Last Updated: September 11, 2023
Hotels.com, LP, a subsidiary of Expedia, Inc. (“we” or “us”) values you as our customer and recognizes that privacy is important to you. This Privacy Statement explains how we collect, use, and disclose data when you use our platform and associated services, your rights in determining what we do with the information that we collect or hold about you and tells you how to contact us.
This is a summary of our Privacy Statement. To review our Privacy Statement in full, please click here, or scroll down.
What does this Privacy Statement cover?
This Privacy Statement is designed to describe:
What personal information do we collect and use, and how do we collect it?
We collect personal information when:
When you create an account on one of our sites, sign up to receive offers or information, or make a booking using our platform, you give us your personal information. We also collect such information through automated technology such as cookies placed on your browser, with your consent where applicable, when you visit our sites or download and use our Apps. We also receive information from affiliated companies within Expedia Group, as well as business partners and other third-parties, which help us improve our platform and associated tools and services, update and maintain accurate records, potentially detect and investigate fraud, and more effectively market our services.
Your personal information may be shared for several purposes, including: to help you book your travel and/or vacation, assist with your travel and/or vacation stay, communicate with you (including when we send information on products and services or enable you to communicate with travel providers and/or property owners), and comply with the law. The full Privacy Statement below details how personal information is shared below.
You can exercise your data protection rights in various ways. For example, you can opt out of marketing by clicking the “unsubscribe” link in the emails, in your account as applicable, or contacting our customer service. Our Privacy Statement has more information about the options and data protection rights and choices available to you.
More information about our privacy practices is in our full Privacy Statement. You can also contact us as described below in the “Contact Us” section to ask questions about how we handle your personal information or make requests about your personal information.
When you use our platform, Apps, or associated tools or services, we may collect the following kinds of personal information from you as needed:
We collect sensitive personal information either with consent or in accordance with local law. This may include information which could reveal your racial or ethnic origin, religious or philosophical beliefs, sexual orientation and health or disability information.
When you install any of our apps or use our platform, we automatically collect the following types of information from your device (“Automatically Collected Information”):
When you download and use any of our mobile apps, we collect certain technical information from your device to enable the app to work properly and as otherwise described in this Privacy Statement. That technical information includes:
Permissions for Location-Based Services:
Depending on your device’s settings and permissions and your choice to participate in certain programs, we may collect the location of your device by using GPS signals, cell phone towers, Wi-Fi signals, Bluetooth or other technologies. We will collect this information, if you opt in through the app or other program (either during your initial login or later) to enable certain location-based services available within the app (for example, locating available lodging closest to you). To disable location capabilities of the app, you can log off or change your mobile device’s settings.
Depending on your device’s settings and permissions and your choice to participate in certain programs, we may use technology to track where you chose to download our app and to measure advertising effectiveness. When we use this kind of technology, we will use privacy enhancing technologies such as de-identification, pseudonymization, encryption and improved notice where possible.
We use your personal information for various purposes described below, which depend on the site you visit or the app you use.
Your Use of Online Sites, Apps, and Services:
Communications and Marketing:
Other Business Purposes and Compliance
The Expedia company responsible for the Expedia site you are using (including to make your booking) will be the main company responsible for your Personal Information, known as the controller. Where you use multiple Expedia sites, then each controller of those sites may act together to give you access to services such as our combined loyalty program, single account access to all out sites (each as they become available where you are) and for other support functions and operations to manage and improve our services across the Expedia Group companies. These are called joint controllers. This will not affect any marketing preferences that you have made and not updated with any particular Expedia company.
In certain instances, we may use clickstream data to render an illustration of your usage of our site. Clickstream data is the collection of a sequence of events that represent visitor actions on a website. We may reconstruct your site journey modeled on the timing and location of your actions. This data is primarily used for customer service purposes, to verify the legitimacy of a claim, or to defend ourselves. This data may also be used for other internal purposes such as improving the user experience on our website and identifying website malfunctions.
Sensitive Personal Information
We will only use your sensitive personal information for the purposes for which it was collected.
Lawful bases for processing:
We will collect personal information from you only (i) where the personal information is necessary to perform a contract with you (e.g., manage your booking, process payments, or create an account at your request), (ii) where the processing is in our legitimate interests and not overridden by your rights (as explained below), or (iii) where we have your consent to do so (e.g., sending you marketing communications where consent is required). In some cases, we will have a legal obligation to collect personal information from you such as where it is necessary to use your transaction history to complete our financial and tax obligations under the law.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Certain countries and regions allow us to process personal information on the basis of legitimate interests. If we collect and use your personal information in reliance on our legitimate interests (or the legitimate interests of any third-party), this interest will typically be to operate or improve our platform and communicate with you as necessary to provide our services to you, for security verification purposes when you contact us, to respond to your queries, undertaking marketing, or for the purposes of potentially detecting or preventing illegal activities.
We may use artificial intelligence, machine learning, and other automated decision-making to enhance your user experience and keep our site safe.
