1. Who we are
Hotel Drop ("we", "us", "the Service") is a Chrome browser extension and accompanying backend that monitors hotel reservations users make on supported online travel agencies (OTAs) and alerts them when the same room, on the same dates, becomes available at a lower price.
For privacy-related correspondence, the controller of your personal data is reachable at privacy@hoteldrop.net.
2. What we collect
Our default posture is to collect the minimum necessary. Concretely, we process the following categories of data:
2.1 Anonymous device identifier
On install, the extension generates a random UUID (version 4) and stores it in your browser's local storage. This identifier links your browser session to its tracked bookings on our backend. It is not derived from any personal information and cannot be used to identify you outside the extension.
2.2 Booking metadata
When you confirm a hotel reservation on a supported OTA, or when you explicitly click the "Track this room" button on a checkout page before confirming, the extension extracts and sends to our backend:
- Hotel name and address
- Check-in and check-out dates
- Room type (when available)
- Number of guests (when available)
- Original price and currency
- Confirmation number (used only to deduplicate bookings)
- The OTA's name and the canonical URL of the hotel listing
- Whether the booking is free-cancellation
This information is publicly available on the OTA's confirmation or checkout page; we collect it to be able to re-check the room's price over time. For tracked rooms that you have not yet confirmed, the data we collect is exactly the same as for confirmed bookings; there is no additional category of information involved.
2.3 Price history
For each tracked booking we record the prices we observe over time (timestamp, price, currency, source). This lets us show you how the price has trended and detect drops.
2.4 Optional email address
If, and only if, you explicitly opt into email alerts via the extension popup, you provide an email address. We store it solely to send you price-drop notifications. You can remove it at any time from the popup or by emailing us.
2.5 Push notification token
If you grant browser-notification permission, we receive a Firebase Cloud Messaging (FCM) token from Google. This token allows us to send you a push notification through Google's infrastructure. The token does not identify you to us; it identifies your browser to FCM.
2.6 Analytics events
We log anonymous behavioral events (extension installed, booking detected, rebook clicked) tied to your anonymous UUID. These events do not contain personal information and exist solely to help us understand which parts of the product are useful.
3. What we don't collect
To be unambiguous about scope, we do not collect or have any access to:
- Your name, address, phone number, age, gender, or other personal identifiers
- Payment card details, bank information, or billing addresses (the OTAs handle payment; we are never in that flow)
- The names or details of fellow travelers
- Your browsing history outside the supported OTA confirmation pages
- The contents of any other website you visit, your email inbox, or other browser tabs
- Geolocation data
- Biometric data or any "special categories" under GDPR Article 9
The Chrome extension's permissions are scoped via Manifest V3 host_permissions to the supported OTAs, our own API, and Google's FCM endpoint. The extension is technically incapable of reading other sites.
4. How we use your data
We use the data described in §2 for the following purposes only:
- To provide the Service. Tracking your bookings, re-checking their prices, and notifying you when a price drops.
- To improve the Service. Aggregated analytics on which OTAs and features users interact with.
- To send you notifications you've opted into (browser, push, email).
- To facilitate rebooking. Generating an affiliate-tagged redirect link when you click "Rebook & Save".
- To comply with legal obligations we are subject to.
We do not use your data for advertising, profiling, or training machine-learning models for unrelated purposes.
5. Legal basis (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal basis for processing your personal data is:
- Performance of a contract (Article 6(1)(b) GDPR) for the core booking-monitoring functionality you install the extension to receive.
- Legitimate interests (Article 6(1)(f)) for limited analytics necessary to operate, secure, and improve the Service. We have weighed these interests against your rights and freedoms.
- Consent (Article 6(1)(a)) for optional features such as email alerts and browser push notifications. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.
6. How we make money
Hotel Drop is free to install and use. We earn revenue through affiliate commissions, paid by the OTAs (Booking.com, Expedia, Hotels.com, Agoda, Vrbo, and others) when you rebook a hotel via a link we generate, at no additional cost to you.
