Privacy Policy – HotelsWave (OTA)

Effective date: [DD Month YYYY]

Last updated: [DD Month YYYY]

1) Scope and Purpose

This Privacy Policy describes how personal data is collected, used, disclosed, and protected when the HotelsWave platform, mobile applications, and related services (collectively, the “Services”) are accessed or used. The Policy applies to visitors, account holders, travelers, guests included in a booking, and representatives of hotel partners and suppliers.

2) Controller and Contact Details

  1. Data Controller: [HotelsWave FZ-LLC / Hotels Wave Co. – confirm legal name]
  2. Registered Address: [Address line, City, Country]
  3. Data Protection Contact / DPO: [Name or Role]
  4. Email: [privacy@hotelswave.com]
  5. Telephone: [+XX-XXXX-XXXX]

Requests regarding this Policy or individual rights should be sent to the contact details above.

3) Definitions

  1. “Personal Data” refers to any information that identifies or relates to an identifiable individual, including booking and payment information.
  2. “Processing” refers to any operation performed on Personal Data (such as collection, storage, use, disclosure, deletion).
  3. “Hotels/Accommodation Partners” refers to hotels, apartments, villas, and other accommodation providers offering inventory via the Services.
  4. “Channel/Connectivity Partners” refers to channel managers, PMS, CRS, GDS, metasearch engines, and other technology or distribution partners.

4) Categories of Personal Data Collected

The following categories may be collected directly, from devices, or from partners:

  1. Identity & Contact Data: Full name, government ID/passport details (where required by law or the accommodation), nationality, date of birth (where needed), telephone, email, address.
  2. Booking & Travel Data: Reservation details, dates of stay, room preferences, number of guests, companion names, special requests (including accessibility needs), loyalty identifiers, voucher codes, booking source, change/cancellation records, check‑in/out confirmations.
  3. Payment & Billing Data: Cardholder name, masked card details or tokens, authorization codes, billing address, payment method identifiers, transaction logs, refund records. (Raw card data is not stored where tokenization is in place; storage is minimized and secured when retention is required for chargebacks, fraud investigation, or legal obligations.)
  4. Account & Usage Data: Username, hashed passwords, authentication tokens, language and currency settings, support tickets, communications via email/WhatsApp/chat, referral information, in‑app actions, notification preferences.
  5. Device & Technical Data: IP address, device identifiers, browser and OS, app version, time zone, cookie identifiers, advertising identifiers (where applicable), diagnostic logs, performance telemetry.
  6. Location Data: Approximate location inferred from IP or precise location when device permissions are enabled in the mobile app.
  7. Marketing & Communications Data: Subscription status, campaign engagement, click‑through and open rates, survey responses, review content, satisfaction scores.
  8. Partner & Supplier Data: Business contact details of hotel or supplier staff, contract documents, payment and reconciliation records, API credentials (secured), performance and service metrics.

5) Sources of Personal Data

  1. Direct inputs via websites, apps, chatbots, call center, and email.
  2. Data from Hotels/Accommodation Partners to confirm bookings and stays.
  3. Data from Channel/Connectivity Partners and distribution networks used for availability, pricing, and reservations.
  4. Payment processors and anti‑fraud providers.
  5. Analytics, advertising, and social sign‑in providers (when enabled).
  6. Publicly available sources and lawful third‑party data providers.

