legal basis for that processing.

6. How We Share Information

We do not sell or rent personal information. We share it only as follows:

7. International Data Transfers

Grevon hosts the Platform using third-party cloud infrastructure providers and may process personal information in, or access it from, the hosting region(s) it uses and the locations of Grevon and its sub-processors (listed at grevon.ai/subprocessors). Where Grevon operates regional hosting, it will seek to host personal information in, or near, the geographic region selected for the relevant Customer. Personal information may nonetheless be accessed from, or processed in, other locations, including for support, security, maintenance, operations and administration purposes, or by certain sub-processors. Where a transfer of personal information protected by European, UK or other data protection laws constitutes a restricted transfer, Grevon uses an appropriate lawful transfer mechanism under applicable data protection laws — such as the Standard Contractual Clauses and the UK International Data Transfer Addendum (and, for Swiss data, the relevant adaptations) — together with supplementary safeguards such as encryption and access controls. Further detail is set out in our Data Processing Agreement.

8. Data Retention

We keep personal information only as long as necessary. For business Customers, we retain account and billing data for the duration of the relationship and as required for legal, tax and operational purposes. For guest data we process on a Customer's behalf, retention is governed by the Customer's instructions and our Data Processing Agreement: on the end of the relationship we delete it (or make it available for retrieval and then delete it), except that we may retain limited data where necessary for the establishment, exercise or defence of legal claims (for no longer than necessary, and ordinarily no more than two years, extended only until a relevant claim is resolved), where required by law, or in routine backups that are deleted on a rolling basis. Aggregated or anonymised data that no longer identifies anyone is not subject to these limits.

9. How We Protect Information

We use appropriate technical and organisational measures designed to protect personal information, including encryption in transit and at rest, access controls, tokenisation of payment-card data, and selecting suppliers that offer appropriate security credentials. No method of transmission or storage is completely secure, but we work to protect information using measures appropriate to the risk.

10. Your Privacy Rights

Depending on where you live and the applicable law (including the EU and UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and other US state laws, Canada's PIPEDA, the Australian Privacy Act, and Singapore's PDPA), you may have rights to: access the personal information we hold about you; correct or update it; delete it; restrict or object to certain processing; data portability; withdraw consent; and not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You also have the right to lodge a complaint with your local data-protection authority.

How to exercise your rights. If we are the controller, contact us at privacy@grevon.ai and we will respond within the time required by applicable law, after verifying your identity. If you are a guest, the Customer (the accommodation or travel provider you booked with) is the controller of your booking and conversation data — please direct your request to that Customer, and we will assist it. We do not discriminate against you for exercising your rights.

11. California and Other US State Privacy Rights

Where the CCPA/CPRA or another US state privacy law applies and we act as a business, you have the rights described in section 10, including to know, delete and correct your personal information and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA. Where we process personal information on a Customer's behalf, we do so as a "service provider" and only for the business purposes set out in our agreement with that Customer.

12. Marketing Communications

We may send business Customers and prospects service updates and marketing about our own Services on an opt-out basis; you can unsubscribe at any time via the email footer or by contacting privacy@grevon.ai. We do not send marketing communications directly to guests; any guest marketing is managed by the Customer.

13. Cookies and Analytics

Our websites and booking pages use essential cookies (for core functionality such as session and login) and analytics cookies to understand and improve performance. We do not use cookies to share data with third parties for cross-context behavioural advertising. You can manage cookies through your browser settings, though some features may be affected. Where required, we obtain consent for non-essential cookies.

14. Children

The Services are intended for use by adults and are not directed to children. Grevon does not knowingly collect personal information directly from children. A guest may nonetheless provide information relating to a child when interacting with an AI Agent (for example, the number or ages of people in a travelling party, room occupancy requirements, or special requests). Such information is ordinarily provided by an adult acting on behalf of the travelling party. Grevon does not have a direct relationship with the child and is generally not in a position to verify parental responsibility or obtain separate parental or guardian consent where information about a child is voluntarily provided during a booking or conversation. Where Grevon processes information relating to a child as part of the Services, it does so on behalf of the relevant Customer in connection with the booking, reservation or guest services being provided. The Customer is responsible for determining the lawful basis for such processing where required by applicable privacy laws. If you believe that information relating to a child has been provided or processed inappropriately, please contact us at privacy@grevon.ai and we will investigate the matter and, where appropriate, assist the relevant Customer in correcting or deleting the information.

15. Changes to This Policy

We may update this Policy from time to time. Where changes are material, we will provide notice (for example via the Platform or by email). The "version date" above shows when it was last updated, and continued use of the Services after an update constitutes acceptance.

16. Contact Us and Complaints

For any privacy question, request or complaint, please contact our privacy team at privacy@grevon.ai, or write to Kynect Pte. Ltd. (Grevon), 8 Marina Boulevard, #29-01, Marina Bay Financial Centre, Singapore 018981. We will investigate privacy complaints and respond to privacy requests within the timeframes required by applicable law. If you are located in the EEA or the UK and are not satisfied with our response, you may also lodge a complaint with your local supervisory authority.