Privacy Policy

This Privacy Policy explains how Ratestellar (“Ratestellar,” “we,” “us,” “our”) collects, uses, shares, and protects personal data when you access or use our website, applications, dashboards, APIs, and related services (the “Services”).

If you do not agree with this Privacy Policy, do not use the Services.

1. Who we are and scope

Ratestellar operates a B2B travel distribution platform. This Privacy Policy applies to personal data processed when:

  • A business partner user (an “Authorized User”) creates an account and uses the Services.
  • A partner transmits end-customer/guest details to us for booking and servicing travel reservations.

In many cases, your company is the data controller for end-customer/guest data you upload to Ratestellar, and Ratestellar acts as a processor/service provider on your behalf. If you are an end customer/guest, your primary relationship is typically with the partner you booked with and the travel service supplier.

2. Definitions

  • Personal data means information relating to an identified or identifiable natural person.
  • Controller means the entity deciding why and how personal data is processed.
  • Processor means an entity processing personal data on behalf of a controller.

3. Data we collect

3.1 Data you provide (Partner users)

  • Account details: name, business email, phone, role, company name.
  • Authentication and security: password (hashed), MFA signals (if used).
  • Billing and commercial details: invoicing contacts, billing address, tax information (where applicable), payment status.
  • Communications: support tickets, emails, messages, feedback.

3.2 Booking and traveler data (End customers/guests)

Depending on the booking flow and partner configuration, we may process:

  1. Guest identity/contact: name, email, phone.
  2. Reservation details: hotel, dates, room, occupancy, special requests.
  3. Travel preferences: bed type, accessibility notes, meal plans, loyalty details (if provided).
  4. Check-in support details: arrival time, remarks to the property.

Sensitive data: Do not upload special categories of data (such as health data) unless strictly necessary for travel services (for example, accessibility requests) and you have a lawful basis to do so.

3.3 Data we collect automatically

  • Device and usage data: IP address, browser type, device identifiers, app version.
  • Log data: access times, pages/endpoints used, error logs, API request metadata.
  • Cookies and similar technologies (see Section 8).

3.4 Data from third parties

  • Suppliers and aggregators: booking status, confirmations, amendments, cancellations.
  • Payment providers: payment confirmation, chargeback/dispute signals (we do not aim to store full card data ourselves).
  • Security providers: fraud and abuse indicators.

4. How we use personal data

We use personal data to:

  • Provide and operate the Services: account creation, authentication, booking processing, customer support.
  • Facilitate reservations and post-booking servicing: confirmations, modifications, cancellations, voucher issuance.

5. Legal bases (EEA/UK)

Where GDPR or similar laws apply, we process personal data under one or more of:

  • Contract: to provide the Services to the Partner and perform bookings.
  • Legitimate interests: security, fraud prevention, service improvement, analytics.
  • Legal obligation: accounting, tax, compliance requests.
  • Consent: for certain cookies/marketing where required; you can withdraw consent.

6. How we share personal data

We may share personal data with:

  • Travel service suppliers (for example, hotels) to fulfill bookings and special requests.
  • Technology and infrastructure providers (hosting, databases, monitoring, communications) that process data to run the Services.
  • Payment processors to handle payments and fraud prevention.
  • Affiliates (if applicable) for internal administration, security, and service delivery.
  • Professional advisors (lawyers, auditors) under confidential.
  • Authorities when required by law, court order, or to protect rights and safety.

7. International transfers

Your data may be processed in countries other than where you live or where it was collected. Where required, we use appropriate safeguards (such as contractual protections) to support cross-border transfers.

8. Cookies and similar technologies

We use cookies and similar tools for:

  1. Essential functionality: login sessions, security, load balancing.
  2. Preferences: language, remembered setting
  3. Analytics: understanding usage and performance.
  4. Marketing (optional): only where enabled and legally permitted.

You can control cookies through browsersettings and, where available, our cookie banner/preferences tool.

9. Data retention

We keep personal data only as long as necessary for the purposes described, including:

  1. Active accounts: for the duration of the partner relationship.
  2. Booking records: as needed for servicing, dispute handling, accounting, and legal compliance.
  3. Logs/security data: typically shorter retention, unless needed to investigate incidents.

Retention periods may vary based on local law and operational needs. Where feasible, we anonymize or aggregate data instead of retaining identifiable daNo system is perfectly secure. You are responsible for safeguarding your credentials and ensuring Authorized Users follow security best practices.

10. Security

We implement administrative, technical, and organizational measures designed to protect personal data, such as:

  1. Access controls and least-privilege permissions
  2. Encryption in transit and, where appropriate, at rest.
  3. Monitoring, logging, and incident response processes.
  4. Vendor risk controls.

No system is perfectly secure. You are responsible for safeguarding your credentials and ensuring Authorized Users follow security best practices.

11. Your rights

Depending on your location, you may haverights such as:

  1. Access, correction, deletion.
  2. Restriction or objection to processing.
  3. Data portability.
  4. Withdrawal of consent (where processing is based on consent).
  5. Complaint to a data protection authority.

If you are an end customer/guest and bookedthrough a Partner, you should typically contact the Partner first, since theycontrol the booking relationship and may be the controller.

12. Children

The Services are not intended for children. We do not knowingly collect personal data from children as Authorized Users. Guest data may include minors when a booking is made by an adult on their behalf, solely to fulfill travel services.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date. If changes are material, we will provide additional notice where required.

14. Contact us