Privacy Policy

Engine Privacy Policy
Last Updated: December 1, 2024

We, Hotel Engine, Inc., doing business as “Engine,” (“Engine,” “we,” “us,” or “our”) is committed to protecting your privacy. This privacy policy (“Privacy Policy”) describes our processing of personal data in connection with our “Services,” which include:

Our website (“Site”) at engine.com and hotelengine.com.
Our email newsletter,
Our mobile applications (“App”), and
Any other service that links to this Privacy Policy.

Please read this Privacy Policy carefully to understand our practices regarding your personal data and how we will treat it.

ACCESSING OR USING THE SERVICES INDICATES THAT YOU ACCEPT THIS PRIVACY POLICY IN FULL. IF YOU DO NOT ACCEPT THIS PRIVACY POLICY, DO NOT ACCESS OR USE THE SERVICES. You acknowledge (a) that you have read and understood this Privacy Policy; and (b) that by accepting this Privacy Policy, you consent to receive notifications regarding security incidents to the email address we have on file for you.

We consider personal data to be any data that relates to an identified or reasonably identifiable person. Examples include your name, postal address, email address, telephone number, and order history. Some privacy laws also use the terms “personal information” or “personally identifiable information” to refer to personal data, but we will use the term “personal data” in this Privacy Policy.

If you wish to contact us with requests or questions about your personal data or how we process it, you can reach us at:

Hotel Engine, Inc., Attn: Engine Privacy Policy, 1601 Wewatta Street, Suite 250, Denver, CO 80202, USA
[email protected]
Phone: 855-567-4683

This Privacy Policy is subject to occasional revision, and if we make any material changes in the way we process personal data, we will revise this Privacy Policy and notify you by prominently posting notice of the changes in the Services. If we have your email address, we may also notify you of the change via email.
‍

Categories of Personal Data We Collect
‍
We collect and process personal data as described below.
‍‍
1. Categories of Personal Data Provided Directly to Us
  
  Account information. We collect account information from you, such as your name, contact information, and password when you create a member or personal account or otherwise register as a user of the Services. We use this information to allow you to use and personalize the Services.
  
  Profile information. We collect information about you for the purposes of booking travel for you. The information in this category includes name, title, employer affiliation, contact information, nationality, gender, driver’s license, or other identification card information, known traveler number, redress number, passport information, airline, and hotel loyalty program information, contact information, and itinerary information. This information may be provided by you directly or by a designee such as a family member or assistant that uses the Services on your behalf.
  
  Booking information. Depending on the booking that you complete through the Services, we collect the name(s) of (the) traveler(s), email address, phone number, gender, nationality, driver’s license, or other identification card information, known traveler number, redress number, passport information, airline and hotel loyalty program information, itinerary information, and any travel or accommodation preferences (such as accessibility requirements or requests). Although you are not required to include health information when you state your accessibility requirements or requests, if you include such information, we interpret this as providing your consent and direction for us to collect this information and to provide it to the appropriate travel and lodging partners as part of your booking.
  
  ‍Region and language. When you use our Services, we may ask you to select your region and language to provide you with the relevant Services that are available in your region and in your language.
  
  Payment and billing information. To allow you to purchase a booking via our Services, we may ask you to provide your postal and billing address, phone number, and VAT number (to apply VAT discounts). We do not collect or store the credit or debit card or other payment information that you provide to complete a booking via the Services unless you elect to store payment card information with your profile. A third-party payment services provider facilitates payments. At the time of payment, credit or debit card information is sent directly to the payment service provider which operates a secure server to process payment details, encrypting your credit or debit card information and authorizing payment. We use payment processors, such as Elavon and/or Stripe, to process all payments through the Services and your payment transaction will be subject to the payment processors’ privacy policies, including in the case of data breach. Please consult the applicable payment service provider’s privacy policy to learn about the processing of your personal data in that context. We may also collect or maintain personal data such as booking revenue history, direct bill balance, credit limits, and information on your past-due balances with us.
  
