HotelsByDay Privacy Policy

Effective Date: March 12, 2026
Last Updated: February 12, 2026

1. Introduction

Hotels By Day LLC ("HotelsByDay," "we," "us," or "our") operates the website www.hotelsbyday.com and related mobile applications (collectively, the "Platform"). We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information.

Data Controller: Hotels By Day LLC, 64 Beaver Street - Box 514, New York, NY 10004

This Privacy Policy explains:

What personal information we collect and why
How we use and share your information
Your privacy rights and choices
How we protect your information

By using our Platform, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our services.

2. Information We Collect

We collect information in three ways: (1) information you provide directly, (2) information collected automatically, and (3) information from third parties.

2.1 Information You Provide

Booking Information: When you make or attempt to make a reservation, we collect:

Full name
Email address
Phone number
Billing address
Payment information (credit card details processed through our PCI-DSS compliant payment processor)
Special requests or preferences

Account Information: If you create an account:

Username and password
Profile preferences
Travel history
Saved payment methods

Communications: When you contact us:

Messages, feedback, or inquiries you send
Customer support interactions
Survey responses

Newsletter Subscriptions: Your email address when you subscribe to marketing communications

2.2 Information Collected Automatically

Device Information:

IP address
Browser type and version
Operating system
Device type and identifiers (mobile device ID, advertising ID)
Time zone settings
Referring/exit pages
Date and time stamps
Screen resolution

Usage Information:

Pages viewed and features used
Search queries
Booking patterns
Click-through behavior
Session duration

Location Information:

Approximate location derived from IP address
Precise geolocation (with your consent) when using mobile app features

Collection Technologies:

We use the following technologies to collect information:

Cookies: Small text files stored on your device that help us recognize you, remember preferences, and analyze site usage. See our Cookie Policy below for details.
Web Beacons/Pixels: Invisible images embedded in emails and web pages that tell us when content has been viewed.
Log Files: Server logs that record technical information about your interactions with our Platform.
Session Recording: We use heat mapping and session replay tools to analyze user behavior and improve our Platform. These tools record mouse movements, clicks, scrolling, and pages visited. Each recording captures your IP address and timestamp. Recordings are anonymized and used solely for Platform optimization.
Analytics Tools: We use Google Analytics and similar services to understand Platform usage patterns.

2.3 Information from Third Parties

We may receive information from:

Hotel partners and booking platforms (including Expedia Group): Confirmation details, stay information, loyalty program data
Payment processors: Transaction verification and fraud prevention data
Advertising partners: Campaign performance metrics
Social media platforms: If you connect your social media account
Data verification services: To validate contact information and prevent fraud

3. How We Use Your Information

We use your personal information for the following purposes, based on the legal grounds specified:

3.1 To Provide Our Services (Contractual Necessity)

Process and fulfill hotel reservations
Communicate booking confirmations, modifications, and cancellations
Send reminders and notifications about upcoming stays
Provide customer support
Process payments and prevent fraud

3.2 To Improve Our Platform (Legitimate Interest)

Analyze user behavior and preferences
Conduct research and analytics
Test new features and functionality
Optimize Platform performance
Enhance user experience

3.3 Marketing and Communications (Consent/Legitimate Interest)

Send promotional emails and newsletters (only with your consent)
Provide personalized recommendations
Display targeted advertisements
Conduct surveys and market research
Inform you of special offers relevant to your interests

3.4 Legal and Security (Legal Obligation/Legitimate Interest)

Comply with legal obligations and government requests
Enforce our Terms of Service
Detect, prevent, and investigate fraud and security incidents
Protect the rights, property, and safety of HotelsByDay, users, and third parties
Maintain records for tax and accounting purposes

3.5 Automated Decision-Making

We may use automated systems for:

Fraud detection: Analyzing booking patterns to identify suspicious activity
Dynamic pricing: Adjusting prices based on demand, seasonality, and inventory
Personalized recommendations: Suggesting hotels based on search history and preferences

You have the right to object to automated decision-making that significantly affects you. Contact us to exercise this right.

