GDPR Compliance

At Lodgestory (operated by MARRG GLOBAL TECH PVT LTD), we are committed to ensuring that our platform complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This page outlines how we collect, process, and store personal data, the rights available to you as a data subject, and how you can exercise those rights.

1. Data Collection

We collect personal data only when it is necessary to provide and improve our services. The types of personal data we collect include:

• Account Information: Name, email address, phone number, and company name provided during registration.
• Usage Data: Information about how you interact with our platform, including pages visited, features used, and time spent.
• Communication Data: Messages, conversations, and interactions managed through the Lodgestory platform on behalf of your business.
• Technical Data: IP address, browser type, device information, and cookies used for authentication and analytics.
• Payment Data: Billing information processed securely through our payment processors (Razorpay and PayPal). We do not store full payment card details on our servers.

We do not collect sensitive personal data (such as health data, racial or ethnic origin, or political opinions) unless explicitly required for a specific service and with your explicit consent.

2. Data Processing

We process your personal data based on the following lawful bases as defined under Article 6 of the GDPR:

• Contract Performance: Processing necessary to provide the Lodgestory platform and services you have subscribed to or requested.
• Legitimate Interests: Processing for purposes such as improving our services, ensuring platform security, preventing fraud, and conducting analytics — provided these interests do not override your fundamental rights.
• Consent: Where required, we obtain your explicit consent before processing data for specific purposes such as marketing communications. You may withdraw consent at any time.
• Legal Obligation: Processing required to comply with applicable laws, regulations, or legal processes.

We limit data processing to what is strictly necessary for the stated purpose (data minimization) and do not use personal data for purposes incompatible with the original collection purpose without notifying you.

3. Data Storage

Your personal data is stored securely in data centers that employ industry-standard physical, technical, and organizational security measures:

• All data at rest is encrypted using AES-256 encryption.
• Data in transit is protected using TLS 1.2 or higher.
• Database backups are encrypted and stored in geographically redundant locations.
• Access to production data is restricted to authorized personnel on a need-to-know basis.

Data Retention: We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Typically, account data is retained for up to 12 months after account deactivation. You may request earlier deletion at any time.

International Transfers: Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data.

4. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention requirements.
• Right to Restriction (Article 18): You may request restriction of processing in certain circumstances.
• Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format for transfer to another controller.
• Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

To exercise any of these rights, please contact our Data Protection Officer using the details provided below. We will respond to your request within 30 days, as required by the GDPR.

5. Contact Our Data Protection Officer

If you have any questions about our GDPR compliance, wish to exercise your data subject rights, or need to report a concern, please contact our Data Protection Officer:

We are committed to working with data protection authorities to resolve any complaints that cannot be resolved directly. If you are located in the EEA, you may also contact your local supervisory authority.