WHO WE ARE
The Site is operated by Coolstays, a trading name of Big Blue Sea Ltd, a company registered in England and Wales. Our company registration number is 7804381. Our registered office is at 15-17 Middle Street, Brighton, BN1 1AL, UK.
We are registered with the Information Commissioner’s Office as a data controller under number Z3404833.
You must be over 18 years old to use our site and to make booking enquiries with Owners. By using our site you confirm that you are over 18 years of age.
OUR PRIVACY PROMISE
We promise to keep your personal data safe and private, not to sell your personal data, and to give you a simple way to view and manage your marketing and communication choices at any time.
THIS POLICY AND THE GDPR
GDPR stands for the General Data Protection Regulation, a European privacy law approved by the European Commission in 2016. The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.
The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It applies to any organisation processing personal data of EU citizens.
Personal data will now include not only data that is commonly considered to be personal in nature (e.g. names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, financial information, and more.
The GDPR was adopted in April 2016, but will officially be enforceable on 25th May 2018.
CHANGES TO THIS POLICY
INFORMATION WE COLLECT
There are three categories of information we collect:
1. Information you give to us
- a) Information necessary for use of the site.
We ask for this information when you use the site as it is required for proper performance
of our contract with
- i) Account information - When you register with us such as first name, last name and email address.
- ii) Listing information (if you are an Owner) - such as your address, your property address and geo-location, phone number
- iii) Payment information - Payments are processed using our account at Stripe Inc. on their secure platform and will include the method, date and time, amount, card expiry date, billing postcode, your address and other related information. This information is required and necessary for performance of our contract with you. We do not have sight of the card number or CVV code at any time, but this will be held securely by Stripe Inc who are audited and certified as a PCI Service Provider Level 1.
- iv) Communications - If you contact us or use the site to contact Owners we collect information about the communication and any other information you choose to provide in that communication.
- b) Information you choose to give us.
You can choose to give us additional information that is not essential for use of the site
but will enhance your
experience and help us provide a better service to you. This information is processed based
on your consent.
- i) Additional account information (for Owners) - such as a Twitter username, Facebook page or username, Instagram username.
- ii) Review information - If you submit a review on the site we will will collect this information and any personal data you may include in the review and this will be publicly available on the site (once published). We will also publish your name on the review but we give you the option of entering a public profile name that can be different to your full legal name.
- iii) Other information - If you fill out any form on the site or third party sites we may direct you to such as SurveyMonkey or Freshdesk helpdesk, you are choosing to give us this information.
2. Information we automatically collect from your use of the website
When you use the website we automatically collect information, including personal data. This information is necessary for the performance of the contract between you and us, as well a given our legitimate interest to improve the functionality of the site and provide you with a good service.
- i) Site Usage Information - We collect information about pages you visit, your searches, enquiries you make, things you save to your wishlists, and other actions.
- ii) Geolocation information - We collect information that includes your IP address and this can be used to determine your approximate location.
- iii) Log data and device information - We collect log data and device information for when you use the site, even if you are not logged in or registered for an account with us. This information is vital to us for to prevent fraudulent or malicious use of the site.
- v) Payment information (for Owners) - We collect information related to your payments for services provided including the method, date and time, amount, card expiry date, billing postcode, bank account information (IBAN, SWIFTcode, etc), your address and other related information. This information is required and necessary for performance of our contract with you. Card payments are processed securely using our account at Stripe Inc. and will include the method, date and time, amount, card expiry date, card number, CVV code and billing postcode. It may also include your address and other related information. This information is required and necessary for performance of our contract with you. We do not have site, of the card number or CVV code at any time, but this will be held securely by Stripe Inc who are audited and certified as a PCI Service Provider Level 1.
- vi) Payment information (for Voucher purchasers) - We collect information required to process a payment when you purchase a Voucher on our voucher sales page. Payments are processed securely using our account at Stripe Inc. and will include the method, date and time, amount, card expiry date, billing postcode, your address and other related information. This information is required and necessary for performance of our contract with you. We do not have sight of the card number or CVV code at any time, but this will be held securely by Stripe Inc who are audited and certified as a PCI Service Provider Level 1.
- vii) Voucher Redeem information for Voucher Holders - We collect information required to process a voucher refund using a secure form at https://vouchers.coolstays.com/redeem/ where we ask for your booking information, your name and contact email/phone, and your bank account information for the voucher refund payment.
3. Information we collect from third parties
We may collect personal data that other site users may submit to us when they use the website and communicate with us, or we may obtain information from other third parties as detailed below. We have no control how these third parties may themselves control or process this information and any information request relating to the data they might provide to us must be directed to that third party.
- i) Third party services - if you login or connect to us using Facebook, they may send us information such as your registration and profile information. This information is controlled by Facebook and you authorise its processing by us when you connect using their service and via the privacy settings in your Facebook account.
- ii) Reviews - (for Owners) If someone has written a review about your property it may contain your personal data. You will be notified when a review is published about your property and you will have the opportunity to request removal.
- iii) Third party booking information - We may receive personally identifiable information (PII) contained in data feeds that we use to display up-to-date accommodation calendar availability information. Where we receive such PII it is processed according to the 'data minimisation' principles, whereby we will delete the personal data not required and keep only the minimum data needed to provide calendar availability functionality.
HOW WE USE THIS INFORMATION
We may use and disclose personal data only for the following purposes:
- 1. To communicate with Webusers and Owners and provide customer support.