6) Purposes of Processing and Lawful Bases

Personal Data is processed for the following purposes (one or more legal bases may apply depending on the jurisdiction):

  1. Providing the Services: Creating and managing accounts, searching availability, completing bookings, issuing confirmations, handling changes/cancellations, and facilitating check‑in/out. Legal bases may include contract performance and legitimate interests.
  2. Customer Support and Communications: Responding to inquiries, troubleshooting, sending service updates, and handling complaints. Legal bases: contract performance and legitimate interests.
  3. Payments and Fraud Prevention: Processing payments and refunds, detecting and preventing fraud and abuse, managing chargebacks, and performing risk checks. Legal bases: contract performance, legitimate interests, and legal obligations.
  4. Compliance with Laws and Regulatory Requests: Meeting record‑keeping, tax, audit, accounting, AML/CFT screening (where applicable), and local guest registration requirements imposed on accommodations. Legal bases: legal obligations and public interest where relevant.
  5. Personalization and Service Improvement: Tailoring content and offers, remembering preferences, improving usability, quality assurance, and product development using aggregated or pseudonymized analytics. Legal bases: legitimate interests and, where required, consent.
  6. Marketing and Promotions: Sending newsletters, offers, and surveys; conducting referral programs and loyalty or rewards programs. Legal bases: consent or legitimate interests, with opt‑out options available.
  7. Security and Platform Integrity: Preventing, investigating, and mitigating security incidents; protecting platform, users, and partners. Legal bases: legitimate interests and legal obligations.
  8. Corporate Transactions: Managing mergers, acquisitions, financing, or reorganization. Legal bases: legitimate interests and legal obligations.

7) Cookies and Similar Technologies

Cookies, SDKs, pixels, and local storage are used for:

  1. Essential operations (session management, authentication, security).
  2. Performance and analytics (traffic measurement, error diagnosis).
  3. Preferences (language, currency, layout).
  4. Marketing and attribution (campaign performance, retargeting where permitted).

Cookie settings can be managed via the Cookie Preferences panel on the website/app (where available) and through browser/device settings. Opt‑outs may affect certain functionalities.

8) Disclosures and Categories of Recipients

Personal Data may be disclosed to:

  1. Hotels/Accommodation Partners to fulfill reservations, verify guest identity where required, and manage stays.
  2. Channel/Connectivity Partners (channel managers, PMS/CRS/GDS, metasearch) for inventory, pricing, and booking orchestration.
  3. Payment Service Providers and acquiring banks for payment processing, tokenization, and fraud checks.
  4. Customer Communications Providers (email, SMS, WhatsApp, in‑app messaging), survey and NPS tools.
  5. Analytics and Technology Vendors supporting hosting, monitoring, logging, testing, and product analytics.
  6. Professional Advisors (legal, audit, compliance, insurance).
  7. Authorities and Regulators when legally required or to protect rights, safety, and property.
  8. Corporate Transaction Counterparties under appropriate safeguards.

Where Hotels/Accommodation Partners receive Personal Data to provide the stay, they generally act as independent controllers for their own legal compliance (e.g., local guest registration). Their privacy practices should be consulted separately.

9) International Transfers

Where Personal Data is transferred to countries with different data protection standards, appropriate safeguards are implemented, such as contractual protections, recognized transfer mechanisms, or other legally approved tools. Copies of the applicable safeguards can be requested through the contact details in Section 2, subject to redactions for confidentiality.

10) Data Retention

Retention is carried out only for the period necessary for the purposes described above, including:

  1. Transaction Records: retained for statutory periods related to tax, accounting, and regulatory requirements.
  2. Customer Support and Dispute Files: retained for limitation periods to establish or defend legal claims.
  3. Marketing Data: retained until unsubscribing/withdrawing consent or until a reasonable inactivity period has elapsed.
  4. Technical Logs: retained for security, diagnostics, and audit for defined rotation windows.

Upon expiry of retention periods, data is deleted or irreversibly anonymized according to secure data disposal procedures.

11) Security Measures

Appropriate administrative, technical, and organizational measures are applied to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include access controls, encryption in transit, secure development and testing practices, network segmentation, monitoring and alerting, staff confidentiality obligations, and vendor due diligence. Residual risk cannot be fully eliminated, but risk is mitigated through layered controls and continuous improvement.