  Communications. If you provide us feedback or contact us, we will collect your name, any contact information accompanying the communication, and your communication contents for purposes of understanding your communication and replying.
  
  User Testimonials. If you submit a testimonial about our Services, we may use and disclose it along with your first, last name, picture, and job title in accordance with our Terms of Service.
  
  Newsletter. If you sign up to receive emails or information about our Services, then we will collect personal data from you, such as email address.
  
  Careers. If you decide to apply for a job with us, you may submit your contact information and your resume to us via our Services. We will collect the personal data you choose to provide us as part of your job application, such as your contact information, current employment information, and other information you choose to submit with your application and on your resume. If you apply for a job with us through a third-party platform (such as LinkedIn or Greenhouse), we will collect the personal data you make available to us through such third-party platform.
  ‍‍
2. Categories of Personal Data We Collect Automatically As You Use Our Services
  
  Usage Information. To make our Services more useful to you, we collect usage information that may include your browser type, operating system, Internet Protocol (“IP”) address (a number that is automatically assigned to your computer when you use the internet, which may vary from session to session), domain name, internet service provider, clickstream data, navigation history while using the Services, device information, and date/time records related to your use of the Services.
  
  Precise Location. While the App is in use, it may collect your precise location using GPS on your mobile device and possibly through other signals such as nearby wi-fi access points, or Bluetooth-enabled devices in connection with finding nearby travel destinations such as hotels.
  
  Interest Information. Using cookies provided by our targeted advertising partners, we may collect information about your interests to show you relevant advertisements on third party websites and information services. You can disable this collection by turning off “Targeting Cookies” using our Privacy Preferences tool. We have different Privacy Preferences tools based on your location. If you reside in California, please click here, if you are in the United States outside of California, please click here, and if you reside outside the United States, please click here.
  ‍‍
3. Categories of Personal Data Collected From Other Sources
  
  Administrator-Provided Invitation Information. If you are a User who has been invited to use the Services by an Administrator, your Administrator may provide us with your name and email address to facilitate such invitation.
  
  Travel Information. We may receive travel/itinerary information from third parties in connection with bookings made with those third parties.
  ‍‍
Use of Your Personal Data
‍‍
1. To provide the Services. We collect personal data to provide the Services to you, enable your use of the Services, respond to requests that you make, or to aid us in serving you better, including:
  ‍
  - To deliver the Services, including:
    - to facilitate the creation and maintenance of your account;
    - to offer you products and services appropriate for your language, region, and other preferences;
    - to make and manage bookings you make through the Services;
    - to provide incentives and other benefits; and
    - for customer support, troubleshooting, and quality assurance.
  - To manage the Services and to maintain the security of the Services.
  - To respond to correspondence.
  - For our marketing purposes, such as developing and providing promotional and advertising materials that may be useful, relevant, valuable, or otherwise of interest to you. If you send us a testimonial about our Services, we may use and disclose it (including your first and last name) to promote our Services in accordance with our Terms of Service.
  - To understand and analyze how you use our Services and develop new products, services, and features.
  - For compliance purposes, including enforcing our legal rights or defending against legal claims.
  - As may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
  - For other purposes for which we provide specific notice at the time the personal data is collected.‍
Legal Bases for Processing European Personal data
‍
In accordance with the General Data Protection Regulation (GDPR), if you are in the European Economic Area (“EEA”) or the United Kingdom, we only process your personal data when we have a valid “legal basis,” including as set forth below:‍
1. Consent. You have consented to the use of your personal data. For example, we may process your personal data to send you marketing communications. You may withdraw consent you previously provided to us regarding the processing of your personal data at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of processing that occurred before you withdrew your consent.
2. Contractual Necessity. We need your personal data to provide you with our Services. For example, we may need to process your personal data to complete bookings, process payments, and respond to your inquiries or requests.
3. Compliance with a Legal Obligation. We have a legal obligation to use your personal data. For example, we may process your personal data to comply with tax, labor, and accounting obligations.
4. Legitimate Interests. We, or a third party, have a legitimate interest in using your personal data. Specifically, we have a legitimate interest in using your personal data for product development and internal analytics purposes, and otherwise to improve the safety, security, and performance of our Services.
  