4. How We Share Your Information

We do not sell your personal information. We share information only as described below:

4.1 Hotel Partners

When you book a reservation, we share necessary information with the hotel:

Your name, contact details, and payment information
Booking dates, room type, and special requests
For non-refundable bookings: credit card details shared directly with hotel
For refundable bookings: payment processed by us; limited information shared

4.2 Service Providers

We engage third-party companies to perform services on our behalf:

Payment processors: Stripe, PayPal (PCI-DSS compliant)
Cloud hosting: AWS, Google Cloud Platform
Email services: SendGrid, Mailchimp
Analytics: Google Analytics, Mixpanel
Customer support: Zendesk, Intercom
Fraud prevention: Sift, Kount
Advertising platforms: Google Ads, Facebook Ads, programmatic advertising networks
Session recording: Hotjar, FullStory

These providers are contractually obligated to protect your data and use it only for specified purposes.

4.3 Booking Platform Partners

We work with distribution partners like Expedia Group to expand our hotel inventory. When you book through our Platform, limited information may be shared with these partners to fulfill your reservation.

4.4 Legal Requirements

We may disclose information when required by law or in response to:

Court orders or subpoenas
Government or regulatory requests
Legal proceedings or investigations
Protection of our rights or the rights of others

4.5 Business Transfers

If HotelsByDay is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change.

4.6 With Your Consent

We may share information for other purposes with your explicit consent.

5. International Data Transfers

HotelsByDay is based in the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate.

For European Economic Area (EEA) Users: When we transfer your data outside the EEA, we ensure appropriate safeguards through:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions for specific countries
Binding Corporate Rules where applicable

For UK Users: We comply with UK GDPR using equivalent transfer mechanisms.

For Other Jurisdictions: We implement appropriate safeguards consistent with applicable data protection laws.

6. Cookies and Tracking Technologies

6.1 What Are Cookies?

Cookies are small text files placed on your device that enable website functionality and collect information about your browsing activities.

6.2 Types of Cookies We Use

Cookie Type	Purpose	Duration	Can Be Disabled?
Strictly Necessary	Enable core Platform functionality (e.g., shopping cart, login)	Session/1 year	No - required for Platform operation
Performance	Analyze Platform usage and performance (e.g., Google Analytics)	2 years	Yes
Functional	Remember preferences and settings	1 year	Yes
Advertising	Deliver targeted ads and measure campaign effectiveness	1-2 years	Yes

6.3 Third-Party Cookies

Our Platform uses third-party cookies from:

Google Analytics (Privacy Policy)
Facebook Pixel (Privacy Policy)
Google Ads (Privacy Policy)

6.4 Managing Cookies

Browser Settings: You can control cookies through your browser settings:

Cookie Consent Manager: Use our cookie preference center (accessible via the cookie banner or footer) to manage non-essential cookies.

Opt-Out Tools:

Google Analytics: Opt-out browser add-on
Network Advertising Initiative: Opt-out tool
Digital Advertising Alliance: Opt-out portal

Note: Disabling cookies may limit Platform functionality.

6.5 Do Not Track and Global Privacy Control

We honor Global Privacy Control (GPC) signals for California residents as an opt-out of the "sale" or "sharing" of personal information.

Traditional "Do Not Track" browser signals are not uniformly implemented across browsers, but we respect GPC and similar standardized privacy signals.

7. Targeted Advertising and Your Choices

We use your information to show you relevant advertisements on our Platform and third-party websites.

7.1 How It Works

We and our advertising partners collect information about your browsing activity to:

Show you ads for hotels you viewed
Display ads based on your interests
Measure ad campaign effectiveness
Limit how many times you see the same ad

7.2 Opting Out of Targeted Advertising

Platform-Specific Opt-Outs:

Facebook: Ad Settings
Google: Ad Settings

Industry Opt-Out Tools:

Digital Advertising Alliance: Consumer Choice Page
Network Advertising Initiative: Opt-Out Tool
European Interactive Digital Advertising Alliance (EU users): Your Online Choices

Mobile App Settings:

iOS: Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track"
Android: Settings > Google > Ads > Opt out of Ads Personalization

Note: Opting out means you'll still see ads, but they won't be personalized based on your activity.

8. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

8.1 Retention Periods

Data Type	Retention Period	Rationale
Booking Information	7 years after transaction	Tax, accounting, legal compliance
Account Information	Until account deletion + 30 days	Service provision, fraud prevention
Marketing Emails	Until you unsubscribe + 30 days	Compliance with opt-out requests
Session Recordings	12 months	Platform optimization
Analytics Data	26 months	Google Analytics default; performance analysis
Customer Support Records	3 years	Quality assurance, legal protection
Payment Information	Not stored (tokenized by processor)	PCI-DSS compliance

8.2 Deletion and Backups

When you request deletion:

Active data is deleted within 30 days
Backup systems may retain data for up to 90 additional days for disaster recovery
Data required for legal compliance (e.g., tax records) is securely archived and deleted when the legal retention period expires
Anonymized and aggregated data may be retained indefinitely

9. Your Privacy Rights

Depending on your location, you have specific rights regarding your personal information.

9.1 Rights for All Users

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your information (subject to legal retention requirements)
Opt-Out of Marketing: Unsubscribe from promotional emails at any time

9.2 Additional Rights for EEA/UK Users (GDPR)

Data Portability: Receive your data in a machine-readable format
Restriction of Processing: Request that we limit how we use your data
Object to Processing: Object to processing based on legitimate interests
Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
Lodge a Complaint: File a complaint with your local data protection authority

Relevant supervisory authorities:

UK: Information Commissioner's Office (ICO) - ico.org.uk
EU: Find your authority at edpb.europa.eu

9.3 Additional Rights for California Residents (CCPA/CPRA)

California residents have the following rights:

Right to Know:

Categories of personal information collected
Sources of personal information
Purposes for collection and use
Categories of third parties with whom we share information
Specific pieces of personal information collected

Right to Delete: Request deletion of personal information (subject to exceptions)

Right to Correct: Request correction of inaccurate personal information

Right to Opt-Out: Opt-out of the "sale" or "sharing" of personal information for targeted advertising

Right to Limit: Limit the use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes beyond service provision)

Right to Non-Discrimination: Not receive discriminatory treatment for exercising CCPA rights

Right to Opt-In: For minors under 16, we obtain affirmative opt-in consent before "selling" or "sharing" personal information (we do not knowingly collect information from users under 18)

Note on "Sale" and "Sharing": Under CCPA, "sale" includes sharing data for monetary or other valuable consideration, and "sharing" includes cross-context behavioral advertising. We share information with advertising partners, which may constitute "sharing" under CCPA. Use the "Do Not Sell or Share My Personal Information" link in our footer to opt out.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf by providing written authorization.

9.4 Additional Rights for Other Jurisdictions

We respect privacy rights under applicable laws worldwide, including:

Canada (PIPEDA)
Brazil (LGPD)
Australia (Privacy Act)
Other jurisdictions with comprehensive privacy laws

9.5 How to Exercise Your Rights

Self-Service Portal: Access, download, or delete your data by logging into your account and visiting Settings > Privacy & Data

Email Request: Contact us via our Contact Us page

Verification: To protect your privacy, we will verify your identity before processing requests. We may ask for:

Email confirmation
Account credentials
Government-issued ID (for sensitive requests)

Response Time:

GDPR requests: 30 days (extendable by 60 days for complex requests)
CCPA requests: 45 days (extendable by 45 days with notice)

Fees: Requests are generally free. We may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests.

10. Security Measures

We implement industry-standard security measures to protect your information:

10.1 Technical Safeguards

Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Payment Security: PCI-DSS Level 1 compliant payment processing; we do not store full credit card numbers
Access Controls: Role-based access; multi-factor authentication for employees
Network Security: Firewalls, intrusion detection, regular vulnerability scans
Secure Development: Security testing integrated into development lifecycle

10.2 Organizational Safeguards

Employee training on data protection and privacy
Confidentiality agreements with staff and contractors
Regular security audits and assessments
Incident response plan
Limited data retention policies

10.3 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

Notify affected users without undue delay (within 72 hours for GDPR; as required by applicable US state laws)
Report to relevant authorities as required by law
Provide information about the breach and steps you can take to protect yourself

While we implement robust security measures, no system is 100% secure. Please use strong passwords and protect your account credentials.

11. Children's Privacy

11.1 Age Restrictions

Our Platform is not intended for individuals under 18 years of age. You must be a legal adult to book hotel accommodations through our services.

11.2 No Knowing Collection from Minors

We do not knowingly collect personal information from anyone under 18. Our booking process includes age verification requiring users to confirm they are 18 or older.

11.3 COPPA Compliance

We do not knowingly collect information from children under 13. If we learn we have collected information from a child under 13, we will delete it immediately.

