Policies
Platform-wide rules. Overrides per org are possible via Feature flags.
Content safety
What Bell AI is allowed (and forbidden) to say to guests.
Never quote competitor prices
Block outputs matching competitor hotel names + price patterns
Never make legal promises
Refuse to guarantee outcomes on claims, refunds, insurance
No medical advice
Redirect to pharmacy / hospital info articles instead
Profanity filter (guest side)
Mask guest profanity before storing; alert staff
PII masking
Patterns auto-masked in logs, analytics, and AI prompts.
Credit cards
PAN detected via Luhn + masked → **** **** **** 1234
IBAN
Masked → FR76 **** **** **** **** **** 123
Passport number
Regex-based detection + mask
Phone numbers
E.164 detection, keep last 4 digits
Data retention
How long each data type is kept before soft then hard delete.
Chat messages
Retained 2 years, then anonymized (GDPR Art. 5)
Audit log
Retained 5 years, immutable, cold-storage-backed
Guest profiles
Retained 3 years after last stay
Webhook payloads
Retained 30 days (debug), then purged
AI model allowlist
Models allowed per plan. Override per-org via Feature flags.
Starter plan
Haiku (cheapest) · Sonnet for escalated chats only
Growth plan
Sonnet default · Opus for 10% of conversations
Scale plan
Opus default · custom fine-tuned per org available
Authentication
Session, MFA and SSO requirements.
MFA for Bell admin
Required — no login without TOTP
Session duration (staff)
8 hours then re-auth required
Session duration (Bell admin)
2 hours then re-auth required
Idle timeout
30 minutes of inactivity → auto logout