Privacy
Privacy Policy
Effective 2026-05-22 · Reviewed and signed off by the operator before publish (not a template).
This privacy policy explains how Dark Forest Ltd ("we", "us", "the operator") processes personal data when you visit aihotelhub.eu ("the website"). The aihotelhub Telegram bot is a separate service with its own privacy notice inside the bot itself.
1. Controller identity (GDPR Art. 13(1)(a))
Dark Forest Ltd
Chataidzha St 5, 1st floor, 9000 Varna, Bulgaria
Phone: +359 87 826 5088
Email: support@darkforesttarotcards.com
Bulgarian UIK 207107494 · VAT BG207107494
2. Data Protection Officer
We have not appointed a DPO. We assessed Art. 37(1) GDPR criteria: (a) we are not a public authority; (b) our core activities do not consist of regular and systematic monitoring of data subjects on a large scale; (c) we do not process special-category data on a large scale. Therefore appointment is not mandatory. Privacy inquiries are handled by the operator at the contact address above.
3. What we process on this website (Phase 0)
In Phase 0 (the current state of the website), we process the following personal data on aihotelhub.eu:
- Aggregate page-view analytics — collected by self-hosted Plausible on our Frankfurt server. Plausible is cookieless and does not store IP addresses or any cross-site identifier. We see aggregate counts (page views, country at country level, referrer domain). Lawful basis: legitimate interest (GDPR Art. 6(1)(f)) — improving content, operating the site. The interest is balanced against your fundamental rights because we do not identify you, do not cross-link sessions, and do not share data with third parties.
- NGINX server logs — standard HTTP access logs (IP address, requested URL, user-agent, timestamp), retained for 14 days, used for security and abuse detection. Lawful basis: legitimate interest (Art. 6(1)(f)). After 14 days the logs are automatically deleted.
- No cookies of our own in Phase 0. We do not set tracking cookies, advertising cookies, or session cookies on this website. See the Cookies Policy.
4. Future processing (Phase 1) — disclosed now per Art. 13(1)(c)
When Phase 1 of the product launches (Stripe payment integration on this website, user portal for Telegram-deep-linked accounts), we will additionally process:
- Stripe payment data — name, email, payment instrument (token), billing address — collected by Stripe on Stripe-hosted pages. Lawful basis: contract (Art. 6(1)(b)).
- Telegram user ID linkage — to bind your bot account to your website portal session. Lawful basis: contract.
- Billing receipts and invoices — retained for 10 years under Bulgarian commercial and tax law (Закон за счетоводството). Lawful basis: legal obligation (Art. 6(1)(c)).
When Phase 1 ships, this policy will be updated and you will be notified inside the Telegram bot.
5. Recipients of personal data (Art. 13(1)(e))
- Hostinger International Ltd (hosting, Frankfurt data centre) — processor under a data processing agreement.
- Telegram FZ-LLC — only as transport for the bot (not for this website). We treat Telegram as a transport-only layer; we do not rely on Telegram storage as a system of record for user personal data.
- (Phase 1) Stripe Payments Europe Ltd — payment processor.
We do not share data with advertising networks, data brokers, or analytics aggregators.
6. International transfers (Art. 13(1)(f), Arts. 44–49)
- Hostinger Frankfurt: hosting inside the EEA — no third-country transfer.
- Self-hosted Plausible: runs on the same Frankfurt server — no transfer.
- Telegram: Telegram FZ-LLC is incorporated in the UAE. We use Telegram only as a transport channel; PII you submit to the bot is stored in our own EU-based backend (per the bot's privacy policy inside Telegram), not relied upon in Telegram's infrastructure as a system of record.
- (Phase 1) Stripe: where personal data is transferred to Stripe US affiliates, the transfer is covered by Standard Contractual Clauses (Commission Decision 2021/914) and Stripe's EU–US Data Privacy Framework certification, with the SCCs as a fallback in case the DPF adequacy decision is invalidated.
7. Retention (Art. 13(2)(a))
| Category | Retention |
|---|---|
| Aggregate analytics (Plausible) | 12 months |
| NGINX server logs | 14 days, then automatic deletion |
| Phase 1: account / subscription record | Until deletion request, max 10 years for billing records (Bulgarian tax law) |
| Phase 1: payment receipts | 10 years (legal obligation) |
8. Your rights (Arts. 15–22)
As a data subject, you have the following rights under GDPR:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — "right to be forgotten" where applicable.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — export your data in a structured, machine-readable format.
- Right to object (Art. 21) — particularly against processing based on legitimate interest (Section 3 above).
- Right to withdraw consent (Art. 7(3)) — where applicable.
- Right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни / КЗЛД) at www.cpdp.bg, or with the supervisory authority of your habitual residence.
To exercise any of these rights, email support@darkforesttarotcards.com. We respond within 30 days per Art. 12(3); complex requests can be extended by 2 months with notice.
9. Automated decision-making (Art. 22)
This website does not perform automated decision-making with legal or similarly significant effect. The aihotelhub bot uses AI to match hotel deals to your filter; this is recommendation, not a decision affecting your legal status, and you can always ignore the suggestion.
10. No Google Fonts from Google's CDN
Web fonts on this site are self-hosted on our Frankfurt server. We do not load fonts from the Google Fonts CDN, because that would transfer your IP address to Google in the United States — a practice ruled inadmissible by the Munich Regional Court (LG München I, 20 January 2022, Az. 3 O 17493/20).
11. Changes to this policy
We will update this policy when material changes occur (new processors, new lawful bases, retention changes, Phase 1 features). Updated versions take effect on the date stamped at the top. For significant changes, we will notify users via the Telegram bot at least 30 days in advance.
Last reviewed: 2026-05-22. This policy is drafted specifically for the Phase 0 data flows of aihotelhub.eu and is not a template. If you spot something unclear or inaccurate, email us.