11.4 Parental Notice

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately via our Contact Us page, and we will delete the information within 30 days.

12. Third-Party Links and Services

Our Platform may contain links to third-party websites, including:

Hotel partner websites
Travel review sites
Social media platforms
Affiliate partners

This Privacy Policy does not apply to third-party sites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies before providing personal information.

Hotel Partners: When you book through our Platform, you may be subject to the hotel's own privacy policy. Check with individual hotels for their data practices.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

Changes in our practices
New legal requirements
Platform updates
User feedback

13.1 Notice of Changes

Material Changes: We will provide prominent notice at least 30 days before changes take effect, via:

Email notification (to registered users)
Banner notice on our Platform
Updated "Last Updated" date at the top of this policy

Non-Material Changes: Minor updates will be reflected in the "Last Updated" date.

13.2 Continued Use

Your continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

14. Contact Us

14.1 Privacy Questions and Requests

For privacy-related inquiries, to exercise your rights, or to submit a complaint:

General Contact: Contact Us Page

Legal/IP Matters: [email protected]

Mail:
Hotels By Day LLC
Privacy Officer
64 Beaver Street - Box 514
New York, NY 10004
United States

14.2 Response Time

We aim to respond to all inquiries within 5 business days for general questions and within the timeframes specified in Section 9.5 for rights requests.

14.3 EEA/UK Representative

For data protection matters in the European Economic Area or United Kingdom, you may also contact our EU/UK representative (if appointed) at the address provided on our website.

15. Accessibility

We are committed to making this Privacy Policy accessible to all users. If you need this policy in an alternative format (large print, audio, Braille, etc.), please contact us via our Contact Us page.

16. State-Specific Privacy Rights

16.1 California Privacy Rights

See Section 9.3 for CCPA/CPRA rights.

Shine the Light: California residents may request information about personal information disclosed to third parties for their direct marketing purposes (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for their direct marketing purposes.

16.2 Nevada Privacy Rights

Nevada residents may opt-out of the "sale" of covered information (NRS 603A). We do not sell covered information as defined by Nevada law. To exercise Nevada rights, contact us at the address in Section 14.

16.3 Virginia, Colorado, Connecticut, Utah Privacy Rights

Residents of states with comprehensive privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) have rights similar to CCPA, including:

Right to access
Right to delete
Right to correction
Right to opt-out of targeted advertising and sales
Right to data portability

16.4 Other State Rights

Additional state-level privacy laws may apply. Contact us to exercise rights under your state's privacy law.

17. Marketing Preferences

17.1 Email Marketing

Subscription: When you provide your email address for newsletters or promotions, you consent to receive marketing emails from HotelsByDay.

Content: Marketing emails may include:

Special offers and discounts
New hotel listings
Travel tips and inspiration
Platform updates

Frequency: Approximately 2-4 emails per month (you can adjust frequency preferences in your account settings)

Unsubscribe: Click the "unsubscribe" link in any marketing email or update preferences in your account settings. Unsubscribe requests are processed within 48 hours (up to 10 business days as permitted by law).

17.2 Transactional Emails

You will continue to receive essential service emails related to your bookings, account, and security, even if you opt out of marketing emails.

17.3 SMS/Text Messages (If Applicable)

If we offer SMS services in the future, you can opt-out by replying "STOP" to any text message. Standard message and data rates apply.

18. Your California Privacy Rights - "Do Not Sell or Share"

Notice: We share personal information with advertising partners for targeted advertising purposes, which may constitute "sharing" under California law.

Opt-Out: Click the "Do Not Sell or Share My Personal Information" link in our website footer or toggle off advertising cookies in our cookie preference center.

Global Privacy Control: We automatically honor GPC browser signals for California residents as an opt-out request.

Categories of Information Shared:

Device information and identifiers
Browsing behavior and interactions
Demographic information

Categories of Third Parties:

Advertising networks
Social media platforms
Analytics providers

We do not sell or share information of users we know to be under 16.

19. European Economic Area and UK Specific Information

19.1 Legal Basis for Processing

We process your personal information under the following legal bases:

Contract: To fulfill our agreement when you book a hotel
Consent: For marketing communications and non-essential cookies
Legitimate Interest: For Platform improvement, analytics, fraud prevention, and certain marketing activities (balanced against your rights)
Legal Obligation: To comply with tax, accounting, and other legal requirements

You have the right to object to processing based on legitimate interest.

