UpMarket Privacy Policy

This page brings together two important parts of our privacy framework:

  • Guest Privacy Notice – a plain-language summary for guests staying at properties that use UpMarket.
  • Full Privacy Policy – the comprehensive, legally compliant policy for customers, regulators, and partners.

Guests should primarily read the Guest Privacy Notice, while property managers, enterprise customers, and regulators should consult the Full Privacy Policy.


Guest Privacy Notice

Your Privacy During Your Stay

When you stay at a property using UpMarket, your personal data is handled carefully and securely. This notice explains the key points about your privacy. For complete details, please see our full Privacy Policy below.

Who Is Responsible?

  • Your host (hotel, property manager) is the data controller for your personal data
  • UpMarket acts as their data processor to handle your data securely
  • For certain purposes (fraud prevention, platform security), UpMarket may also act as a controller

What Data We Collect

  • Your contact details (name, email, phone)
  • Your booking information (dates, property, reservation number)
  • Your ID document, if required by local law (passport, ID card)
  • Information about ALL guests including children when required by law (e.g., Spain, Italy, Greece)
  • Your messages with the host (email, SMS, chat apps)
  • Your preferences and requests (e.g., early check-in, special requests, upsell choices)
  • Technical data when you use our digital services (IP address, device type)

Why We Collect It

  • To register your stay with local authorities as required by law (including ALL guests regardless of age in many countries)
  • To manage your booking and digital check-in/out
  • To enable communication with your host
  • To process payments securely
  • To personalize your stay with relevant offers and local recommendations
  • To ensure the safety and security of all guests
  • To handle customer service requests and resolve disputes

AI Features and Personalization

Our platform may use AI to:

  • Suggest relevant services or upgrades
  • Provide automated responses to common questions
  • Offer personalized local recommendations

How it works: AI personalization uses your booking metadata, prior interactions with the property, and property context. We do not use biometric or sensitive personal data for personalization.

These are optional features. You can opt out of AI personalization at any time by contacting your host or us directly.

How Long We Keep It

  • ID documents: As required by local law (typically 12-24 months in EU countries, up to 3 years in some jurisdictions)
  • Check-in data: Minimum 90 days for operational purposes (customer service, disputes, fraud prevention), longer if required by law
  • Booking data: Up to 24 months for service improvement and analytics
  • Communications: Up to 24 months, then anonymized
  • Payment information: 7 years for accounting and tax compliance

Who We Share It With

  • Your host (the property)
  • Trusted service providers for:
    • Secure hosting and data storage
    • Payment processing
    • Communication delivery
  • Authorities only when legally required

We never sell your personal data to anyone.

Cookies

When you use our digital services:

  • Essential cookies are used to make the service work
  • Optional cookies (analytics, personalization) require your explicit consent
  • Our cookie banner provides accept all, reject all, and granular preference options
  • Non-essential cookies are off by default until you give consent

You can change your cookie preferences anytime through the cookie settings on our platform.

Your Privacy Rights

You have the right to:

  • Access your personal data
  • Correct any errors
  • Delete your data when no longer needed
  • Transfer your data (data portability)
  • Object to marketing or automated features
  • Withdraw consent for optional processing

How to exercise your rights:

  1. First step: Contact your host directly for fastest resolution
  2. If unresolved: Contact UpMarket at [email protected] - we'll respond within 30 days

International Data Transfers

When your data needs to be processed outside the EU/EEA:

  • We rely on adequacy decisions or Standard Contractual Clauses (SCCs)
  • We apply additional safeguards including encryption, pseudonymization, and strict access restrictions

Jurisdictional Requirements

Different countries have different legal requirements for guest registration:

  • Spain, Italy, Greece, Portugal: Must register ALL guests including children
  • Netherlands, Germany: Adult guests only
  • Some countries: No registration requirement

We comply with local laws wherever properties are located.

Children's Privacy

When children (under 18) stay at properties:

  • Legal requirements: Many countries (Spain, Italy, Greece, etc.) require us to collect identification data for ALL guests including children for police registration
  • Data collected: Only what's legally required (typically name, birthdate, document number)
  • Parental involvement: Parents/guardians must provide this information during check-in
  • We don't market to children or collect their data beyond legal requirements

Contact Us

For guest data questions:

  1. First, contact your host directly
  2. For additional support: [email protected]

To exercise your privacy rights:
Email: [email protected]

Our Data Protection Authority:
Netherlands: Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl


This notice was last updated on January 1, 2025.


