Privacy Policy

HOLM AI is operated by AI STUDIO 10, LLC, a Florida limited liability company, which is the data controller for the personal data described in this policy. Our principal place of business is 830 Brickell Plaza, Miami, FL 33131.

You can reach our privacy team at privacy@useholm.com.

We collect only what we need to provide the service. The main categories are:

• Account data — name, email, company, role and authentication credentials.
• Operator data — listing information, policies, team members and billing details.
• Guest data — names, contact details, messages, ID verification records (if enabled), stay information. Processed on behalf of operators.
• Usage data — how the platform is used, including logs, device information and diagnostics.
• Payment data — handled by our payment processor. We do not store full card numbers.

We process personal data to:

• Provide HOLM’s features — guest comms, field ops, finance, guest experience, growth and AI supervision.
• Authenticate users, bill for the service and prevent misuse.
• Improve and secure the platform with product analytics and operational monitoring.
• Meet our legal obligations, including fraud prevention, tax reporting and responding to lawful requests.

Legal bases under the UK GDPR / EU GDPR include: contract (to deliver the service), legitimate interests (to operate and improve the service responsibly), consent (where required) and compliance with legal obligations.

HOLM uses AI models to assist with guest communication, field operations, finance and governance. All AI actions are bound by per-property policies set by the operator, logged, and reversible.

Where possible, we route AI workloads to providers offering data-residency options within the EU. Guest messages and operational data are processed for the specific purpose of running the service and are not used to train third-party foundation models.

We share personal data only where necessary to provide the service, with categories of recipients including:

• Sub-processors — cloud hosting, observability, email delivery, AI model providers, payment processors. A current list is available from privacy@useholm.com.
• Operators — guest data is processed on behalf of operators who are data controllers for their guests.
• Authorities — where required by law, valid legal process, or to protect HOLM, operators or guests.

We never sell personal data.

We retain personal data only for as long as needed to provide the service and meet our legal obligations. When an account is closed, personal data is deleted or anonymised according to our retention schedule, typically within 90 days of closure, subject to statutory retention requirements for tax and accounting records.

You have rights over your personal data, including access, rectification, erasure, restriction, portability and objection. You can also withdraw consent where we rely on it and lodge a complaint with your data protection authority.

To exercise any of these rights, email privacy@useholm.com. We respond within one month.

HOLM is built with per-tenant isolation at the database level, AES-256 encryption at rest, TLS 1.3 in transit, and strict access controls. We hold SOC 2 Type II and undergo regular penetration testing. Our security practices are detailed in our DPA.

We host customer data in the EU by default. Where we transfer personal data outside the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses and the UK International Data Transfer Addendum.

We’ll update this policy from time to time. Material changes are announced at least 30 days in advance via email to account admins and on this page.