Data Processing Statement
Last updated: 5 May 2026
Atlantic AI is a SaaS product and trading name of Bice AG, Switzerland.
Blegistrasse 25, 6340 6340, Switzerland
UID: CHE-114.433.601 · Commercial Register No.: CH-170.3.032.464-4
1. Purpose
This Data Processing Statement describes how Atlantic AI processes customer and operational data when providing SaaS services including onboarding, direct-booking infrastructure, payment orchestration, integrations, analytics, automation, and AI-assisted workflows.
2. Roles
For hotel guest data, booking data, and operational property data, the Customer is generally the controller and Bice AG acts as processor or technical service provider. For billing, tax, security, fraud prevention, accounting, and legal compliance data, Bice AG may act as an independent controller.
3. Processing activities
| Activity | Data involved | Purpose |
|---|---|---|
| Onboarding | Contact, company, billing, hotel, Apaleo setup data | Customer setup, eligibility, subscription creation, configuration |
| Payment and billing | Stripe references, invoice data, VAT details, billing address | Subscription billing, reconciliation, accounting, tax compliance |
| IBE and PMS integration | Inventory, booking, reservation, guest and service data | Direct booking flow, PMS synchronization, folio and service handling |
| Analytics | Aggregated website and booking interaction data | Performance measurement, ROI analysis, service improvement |
| Automation and AI workflows | Operational data, messages, workflow inputs and outputs | Authorized automation, assistance, communication, and execution |
4. Categories of data subjects
- Customer representatives and billing contacts.
- Hotel staff and operational users.
- Hotel guests and booking users where data is processed through connected systems.
- Website visitors and Client Portal users.
5. Sub-processors and third-party systems
Atlantic AI may use third-party systems to provide the Services, including hosting providers, Stripe, Apaleo, Matomo, email providers, n8n workflows, databases, security tools, and infrastructure monitoring. The exact sub-processor list may evolve as the platform develops.
6. Hosting and storage
The platform is designed for European hosting, including infrastructure in Germany and Finland. Databases and operational services may be separated by environment, tenant, service, or integration layer. Backups and logs may be retained for operational resilience, security, and compliance.
7. Security measures
- Role-based access and restricted operational access.
- Encrypted transport via HTTPS/TLS where applicable.
- Database-level access control and operational separation.
- Monitoring of infrastructure health, workflow execution, and error states.
- Best-effort hardening of integrations and credentials.
8. Customer responsibilities
The Customer is responsible for lawful collection and use of guest data, PMS configuration, consent and notice obligations toward guests, access rights in connected systems, staff permissions, business rules, automation configuration, and internal security practices.
9. Deletion and return of data
Upon termination or justified request, data may be deleted, exported, anonymized, or retained where necessary for legal, billing, accounting, dispute, backup, or security reasons. Exact procedures may depend on the connected systems and the Customer’s subscription status.
10. Incidents
If Bice AG becomes aware of a security incident affecting Customer data, it will take reasonable steps to investigate, mitigate, and notify affected Customers where legally required and operationally feasible.
11. Data processing agreement
This statement is a public summary. Enterprise customers may request a dedicated Data Processing Agreement where required for procurement, compliance, or controller-processor documentation.
This statement is prepared for website publication and should be reviewed by Swiss counsel before production use.