  Please note that we do not ordinarily “process special categories of personal data.” This means that we do not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. We also do not ordinarily process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation.
  
  In the process of booking travel or accommodations for you, you may ask for accommodations related to your health or religion for us to pass on to the appropriate travel and lodging partners. To the extent you include special categories of personal data in your accommodation requests for this purpose, we treat your request as your explicit consent for such processing.
  ‍‍
Disclosure of Your Personal Data

We disclose your personal data to the categories of third parties described below:‍
1. Third-Party Services. We may share your personal data with third-party services, for example: to suppliers, such as hotels and airlines, in connection with your confirmed booking of travel services. We use Plaid Technologies, Inc. (“Plaid”) to verify your bank account and confirm your bank account balance prior to approving an ACH transaction. We only share your personal data with Plaid in accordance with this Privacy Policy. Information shared with Plaid is treated by Plaid in accordance with its privacy policy, available at https://plaid.com/legal/.
2. Corporate Customers. If your member account or personal account is associated with a corporate customer, we may share your personal data with our corporate customer for billing and administrative purposes. Your personal data may also be shared with any Administrator who has been granted access to your member account or personal account either by the related corporate customer or through your acceptance of an invitation to the Services from the Administrator.
3. Processors/Service Providers. We share your personal data with third parties that process personal data on our behalf. We engage these kinds of third parties with contracts that require them to use your personal data only for the purpose of delivering the services for which we have engaged the third party and as required by law. These kinds of third parties provide business, professional, administrative, or technical support functions for us, such as payment processing, billing, data storage, quality assurance, and marketing.
4. Corporate Restructuring Recipients. We may share personal data in connection with, or during negotiation of any merger, financing, acquisition, or dissolution transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. In the event of an insolvency, bankruptcy, or receivership, personal data may also be transferred as a business asset. If another company acquires our shares, business, or assets, that company will possess the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this Privacy Policy.
5. Behavioral Advertisers. Engine discloses personal data to behavioral advertisers, but you may have the right to opt out of these disclosures. See section 8, below, for more information on opting out.
  ‍‍
Retention

We take measures to delete personal data when it is no longer necessary for the purposes for which we collected and process it. When determining the specific retention period, we consider various factors, such as the type of service provided to you, the nature and length of our relationship with you, mandatory retention periods provided by law, and the statute of limitations for legal claims relating to the personal data. We only retain your personal data beyond this retention period if required or permitted by law.
‍‍
1. Social Media Recipients. If you use the social media functionality within the Services, your personal data will be shared with the social media recipient.
2. Analytics. We use Google Analytics to better understand who is using the Services and how people are using them. Google Analytics uses cookies to collect and store information, such as Services pages visited, places where users click, time spent on each Services page, Internet Protocol address, type of operating system used, language preference, location-based data, device ID, search traffic, gender, and age. We use this information to improve the Services and as otherwise described in this Privacy Policy. Please see: https://policies.google.com/technologies/partner-sites for information about how Google Analytics uses this information, and visit: https://tools.google.com/dlpage/gaoptout for information about the Google Analytics Opt-out Browser Add-on. Google may track Your activity over time and across websites. In addition, we use the following analytics and performance providers:‍
  - Amplitude: We use amplitude to better understand our users’ needs and optimize the Services and experience.
  - AB Tasty: We use AB Tasty to improve the user experience delivered on our Services.‍
3. Legal Compliance Recipients. Engine may disclose personal data (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on Engine; (c) to protect or defend the rights or property of Engine or users of the Services; and/or (d) to investigate or assist in preventing any violation or potential violation of the law, this Privacy Policy, or our Terms of Use Agreement.‍
4. Recipients You Approve. We may also disclose your personal data to other recipients with your permission or at your direction.
  ‍‍
International Users
‍
Please be aware that your personal data will be stored and processed in the United States or the Philippines, where our systems are located. If we transfer personal data to the United States from another jurisdiction, we will do so in a way that complies with applicable legal requirements.
‍
‍‍
Personal Data Security
‍
Engine is committed to protecting the security of your personal data. We use a variety of industry-standard security technologies and procedures to help protect your personal data from unauthorized processing.