19.2 Data Controller

Hotels By Day LLC is the data controller responsible for your personal information. Contact details are provided in Section 14.

19.3 Data Protection Officer

For complex data protection matters, you may contact our Data Protection Officer (if appointed) at [email protected] or via our Contact Us page.

19.4 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113

EU: Find your Data Protection Authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en

19.5 Automated Decision-Making and Profiling

We use limited automated decision-making for fraud prevention purposes. If a booking is automatically flagged or declined due to suspected fraud, you have the right to:

Obtain human intervention
Express your point of view
Contest the decision

19.6 International Transfers from EEA/UK

When we transfer your data outside the EEA/UK, we use:

Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms that require recipients to protect your data to European standards
Adequacy Decisions: For countries recognized by the EU Commission as providing adequate data protection (e.g., certain countries)
Additional Safeguards: Technical measures such as encryption and access controls

You may request a copy of the safeguards we have in place by contacting us.

20. Data Minimization and Privacy by Design

20.1 Data Minimization Principle

We collect only the personal information necessary to provide our services and fulfill the purposes outlined in this Privacy Policy. We do not collect data "just in case" it might be useful in the future.

20.2 Privacy by Design

Our Platform is built with privacy considerations at every stage:

Default settings are privacy-protective
Data protection impact assessments for new features
Regular privacy audits
Employee privacy training
Vendor privacy due diligence

20.3 Purpose Limitation

We use your information only for the purposes disclosed in this Privacy Policy. If we wish to use your data for a new purpose not covered here, we will update this policy and, where required, obtain your consent.

21. Sensitive Personal Information

21.1 Definition

Sensitive personal information includes data such as:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health data
Sex life or sexual orientation
Social Security numbers or government identifiers (beyond what's required for booking)

21.2 Limited Collection

We do not intentionally collect sensitive personal information except in specific circumstances:

Health/Accessibility Requests: If you voluntarily provide information about disabilities or health conditions to arrange accessible accommodations
Payment Information: Account numbers may be processed by our payment processor but are immediately tokenized

21.3 Consent and Protection

When we process sensitive information:

We obtain your explicit consent (where required by law)
We implement enhanced security measures
We limit access to authorized personnel only
We retain it only as long as necessary

22. Business Transfers and Corporate Transactions

22.1 Mergers and Acquisitions

If HotelsByDay is involved in a merger, acquisition, reorganization, asset sale, bankruptcy, or similar corporate transaction, your personal information may be transferred to the successor entity.

22.2 Notice of Transfer

In such events, we will:

Provide notice via email (to registered users) and Platform announcement at least 30 days before the transfer
Inform you of your options, including data deletion before transfer (subject to legal retention requirements)
Require the successor entity to honor the commitments in this Privacy Policy or provide you with notice of changes

22.3 Due Diligence

During negotiations, we may share information with potential buyers under strict confidentiality agreements.

23. Marketing Analytics and Attribution

23.1 How We Track Marketing Effectiveness

To understand which marketing channels bring users to our Platform, we use:

UTM Parameters: URL tags that identify traffic sources
Referral Tracking: Information about which website or ad led you to us
Conversion Tracking: Pixels and cookies that track whether you complete a booking after seeing an ad
Multi-Touch Attribution: Analysis of all marketing touchpoints in your journey

23.2 Marketing Partners

We work with these types of marketing service providers:

Search engine advertising platforms (Google Ads)
Social media advertising (Facebook, Instagram, Twitter)
Affiliate networks
Email marketing platforms
Influencer and content marketing platforms

23.3 Opting Out of Marketing Analytics

To limit marketing tracking:

Use browser privacy settings and ad blockers
Opt out of cookie-based tracking via our cookie preference center
Use the opt-out links in Section 7.2

24. Account Deletion and Data Erasure

24.1 Deleting Your Account

You may delete your HotelsByDay account at any time:

Self-Service: Log in to your account > Settings > Account > Delete Account

Request Deletion: Contact us via our Contact Us page

24.2 What Happens When You Delete Your Account

When you delete your account:

Your profile and preferences are immediately deactivated
Personal information is deleted within 30 days
Booking history is retained for 7 years for legal/accounting purposes but is disassociated from your account
Anonymized analytics data may be retained indefinitely
Backup copies are purged within 90 days

24.3 Information We Must Retain

Even after deletion, we may retain certain information:

Transaction records (legal/tax requirements)
Fraud prevention records
Information necessary for legal claims or compliance
Anonymous or aggregated data

24.4 Reactivation

If you attempt to create a new account with the same email address within 30 days of deletion, you may be able to reactivate your previous account instead.

