HotelBuddy Technology OÜ, registry code 16202409, address Pärnu mnt 105, 11312, Tallinn, Harju county, Republic of Estonia (also referred to as “we”, “us” or “our”) is either the controller or processor of personal data of the users of our website. This privacy policy describes how we collect and process users' personal data as a data controller. In case we are operating in the capacity of a data processor, we are operating under the regulation of the relevant data processing agreements in place between ourselves and the data controllers, and in accordance with any applicable legal regulations. For the sake of clarity, as a data processor we only process personal data, which is necessary for our partners (hotels and other accommodation providers) to offer you accommodation and supplementary services. In addition to ensuring any processing of personal data we undertake either as a controller or a processor is in full compliance with applicable legal acts, we are also committed to keep confidential and safe any other data disclosed to us in connection with providing our services.

​Please carefully read this privacy policy before accessing and using our website or any of our services. If you to any extent object to this privacy policy, please discontinue using the website and our services.

We may unilaterally update this privacy policy from time to time, notifying you of such updates on our website and/or through e-mail.

1. PERSONAL DATA WE COLLECT AND PROCESS

In order to achieve the purposes of personal data processing set out in this privacy policy, we may process some or all of the following personal data, whereas the exact set of personal data varies case by case, and whereas we will always follow among other principles the principle of data minimisation, i.e. we will only process what is adequate, relevant and limited to what is necessary in relation to the purposes for which personal data is processed:

• Name;

• Contacts (e-mail address, physical address, phone number)

• Identification document information (photos, document number, expiry date, issuing state);

• Signature;

• Payment details;

• Room number;

• Activity log (regarding use of digital room key, extra services and chat);

• Additional information provided by the user in connection with the booking;

• Feedback;

• Personal data exchanged and disclosed in e-mail correspondence with the user or other relevant third parties in the regular course of providing our services;

• Personal data otherwise exchanged and disclosed in the regular course of providing our services;

We also collect non-personally identifiable information, such as data regarding the length of website visits, click counts and user behaviour, in order to make the website more convenient and for analytical purposes. We only use secure services, for example Google Analytics. We also compile relevant statistical summaries for business purposes, whereby your personal data is converted into non-personal data and stored on secure media. 

2. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING

We process the above personal data as a data processor on behalf of our partners in order to enable them to provide you accommodation and supplementary services and to fulfil their legal obligations. The purposes and legal basis for such processing of personal data are determined by our respective partner (data controller).

We may process the above personal data as a data controller (i.e. in addition to processing personal data as a data processor on behalf of our partners) in order to provide our partners information and statistics related to your preferences, activity history and other personal data processed by us and to provide our users with a user account with all of its functionalities (user preferences, booking history etc.) and to send you newsletters, blog updates, promotional, marketing, and other information. Such processing of personal data takes place only upon your prior consent and you can at any time withdraw your consent. Among other things, you can at any time request the deletion of your user account (see under “Your Rights”) and unsubscribe from our mailing lists by clicking the “unsubscribe” button found in the e-mail. 

In addition, we may process personal data in order to provide our services under our terms of service, e.g. in order to send e-mails or other notices concerning the services we offer, respond to your comments, questions and requests, and to send you technical notices, updates and administrative messages.

In case you send us e-mails, you acknowledge and agree it is necessary for us to process your personal data (including to retain the contents of such e-mails and queries) in order to reply to your e-mails and queries. In such case, your personal data is processed on the basis of our legitimate interest and in order to ensure a smooth customer support process.

We may also process your personal data to fulfil our lawful obligations, e.g. to ensure the protection of your personal data, retain personal data for any periods necessary to fulfil obligations arising from law, and to fulfil any other obligations arising from applicable legal acts.

We may process your personal data in any cases of contractual or other disputes in order to protect our legitimate interests.

We will always ask for your prior consent for the processing of personal data for purposes other than those set out herein. 

3. SECURITY MEASURES

We process personal data only if there is a legal basis and only for legitimate purposes. We use measures and store personal data in a way that ensures the security and confidentiality of personal data. Personal data is accessed only by persons for whom it is necessary in connection with the performance of work duties or to whom the disclosure of personal data is in accordance with this privacy policy or legislation.

We are not responsible for any misuse of your personal data caused by malware on your own computer or other device.

4. RECIPIENTS

We have the right to disclose and transfer personal data without your prior consent to data processors acting on behalf of us and under relevant data processing agreements, and to fulfil our obligations under the law. For the protection of our rights, we have the right to disclose the personal information to third parties, including legal counsels, auditors, etc.

Upon your consent and in compliance with this privacy policy, we may disclose and transfer personal data to our partners (hotels and other accommodation service providers).

5. DELETION AND RETENTION

We retain personal data only for as long as it is necessary for the fulfilment of the purposes described herein, for the protection of our rights or for the fulfilment of our obligations arising from legislation. We limit the processing of your personal data and only process personal data under a strict need basis. 

For the period of 2 years, we retain the above personal data in order to fulfil our obligations before our partners as a data processor. After the above period, we retain your personal data on the basis of your consent and until you have withdrawn your consent by requesting the deletion of your personal data or user account or until you have not used your account for at least 2 years. Upon deletion of your user account, your personal data linked to your user account (user-ID, name, e-mail address, user preferences, booking history etc.) will be permanently deleted. In case there has been e-mail correspondence and/or other communication between us, the personal data in such e-mail correspondence and/or other communication between us will be stored up to 3 years in accordance with our archiving rules, and will be permanently deleted thereafter.

6. YOUR RIGHTS

You may at any time request information from us regarding the processing of your personal data. As further prescribed in applicable legislation, you have or may have the right to:

• request deletion of your personal data and user account, however, we cannot delete personal data which we process as a data processor, unless we are authorised by the data controller; 

• request the rectification of your personal data;

• request the restriction of processing your personal data;

• object to the use of your personal data;

• right to receive the personal data concerning you, which you have provided us, in a structured, commonly used and machine-readable format, and to transmit this data to another controller.

In case we use your personal data on the grounds of your consent, you may at any time withdraw your consent. This will not affect the legality of any previous processing of your personal data.

We will respond to your requests as soon as possible, taking into account the requirements set forth in the applicable law.

7. COOKIES

We use cookies on our website. Cookies are small files that are stored on your computer in order for your web browser to “remember” you and your preferences, so that we can provide you with relevant information, suggestions and to improve user experience. We only use cookies that are necessary for the functioning of the website. 

8. QUESTIONS AND COMPLAINTS

If you have any questions or complaints regarding the processing of your personal data, you can contact us HotelBuddy Technology OÜ (Pärnu mnt 105, 11312, Tallinn, Harju county, Republic of Estonia; hello@hotelbuddy.eu or the Estonian Data Protection Inspectorate (info@aki.ee; +372 627 4135).