We also require you to enter a password to access your member account or personal account information. Please do not disclose your password to unauthorized people. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while Engine makes reasonable efforts to protect your personal data, Engine cannot guarantee its security.
‍
‍‍
Your Privacy Rights and Choices
‍
This section provides information about the rights and choices you have regarding your personal data based on the jurisdiction in which you reside. This information is not intended to be exhaustive, which means that you may have legal rights other than those described in this section. In some circumstances, the rights described in this section may be qualified or limited in accordance with applicable law. Please refer to section 8.5 to learn how you can exercise your rights and choices.
‍‍
1. Marketing Opt-out.
  ‍
  ‍Regardless of where you live, you may contact us to opt out of some collection or uses of your personal data for marketing purposes, including from receiving direct marketing communications. Despite your indicated preferences regarding direct marketing communications, we may send you other kinds of communications, including notices of any updates to our Terms of Use or Privacy Policy.
  ‍‍
2. Your Privacy Rights (for residents of the United States, including Texas and Nebraska)
  ‍
  If you live in the United States of America, depending on the law in the state where you live, you may have certain rights regarding your personal data under the law. To exercise your rights, please submit a request by contacting us through any of the means outlined below. (California residents should also review the California-specific information below.)
  
  Your rights may include the following:
  - the right to opt-out of the use of personal data for targeted advertising, personal data sales, or profiling resulting in significant consequences;
  - the right to confirm whether we process your personal data and to access a copy (from which we may, for security purposes or as legally required, exclude certain personal data), including a copy that is in a portable data format;
  - the right to the correction of inaccurate personal data;
  - the right to the deletion of your personal data;
  - the right to provide your consent before we process certain personal data considered to be particularly sensitive;
  - the right to appeal the action we take in response to any request to exercise these rights; and
  - the right not to be discriminated against for exercising the legal rights associated with your personal data.
    
    Please note that we “sell” personal data for targeted advertising purposes. To exercise your right to opt-out of the use of personal data for targeted advertising and personal data sales, you can use our consent tool using the Privacy Preferences to link at the bottom of our site to disable the “Targeting Cookies” category. We have different Privacy Preferences tools based on your location. If you reside in California, please click here, if you are in the United States outside of California, please click here, and if you reside outside the United States, please click here.
    
    Nevada residents may direct us to refrain from making any sale of any covered information we have collected or will collect about them. You may submit a request pursuant to this directive by emailing us at [email protected]. We will provide further information about how we verify the authenticity of the request and your identity.
    ‍
3. Your Privacy Rights (for residents of the United Kingdom, European Economic Area, and Switzerland)
  ‍
  If you live in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland you may have the following rights regarding your personal data:
  - ‍Access/Data Export. You may have a right to access the personal data we process and to request it in a common portable format of our choice.‍
  - Rectification. You may request that we correct any personal data that you believe is inaccurate.‍
  - Deletion. You may request that we delete your personal data. We may delete your data entirely, or we may anonymize or aggregate your information so that it no longer reasonably identifies you. ‍
  - Restriction of Further Processing. You may request that we restrict the processing of personal data under certain circumstances. For example, you may make this request if you object to our use of your personal data for particular legitimate business interests.‍
  - Objection. You may have the right under applicable law to object to any processing of personal data based on our legitimate interests. We may not be required to cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. You also have the right to lodge a complaint with a supervisory authority. In addition to the general objection right, you may have the right to object to processing:
    - for profiling purposes;
    - for direct marketing purposes (we will cease processing upon your objection); and
    - involving automated decision-making with legal or similarly significant effects (if any).‍
4. Your privacy rights and information (for residents of the State of California)
  ‍‍
  1. Privacy rights.
    