25. Cookies and Similar Technologies - Extended Details

25.1 First-Party vs. Third-Party Cookies

First-Party Cookies: Set by HotelsByDay to enable basic Platform functionality

Session management
Shopping cart
Authentication
Preferences

Third-Party Cookies: Set by our partners for analytics and advertising

Google Analytics (performance tracking)
Facebook Pixel (ad targeting)
Advertising network cookies

25.2 Cookie Duration

Session Cookies: Deleted when you close your browser Persistent Cookies: Remain until they expire or you delete them

Cookie Name	Type	Purpose	Duration	Provider
hbd_session	Strictly Necessary	Maintains login session	Session	HotelsByDay
hbd_preferences	Functional	Saves user preferences	1 year	HotelsByDay
_ga	Performance	Google Analytics tracking	2 years	Google
_fbp	Advertising	Facebook ad personalization	3 months	Facebook
hbd_consent	Strictly Necessary	Stores cookie consent choices	1 year	HotelsByDay

This is a partial list. For a complete cookie inventory, visit our cookie preference center.

25.3 Local Storage and Similar Technologies

Beyond cookies, we may use:

Local Storage: Browser-based storage for user preferences and cache
IndexedDB: For offline functionality in our mobile app
Device Fingerprinting: For fraud prevention (limited use)

25.4 Mobile App Tracking

Our mobile app may collect:

Advertising IDs (IDFA on iOS, AAID on Android)
App usage analytics
Crash reports
Push notification tokens

You can control mobile tracking through your device settings (see Section 7.2).

26. User Generated Content and Public Features

26.1 Reviews and Ratings (If Applicable)

If we offer hotel review features in the future:

Your name or username may be displayed publicly
Reviews are publicly visible
We moderate reviews for inappropriate content
You can request deletion of your reviews

26.2 Social Media Integration

If you connect social media accounts:

We may access profile information you've made available
You can revoke access through your social media settings
Your HotelsByDay activity may be shared to connected accounts (with your permission)

26.3 Public Information

Any information you choose to make public (e.g., in a profile, review, or social media post) can be seen, collected, and used by others. Exercise caution when sharing personal information publicly.

27. Employment and Vendor Privacy

27.1 Job Applicants

This Privacy Policy does not cover job applicants. If you apply for employment at HotelsByDay, a separate applicant privacy notice applies, available during the application process.

27.2 Hotel Partners and Vendors

If you represent a hotel or vendor, separate business privacy terms may apply to information we collect about our business relationships.

28. Accessibility and Language

28.1 Accessible Formats

This Privacy Policy is available in alternative formats upon request:

Large print
Screen reader compatible (WCAG 2.1 AA compliant)
Audio format
Plain language summary

Request alternative formats via our Contact Us page.

28.2 Language Versions

This Privacy Policy may be translated into other languages. In case of conflicts between versions, the English version controls.

29. Dispute Resolution

29.1 Informal Resolution

We encourage you to contact us first with any privacy concerns. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information.

29.2 Binding Arbitration

Disputes may be subject to binding arbitration as outlined in our Terms of Service. Privacy disputes may be exempt from arbitration in certain jurisdictions.

29.3 Regulatory Complaints

You always retain the right to file complaints with relevant data protection authorities (see Section 19.4).

30. Privacy Policy for Specific Jurisdictions

30.1 Canada (PIPEDA)

For Canadian residents:

We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
You have the right to access and correct your information
You may file complaints with the Office of the Privacy Commissioner of Canada
Contact: https://www.priv.gc.ca

30.2 Brazil (LGPD)

For Brazilian residents:

We comply with Brazil's Lei Geral de Proteção de Dados (LGPD)
You have rights to access, correction, deletion, anonymization, portability, and more
You may file complaints with the Autoridade Nacional de Proteção de Dados (ANPD)
Contact us to exercise LGPD rights

30.3 Australia (Privacy Act)

For Australian residents:

We comply with the Australian Privacy Principles
You may file complaints with the Office of the Australian Information Commissioner
Contact: https://www.oaic.gov.au

30.4 Other Jurisdictions

We comply with applicable privacy laws worldwide. Contact us to exercise rights under your local law.