- 2. To send you information and promotional material to you by email. You will only receive this information if you have positively opted in and you can stop receiving this content at any time.
- 3. To send you alerts and notifications by email based on transactions you make on the site - such as making an enquiry, adding or modifying a wishlist or leaving a review. These are essential for the performance of our contract and you cannot opt out of receiving these messages, but you will only receive them if you make such transactions.
- 4. To charge and collect money from our customers. This includes sending you notices and alerts by email or telephoning. We use a third party (Stripe) for secure card payment processing, and we send billing information to them for processing orders and payments. We use third party accounting systems (Quickbooks) to manage our financial accounts. We send them billing information for this purpose. We may send messages to you directly from Quickbooks email system. Quickbooks also offer payment for invoices by card using Paypal.
- 6. To provide suggestions to you. We use data to suggest properties or other content that we think will be of interest to you. For example suggesting properties similar to those you may have made an enquiry at, or that are on your wishlist.
- 8. To protect the rights and safety of our customers, site visitors and third parties.
- 9. To meet legal requirements, comply with the law, court orders, respond to legal requests or an official investigation.
- 10. To provide information to our advisors or agents, such as lawyers and accountants.
- 11. We may share your data with a third party if we choose to sell, transfer or merge part or all of our business - or we we seek to acquire another business or merge with them. We will only share your data with a third party in this case if they agree to keep your data safe and private and have the appropriate safeguards in place. In any such event we will notify you of the change either by sending you an email or posting a notice on our Website.
THIRD PARTY LINKS
RECIPIENTS OF THE YOUR DATA (WHO WE MAY SHARE IT WITH)
1. Other Site Users:
- a) Making an Enquiry- If you interact with the site to make a booking enquiry with a property owner or agent, we will share with that owner/agent any information you need to provide such as your name, your email address, dates of your proposed stay, how many people are in your group. This is necessary for the adequate performance of our contract with you. When you make a booking enquiry you may choose to provide further information in the contact form and any subsequent message using our messaging system such as your phone number and any other personal data you choose. This information is provided with your consent.
- b) Leaving a review - If you choose to leave a review on the site for a property you have stayed at, we may publish this information on the site and it will be visible to all site users and the general public. We will publish your “public name” which is your name as provided to us on registration or a pseudonym if you choose to change it (your “public name”). We will also publish the star rating and any other information you choose to provide. By leaving a review you acknowledge and agree that this information is provided and may be published with you consent.
- c) Uploading Property Information - If you are a property owner or agent your use of the site is governed by the Owner Terms, to which you must agree in order to use our service to promote your property. Any information you upload to our Owners Area may include your personal data and may be provided to the Webusers and the general public as displayed on your property listing with your consent. You always have the opportunity to review the listing and can request changes or removal to this information at any time.
- d) Responding to an Enquiry - If you are a property owner or agent, when you respond to an enquiry from a webuser using our messaging system, any information you submit (including personal data you choose to submit) will be provided to the enquirer and will be stored on our platform for review by that Webusers at any time. This information is provided by you with your consent.
- 3. Service Providers:
- 4. Other Third Parties: We may share your data with a third party if we choose to sell, transfer or merge part or all of our business - or we we seek to acquire another business or merge with them. We will only share your data with a third party in this case if they agree to keep your data safe and private and have the appropriate safeguards in place.
TRANSFERS TO THIRD PARTY PROCESSORS AND OUTSIDE THE EU
Examples of TPPs we use include (but are not limited to): Hosting - Amazon Web Services (AWS), Rackspace Email - Sendgrid, Postmark, Mailchimp SaaS - Freshworks (Freshdesk), Zapier, Slack, Feefo, Quickbooks, Stripe, Hotjar
Safeguards - EU-US Privacy Shield The EU-US Privacy Shield is a framework that protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. Our TPPs are certified and comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. They comply with the Privacy Shield Principles for all transfers of personal data from the EU and Switzerland. Where appropriate we have signed Data Processing Addendums with TPPs to be confident that any data from the EEA that is being transfered outside of the the EEA will be subjected to the same high levels of security, privacy control, and data protection that it would receive in the EU.
The GDPR provides the following rights for individuals:
- 2. Right of access You have the right to access your personal data and supplementary information. You can access and update some of your personal data through your account settings. If you have chosen to register and log in via Facebook you can manage those permissions in your account settings at Facebook.
- 3. Right to rectification You have the right to ask us to have inaccurate personal data rectified, or completed if it is incomplete, where you cannot do this yourself in your account settings.
- 4. Right to erasure You have a right to have your personal data erased. This is also known as the “right to be forgotten”. You can ask us to delete your data by emailing us at firstname.lastname@example.org We will respond to a request for erasure within one month. We may ask you to verify your identity.
- 5. Right to restrict processing In certain circumstances, you have a right to restrict the way we may process your personal data, as an alternative to erasing it, if you have a particular reason for wanting it restricted
- 6. Right to data portability Your right to data portability entitles you to obtain personal data you have provided to us - in a commonly used, structured format - and request that we send it to another another service provider (if technically feasible).
- 7. Right to object or withdraw consent You have the right to object to our processing of your personal data where the use is based on our legitimate interests (including profiling), or where it is used for direct marketing. You may at any time ask us to stop processing of your information for direct marketing purposes, by emailing us at email@example.com or by changing the email preference settings in your account.
HOW LONG WE MAY KEEP YOUR DATA
We generally retain your information for as long as your account is active or as long as necessary to provide you with our service. We may also retain and use your information in order to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our Agreements.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.