Get early access

Privacy

Privacy policy

Bellhop personalizes websites at the edge using search intent and company-level identity, grounded in our customers' own content. This policy explains what data we process, why, and the choices you have.

Last updated: June 22, 2026

Who we are

Bellhop is a product of Dialogue Consulting Pty Ltd ("Bellhop", "we", "us"), an Australian company. Bellhop is a website personalization platform: our customers install a small script on their sites, and we rewrite page content in real time to match each visitor's context. For the personal data we process on behalf of a customer's website visitors, that customer is the data controller and Bellhop acts as their processor. For the data we collect about our own account holders, Bellhop is the controller.

Scope of this policy

This policy covers three kinds of data:

  • Account data — information about the people who sign up for and administer a Bellhop workspace.
  • Visitor data — information processed by the Bellhop runtime when someone visits a website that uses Bellhop, handled on that customer's behalf.
  • Website data — information about how this marketing site (bellhop.marketing) is used.

Data we process

Account data

  • Name and work email address.
  • Workspace and billing details (billing is handled by our payment processor — we do not store full card numbers).
  • Authentication metadata and product usage logs needed to operate and secure the service.

Visitor data (processed for our customers)

  • IP address, used transiently to determine the visitor's likely organization and approximate region. See Company identification.
  • Campaign and intent signals — query parameters such as Google Ads click identifiers and UTM tags, and the referring search context, used to match page content to the visitor's intent.
  • Page and interaction events — the pages viewed, which content zones were personalized, and conversion-style events the customer chooses to track.
  • A first-party identifier stored in the visitor's browser to keep personalization consistent across a session.
  • A salted device-recognition signal. So a returning visitor can be greeted quickly without re-running identification, the runtime derives a short, low-detail signal from the browser (such as its user-agent, language, timezone, and screen size). We never store these raw signals — only a one-way salted hash, kept separately for each customer. See Device recognition.

Bellhop is built for B2B websites. We do not ask customers to send us special-category data, and we do not build cross-site advertising profiles of individuals.

Company identification

A core Bellhop capability is recognizing the organization behind a visit so a page can greet a visitor in context. We resolve a visitor's IP address to a likely company using reputable IP-intelligence providers, then enrich it with public firmographic data such as industry and company size.

This identification is deliberately constrained:

  • Company-level only. We identify the organization, not the individual person. We do not attempt to name, contact, or profile a specific visitor.
  • Confidence-gated. Personalization that references a company name is shown only when our confidence exceeds a customer-configured threshold. Below it, the visitor sees the page's standard content.
  • Public, business-level signals. The firmographic data we use describes organizations, not households or individuals.

Where a customer connects a CRM (for example HubSpot), they may additionally match a known contact identifier they already hold. That matching is performed under the customer's own legal basis and instructions.

Device recognition

A returning visitor is often the same organization we already identified on an earlier visit. To greet them quickly — and to avoid repeatedly querying our identification providers — Bellhop can recognize a returning device from a salted hash of low-detail browser characteristics, and reuse the company or contact context it previously resolved. This accelerates a return visit; it does not identify anyone new.

This is built to be privacy-protective by design:

  • Hashed, never raw. We store only a one-way salted hash, never the underlying signals, and we cannot reverse it back to the device characteristics.
  • Siloed per customer. The hash is salted per customer, so a device is never recognizable across different customers' sites.
  • Short-lived. The recognition record expires automatically — about 30 days by default, and configurable shorter by the customer.
  • Honours opt-out signals. When a browser sends Global Privacy Control (Sec-GPC) or Do Not Track, Bellhop skips computing, reading, and storing the signal entirely — regardless of the customer's settings.
  • Customer-controlled. Customers can turn device recognition off for their site; when off, no signal is computed or stored.
  • Same restraint as company identification. A visible greeting is still confidence-gated, and a coarse first-look match never shows a company name until it is confirmed.

How we use data

  • Personalize pages by matching content to a visitor's search intent and company context.
  • Generate copy grounded in our customer's own content. Bellhop's AI is restricted to the knowledge base a customer provides; it is instructed to use only that material and to cite it. We do not use customer content or visitor data to train third-party foundation models.
  • Run experiments to measure which variations perform best.
  • Provide analytics back to the customer about identified traffic and conversions.
  • Operate, secure, and improve the service, and to bill for it.

Legal bases (GDPR / UK GDPR)

Where European or UK data protection law applies, we and our customers rely on:

  • Legitimate interests — for company-level identification and B2B personalization, balanced against visitor interests. Because identification is company-level, confidence-gated, and free of special-category data, we assess the impact on individuals as low.
  • Contract — to provide the service to our account holders.
  • Consent — where a customer's own cookie or consent banner requires it before personalization runs. Customers are responsible for obtaining any consent their jurisdiction requires.
  • Legal obligation — where we must retain or disclose data to comply with the law.

Cookies & the dataLayer

The Bellhop runtime sets a first-party identifier to keep personalization consistent within a session. It does not set third-party advertising cookies. When a customer enables it, Bellhop can push personalization and identity events into the page's dataLayer so the customer's own analytics and tag manager can use them — those downstream tools are governed by the customer's policies, not this one. This marketing site uses a tag manager for first-party analytics.

Sharing & sub-processors

We do not sell personal data. We share data only with vetted service providers who process it on our instructions:

  • Cloudflare — our infrastructure provider (edge compute, storage, AI inference, and databases).
  • IP-intelligence providers — used to resolve an IP address to a likely organization and enrich firmographics.
  • Payment processor — to handle subscriptions and billing.
  • Email provider — to send transactional and account email.
  • CRM connectors (optional) — only where a customer connects their own CRM, to exchange data they direct us to.

We may also disclose data if required by law, or in connection with a corporate transaction, subject to the protections in this policy.

Retention

We keep account data for as long as a workspace is active and as required to meet legal and accounting obligations. Visitor identification results are cached only for as long as needed to serve consistent personalization and are short-lived by design. We retain aggregated, non-identifying analytics for longer to understand product performance.

Security

Data is encrypted in transit and at rest. Access to production systems is restricted and logged, secrets are encrypted, and each customer's data — including the AI knowledge base used for grounding — is isolated per workspace. No system is perfectly secure, but we work to protect data using industry-standard safeguards.

International transfers

Bellhop runs on globally distributed infrastructure, so data may be processed in countries other than your own. Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses.

Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. For data Bellhop processes on a customer's behalf as a processor, we will forward your request to that customer (the controller) or assist them in responding. For account data, contact us using the details below.

Bellhop also honours browser-level opt-out signals automatically: when your browser sends Global Privacy Control or Do Not Track, we skip device recognition entirely for that visit.

Children's privacy

Bellhop is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16.

Changes to this policy

We may update this policy as the product evolves. When we make material changes, we will update the date above and, where appropriate, notify account holders.

Contact us

Questions about this policy, or want to exercise a right? Email [email protected] and we'll respond. Please tell us which website you visited if your request relates to data we process for one of our customers, so we can route it correctly.