PRIVACY POLICY

1.1 Data Controller: The data controller responsible for your personal data is Viversio Portal, operating under E-Trader License No. 1543186 issued by the Department of Economy and Tourism (DET) in Dubai, United Arab Emirates.

1.2 Scope: This Privacy Policy applies to all users of the HotelCuration.com website ("Platform") and services, regardless of their location. We are committed to protecting your privacy in accordance with applicable global data protection laws, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the General Data Protection Regulation (GDPR) for EU/EEA users, and the California Consumer Privacy Act (CCPA/CPRA) for US residents.

1.3 Contact: If you have any questions about this policy or your data rights, please contact our Data Privacy Officer (DPO) at: privacy@hotelcuration.com.

We collect and process the following categories of personal data:

• Identity Data: First name, last name, date of birth, gender, and title.
• Contact Data: Email address, telephone number, billing address, and residential address.
• Booking Data: Reservation details, travel dates, hotel preferences, special requests (e.g., dietary needs, accessibility), and names of accompanying guests.
• Payment Data: Payment method details (credit/debit card type, last 4 digits, expiry date). Note: We do NOT store full credit card numbers or CVV codes. All payment data is tokenized and processed securely by Stripe.
• Account Data: Username, password (encrypted/hashed), account settings, and booking history.
• Technical Data: Internet Protocol (IP) address, login data, browser type and version, time zone setting, operating system, device type, and unique device identifiers.
• Usage Data: Information about how you use our Platform, including pages visited, search queries, click patterns, time spent on pages, and navigation paths.
• Communications Data: Records of your correspondence with us via email, chat logs, or customer service inquiries.
• Cookie and Tracking Data: Data collected via cookies, pixels, and similar technologies (see Section 12).
• Geolocation Data: Approximate location based on IP address, or precise location if you enable location services on your device.

To provide our services, we utilize a robust technology stack. We are transparent about the third-party service providers who may process your data on our behalf. Each provider is contractually bound to protect your data.

3.1 Infrastructure and Security

• Cloudflare: Used for content delivery (CDN), DDoS protection, and web security. Collects IP addresses and system configuration information to protect the Platform.
  Privacy Policy: https://www.cloudflare.com/privacypolicy/
• Vercel: Provides our web hosting infrastructure. Processes server logs and performance metrics.
  Privacy Policy: https://vercel.com/legal/privacy-policy
• Square Domains: Provides domain registration services. Processes minimal technical data for DNS resolution.
  Privacy Policy: https://squareup.com/us/en/legal/general/privacy

3.2 Hotel Inventory and Booking

• LiteAPI (Nuitée Travel Limited): Our primary technology partner for hotel inventory. We share your Booking Data (name, dates, preferences) with LiteAPI to facilitate your reservation with the hotel.
  Privacy Policy: https://www.liteapi.travel/privacy/

3.3 Payment Processing

• Stripe: Our secure payment processor. Stripe collects and processes Payment Data directly. We only receive a confirmation token and do not have access to your full card details. Stripe is PCI-DSS Level 1 compliant.
  Privacy Policy: https://stripe.com/privacy

3.4 Analytics and Database

• Google Analytics: Used to analyze website traffic and user behavior. Collects Usage Data and uses cookies. You can opt-out via browser settings.
  Privacy Policy: https://policies.google.com/privacy
• Firestore (Google Firebase): Our cloud database for securely storing User Account Data and Booking records.
  Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

3.5 Communications

• Resend: Transactional email service used to send booking confirmations, password resets, and important account notifications. Processes your email address and message content.
  Privacy Policy: https://resend.com/legal/privacy-policy

We process your personal data only when we have a valid legal basis under GDPR, UAE PDPL, and other applicable laws:

4.1 Performance of Contract

We use your Identity, Contact, Booking, and Payment Data to:

• Process and confirm your hotel reservation.
• Process payments and refunds.
• Send you booking confirmations, vouchers, and travel updates.
• Provide customer support related to your booking.

4.2 Legitimate Interests

We use Technical, Usage, and Account Data to:

• Prevent fraud, security breaches, and misuse of our Platform.
• Analyze and improve our website performance and user experience.
• Personalize your search results and recommendations.
• Administer our business operations (troubleshooting, data analysis, testing).

4.3 Legal Compliance

We may process and retain data to:

• Comply with tax, accounting, and financial reporting obligations.
• Comply with anti-money laundering (AML) and know-your-customer (KYC) laws.
• Respond to valid legal requests from law enforcement or regulatory authorities.

4.4 Consent

With your explicit consent, we may use your data to:

• Send you marketing newsletters and promotional offers.
• Place non-essential cookies on your device.

We strictly limit who has access to your data. Your personal data may be shared with:

• Accommodation Providers: The specific hotel you book receives your guest details (name, dates, special requests) to fulfill the reservation.
• Service Providers: Our technology partners listed in Section 3 (LiteAPI, Stripe, Resend, Cloudflare, Vercel, Google) who process data on our behalf.
• Professional Advisors: Lawyers, auditors, accountants, and insurers who provide professional services to us, under confidentiality obligations.
• Legal Authorities: Courts, law enforcement, or government bodies if we are legally required to disclose information or to protect our rights.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity.

