UpMarket Privacy Policy
This page brings together two important parts of our privacy framework:
- Guest Privacy Notice – a plain-language summary for guests staying at properties that use UpMarket.
- Full Privacy Policy – the comprehensive, legally compliant policy for customers, regulators, and partners.
Guests should primarily read the Guest Privacy Notice, while property managers, enterprise customers, and regulators should consult the Full Privacy Policy.
Guest Privacy Notice
Your Privacy During Your Stay
When you stay at a property using UpMarket, your personal data is handled carefully and securely. This notice explains the key points about your privacy. For complete details, please see our full Privacy Policy below.
Who Is Responsible?
- Your host (hotel, property manager) is the data controller for your personal data
- UpMarket acts as their data processor to handle your data securely
- For certain purposes (fraud prevention, platform security), UpMarket may also act as a controller
What Data We Collect
- Your contact details (name, email, phone)
- Your booking information (dates, property, reservation number)
- Your ID document, if required by local law (passport, ID card)
- Information about ALL guests including children when required by law (e.g., Spain, Italy, Greece)
- Your messages with the host (email, SMS, chat apps)
- Your preferences and requests (e.g., early check-in, special requests, upsell choices)
- Technical data when you use our digital services (IP address, device type)
Why We Collect It
- To register your stay with local authorities as required by law (including ALL guests regardless of age in many countries)
- To manage your booking and digital check-in/out
- To enable communication with your host
- To process payments securely
- To personalize your stay with relevant offers and local recommendations
- To ensure the safety and security of all guests
- To handle customer service requests and resolve disputes
AI Features and Personalization
Our platform may use AI to:
- Suggest relevant services or upgrades
- Provide automated responses to common questions
- Offer personalized local recommendations
How it works: AI personalization uses your booking metadata, prior interactions with the property, and property context. We do not use biometric or sensitive personal data for personalization.
These are optional features. You can opt out of AI personalization at any time by contacting your host or us directly.
How Long We Keep It
- ID documents: As required by local law (typically 12-24 months in EU countries, up to 3 years in some jurisdictions)
- Check-in data: Minimum 90 days for operational purposes (customer service, disputes, fraud prevention), longer if required by law
- Booking data: Up to 24 months for service improvement and analytics
- Communications: Up to 24 months, then anonymized
- Payment information: 7 years for accounting and tax compliance
Who We Share It With
- Your host (the property)
- Trusted service providers for:
  - Secure hosting and data storage
  - Payment processing
  - Communication delivery
- Authorities only when legally required
We never sell your personal data to anyone.
Cookies
When you use our digital services:
- Essential cookies are used to make the service work
- Optional cookies (analytics, personalization) require your explicit consent
- Our cookie banner provides accept all, reject all, and granular preference options
- Non-essential cookies are off by default until you give consent
You can change your cookie preferences anytime through the cookie settings on our platform.
Your Privacy Rights
You have the right to:
- Access your personal data
- Correct any errors
- Delete your data when no longer needed
- Transfer your data (data portability)
- Object to marketing or automated features
- Withdraw consent for optional processing
How to exercise your rights:
- First step: Contact your host directly for fastest resolution
- If unresolved: Contact UpMarket at [email protected] - we'll respond within 30 days
International Data Transfers
When your data needs to be processed outside the EU/EEA:
- We rely on adequacy decisions or Standard Contractual Clauses (SCCs)
- We apply additional safeguards including encryption, pseudonymization, and strict access restrictions
Jurisdictional Requirements
Different countries have different legal requirements for guest registration:
- Spain, Italy, Greece, Portugal: Must register ALL guests including children
- Netherlands, Germany: Adult guests only
- Some countries: No registration requirement
We comply with local laws wherever properties are located.
Children's Privacy
When children (under 18) stay at properties:
- Legal requirements: Many countries (Spain, Italy, Greece, etc.) require us to collect identification data for ALL guests including children for police registration
- Data collected: Only what's legally required (typically name, birthdate, document number)
- Parental involvement: Parents/guardians must provide this information during check-in
- We don't market to children or collect their data beyond legal requirements
Contact Us
For guest data questions:
- First, contact your host directly
- For additional support: [email protected]
To exercise your privacy rights:
Email: [email protected]
Our Data Protection Authority:
Netherlands: Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
This notice was last updated on January 1, 2025.
