Privacy Policy

Effective Date: March 30, 2026

1. Introduction

StayRewards ("we", "us", or "our") is a loyalty program management platform operated by an individual (sole proprietor) based in Mexico. We provide SaaS services to hotels, enabling them to automatically manage guest loyalty programs through our native integration with Cloudbeds.

This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our services. It applies to:

  • Hotel clients who subscribe to StayRewards ("Hotel Partners").
  • End guests of those hotels whose data is processed through our platform ("Guests").
  • Visitors to our website and related digital properties.

2. Role as Data Controller and Processor

StayRewards acts in a dual capacity:

2.1 Data Controller

We act as a Data Controller for personal information we collect directly from Hotel Partners (e.g., account credentials, billing contact information, usage data).

2.2 Data Processor

We act as a Data Processor for personal information belonging to Guests, which is shared with us by Hotel Partners through the Cloudbeds integration. In this capacity, we process Guest data only on the documented instructions of the Hotel Partner.

Hotel Partners are independently responsible for ensuring their collection and sharing of Guest data complies with applicable laws, including obtaining any required consents from Guests.

3. Information We Collect

3.1 From Hotel Partners

We collect the following information when Hotel Partners register and use our platform:

  • Full name and business email address of the account holder.
  • Hotel property name and contact details.
  • Billing and payment information (processed securely by a third-party payment provider).
  • Usage logs, configuration settings, and support communications.

3.2 From Hotel Partners About Guests

Through the Cloudbeds integration, Hotel Partners may transmit the following Guest data to StayRewards for loyalty program processing:

  • Guest full name.
  • Guest email address.
  • Stay history and transaction records (check-in/check-out dates, room category, total spend).
  • Loyalty points balance and redemption history.

We do not collect Guest payment card data or government-issued identification numbers.

3.3 Automatically Collected Data

When you visit our website or use our platform, we may automatically collect:

  • IP address and approximate geolocation.
  • Browser type, operating system, and device identifiers.
  • Pages visited and actions taken (via cookies or similar technologies).

4. How We Use Information

We use the information we collect to:

  • Provide, operate, and improve the StayRewards platform.
  • Process and manage Guest loyalty points and rewards on behalf of Hotel Partners.
  • Authenticate users and maintain account security.
  • Communicate with Hotel Partners about their accounts, updates, and support.
  • Comply with legal obligations applicable in Mexico and other relevant jurisdictions.
  • Analyze platform performance and detect fraudulent or abusive behavior.

We do not sell personal information to third parties. We do not use Guest data for advertising purposes.

5. Legal Bases for Processing

5.1 Mexico — LFPDPPP

Processing is based on the consent of data subjects, the fulfillment of a contractual relationship with Hotel Partners, and compliance with legal obligations.

5.2 European Economic Area — GDPR

For individuals located in the EEA, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — for Hotel Partners.
  • Legitimate interests (Art. 6(1)(f)) — for platform security and improvement.
  • Consent (Art. 6(1)(a)) — where explicitly obtained.
  • Legal obligation (Art. 6(1)(c)) — for compliance purposes.

Where we process Guest data as a Processor on behalf of Hotel Partners established in the EEA, we do so pursuant to a Data Processing Agreement (DPA). Hotel Partners may request a DPA by contacting us at the address below.

5.3 United States

We comply with applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA) and its amendment (CPRA), to the extent they apply. California residents may have additional rights as described in Section 8.

6. Sharing of Information

We may share personal information with:

  • Cloudbeds: Our primary integration partner, which provides property management system data. Cloudbeds processes data under its own privacy policy.
  • Payment processors: For billing of Hotel Partners (e.g., Stripe). Payment data is handled directly by the processor and not stored by StayRewards.
  • Cloud infrastructure providers: We use reputable cloud hosting services to store and process data securely.
  • Legal authorities: When required by applicable law, court order, or to protect our legal rights.

We do not share Guest data with any third party except as strictly necessary to deliver the loyalty program services instructed by the Hotel Partner.

7. International Data Transfers

Your data may be processed in countries other than your own, including Mexico, the United States, and other jurisdictions where our service providers operate. Where required by law (e.g., GDPR), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other valid transfer mechanisms.

8. Your Rights

8.1 For all users — Mexico (LFPDPPP)

You have ARCO rights: Access, Rectification, Cancellation, and Opposition. To exercise them, contact us at the address in Section 10.

8.2 For EEA residents — GDPR

  • Right to access your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure ("right to be forgotten").
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests.
  • Right to lodge a complaint with your local supervisory authority.

8.3 For California residents — CCPA/CPRA

  • Right to know what personal information is collected, used, or disclosed.
  • Right to delete personal information.
  • Right to opt out of the sale or sharing of personal information (we do not sell data).
  • Right to non-discrimination for exercising your rights.

To exercise any of the above rights, please contact us using the details in Section 10.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law:

  • Hotel Partner account data: retained for the duration of the contract and up to 5 years thereafter for legal and tax compliance.
  • Guest loyalty data: retained for the duration of the Hotel Partner's subscription and deleted within 90 days of contract termination, unless a longer retention period is required by applicable law or requested by the Hotel Partner.
  • Website usage logs: retained for up to 12 months.

10. Security

We implement industry-standard technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include encrypted data transmission (TLS), access controls, and regular security reviews.

No method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Cookies and Tracking Technologies

Our platform and website may use cookies and similar technologies to maintain sessions, remember preferences, and analyze usage. You may configure your browser to refuse cookies; however, some features may not function correctly without them.

12. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify Hotel Partners by email or through a notice on our platform. The revised policy will be effective as of the updated Effective Date shown at the top of this document. Continued use of our services after the changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact us at:

StayRewards
Operated by a sole proprietor based in Mexico
📧 support@stayrewards.io

We will respond to your request within 20 business days in compliance with Mexican law (LFPDPPP), or within 30 days for GDPR-related requests.