Compliance & trust

How GetMyHotels handles privacy, payments, and travel regulation

This page is the single index of every regulation we operate under and every right you have as a user or business customer. Each framework links to the source policy and the underlying controls. Last reviewed 2026-05-27.

Your privacy choices Delete my account

Trust at a glance

Every framework below is detailed further down the page with the specific controls and your rights under it.

GDPREU & UK

CCPA / CPRACalifornia

DPDPAIndia

LGPDBrazil

PCI DSSCard data security

WCAG 2.2Level AA

FTC 16 CFR 464Junk fees rule

DOT 14 CFR 399.84Full-fare rule

EU 261/2004Air passenger rights

SOC 2Type II — planned

ISO 27001Planned 2027

Secure payments

PCI DSS Level 1 processors, tokenized end to end

Card details are entered into payment elements hosted by Stripe (North America) or Adyen (rest of world). We never touch raw card numbers — only a tokenized reference and the last four digits. Razorpay covers UPI + domestic Indian payment methods.

Card networks accepted

UnionPay

Digital wallets

Payment processors

Payment security detail

Frameworks we comply with

EU / UK / Switzerland

GDPR & UK GDPR

EU Regulation 2016/679 and the UK GDPR govern how we process personal data of users in the EEA, UK, and Switzerland. Our lawful bases, retention windows, transfer mechanisms (SCCs + adequacy where available), and your rights of access, rectification, erasure, restriction, portability, and objection are documented in the privacy policy.

Granular consent at signup + persistent cookie banner
Data-subject access / portability / erasure self-serve
Data Protection Impact Assessment on every new processing activity
Sub-processor inventory with SCC clauses for all transfers

California, Colorado, Virginia, Texas, Florida + 16 other US states

CCPA / CPRA & state privacy laws

We honor the Do-Not-Sell-or-Share opt-out for targeted advertising, treat the Global Privacy Control (Sec-GPC: 1) header as an implicit opt-out, and provide CCPA-aligned access + deletion mechanisms for all California residents — extended to all US users for parity.

/privacy-choices opt-out (no login required)
Sec-GPC browser signal honored server-side
Sensitive-info handling limited to what each booking strictly requires
45-day verifiable request response window

India

Digital Personal Data Protection Act (DPDPA)

India's DPDPA Rules 2025 were notified in November 2025; we treat the act as binding for all India-resident users today. Substantive obligations (grievance officer, breach SLA, Consent Manager integration) come into force in November 2026 + May 2027.

Consent ledger captures every grant + withdrawal with timestamp + policy version
Verifiable parental consent path for users flagged as Indian minors
Hindi + regional language privacy notices
Tracked milestones in our internal DPDPA roadmap

Brazil

LGPD

Lei Geral de Proteção de Dados (Law 13.709/2018) applies to Brazilian users. Our privacy ledger, breach-notification process, and data subject rights match the GDPR baseline — LGPD requirements are a subset.

Portuguese privacy notice (pt-BR locale)
ANPD-aligned breach reporting workflow
Lawful-basis register kept current

United States (FTC)

FTC Junk Fees Rule

16 CFR Part 464 ('Trade Regulation Rule on Unfair or Deceptive Fees'), effective May 12, 2025, applies to short-term lodging. We disclose total price plus any mandatory fees at the earliest point in the search journey where the supplier has returned them; where the supplier has not, we render an unambiguous '+ taxes & fees' disclosure adjacent to the headline rate.

All-in nightly price surfaced on hotel cards when supplier returns it
Adjacent '+ taxes & fees' disclosure when not yet known
Full itemized breakdown at checkout and in the booking confirmation

Travel regulators

US DOT 14 CFR 399.84 & EU Regulation 261/2004

Flight result cards headline the total fare (taxes and government fees included), per DOT's full-fare advertising rule. For flights departing the EEA, UK, or Switzerland we surface a passenger-rights disclosure linking to the European Commission's EU 261 explainer.

Total fare (not base fare) headlined on every flight card
EU 261 rights link rendered at point of sale for in-scope departures
Cancellation + refund policies surfaced before payment

Payments

PCI DSS

We never see raw card numbers. Stripe (North America) and Adyen (rest of world) handle every payment under their respective PCI DSS Level 1 certifications. Our integration uses hosted payment elements + tokenized references so we sit in the lowest PCI scope (SAQ-A).

Stripe + Adyen tokenized payments only
No card data in application logs, databases, or backups
TLS 1.2+ enforced on every payment surface

App Store / Play Store

Mobile platform policies

The GetMyHotels mobile app ships a privacy manifest (Apple PrivacyInfo.xcprivacy), targets Android API 36 ahead of the August 31, 2026 Play deadline, and provides in-app account deletion (Apple 5.1.1(v) / Play account-deletion URL requirement).

Sign in with Apple offered alongside Google (Apple 4.8)
Account deletion in-app + at /account/delete on the web
UGC report affordance on chat messages (Apple 1.2)
Privacy manifest declares required-reason API usage + tracking domains

Accessibility

WCAG 2.2 AA target

Our design system aims for WCAG 2.2 Level AA across web and mobile. New screens are reviewed for color contrast, keyboard navigation, semantic structure, focus states, and screen-reader labeling before merge. Existing screens are remediated on a rolling basis.

Semantic HTML + ARIA labels on every interactive surface
Color contrast verified against the design tokens
Keyboard navigation tested on every release
VoiceOver and TalkBack labels on mobile

Documents & self-serve

Full notice covering lawful bases, retention, rights, and contacts.

The contract between you and GetMyHotels.

Your privacy choices

Opt out of sale/sharing for advertising. Honors the GPC signal.

Delete my account

Request permanent deletion of your account and personal data.

Payment security

PCI DSS, tokenization, 3D Secure 2 / SCA, fraud prevention, and accepted networks.

Sub-processors

Every third party that processes data on our behalf, with location + safeguards.

Data processing agreement

Standard DPA + SCCs for business customers transferring EU/UK data to us.

Cookie policy

What cookies we set, why, and how to opt out.

Accessibility statement

Our WCAG 2.2 AA conformance status + how to report a barrier.

Who to contact

Privacy / data rights: privacy@getmyhotels.com
Access, rectification, erasure, portability, restriction, objection.
Data Protection Officer: dpo@getmyhotels.com
EU representative + GDPR Article 38 contact.
Trust & safety: abuse@getmyhotels.com
Report abusive content, fraud, or platform misuse.

Are you a business customer asking about our security posture? Email privacy@getmyhotels.com for SOC 2 / ISO 27001 / penetration test reports under NDA.

Regulators or auditors with formal inquiries should write to dpo@getmyhotels.com — we respond within 5 business days.