GuestIdenty

Privacy Policy

Under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), Zenyon s.r.o. adopts this Privacy Policy.

This Privacy Policy applies to all users (hereinafter "You") of the online identity verification service operated by Zenyon s.r.o. (hereinafter the "Service"), marketed as GuestIdenty, who, upon receiving a personalised verification link from an accommodation provider ("Host"), submit a photograph of their identity document and a selfie for the purpose of guest registration.

This document provides information on the following:

I. Roles and Contact Information

Data Controller of guest registration data

The Host (the accommodation provider — hotel, guesthouse, short-term rental operator, or similar) who provided You with the verification link is the Data Controller of the personal data extracted from Your identity document and required for fulfilling their legal obligation of guest registration under the Convention Implementing the Schengen Agreement and the applicable national law of the country in which You are accommodated.

The Host is solely responsible for informing You of the purposes of processing of Your guest-registration data, for any subsequent storage, transmission to competent authorities, and retention of that data after it is delivered to them.

Data Controller of the biometric verification process

For the biometric verification step itself — namely the matching of Your selfie against the photograph on Your identity document, liveness detection, deepfake detection and video injection attack detection — the Data Controller is:

Zenyon s.r.o., Továrenská 14, Bratislava, Slovak Republic.

For inquiries regarding data protection, please use the following contact details:

Sub-processors

In delivering the Service, Zenyon s.r.o. relies on the following sub-processors:

Personal data of guests is not transferred to any third country outside the European Economic Area.

II. Purpose of Processing, Legal Basis, and Scope of Data

Purpose

The purpose of the Service is twofold:

  1. Biometric identity verification of the natural person submitting an identity document, by comparing biometric data (the facial image on the document) with a current photograph (selfie) of that person, including detection of liveness, deepfake and video injection attacks, in order to provide assurance that the document is genuine and that the person presenting it is its rightful holder.
  2. Extraction of the legally required guest-registration data from the identity document and transmission of only those fields to the Host, who needs them in order to comply with their statutory guest-registration obligation.

The verification result is an automated decision made by biometric algorithms. As the Service merely produces an assurance score that the Host then uses to decide whether to accept You as a guest under their own normal procedures, this does not constitute automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR.

Legal basis

The legal basis for processing differs by category of data:

You may withdraw Your consent to biometric processing at any time by contacting us at the addresses provided above. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. If You withdraw consent before completing verification, the verification session will be terminated and any data already collected will be deleted. If You decline to provide consent, the Service cannot be used; the Host may then ask You to verify Your identity by other lawful means.

If You are submitting personal data on behalf of another data subject (for example, a family member or co-traveller), You are fully responsible for ensuring that the data subject has provided their explicit consent for processing their data for the purposes set out in this Privacy Policy and has been informed of all necessary details, including the recipients of the personal data.

Scope of data processed

Upon uploading the identity document and selfie, the Service temporarily processes:

From the data above, only the minimum set of fields legally required for guest registration is transmitted to the Host. Typically these are: first name, surname, date of birth, nationality, document type, document number, document expiry date, and the verification timestamp. The selfie, the document images, the extracted document portrait and the full machine-readable zone (MRZ) raw content are not transmitted to the Host and are not made available to the Host in any form.

III. Retention and Deletion

The Service is designed to operate on a near-stateless basis. Your images and biometric data are processed only for the duration strictly necessary to complete the verification and are deleted immediately upon completion of the verification process, in particular:

What Zenyon does retain, for the purposes of accountability and fraud prevention, is an operational audit log containing no personal data of guests — only metadata such as a verification identifier, timestamp, anonymous outcome (pass / fail), and which Host the link belonged to. This log is retained for 12 months and then deleted.

After the guest-registration data has been delivered to the Host, all further retention, storage, sharing with competent authorities, and eventual deletion of that data is the sole responsibility of the Host as the Data Controller for that processing.

IV. Hosting, Security, and Transfers

The Service runs on cloud infrastructure provided by Lovable AB, with processing resources located within the European Union. The biometric processing components provided by Innovatrics are operated on infrastructure within the European Union. No personal data of guests is transferred outside the European Economic Area.

Zenyon s.r.o. has implemented adequate technical, organisational, and security measures to protect personal data, taking into account the risks, the nature of processing, the latest technology and the cost of implementation, including:

Personal data will not be disclosed to any third party other than the Host (as described above) and the disclosed sub-processors, unless legally required (for example, in response to a lawful order from a competent supervisory or law-enforcement authority).

V. Your Rights

As a data subject under GDPR, You have the right:

Because Zenyon s.r.o. does not retain Your document images, selfie, biometric data or extracted guest-registration data after the verification has been completed and delivered, requests for access, rectification, portability or erasure relating to data already transmitted to the Host should be addressed directly to the Host as the Data Controller for that data.

You may exercise Your rights in respect of the biometric verification step by contacting Zenyon s.r.o. at the contact details provided above.

If You believe that the processing of Your personal data violates Your rights or the Data Protection Act or the GDPR, You may submit a complaint to Zenyon s.r.o. at Továrenská 14, Bratislava, Slovak Republic, or to the Office for Personal Data Protection of the Slovak Republic at Hraničná 12, 820 07 Bratislava 27, Slovak Republic; www.dataprotection.gov.sk; statny.dozor@pdp.gov.sk.

VI. Changes to this Privacy Policy

Zenyon s.r.o. may change or modify this Privacy Policy at any time, in particular with regard to legislative changes in the area of personal data protection. If we do so, we will inform You by posting the modified Privacy Policy in the Service or by other appropriate means of communication.

This Privacy Policy is governed by the laws of the Slovak Republic.

Effective date: 28 May 2026.