Privacy Policy

Last updated: TBD · Effective: TBD

Who we are

local-hotel.com is operated by COMPANY_NAME (company number COMPANY_NUMBER), registered at OPERATOR_ADDRESS. We're registered with the UK Information Commissioner's Office under registration number ICO_REGISTRATION_NUMBER. Contact: SUPPORT_EMAIL.

What data we collect

  • Account data — email, name, hashed password.
  • Booking data — hotel choice, dates, guest count, price, refund status, supplier reference.
  • Browsing data — searches, hotels viewed, wishlist, price alerts. Used to populate your account history.
  • Technical data — IP address (rate-limiting, fraud), browser type, request timestamps.

Why we hold it (lawful basis)

  • Contract performance — to fulfil bookings you make.
  • Legitimate interest — to operate, secure, and improve the service.
  • Consent — for non-essential cookies (see Cookie Policy).
  • Legal obligation — accounting records (6 years), security incident response.

Who we share it with (sub-processors)

We pass a minimum subset of data to:

  • LiteAPI — booking supplier. Receives guest name, dates, hotel, and a payment confirmation token when payment is taken via their hosted payment SDK. (DPA on file.)
  • Hotelbeds — booking supplier. Receives guest name, dates, hotel, room type, and our internal client reference. Hotelbeds is a B2B wholesaler — payment is collected on our side and settled to them, so they never receive your card details. (DPA on file.)
  • Stripe — payment processor (regulated by the FCA). Receives card details directly from your browser; we never see the full PAN. Stripe also stores a customer reference linked to your email when you buy a pass or subscribe. stripe.com/privacy.
  • Resend — transactional email sender. Receives email address + message content (booking confirmations, password resets, etc.). DPA on file.
  • Our hosting provider — to run the app and store data at rest.

Each has a Data Processing Agreement with us. None sell your data. We'll update this list before adding any new sub-processor and email registered users 30 days ahead.

How long we keep it

  • Account data: until you delete your account.
  • Booking records: 7 years (UK accounting requirement).
  • Browsing data (searches, viewed hotels): 12 months from last activity.
  • Server logs: 90 days.

Your rights

Under UK-GDPR you have the right to:

  • Access — download your full data via your account page (Article 15).
  • Portability — export is a machine-readable JSON file (Article 20).
  • Erasure — delete your account at any time. We will hard-delete all rows we hold. Confirmed bookings retained by suppliers (LiteAPI, Hotelbeds) and your Stripe customer record remain with those processors under their own DPAs — required for compliance, fraud prevention, and dispute handling (Article 17(3)(b) and (e)). Contact the supplier directly to request deletion from their side.
  • Rectification — edit your name and email on your account page.
  • Restriction / objection — email SUPPORT_EMAIL and we'll action it within 30 days.
  • Complaint to the ICO (ico.org.uk) if you're unhappy with how we handle your data.

International transfers

Some sub-processors (e.g. Resend) store data outside the UK. We rely on Standard Contractual Clauses + UK Addendum for those transfers, as required under UK-GDPR Article 46.

Security

Passwords are hashed with bcrypt (cost factor 12). All traffic is HTTPS-only with HSTS preload. We use CSRF protection on all mutating endpoints, rate limiting on sensitive endpoints, and standard browser security headers (CSP, X-Frame-Options).

Changes

We'll email registered users 30 days before any material change to this policy. Minor wording fixes are pushed silently — see the "Last updated" date above.