31. Definitions and Glossary

Personal Information/Personal Data: Information that identifies, relates to, or could reasonably be linked to you.

Processing: Any operation performed on personal information, including collection, storage, use, disclosure, and deletion.

Data Controller: The entity that determines the purposes and means of processing personal information.

Data Processor: An entity that processes personal information on behalf of a data controller.

Consent: Freely given, specific, informed, and unambiguous indication of your wishes.

Anonymization: Processing that renders data non-identifiable and not subject to privacy laws.

Pseudonymization: Processing that replaces identifying information with pseudonyms, reducing privacy risks.

32. Updates and Version History

Current Version: 2.0
Effective Date: January 22, 2026
Previous Version: 1.0 (prior to January 22, 2026)

Major Changes in Version 2.0:

Added comprehensive CCPA/CPRA compliance section
Expanded cookie policy with detailed tables
Added state-specific privacy rights (Virginia, Colorado, Connecticut, Utah, Nevada)
Included data breach notification procedures
Enhanced third-party data sharing disclosures
Added security measures section
Included automated decision-making disclosures
Updated contact information and corporate address
Added data retention schedule
Implemented Global Privacy Control (GPC) support

33. Additional Resources

33.1 Related Policies

Terms of Service: https://www.hotelsbyday.com/en/terms
Cookie Policy: Accessible via cookie preference center
Security Policy: https://www.hotelsbyday.com/en/security
Accessibility Statement: https://www.hotelsbyday.com/en/accessibility

33.2 Privacy Education

Learn more about privacy:

Electronic Frontier Foundation: https://www.eff.org
Privacy Rights Clearinghouse: https://privacyrights.org
All About Cookies: https://www.allaboutcookies.org
Your rights under GDPR: https://gdpr.eu/what-is-gdpr/
Your rights under CCPA: https://oag.ca.gov/privacy/ccpa

33.3 Industry Certifications (If Applicable)

We are committed to maintaining industry privacy certifications. Current certifications will be listed here as obtained:

[ ] TRUSTe Privacy Certification
[ ] Privacy Shield (or successor framework)
[ ] ISO 27001 (Information Security)
[ ] SOC 2 Type II Compliance

34. Acknowledgment and Consent

By using the HotelsByDay Platform, you acknowledge that:

You have read and understood this Privacy Policy
You consent to the collection, use, and sharing of your information as described
For marketing communications, you can opt-out at any time
For cookies, you can manage preferences through our cookie consent manager
You can exercise your privacy rights as outlined in Section 9

For California Residents: Your use of our Platform after seeing the "Do Not Sell or Share My Personal Information" link constitutes notice under CCPA. Exercise your opt-out right via that link.

For EEA/UK Residents: Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Final Contact Information

Privacy Inquiries:
Contact Us Page: https://www.hotelsbyday.com/en/contact

Legal/IP Matters:
Email: [email protected]

Mailing Address:
Hotels By Day LLC
Privacy Officer
64 Beaver Street - Box 514
New York, NY 10004
United States

Data Protection Officer (EU/UK):
Email: [email protected]

Phone: Available through Contact Us page

Business Hours: Monday - Friday, 9:00 AM - 5:00 PM EST

Quick Reference: Your Privacy Rights Summary

Your Right	What It Means	How to Exercise
Access	See what data we have about you	Account Settings or Contact Us
Correct	Fix inaccurate information	Account Settings or Contact Us
Delete	Remove your data	Account Settings or Contact Us
Opt-Out (Marketing)	Stop promotional emails	Click unsubscribe in emails
Opt-Out (Cookies)	Control tracking cookies	Cookie preference center
Opt-Out (Sale/Share)	Stop targeted ads (CA)	Footer link or GPC signal
Portability	Download your data	Account Settings
Object	Challenge our use of data	Contact Us
Complaint	Report privacy concerns	Supervisory authority

Response Time: 30-45 days
Cost: Free (except for excessive requests)
Verification: May require identity confirmation

This privacy policy was last updated on February 12, 2026 and is effective immediately for new users. For existing users, it takes effect 30 days from the "Last Updated" date.

For questions about this Privacy Policy or to exercise your privacy rights, please visit our Contact Us page.