Assiraj Hotels emblem

LEGAL

Privacy Policy

Last updated: 14 June 2026

1. Data Controller

ASSIRAJ VOYAGES OÜ ("Assiraj Hotels", "we", "us"), registered in Estonia, is the data controller for personal data processed via assirajhotels.com. Contact: support@assirajhotels.com.

2. Data We Collect

  • Identity & contact: name, email, phone, billing address.
  • Account: hashed password, language and currency preferences, VIP tier, wallet balance, gift-card ownership.
  • Booking: travel dates, guest names, special requests, booking history.
  • Payment: handled by PCI-DSS certified processors (Stripe, Airwallex, PayPal). We receive only a token, the last 4 digits, card brand and a fraud-risk score.
  • Technical & security: IP address, approximate country (via Cloudflare), browser, device, log timestamps, sign-in attempts.
  • Communications: emails sent and delivery status, support messages.

3. IP-Based Geolocation (Cloudflare)

Our infrastructure runs behind Cloudflare. We read the country code that Cloudflare attaches to each request to suggest your default currency and language. We do not derive a precise location from your IP and we do not share IP-derived data for marketing. Server access logs are retained for up to 30 days.

4. Language & Currency Preferences

Your selected language and display currency are stored in your browser and, when you are signed in, also in your account profile. These preferences are used solely to localise your experience and convert displayed prices from EUR using daily-refreshed FX rates. See our Cookies Policy.

5. Payment Processing

Card payments are processed by third-party providers — primarily Stripe Payments Europe Ltd (Ireland), and where applicable Airwallex and PayPal. The card form is hosted by the payment provider; we never see or store full card data. See stripe.com/privacy.

6. Logs, Analytics & Security Monitoring

  • Application logs: kept up to 90 days for debugging and reliability.
  • Security: failed sign-in attempts and fraud signals — kept up to 12 months.
  • Analytics: only if enabled by you via the cookie banner. Disabled by default.

7. Legal Basis & Purpose (GDPR Art. 6)

  • Performance of contract — booking, wallet, gift cards, customer support.
  • Legal obligation — accounting, tax, anti-money-laundering, fraud reporting.
  • Legitimate interest — security monitoring, fraud prevention, service improvement.
  • Consent — analytics cookies, marketing emails (separately opt-in).

8. Sharing

We share booking data with the hotel partner and our supplier channels (Hotelbeds, Expedia, WebBeds) strictly to fulfil your reservation, and payment data with Stripe / Airwallex / PayPal. We use Cloudflare for security and Lovable Cloud for hosting. We do not sell personal data.

9. Retention

  • Booking and accounting records: 7 years (Estonian law).
  • Account profile: until you delete your account, plus 30 days backup retention.
  • Marketing consent: until withdrawn.
  • Security logs: up to 12 months.

10. Your Rights (GDPR)

You have the right of access, rectification, erasure, restriction, data portability and objection, and the right to withdraw consent at any time. Contact support@assirajhotels.com. You may lodge a complaint with the Estonian Data Protection Inspectorate (AKI).

11. International Transfers

Where data is transferred outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission and additional safeguards as required.

12. Cookies

See our dedicated Cookies Policy for the full inventory and how to manage your choices.

13. Changes

We may update this Privacy Policy. The "last updated" date above always reflects the current version. Material changes are notified by email or in-app notice.