TapStayOnline.com Privacy Policy

Last Updated: [Jan 01, 2025]
Controller: ALADDIN TRAVEL HOLDINGS LIMITED, ROOM 1002, 10/F, Easey Commercial Building, 253-261 Hennessy Road, Wan Chai, Hong Kong
Data Protection Officer: dpo@tapstayonline.com

1. Data We Collect

1.1 Personal Data

We process:

Identity Data: Name, passport details (for hotel registration)
Contact Data: Email, phone number, address
Payment Data: Card details (PCI-DSS compliant), billing address
Booking Data: Stay dates, room preferences, special requests
Technical Data: IP address, device type, cookies (see Section 5)

1.2 Sensitive Data

Health Data: Only if voluntarily provided (e.g., disability access requests)
Payment Fraud Checks: May involve limited credit scoring data

2. Legal Basis & Purposes

We process your data based on the following legal grounds under GDPR Article 6:

Booking Processing: Contract fulfillment (Art. 6(1)(b))
Marketing Emails: Your consent (Art. 6(1)(a))
Fraud Prevention: Our legitimate interests (Art. 6(1)(f))
Tax Compliance: Legal obligations (Art. 6(1)(c))

3. Data Sharing

We disclose data to:

Hotels: Minimum required for reservation (name, dates, payment status)
Payment Processors: Stripe, Adyen (encrypted transactions only)
German Tax Authorities: For VAT/city tax reporting (where applicable)
EU Law Enforcement: Only with valid legal request

4. International Transfers

EU → Hong Kong: Under Standard Contractual Clauses (SCCs)
EU → US: Only to Privacy Shield-certified partners

5. Cookies & Tracking

We use:

Essential Cookies: Session management (no consent required)
Analytics Cookies: Google Analytics (anonymized IPs)
Marketing Cookies: Facebook Pixel (opt-in required in EU)

Manage preferences via: 🔗 Cookie Settings

6. Data Retention

We retain different types of data for specific periods:

Booking Records: 10 years (German tax law requirement)
Marketing Consents: 3 years after last activity
Website Logs: 12 months

7. Your Rights (DSGVO/GDPR)

Under the GDPR, you have the following rights:

Right to Access (Article 15): You can request information about your personal data that we process.
Right to Rectification (Article 16): You can request correction of inaccurate personal data.
Right to Erasure (Article 17): Also known as the "Right to be Forgotten" - you can request deletion of your data.
Right to Restriction of Processing (Article 18): You can limit how we use your personal data.
Right to Data Portability (Article 20): You can request to receive your data in a structured, commonly used format.
Right to Object to Marketing (Article 21): You can opt out of direct marketing at any time.

How to Exercise Your Rights:

Submit requests to: dpo@tapstayonline.com
We will respond within 30 days (free of charge)
We may request verification of your identity

8. Security Measures

Encryption: TLS 1.3 for all data transfers
Access Controls: Role-based access to databases
Audits: Annual penetration testing

9. Children's Data

Services not offered to users under 16 (or national age of consent)
No deliberate collection of children's data

10. Policy Updates

Notified via email for material changes