GetMyHotels.comBeta
DestinationsHow it worksGet the appClaude & ChatGPT
GetMyHotels.com

AI-native hotel and flight booking. Tell us where, we handle the rest.

Discover

  • Search hotels
  • Destinations
  • Get the app
  • Claude & ChatGPT
  • Blog

Help

  • Help center
  • FAQs
  • Contact support

Company

  • About
  • Careers
  • Press

Legal

  • Terms
  • Privacy
  • Cookies
© 2026 GetMyHotels. All rights reserved.
TermsPrivacyYour privacy choicesComplianceLegalDelete accountSitemap
Compliance & trust

How GetMyHotels handles privacy, payments, and travel regulation

This page is the single index of every regulation we operate under and every right you have as a user or business customer. Each framework links to the source policy and the underlying controls. Last reviewed 2026-05-27.

Your privacy choicesDelete my account

Trust at a glance

Every framework below is detailed further down the page with the specific controls and your rights under it.

European Union flag
GDPREU & UK
California state flag
CCPA / CPRACalifornia
Flag of India
DPDPAIndia
Flag of Brazil
LGPDBrazil
PCI DSSCard data security
WCAG 2.2Level AA
Flag of the United States
FTC 16 CFR 464Junk fees rule
Flag of the United States
DOT 14 CFR 399.84Full-fare rule
European Union flag
EU 261/2004Air passenger rights
SOC 2Type II — planned
ISO 27001Planned 2027
Secure payments

PCI DSS Level 1 processor, tokenized end to end

Card details are entered into payment elements hosted by Stripe. We never touch raw card numbers — only a tokenized reference and the last four digits.

Card networks accepted

VisaMastercardAmerican ExpressDiscoverDiners ClubJCBUnionPay

Digital wallets

Apple PayGoogle Pay

Payment processor

Stripe
Payment security detail

Frameworks we comply with

EU / UK / Switzerland
GDPR & UK GDPR
EU Regulation 2016/679 and the UK GDPR govern how we process personal data of users in the EEA, UK, and Switzerland. Our lawful bases, retention windows, transfer mechanisms (SCCs + adequacy where available), and your rights of access, rectification, erasure, restriction, portability, and objection are documented in the privacy policy.
  • Granular consent at signup + persistent cookie banner
  • Data-subject access / portability / erasure self-serve
  • Data Protection Impact Assessment on every new processing activity
  • Sub-processor inventory with SCC clauses for all transfers
California, Colorado, Virginia, Texas, Florida + 16 other US states
CCPA / CPRA & state privacy laws
We honor the Do-Not-Sell-or-Share opt-out for targeted advertising, treat the Global Privacy Control (Sec-GPC: 1) header as an implicit opt-out, and provide CCPA-aligned access + deletion mechanisms for all California residents — extended to all US users for parity.
  • /privacy-choices opt-out (no login required)
  • Sec-GPC browser signal honored server-side
  • Sensitive-info handling limited to what each booking strictly requires
  • 45-day verifiable request response window
India
Digital Personal Data Protection Act (DPDPA)
India's DPDPA Rules 2025 were notified in November 2025; we treat the act as binding for all India-resident users today. Substantive obligations (grievance officer, breach SLA, Consent Manager integration) come into force in November 2026 + May 2027.
  • Consent ledger captures every grant + withdrawal with timestamp + policy version
  • Verifiable parental consent path for users flagged as Indian minors
  • Hindi + regional language privacy notices
  • Tracked milestones in our internal DPDPA roadmap
Brazil
LGPD
Lei Geral de Proteção de Dados (Law 13.709/2018) applies to Brazilian users. Our privacy ledger, breach-notification process, and data subject rights match the GDPR baseline — LGPD requirements are a subset.
  • Portuguese privacy notice (pt-BR locale)
  • ANPD-aligned breach reporting workflow
  • Lawful-basis register kept current
United States (FTC)
FTC Junk Fees Rule
16 CFR Part 464 ('Trade Regulation Rule on Unfair or Deceptive Fees'), effective May 12, 2025, applies to short-term lodging. We disclose total price plus any mandatory fees at the earliest point in the search journey where the supplier has returned them; where the supplier has not, we render an unambiguous '+ taxes & fees' disclosure adjacent to the headline rate.
  • All-in nightly price surfaced on hotel cards when supplier returns it
  • Adjacent '+ taxes & fees' disclosure when not yet known
  • Full itemized breakdown at checkout and in the booking confirmation
Travel regulators
US DOT 14 CFR 399.84 & EU Regulation 261/2004
Flight result cards headline the total fare (taxes and government fees included), per DOT's full-fare advertising rule. For flights departing the EEA, UK, or Switzerland we surface a passenger-rights disclosure linking to the European Commission's EU 261 explainer.
  • Total fare (not base fare) headlined on every flight card
  • EU 261 rights link rendered at point of sale for in-scope departures
  • Cancellation + refund policies surfaced before payment
Payments
PCI DSS
We never see raw card numbers. Stripe handles every payment under its PCI DSS Level 1 certification. Our integration uses hosted payment elements + tokenized references so we sit in the lowest PCI scope (SAQ-A).
  • Stripe tokenized payments only
  • No card data in application logs, databases, or backups
  • TLS 1.2+ enforced on every payment surface
App Store / Play Store
Mobile platform policies
The GetMyHotels mobile app ships a privacy manifest (Apple PrivacyInfo.xcprivacy), targets Android API 36 ahead of the August 31, 2026 Play deadline, and provides in-app account deletion (Apple 5.1.1(v) / Play account-deletion URL requirement).
  • Sign in with Apple offered alongside Google (Apple 4.8)
  • Account deletion in-app + at /account/delete on the web
  • UGC report affordance on chat messages (Apple 1.2)
  • Privacy manifest declares required-reason API usage + tracking domains
Accessibility
WCAG 2.2 AA target
Our design system aims for WCAG 2.2 Level AA across web and mobile. New screens are reviewed for color contrast, keyboard navigation, semantic structure, focus states, and screen-reader labeling before merge. Existing screens are remediated on a rolling basis.
  • Semantic HTML + ARIA labels on every interactive surface
  • Color contrast verified against the design tokens
  • Keyboard navigation tested on every release
  • VoiceOver and TalkBack labels on mobile

Documents & self-serve

Privacy policy
Full notice covering lawful bases, retention, rights, and contacts.
Terms of service
The contract between you and GetMyHotels.
Your privacy choices
Opt out of sale/sharing for advertising. Honors the GPC signal.
Delete my account
Request permanent deletion of your account and personal data.
Payment security
PCI DSS, tokenization, 3D Secure 2 / SCA, fraud prevention, and accepted networks.
Sub-processors
Every third party that processes data on our behalf, with location + safeguards.
Data processing agreement
Standard DPA + SCCs for business customers transferring EU/UK data to us.
Cookie policy
What cookies we set, why, and how to opt out.
Accessibility statement
Our WCAG 2.2 AA conformance status + how to report a barrier.

Who to contact

Privacy / data rights
privacy@getmyhotels.com

Access, rectification, erasure, portability, restriction, objection.

Data Protection Officer
dpo@getmyhotels.com

EU representative + GDPR Article 38 contact.

Trust & safety
abuse@getmyhotels.com

Report abusive content, fraud, or platform misuse.

Are you a business customer asking about our security posture? Email privacy@getmyhotels.com for SOC 2 / ISO 27001 / penetration test reports under NDA.

Regulators or auditors with formal inquiries should write to dpo@getmyhotels.com — we respond within 5 business days.