    Under the California Consumer Privacy Act (“CCPA”), residents of California may have the following rights, subject to certain limitations set forth in the CCPA and their submission of an appropriately verified request:
    
    Confirm- Right to confirm whether we process your personal data.
    Access/Know- Right to request any of following: (1) the categories of Personal data we have collected, sold or “shared,” or disclosed for a commercial purpose; (2) the categories of sources from which your personal data was collected; (3) the purposes for which we collected or sold or “shared” your personal data; (4) the categories of third parties to whom we have sold or “shared” your personal data, or disclosed it for a business purpose; and (5) the specific pieces of personal data we have collected about you.
    Portability- Right to request that we provide certain personal data in a readily useable format.
    Deletion- Right to delete certain personal data that we hold about you.
    Correction- Right to correct certain personal data that we hold about you.
    Opt-Out (Sales, Sharing, Targeted Advertising, Profiling)- Right to opt-out of the following:
    - If we engage in sales of data (as defined by applicable law), you may direct us to stop selling personal data.
    - If we engage in targeted advertising (aka “sharing” of personal data or cross-context behavioral advertising, as defined by applicable law) you may opt-out of such sharing.
    - If we engage in certain forms of “profiling” (e.g. profiling that has legal or similarly significant effects), you may opt-out of such profiling.‍
    Opt-out or Limit Use and Disclosure of “Sensitive Personal Information”-This right does not apply because we only use and disclose “Sensitive Personal Information” where necessary and for certain business purposes authorized by applicable law.
    
    Opt-in/Opt-out of Sale/Sharing of Minors’ personal data- To the extent we have actual knowledge that we collect or maintain personal data of a minor under age 16 in California, those minors must opt in to any sales or “sharing” (as defined under CCPA) of personal data, and minors under the age of 13 must have a parent consent to sales or “sharing” of personal data. All minors have the right to opt-out later at any time.
    
    Non-Discrimination- California residents have the right to not to receive discriminatory treatment as a result of their exercise of rights conferred by the CCPA.
    
    ‍List of Direct Marketers- California residents may request a list of personal data we have disclosed about them during the preceding calendar year to third parties for direct marketing purposes and those third parties’ names and addresses.
    
    Remove Minors’ User Content- Residents of California under the age of 18 can delete or remove posts using the same deletion or removal procedures described above, or otherwise made available through the websites. If you have questions about how to remove your posts or if you would like additional assistance with deletion, contact us using the information below. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the websites.
    ‍
  2. Collection of personal data.
    The following table lists the categories of personal data we have collected in the last twelve months.

Category under the California Consumer Privacy Act	Description	Collected
A. Identifiers	Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.	Yes
B. Customer records (as defined in Cal. Civ. Code § 1798.80(e))	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.	Yes
C. Protected classifications	Characteristics of protected classifications under California or federal law, such as race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information), and age over 40.	Yes
D. Commercial information	Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Yes
E. Biometric information	An individual’s physiological, biological, or behavioral characteristics, including DNA information that is used or is intended to be used to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.	No
F. Usage data	Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.	Yes
G. Geolocation data	Data intended to locate a customer within a geographic area.	Yes
H. Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information.	Yes
I. Professional or employment information	Your job role, professional and educational qualifications, employment and education history, compensation information and similar data.	Yes
J. Education information	Information that is not publicly available personally identifiable information as defined in the California Family Educational Rights and Privacy Act, including education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	No
K. Inferences	Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Yes

Purposes for which personal data will be used are described in the main portion of this Privacy Policy.