For example, we may use it in relation to:
Automated decisions may be made by putting your personal information into a system and the decision is calculated using automatic processes.
We will not engage in automated decision-making that involves a decision with legal or similarly significant effects solely based on automated processing of personal information, unless you: (1) explicitly consented to the processing, (2) the processing is necessary for entering into a contract, or (3) when otherwise authorized by applicable law.
You may have rights in relation to automated decision making, including the ability to request a manual decision-making process instead or contest a decision based solely on automated processing. If you want to know more about your data protection rights, please see the Your Rights and Choices section below.
We share your personal information as described below and in this Privacy Statement, and as permitted by applicable law.
You have certain rights and choices with respect to your personal information, as described below:
Certain countries and regions provide their residents with additional rights relating to personal information. These additional rights vary by country and region and may include the ability to:
For more information on what data subject rights may be available to you, please click here.
For questions about privacy, your rights and choices, and in order for you, or (where applicable) your authorized agent to make a request to amend or update your information, or to inquire about deletion of your information, please contact us here.
In addition to the above rights, you may have the right to complain to a data protection authority about our collection and use of your personal information. However, we encourage you to contact us first so we can do our best to resolve your concern. You may submit your request to us using the information in the Contact Us section.
We respond to all requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right to appeal a decision to not take action on a request under applicable law, instructions on how to make that appeal will be included in our response to you.
The personal information we process may be accessed from, processed or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your personal information is necessary for us to service your transaction with us, and for the purposes outlined in this Privacy Statement.
The servers for our platform are located in the United States, and the Expedia Group companies and third-party service providers operate in many countries around the world. When we collect your personal information, we may process it in any of those countries. Our employees may access your personal information from various countries around the world. The transferees of your personal information may also be located in countries other than the country in which you reside.
We have taken appropriate steps and put safeguards in place to help ensure that any access, processing and/or transfer of your personal information remains protected in accordance with this Privacy Statement and in compliance with applicable data protection law. Such measures provide your personal information with a standard of protection that is at least comparable to that under the equivalent local law in your country, no matter where your data is accessed from, processed and/or transferred to. We will comply with obligations regarding personal information cross-border transfer in accordance with application data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.
Some measures that we have in place include the following:
Carrying out periodic risk assessments and implement various technological and organization measures to ensure compliance with relevant laws on data transfer.
All wholly owned U.S. affiliates of Expedia, Inc. (part of the Expedia Group of brands) have certified to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (“the DPF Frameworks”) and that we adhere to the DPF Framework Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability for personal information from the EU, Switzerland, and the United Kingdom. The Federal Trade Commission has jurisdiction over such Expedia Group U.S. affiliates’ compliance with the DPF Frameworks. In addition, Expedia Group maintains intra-group Standard Contractual Clauses where applicable to cover the transfer of EU personal information to the U.S. Our certifications can be found here. For more information about the DPF Frameworks principles, please visit: https://www.dataprivacyframework.gov.
In compliance with the DPF Frameworks, Expedia, Inc. U.S. affiliates (part of the Expedia Group of brands) commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the DPF Frameworks. Under certain circumstances, you may have the possibility to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please visit this link for more information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
Expedia, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF Frameworks should first contact us via our Contact Us below.
Hotels.com, LP’s privacy practices, described in this Privacy Statement, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.
We want you to feel confident about using our platform and all associated tools and services, and we are committed to taking appropriate steps to protect the information we collect. While no company can guarantee absolute security, we do take reasonable steps to implement appropriate physical, technical, and organizational measures to protect the personal information that we collect and process.
Our cybersecurity team develops and deploys technical security controls and measures to ensure responsible data collection, storage, and sharing that is proportionate to the data’s level of confidentiality or sensitivity. We take efforts to continuously implement and update security measures to protect your information from unauthorized access, loss, destruction, or alteration. We hold our data-handling partners to equally high standards.
We will retain your personal information in accordance with all applicable laws, for as long as it may be relevant to fulfill the purposes set forth in this Privacy Statement, unless a longer retention period is required or permitted by law. We will deidentify, aggregate, or otherwise anonymize your personal information if we intend to use it for analytical purposes or trend analysis over longer periods of time.
When we delete your personal information, we use industry standard methods to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal information in backup systems to protect our systems from malicious loss. This data is inaccessible unless restored, and all unnecessary information will be deleted upon restoration.
The criteria we use to determine our retention periods include:
If you have any questions or concerns about our use of your personal information, or wish to inquire about our personal information handling practices, and exercise your rights to access, correct or inquire about deletion of personal information, please contact us via the Privacy Section on our Customer Services Portal here. For a list of the Expedia Group companies, click here.
For more information about the data controller(s) (and joint controllers, where applicable) and/or Representative for personal information we process, please click here.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
We may update this Statement in response to changing laws or technical or business developments. If we propose to make any material changes, we will notify you by means of a notice on this page. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the top of this Statement.