Last updated: 2026-05-10
This policy explains what personal data GetMyHotels collects, why we collect it, how we use it, who we share it with, and the rights you have under GDPR, UK-GDPR, the California CCPA/CPRA, and India's Digital Personal Data Protection Act (DPDPA).
GetMyHotels B.V. is the data controller for personal data processed through our website, mobile app, and customer support channels.
Registered address: [legal team to confirm registered address] — Netherlands.
Data Protection Officer: privacy@getmyhotels.com.
Supervisory authorities you can contact in our markets: Information Commissioner's Office (ICO, UK), Commission Nationale de l'Informatique et des Libertés (CNIL, France), Garante per la protezione dei dati personali (Italy), Datatilsynet (Denmark), Agencia Española de Protección de Datos (AEPD, Spain), Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI, Germany), Autoriteit Persoonsgegevens (AP, Netherlands), and other EU member-state authorities. India: the Data Protection Board of India (DPDPA).
Account data: name, email, hashed password, optional phone number (verified via Telnyx OTP), avatar, language/currency/country preference, and address fields you choose to add.
Booking data: travel dates, destinations, traveller details, room/flight/transfer choices, and tokenised payment method references. We never store raw card numbers.
Usage data: device type, OS version, browser, approximate IP-derived location, screens or pages visited, and AI chat interactions. Voice transcripts are kept only for the length of the AI response and then discarded.
Communications: support tickets, AI chat history, and messages exchanged with hotels.
Technical: cookies (essential, preferences, analytics, marketing) — see the cookie policy for details.
Special categories: we do not collect health, biometric, racial, religious, or political data.
Performance of contract (GDPR Art. 6(1)(b)): booking, payment, fulfilment, and customer support.
Legitimate interest (Art. 6(1)(f)): fraud prevention, platform security, anonymised product analytics, and improving our AI assistant. You can object at any time.
Consent (Art. 6(1)(a)): marketing email/SMS/push, non-essential cookies, and using your chat content for AI training. You are opted out of AI training by default; toggle the "ai.training" consent in settings to opt in.
Legal obligation (Art. 6(1)(c)): tax and accounting records, sanctions screening (OFAC/EU/UN), and anti-money-laundering checks for high-value bookings.
Booking partners (suppliers): HotelTrader, Xeni, TBO, and Uber (transfers). They receive only what is needed to fulfil your booking — guest names, dates, and itinerary details.
Hotels and airlines: as data recipients to honour your reservation.
Payments: Stripe (North America), Adyen (EU/UK), Razorpay (India). PCI-DSS compliant. Card data is tokenised and never reaches our servers.
Email delivery: Resend (US) — transactional and (with consent) marketing email.
SMS: Telnyx LLC (US) — phone verification, time-sensitive booking alerts, and (with consent) marketing.
AI inference: Anthropic (US), OpenAI including GPT and Whisper (US), Groq (US), Baseten (US), and Braintrust (US, evals/observability).
Maps and search: Mapbox (US), Google Places (US), and Tavily (US, web search for the assistant).
Hosting and infrastructure: Cloudflare (Workers + Hyperdrive, global), PlanetScale (PostgreSQL, US), and Upstash (Redis cache, global).
Authentication: Better Auth — self-hosted on our infrastructure. No third party receives your credentials.
Authorities: when we are legally required to disclose, or to prevent fraud or harm.
Every sub-processor operates under a data processing agreement. We do not sell your personal data.
Most of our sub-processors are based in the United States. For transfers from the EEA we rely on the European Commission's 2021 Standard Contractual Clauses (SCCs) plus supplementary measures where required.
For transfers from the UK we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs.
For transfers from India we rely on Section 16 of the DPDPA — once the Government of India publishes a list of restricted countries, we will publish our updated transfer mechanism here.
Where adequacy decisions exist (e.g. Canada, Japan, South Korea, the UK as recognised by the EU) we rely on those.
Profile data: while your account is active, plus 30 days after a deletion request to allow recovery.
Booking and invoice records: 10 years, to satisfy tax and accounting obligations across our markets.
Voice transcripts: discarded after the AI response is generated — typically less than 30 seconds.
Anonymised analytics: retained indefinitely.
Consent records: 7 years (DPDPA requirement).
Audit logs: 7 years.
Sanctions-screening matches: 5 years.
Marketing suppression list (unsubscribes / STOP requests): retained indefinitely so we don't accidentally re-contact you.
Access (GDPR Art. 15) — "Download my data" in your profile produces a machine-readable JSON export.
Rectification (Art. 16) — edit your profile directly in the app or web.
Erasure (Art. 17) — "Delete my account" in your profile. There is a 30-day grace period before personal identifiers are removed; bookings and financial records are retained for legal/accounting obligations.
Restriction (Art. 18) — email privacy@getmyhotels.com.
Portability (Art. 20) — same JSON export as Access.
Object (Art. 21) — opt out of marketing in settings; opt out of AI training via the "ai.training" consent toggle.
No solely automated decisions with legal effect (Art. 22) — see section 8.
Withdraw consent (Art. 7(3)) — anytime via settings or by writing to us.
Lodge a complaint with a supervisory authority — ICO (UK), CNIL (FR), Garante (IT), Datatilsynet (DK), AEPD (ES), BfDI (DE), AP (NL), or your local EU member-state authority.
California (CCPA/CPRA): right to know, right to delete, right to correct, right to opt out of sale (we do not sell), right to limit the use of sensitive personal information (we do not collect it).
India (DPDPA): rights to access, correction, erasure, grievance redressal, and the right to nominate a person to exercise your rights in case of incapacity.
Our AI assistant suggests trips, hotels, flights, and itineraries. A human (you) always reviews and confirms the final booking — we do not make solely automated decisions with legal or similarly significant effects.
Voice input is transcribed by OpenAI Whisper and discarded after the response is generated.
Chat content is used to improve our AI assistant only with your explicit consent (the "ai.training" purpose, for which you are opted out by default).
Inference providers (Anthropic, OpenAI, Groq, Baseten, Braintrust) process your queries under enterprise no-training agreements where available.
We use four cookie categories: strictly necessary (always on), preferences, analytics, and marketing. The cookie banner lets you accept all, reject non-essential, or customise per category.
You can change your choices at any time from the "Manage cookies" link in the footer or from settings.
GetMyHotels is not directed at children under 13 (United States) or 16 (European Economic Area). We confirm age at signup.
If we learn that we have collected personal data from a child below the applicable age, we delete the account and any associated data.
Encryption in transit: TLS 1.2 or higher for all client connections.
Encryption at rest: PostgreSQL transparent data encryption on PlanetScale.
Tokenised payments: PCI-DSS compliant via Stripe, Adyen, and Razorpay. Raw card data never touches our infrastructure.
Rate limiting and bot detection on authentication and booking endpoints.
Two-factor authentication available for all accounts (web).
Audit logs of administrative actions, retained for 7 years.
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art. 33.
Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay, in line with Art. 34.
This policy is dated at the top. We plan to email registered users when we make material changes; until that mailer is live, please check this page periodically.
Non-material edits (typos, clarifications) may be made without notice.
Privacy questions, data subject requests, or DPO contact: privacy@getmyhotels.com.
Postal address: [legal team to confirm postal address for written requests].