Privacy Policy

Last updated: 12 May 2026

This Privacy Policy explains how Isla collects, uses, and protects personal information. By using the Isla website, services, or messaging interfaces (including WhatsApp), you agree to the practices described here.

1. Who we are

Isla is a sole proprietorship registered in the Province of Ontario, Canada.

  • Business name: Isla
  • Business Identification Number (BIN): 1001560775
  • Registered owner: Brett Rosenberg
  • Contact: hello@hireisla.com (registered address available on request)

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Isla acts in two distinct roles depending on the context:

  • Data Controller for visitors to hireisla.com and prospects who contact us directly.
  • Data Processor for personal data processed on behalf of our clients (hospitality operators), where the operator is the Data Controller of their own guests' data.

2. What we collect

2.1 Information you give us directly

  • Name, email address, phone number, and company details when you book a demo, contact us, or sign up.
  • Communications you send us (email, WhatsApp, demo calls).

2.2 Information our clients' guests share via WhatsApp

When you message an Isla-powered WhatsApp number operated by one of our clients (for example, Lucia at a villa portfolio), we process on behalf of that client:

  • Your name and WhatsApp phone number, as provided by Meta.
  • The content of your messages, including text, voice notes, images, and documents.
  • Booking-related information shared in conversation (dates, party size, preferences).
  • Any other information you choose to share.

The hospitality operator you are staying with is the Data Controller of this information. Isla processes it on their behalf strictly to deliver the service.

2.3 Information collected automatically

  • Standard website analytics (page views, referrer, approximate location, device type).
  • Error and performance monitoring (we use Sentry to detect application errors).
  • Cookies strictly necessary for the site to function.

3. How we use information

We use personal information to:

  • Deliver the Isla service: respond to guest messages, coordinate operations, handle marketing tasks on behalf of our clients.
  • Communicate with clients and prospects about Isla.
  • Improve the product (in aggregate, never using client or guest data to train AI models).
  • Meet legal, tax, and contractual obligations.
  • Detect, prevent, and respond to fraud, abuse, or security incidents.

We do not sell personal information. We do not use client or guest data to train AI models.

4. Legal basis for processing (GDPR / UK GDPR)

Where GDPR applies, we rely on the following legal bases:

  • Contract — to deliver services to clients and respond to enquiries.
  • Legitimate interests — to operate, secure, and improve our service, where not overridden by your rights.
  • Consent — for marketing communications and any optional cookies, where required.
  • Legal obligation — to comply with tax, accounting, and other applicable law.

For guest data processed on behalf of operators, the operator is responsible for establishing the legal basis (typically contract and legitimate interests) and for obtaining any required consents at intake.

5. Sharing your information

We share personal information only with:

  • Subprocessors that help us deliver the service, under written data processing agreements. Current key subprocessors include:
    • Meta Platforms / WhatsApp Business Platform — message delivery
    • Twilio — WhatsApp Business API infrastructure
    • Anthropic — AI model inference (with zero-retention agreements where applicable)
    • Supabase — database and authentication
    • Vercel — application hosting
    • Inngest — background job processing
    • Sentry — error monitoring
  • Our clients — guest data is shared with the operator whose property you are staying at.
  • Professional advisors — legal, accounting, and similar advisors, under confidentiality.
  • Authorities — where legally required.

A current list of subprocessors is available on request.

6. International transfers

Isla is based in Canada and processes data in Canada, the European Union, the United States, and other jurisdictions where our subprocessors operate. Where personal data is transferred from the EEA or UK to a country without an adequacy decision, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Data retention

  • Prospect and marketing data — retained while the relationship is active and for a reasonable period afterwards, then deleted or anonymised.
  • Client data — retained for the duration of the service contract and for the period required by Canadian and applicable tax law (typically 7 years for financial records).
  • Guest data processed on behalf of operators — retained according to the operator's instructions and deletion policy, and deleted on the operator's request.
  • Website analytics and error logs — retained for up to 12 months.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Request deletion of your information.
  • Object to or restrict certain processing.
  • Withdraw consent at any time, where consent is the legal basis.
  • Receive your data in a portable format.
  • Lodge a complaint with a supervisory authority (in the EU/UK) or the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email hello@hireisla.com. If your data is held on behalf of an operator (e.g. you are a guest), we will forward your request to the operator, who is the Data Controller, and assist them in fulfilling it.

9. Security

We use industry-standard measures to protect personal information, including encryption in transit and at rest, isolated per-client data storage, access controls, and audit logging. No system is perfectly secure; if you believe your data has been compromised, contact hello@hireisla.com immediately.

10. Children

Isla is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to clients directly.

12. Contact

Questions, requests, or complaints:

Isla Attn: Brett Rosenberg hello@hireisla.com