Full Privacy Policy
UpMarket International B.V.
Effective Date: January 1, 2025
Version: 1.0
1. Who We Are
UpMarket International B.V. ("UpMarket", "we", "our") is a company registered in the Netherlands, providing automation services for hospitality businesses.
Data Controller/Processor Roles:
- We act as data processor when handling guest data on behalf of our customers (hotels, property managers), who remain the data controllers
- We act as data controller for:
  - Personal data collected directly from our business customers
  - Guest data processed for our own legitimate purposes (fraud prevention, platform security, service improvement)
2. Contact Information
Address: Van Ostadestraat 306-3, 1073TX Amsterdam, Netherlands
Email: [email protected]
Phone: +351 924 185 001
Supervisory Authority (EU): Autoriteit Persoonsgegevens – autoriteitpersoonsgegevens.nl
Data Protection Officer (Brazil – LGPD): [email protected]
Accessibility: This policy is available in English. Alternative formats or translations are available on request by contacting [email protected].
3. Data Minimization Principle
We collect only the minimum personal data necessary to provide our services effectively. We regularly review our data collection practices to ensure we are not collecting excessive information.
4. Categories of Personal Data Collected
Customers (B2B users): Account credentials, contact information, billing details, support requests, usage analytics.
Guests (end-users of properties):
- Adult guests: Full identification documents, booking details, communication history, payment metadata, preferences and interaction data through our AI concierge
- Minor guests: Limited identification data as legally required (typically name, birthdate, document number) collected via parent/guardian
Technical/Usage Data: IP addresses, browser/device type, activity logs, cookie data, session information.
5. Legal Bases for Processing
We rely on:
- Contractual necessity (to provide services to customers and enable guest check-in/out)
- Legal obligation (compliance with hospitality regulations, police/immigration reporting for all guests including minors, tax requirements)
- Legitimate interests (fraud prevention, service improvement, customer support, platform security, operational requirements like dispute resolution)
- Consent (marketing communications, non-essential cookies, certain AI personalization features)
- Public interest/legal requests (where required by authorities)
6. Use of Data
We process data to:
- Deliver and manage our platform functions
- Facilitate guest onboarding and legal reporting
- Handle payments securely
- Enable communication between guests and hosts
- Provide AI-driven recommendations and service personalization
- Analyze service usage and detect fraudulent or abusive behavior
- Ensure the security and integrity of our services
- Comply with legal obligations
7. Automated Decision-Making and AI
Our AI services provide suggestions (upsells, service recommendations, automated replies).
AI Transparency: Our AI personalization uses booking metadata, prior guest interactions, property context, and aggregated preference patterns. We do not use biometric data, special category data, or other sensitive personal information for AI personalization.
These are assistive features that do not produce legal or similarly significant effects. You have the right to:
- Object to automated processing
- Request human review of any automated suggestions
- Opt out of AI personalization features
- Request explanation of the logic involved in automated processing
8. Children's Privacy
Legal Compliance for Minor Guests:
- Many jurisdictions (including Spain, Italy, Greece, Portugal) legally require hotels to register ALL guests including minors for police/immigration reporting
- When required by law, we collect minimal data about minor guests (name, birthdate, document number) strictly for compliance
- This data is provided by parents/guardians during the check-in process
- We process this data under the legal basis of "legal obligation"
General Approach to Children:
- Our platform and services are not directed at individuals under 18
- We do not knowingly collect data directly from minors beyond legal requirements
- We do not market to children or use their data for profiling or personalization
- If we discover we've collected data from a child without appropriate legal basis or parental consent, we delete it promptly
9. Retention
- Guest ID/passport data: Retained as required by local law (12-24 months in most EU countries, up to 3 years in some jurisdictions)
- Check-in operational data: Minimum 90 days for legitimate business purposes (customer service, payment disputes, fraud prevention)
- Payment data: 7 years for accounting and tax compliance
- Communications: 24 months for customer service and quality assurance, then anonymized
- Usage/technical data: 12 months for security and performance analysis
- AI interaction data: 12 months of inactivity or upon consent withdrawal
- Customer account data: Duration of business relationship plus 3 years
- Marketing data: Until consent withdrawal or 3 years of inactivity
Note: Where local laws require longer retention periods, we comply with those requirements. The 90-day minimum for check-in data is necessary for:
- Payment card chargeback periods (typically 60-120 days)
- Customer service and dispute resolution
- Fraud pattern detection and prevention
- Platform security and abuse prevention
We regularly review and securely delete data that has exceeded its retention period.