Categories of sources from which personal data is collected

Advertising/Marketing Providers
Analytics Providers
Business Administrators
Consumers
Lodging and Travel Partners
Recruiting Platforms
Social Media Platforms
Video Hosting, Sharing, and Services Platforms

8.4.3 Collection of “Sensitive Personal Information”

In the past year, we have collected the following personal data that are considered “sensitive personal information” as that term is defined in the CCPA:

Sensitive Personal Information Category	Purpose for Collection/Use	Whether Sold or Shared for Cross-Context Behavioral Advertising
Social security numbers, driver’s license numbers, state identification card numbers, and passport numbers.	To complete travel bookings for which this information is required.	No
Individuals’ account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.	To complete travel bookings for which this information is required.	No
Racial or ethnic origin, citizenship, or immigration status, religious or philosophical beliefs, or union membership.	To complete travel bookings for which this information is required.	No
Individual health conditions, treatment, diseases, diagnosis, or dietary restrictions in the context of a booking, event registration, or emergency contact form.	To accommodate health conditions in connection with bookings or events and to assist in event of a medical emergency at an event.	No
Precise geolocation	To identify travel-related locations near you such as hotels when using the App.	No

8.4.4 Disclosure of Personal Data

As required by the CCPA, the following table lists the categories of personal data that we have “sold” or “shared for cross-context behavioral advertising” with third parties or disclosed for our business purposes in the past twelve months. The categories of third parties to which the information was sold, shared, or disclosed for commercial purposes or business purposes are described in the main portion of this Privacy Policy.

California Consumer Privacy Act Category	Sold or Shared in the Last 12 Months	Disclosed for a Business Purpose in the Last 12 Months
A. Identifiers	Yes	Yes
B. Customer records (as defined in Cal. Civ. Code § 1798.80(e))	Yes	Yes
C. Protected classifications	No	Yes
D. Commercial information	Yes	Yes
E. Biometric information	No	No
F. Usage data	Yes	Yes
G. Geolocation data	No	No
H. Sensory data	No	No
I. Professional or employment information	Yes	Yes
J. Education information	No	No
K. Inferences	Yes	Yes

Categories of third parties to which we disclose personal data

Advertising/Marketing Providers
Analytics Providers
Corporate Customers
Payment Providers
Recruiting Platforms
Social Media Platforms and Users
Video Hosting, Sharing, and Services Platforms
Lodging and Travel Partners

8.5. Submission of Requests

To exercise your right to opt out of the selling/sharing of your personal data, targeted advertising, or profiling, or to request to limit the use and disclosure of Sensitive Personal Information, you may call us at 855-567-4683 or email us at [email protected]. You may also go to our Do Not Sell/Share My Personal Information form. We have different Privacy Preferences tools based on your location. If you reside in California, please click here, if you are in the United States outside of California, please click here, and if you reside outside the United States, please click here.

To exercise any of the other rights described above, please submit a verifiable consumer request by calling us at 855-567-4683 or emailing us at [email protected]. You will not need to create an account to exercise your rights.

8.6. Verification of Requests

Before we can act on any requests relating to your personal data, we may need to verify your identity. If you have a password-protected account with us, we may be able to verify your identity through our existing authentication procedures for your account. However, we may need to require you to re-authenticate yourself before we can act on your request.

If you do not have a password-protected account with us, we may require you to provide us with your name, telephone number, business address, and email address, together with a signed declaration under penalty of perjury that you are the consumer whose personal data is the subject of the request. We will match this information with the personal data we maintain.

You can also authorize another person, called an agent, to exercise your rights on your behalf. You must provide the authorized agent written and signed permission to act on your behalf. We may deny requests to opt out from an authorized agent who does not submit proof that he or she has been authorized to act on your behalf. Furthermore, we may require you to verify your identity directly with us. We may also require you to directly confirm with us that you have provided the authorized agent permission to submit a request on your behalf. An authorized agent can make a request on your behalf by either calling us at 855-567-4683 or emailing us at [email protected]. Additionally, an authorized agent can make a request to opt out of the sale of personal data on your behalf by accessing our Privacy Preferences tools. We have different Privacy Preferences tools based on your location. If you reside in California, please click here, if you are in the United States outside of California, please click here, and if you reside outside the United States, please click here.

8.7. Exercising Your Rights

If you would like to contact us to request to exercise any of the rights in relation to your personal data, please contact us using the information at the top of this Privacy Policy.

You may also appeal the decision we make on your request by contacting us using the contact information at the top of this Privacy Policy. If you contact us to appeal, please explain what you believe we did improperly in connection with your request. We will respond to your appeal in accordance with the timelines set forth in applicable law.