Full Privacy Policy

UpMarket International B.V.
Effective Date: January 1, 2025
Version: 1.0

1. Who We Are

UpMarket International B.V. ("UpMarket", "we", "our") is a company registered in the Netherlands, providing automation services for hospitality businesses.

Data Controller/Processor Roles:

  • We act as data processor when handling guest data on behalf of our customers (hotels, property managers), who remain the data controllers
  • We act as data controller for:
    • Personal data collected directly from our business customers
    • Guest data processed for our own legitimate purposes (fraud prevention, platform security, service improvement)

2. Contact Information

Address: Van Ostadestraat 306-3, 1073TX Amsterdam, Netherlands
Email: [email protected]
Phone: +351 924 185 001
Supervisory Authority (EU): Autoriteit Persoonsgegevens – autoriteitpersoonsgegevens.nl
Data Protection Officer (Brazil – LGPD): [email protected]

Accessibility: This policy is available in English. Alternative formats or translations are available on request by contacting [email protected].

3. Data Minimization Principle

We collect only the minimum personal data necessary to provide our services effectively. We regularly review our data collection practices to ensure we are not collecting excessive information.

4. Categories of Personal Data Collected

Customers (B2B users): Account credentials, contact information, billing details, support requests, usage analytics.

Guests (end-users of properties):

  • Adult guests: Full identification documents, booking details, communication history, payment metadata, preferences and interaction data through our AI concierge
  • Minor guests: Limited identification data as legally required (typically name, birthdate, document number) collected via parent/guardian

Technical/Usage Data: IP addresses, browser/device type, activity logs, cookie data, session information.

5. Legal Bases for Processing

We rely on:

  • Contractual necessity (to provide services to customers and enable guest check-in/out)
  • Legal obligation (compliance with hospitality regulations, police/immigration reporting for all guests including minors, tax requirements)
  • Legitimate interests (fraud prevention, service improvement, customer support, platform security, operational requirements like dispute resolution)
  • Consent (marketing communications, non-essential cookies, certain AI personalization features)
  • Public interest/legal requests (where required by authorities)

6. Use of Data

We process data to:

  • Deliver and manage our platform functions
  • Facilitate guest onboarding and legal reporting
  • Handle payments securely
  • Enable communication between guests and hosts
  • Provide AI-driven recommendations and service personalization
  • Analyze service usage and detect fraudulent or abusive behavior
  • Ensure the security and integrity of our services
  • Comply with legal obligations

7. Automated Decision-Making and AI

Our AI services provide suggestions (upsells, service recommendations, automated replies).

AI Transparency: Our AI personalization uses booking metadata, prior guest interactions, property context, and aggregated preference patterns. We do not use biometric data, special category data, or other sensitive personal information for AI personalization.

These are assistive features that do not produce legal or similarly significant effects. You have the right to:

  • Object to automated processing
  • Request human review of any automated suggestions
  • Opt out of AI personalization features
  • Request explanation of the logic involved in automated processing

8. Children's Privacy

Legal Compliance for Minor Guests:

  • Many jurisdictions (including Spain, Italy, Greece, Portugal) legally require hotels to register ALL guests including minors for police/immigration reporting
  • When required by law, we collect minimal data about minor guests (name, birthdate, document number) strictly for compliance
  • This data is provided by parents/guardians during the check-in process
  • We process this data under the legal basis of "legal obligation"

General Approach to Children:

  • Our platform and services are not directed at individuals under 18
  • We do not knowingly collect data directly from minors beyond legal requirements
  • We do not market to children or use their data for profiling or personalization
  • If we discover we've collected data from a child without appropriate legal basis or parental consent, we delete it promptly