6.1 Global Processing: As an international travel platform, your data may be transferred to and processed in countries outside your country of residence. Specifically, your data is processed in the United Arab Emirates (our headquarters), the United States (our technology providers), and the country where your booked hotel is located.

6.2 Transfer Mechanisms: We ensure appropriate safeguards for international transfers in compliance with GDPR Articles 44-50 and UAE PDPL:

• EU/EEA Users: Transfers to the UAE and US are protected by Standard Contractual Clauses (SCCs) or reliance on adequacy decisions where applicable.
• US Providers: Our US-based providers (Stripe, Google, Vercel) participate in the Data Privacy Framework or use SCCs.
• Hotel Transfers: Transfers to hotels are necessary for the performance of the contract between you and the accommodation provider (Derogation under GDPR Art. 49).

We retain your personal data only as long as necessary to fulfill the purposes for which we collected it:

• Booking Records: Retained for 7 years after the transaction to comply with tax, accounting, and legal liability periods.
• Account Data: Retained as long as your account is active. If inactive for 3 years, we may delete or anonymize your account data.
• Marketing Data: Retained until you withdraw your consent (unsubscribe).
• Technical Logs/Analytics: Retained for 26 months (Google Analytics default retention period).
• Payment Data: We do not store full card data. Transaction tokens are retained by Stripe in accordance with their retention policy.

Depending on your location, you have specific rights regarding your personal data:

8.1 GDPR Rights (EU/EEA Users)

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data where no legal ground for retention exists.
• Right to Restrict Processing: Suspend processing of your data in certain scenarios.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time for consent-based processing.

8.2 CCPA/CPRA Rights (California Residents)

• Right to Know: Request disclosure of the categories and specific pieces of personal information collected.
• Right to Delete: Request deletion of your personal information.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: Opt-out of the "sale" or "sharing" of personal information (see Section 9).
• Right to Limit Use of Sensitive Info: Limit the use of sensitive personal information.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

8.3 UAE PDPL Rights

• Right to Access: Obtain information on processing and access to your data.
• Right to Rectification/Erasure: Request correction or deletion of data.
• Right to Restriction/Objection: Restrict or object to processing.
• Right to Lodge Complaint: File a complaint with the UAE Data Office.

To Exercise Your Rights: Please email us at privacy@hotelcuration.com. We will respond within 30 days.

9.1 No Sale of Data: Viversio Portal does NOT sell your personal information for monetary value.

9.2 Sharing for Advertising: Under California law, "sharing" may include sharing data with third parties (like Google Analytics) for cross-context behavioral advertising. We may share technical data for this purpose. You have the right to opt-out.

9.3 Global Privacy Control (GPC): Our Platform is designed to recognize and honor Global Privacy Control (GPC) signals from your browser, automatically opting you out of such sharing.

Our Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@hotelcuration.com.

We implement robust technical and organizational measures to protect your data:

• Encryption: All data in transit is encrypted using TLS/SSL protocols. Data at rest in our databases (Firestore) is also encrypted.
• Access Controls: Access to personal data is restricted to authorized personnel with a business need-to-know, enforced via strong authentication.
• Payment Security: We use Stripe for payment processing, which is certified as a PCI-DSS Level 1 Service Provider. We never store raw credit card data.
• Network Security: Cloudflare provides DDoS protection and web application firewall (WAF) services to defend against cyber threats.
• Audits: We conduct regular security assessments of our infrastructure.
• Breach Notification: In the event of a data breach, we have an incident response plan to notify affected users and regulators within legally required timeframes (e.g., 72 hours under GDPR).

We use cookies and similar tracking technologies to track activity on our Service and hold certain information.

• Necessary Cookies: Essential for the website to function (e.g., session management, security). Cannot be switched off.
• Functional Cookies: Enable enhanced functionality and personalization (e.g., remembering your currency preference).
• Analytics Cookies: Help us understand how visitors interact with the website (Google Analytics).
• Advertising Cookies: Used to deliver relevant advertisements and track ad performance.

You can manage your cookie preferences through your browser settings or our Cookie Consent Manager. For full details, please refer to our Cookie Policy.

13.1 Opt-In: We will only send you marketing emails (newsletters, offers) if you have explicitly opted in to receive them.

13.2 Opt-Out: You can unsubscribe from marketing communications at any time by clicking the "Unsubscribe" link at the bottom of any email or by contacting us.

13.3 Transactional Emails: You cannot opt-out of transactional emails related to your bookings (e.g., confirmation, cancellation, payment receipt) as these are necessary for the performance of our contract with you.

Our Platform may contain links to third-party websites, plug-ins, and applications (e.g., hotel websites, social media buttons). Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the new Privacy Policy on this page and update the "Last Updated" date. If we make material changes, we will notify you via email or a prominent notice on the Platform. Your continued use of the Platform after such changes constitutes your acknowledgment and acceptance of the updated policy.

If you have any questions, concerns, or complaints regarding this Privacy Policy or our data practices, please contact us:

You have the right to lodge a complaint with a data protection authority if you believe we have violated your rights:

• UAE: UAE Data Office
• EU/EEA: List of Data Protection Authorities
• California: California Attorney General