If we fall short of your expectations in processing your personal data, or if you wish to raise a concern or complaint about our privacy practices, please tell us because it gives us an opportunity to address the problem.

9. Consumer Health Data Privacy Policy

A. Categories of Consumer Health Data We Collect

We may collect the following categories of personal data defined as consumer health data under Washington’s My Health My Data Act (“MHMDA”) and similar laws (“Consumer Health Data”), for the following purposes:

Categories of Consumer Health Data	Purposes of Collecting, Using and Sharing	How Consumer Health Data will be Used or Processed
Individual health conditions, treatment, diseases, diagnosis, or dietary restrictions	To relay health-related accommodation needs or requests in connection with bookings	To share requests for health-related accommodations with travel and lodging partners
Biometric data (voice recordings and facial images)	Operating webinars and video conferences Promotions and feedback Customer service and quality assurance	For webinars and video conferences To complete and record phone interviews with customers To provide customer service To respond to voicemail messages To provide quality assurance
Precise location	While you are using the App to identify travel-related locations near you such as hotels	To provide services through the App

Third parties may collect consumer health data over time and across different Internet websites or online services when you use our website or other information services.

B. Sources of Consumer Health Data We Collect

We may collect, use, and share Consumer Health Data from various sources, which include: from you, from emergency personnel, from family members, from social media.

C. Sharing of Consumer Health Data

Categories of Consumer Health Data We Share

‍We may share the following categories of Consumer Health Data with third parties and specific affiliates: Health information provided in connection with a request for an accommodation, voice recordings, and facial images.

‍Categories of Third Parties with Whom We Share

‍We may share Consumer Health Data with the following categories of third-party recipients: hotel and lodging partners.

‍Specific Affiliates with Whom We Share

‍We may share Consumer Health Data with the following Affiliates: None.

D. Washington and Nevada Health Data Rights

Your Rights

‍Under the Washington State My Health My Data Act, Wash. Code Ann. § 19.373.005 et seq., and Nevada Rev. Stat. § 603A.400 et seq., Washington and Nevada residents and natural persons whose Consumer Health Data is collected in Washington and Nevada may have the following rights, subject to verification, exceptions, and limitations:

‍Right to Confirm/Access/Know: Up to twice annually, you have the right to (a) confirm whether we are collecting, sharing, or selling your Consumer Health Data, and (b) access such data, including a list of all third parties and affiliates with whom we have shared or sold the consumer health data and an active email address or other online mechanism that you may use to contact these third parties.

‍Right to Delete: You have the right to request deletion of the Consumer Health Data held by us and our affiliates, processors, contractors, and other third parties.

‍Right to Withdraw Your Consent/Opt-Out: You may withdraw any consent you have provided at any time. The consequence of your withdrawing consent might be that we cannot perform certain services for you, such as location-based services, personalizing or making relevant certain types of advertising, or other services conditioned on your consent or choice not to opt-out.

‍Right to Non-Discrimination: You have the right to not to receive discriminatory treatment because of your exercise of rights conferred by the My Health My Data Act and Nevada NRS 603A.400 et seq.

‍How to Exercise Your Rights

‍You may submit requests as follows (please our review verification requirements below).

You may send an email to [email protected] with your email address, phone number or address on file, along with your request.

If you have any questions or wish to appeal any refusal to act in response to a health data rights request, contact us at [email protected]. We will respond to any request to appeal within the period required by law. Washington Residents: If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General here.Nevada Residents: If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the State of Nevada Attorney General here.

‍Verification of Consumer Health Data Rights RequestsIf you submit a request, we typically must verify your identity to ensure that you have the right to make that request, to reduce fraud, and to ensure the security of Consumer Health Data. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf. We may require that you match Consumer Health Data we have on file to adequately verify your identity. If you have an account, we may require that you log into the account to submit the request as part of the verification process. We may not grant access to certain Consumer Health Data to you if prohibited by law.