9. Retention

  • Guest ID/passport data: Retained as required by local law (12-24 months in most EU countries, up to 3 years in some jurisdictions)
  • Check-in operational data: Minimum 90 days for legitimate business purposes (customer service, payment disputes, fraud prevention)
  • Payment data: 7 years for accounting and tax compliance
  • Communications: 24 months for customer service and quality assurance, then anonymized
  • Usage/technical data: 12 months for security and performance analysis
  • AI interaction data: 12 months of inactivity or upon consent withdrawal
  • Customer account data: Duration of business relationship plus 3 years
  • Marketing data: Until consent withdrawal or 3 years of inactivity

Note: Where local laws require longer retention periods, we comply with those requirements. The 90-day minimum for check-in data is necessary for:

  • Payment card chargeback periods (typically 60-120 days)
  • Customer service and dispute resolution
  • Fraud pattern detection and prevention
  • Platform security and abuse prevention

We regularly review and securely delete data that has exceeded its retention period.

10. Sharing of Data

We share data only with contracted processors for:

  • Hosting and infrastructure services
  • Payment processing
  • Communication platforms
  • Property management and distribution systems
  • Analytics and monitoring
  • Customer support tools

We do not sell, rent, or trade personal data to third parties under any circumstances.

Subprocessor Transparency: We maintain a current list of our subprocessors at upmarket.cloud/legal/subprocessors. Customers are notified at least 30 days before any material changes to our subprocessors via email and platform notification.

11. International Transfers

Where data leaves the EEA or Brazil, we rely on:

  • Adequacy decisions where available
  • Standard Contractual Clauses (SCCs) with supplementary safeguards

Additional Safeguards: When using SCCs, we apply supplementary measures including:

  • End-to-end encryption for data in transit
  • Encryption at rest for stored data
  • Pseudonymization where feasible
  • Strict access controls and authentication
  • Regular security assessments of international processors

12. Security

We implement comprehensive security measures:

  • AES-256 encryption at rest and TLS 1.3 in transit
  • Multi-factor authentication and role-based access controls
  • Comprehensive logging and real-time monitoring
  • Regular security audits and penetration testing
  • Incident response procedures with 24/7 monitoring
  • Privacy by design and default principles
  • Employee security training and confidentiality agreements

13. Breach Notification

In the event of a personal data breach:

  • We notify the Dutch DPA within 72 hours of discovery
  • We notify affected customers immediately to enable their own compliance obligations
  • We notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
  • Notifications include: nature of the breach, categories and approximate numbers of affected individuals and records, likely consequences, and measures taken or proposed to address the breach

14. Data Subject Rights

You have the right to:

  • Access your personal data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing
  • Withdraw consent at any time (without affecting lawfulness of prior processing)
  • Lodge a complaint with your supervisory authority

Guest Rights Process:

  • Guests should first contact their host (property) to exercise privacy rights
  • If unresolved or for direct UpMarket processing, contact [email protected]
  • We respond to all requests within 30 days

For California Residents (CCPA/CPRA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of sharing (we do not sell or share personal data for cross-context behavioral advertising)
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising privacy rights

California residents may use our "Do Not Sell or Share My Personal Information" link in the site footer to exercise opt-out rights, even though we do not sell or share personal information.

To exercise these rights, contact [email protected]. We respond to verified requests within 45 days.

15. Cookies

Cookie Types:

  • Essential cookies: Required for service functionality (no consent needed)
  • Analytics cookies: Help us understand usage patterns (explicit consent required)
  • Marketing cookies: Enable personalized content (explicit consent required)

Cookie Control:

  • Our cookie banner provides accept all, reject all, and granular preference options
  • Non-essential cookies are off by default until explicit consent is given
  • You can withdraw consent at any time through cookie settings
  • We respect Global Privacy Control (GPC) signals where legally required

16. Changes to This Policy

We may update this policy periodically. Material changes will be communicated at least 30 days before taking effect via:

  • Email to registered users
  • Prominent notice on our platform
  • Updates to the "Last Updated" date

We encourage you to review this policy regularly.

17. Privacy by Design

We incorporate data protection principles into our technology development and business practices from the outset, ensuring privacy is embedded throughout our entire data lifecycle. This includes:

  • Data protection impact assessments for new features
  • Privacy considerations in system architecture
  • Regular privacy training for all staff
  • Default privacy-protective settings

Last Updated: January 1, 2025

© 2024 Upmarket. All rights reserved.