12) Children’s Privacy

The Services are not directed to children below the minimum age required by applicable law to provide online consent. Reservations that include minors should be created and managed by adults. If data regarding a child has been provided without appropriate authorization, removal can be requested via the contact details in Section 2.

13) Rights of Individuals

Depending on the jurisdiction, the following rights may be available:

  1. Access to Personal Data and information about processing.
  2. Rectification of inaccurate or incomplete Personal Data.
  3. Erasure (“deletion”) of Personal Data in specified circumstances.
  4. Restriction of processing in specified circumstances.
  5. Objection to processing based on legitimate interests and to direct marketing.
  6. Portability of Personal Data in a structured, commonly used, machine‑readable format.
  7. Withdrawal of Consent where processing is based on consent, without affecting prior lawful processing.
  8. Complaint to a supervisory authority or relevant regulator.

Requests should be submitted using the contact details in Section 2. Additional information or identity verification may be requested to protect individuals’ data.

California‑Specific Disclosures (where applicable)

  1. There is no intention to engage in “Selling” or “Sharing” of personal information (as defined by California law). Where advertising technologies could be interpreted as “sharing,” opt‑out mechanisms are provided via the Cookie Preferences panel and the email contact in Section 2.
  2. Categories of personal information collected, purposes, and disclosures correspond to Sections 4–8 of this Policy.
  3. Rights under California law, including the right to know, delete, correct, and opt out of certain “sharing,” are respected.

EEA/UK‑Specific Disclosures (where applicable)

  1. The lawful bases described in Section 6 are applied.
  2. For cross‑border transfers, appropriate safeguards are implemented as noted in Section 9.
  3. Contact details for an EU/UK representative (if appointed) can be found here: [Insert Representative Details].

KSA/UAE‑Specific Notes (where applicable)

  1. Local regulatory obligations for guest records and identity verification at accommodations may require disclosure to accommodation partners or authorities.
  2. Local data protection requirements are honored in line with applicable national laws and guidance.

14) Automated Decision‑Making and Profiling

Personalization and risk scoring may be applied to improve search relevance, pricing recommendations, fraud prevention, and service quality. Decisions with legal or similarly significant effects are not made solely by automated means without appropriate human involvement, unless such processing is permitted by law and suitable safeguards are in place.

15) Marketing Communications

Subscription to marketing communications can be managed through unsubscribe links or by contacting the address in Section 2. Service‑critical messages (e.g., booking confirmations, changes, and security notices) will continue to be sent as they are necessary for the Services.

16) Third‑Party Links and Social Sign‑In

Links to third‑party sites and services may be provided. Their privacy practices are not governed by this Policy and should be reviewed separately. Social sign‑in, when used, results in receipt of certain profile attributes under the relevant provider’s terms and privacy settings.

17) Vendor and Partner Management

Service providers and partners are engaged under written contracts imposing confidentiality and data protection obligations aligned with the Services. Sub‑processors handling Personal Data are assessed for security and compliance. A current list of material sub‑processors can be requested via the contact details in Section 2.

18) Changes to this Policy

This Policy may be updated from time to time to reflect changes in the Services, legal requirements, or industry practices. The “Effective date” at the top will indicate the latest version. Continued use of the Services after an update indicates that the updated Policy has been noted.

19) How to Contact Us

Questions, requests, or complaints regarding this Policy or the handling of Personal Data can be directed to:

Email: [privacy@hotelswave.com]

Address: [Address line, City, Country]

Data Protection Contact / DPO: [Name or Role]

Implementation Notes (for publication readiness)

  1. All placeholders (legal entity, address, DPO, dates) need to be replaced before publication.
  2. Linking a Cookie Preferences center and a concise Privacy Summary for in‑app display is considered best practice.
  3. Publishing accommodation partners’ independent controller status in a short FAQ (“Who receives my data?”) would improve transparency.
  4. Jurisdiction‑specific annexes (EEA/UK, KSA, UAE, California) can be added if the platform targets or serves residents in those regions.