10. Sharing of Data
We share data only with contracted processors for:
- Hosting and infrastructure services
- Payment processing
- Communication platforms
- Property management and distribution systems
- Analytics and monitoring
- Customer support tools
We do not sell, rent, or trade personal data to third parties under any circumstances.
Subprocessor Transparency: We maintain a current list of our subprocessors at upmarket.cloud/legal/subprocessors. Customers are notified at least 30 days before any material changes to our subprocessors via email and platform notification.
11. International Transfers
Where data leaves the EEA or Brazil, we rely on:
- Adequacy decisions where available
- Standard Contractual Clauses (SCCs) with supplementary safeguards
Additional Safeguards: When using SCCs, we apply supplementary measures including:
- End-to-end encryption for data in transit
- Encryption at rest for stored data
- Pseudonymization where feasible
- Strict access controls and authentication
- Regular security assessments of international processors
12. Security
We implement comprehensive security measures:
- AES-256 encryption at rest and TLS 1.3 in transit
- Multi-factor authentication and role-based access controls
- Comprehensive logging and real-time monitoring
- Regular security audits and penetration testing
- Incident response procedures with 24/7 monitoring
- Privacy by design and default principles
- Employee security training and confidentiality agreements
13. Breach Notification
In the event of a personal data breach:
- We notify the Dutch DPA within 72 hours of discovery
- We notify affected customers immediately to enable their own compliance obligations
- We notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
- Notifications include: nature of the breach, categories and approximate numbers of affected individuals and records, likely consequences, and measures taken or proposed to address the breach
14. Data Subject Rights
You have the right to:
- Access your personal data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Object to processing
- Withdraw consent at any time (without affecting lawfulness of prior processing)
- Lodge a complaint with your supervisory authority
Guest Rights Process:
- Guests should first contact their host (property) to exercise privacy rights
- If unresolved or for direct UpMarket processing, contact [email protected]
- We respond to all requests within 30 days
For California Residents (CCPA/CPRA):
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt-out of sharing (we do not sell or share personal data for cross-context behavioral advertising)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising privacy rights
California residents may use our "Do Not Sell or Share My Personal Information" link in the site footer to exercise opt-out rights, even though we do not sell or share personal information.
To exercise these rights, contact [email protected]. We respond to verified requests within 45 days.
15. Cookies
Cookie Types:
- Essential cookies: Required for service functionality (no consent needed)
- Analytics cookies: Help us understand usage patterns (explicit consent required)
- Marketing cookies: Enable personalized content (explicit consent required)
Cookie Control:
- Our cookie banner provides accept all, reject all, and granular preference options
- Non-essential cookies are off by default until explicit consent is given
- You can withdraw consent at any time through cookie settings
- We respect Global Privacy Control (GPC) signals where legally required
16. Changes to This Policy
We may update this policy periodically. Material changes will be communicated at least 30 days before taking effect via:
- Email to registered users
- Prominent notice on our platform
- Updates to the "Last Updated" date
We encourage you to review this policy regularly.
17. Privacy by Design
We incorporate data protection principles into our technology development and business practices from the outset, ensuring privacy is embedded throughout our entire data lifecycle. This includes:
- Data protection impact assessments for new features
- Privacy considerations in system architecture
- Regular privacy training for all staff
- Default privacy-protective settings
Last Updated: January 1, 2025