Affiliate links are routed through Stay22, a third-party affiliate network that holds direct commercial agreements with the OTAs. When you click "Rebook & Save":
- Your click is logged in our system (anonymous UUID, booking ID, click ID, target OTA)
- You are 302-redirected to stay22.com/allez/booking?aid=...&link=...&subid=...
- Stay22 attaches the OTA-specific affiliate parameters and forwards you on
- If you complete a booking within the OTA's attribution window, the OTA pays a commission to Stay22, which pays a share to us
We disclose this relationship plainly. The price you see on the OTA is the same as if you had visited it directly; the commission comes out of the OTA's margin, not your wallet.
We may, in the future, offer a paid Premium tier (additional features such as unlimited bookings and hourly checks). Subscription billing would be processed by Stripe and disclosed at the point of purchase.
7. Third-party services
We share data only with the third parties strictly necessary to run the Service. Each is a data processor under our instructions; we do not sell personal data to anyone.
- Laravel Forge / DigitalOcean: hosts our backend infrastructure (Frankfurt or US East region).
- Mailgun (Sinch): sends email price-drop alerts when you opt in. Only receives your email address and the message content.
- Firebase Cloud Messaging (Google): delivers browser push notifications. Receives only the FCM token assigned to your browser.
- SerpAPI: queries Google Hotels to re-check the current price of your tracked bookings. Receives only the hotel name, dates and currency, with no personal identifiers.
- Stay22: affiliate redirector for rebook links. Receives the click ID and target URL when you click "Rebook & Save".
- AWS (S3 + CloudFront): serves the marketing site you are reading right now.
- Cloudflare: DNS and edge routing.
- Sentry: optional error monitoring of our backend. Receives technical stack traces with no personal information.
8. Data retention
- Bookings: retained while marked active. Soft-deleted (status flag) when you remove them; permanently purged 30 days after.
- Price history: retained for the life of the booking, then deleted with it.
- Email address: retained until you remove it or delete your data. We do not maintain a marketing list.
- FCM tokens: rotated by Google; we drop tokens that fail to deliver.
- Analytics events: retained for 90 days, then deleted.
- Server logs: retained for 30 days for security and debugging, then deleted.
9. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the data we hold about your anonymous UUID
- Rectification: correct inaccurate data
- Erasure ("right to be forgotten"): delete all data associated with your installation
- Restriction: limit how we process your data
- Portability: receive your data in a machine-readable format (JSON)
- Objection: object to processing based on legitimate interests
- Withdraw consent at any time for optional features (email/push)
- Lodge a complaint with your local data-protection authority
The easiest way to exercise the right to erasure is to use the "Clear data" option in the extension popup, then uninstall. For any other request, email privacy@hoteldrop.net with the anonymous UUID shown in the popup's settings (or describe enough context to identify your records). We respond within 30 days.
California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to delete it, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under CCPA/CPRA. Exercise your rights by emailing the address above.
10. Security
We implement industry-standard technical and organizational measures to protect your data:
- HTTPS-only transport with modern TLS for all API traffic
- Database access restricted to the application server; no public network exposure
- Secrets stored in a managed vault, never committed to source control
- Principle of least privilege for staff and third-party access
- Two-factor authentication on all administrative accounts
No system is perfectly secure. If a breach occurs that materially affects your rights, we will notify the relevant authorities within 72 hours and you as soon as practicable, in line with GDPR Article 33.
11. Children's privacy
Hotel Drop is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please email us and we will delete it.
12. International data transfers
Our processors operate in the United States and the European Union. Where personal data is transferred outside the EEA / UK, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions to ensure equivalent protection.
13. Compliance with Chrome Web Store & OTA policies
Hotel Drop is designed to comply with the platforms and partners it depends on:
- Chrome Web Store Developer Program Policies. The extension uses the narrowest permissions necessary (storage, alarms, notifications, and host_permissions scoped only to the supported OTAs, our API, and Google's FCM endpoint). We provide a clear privacy disclosure (this page) and the in-product link to it. We do not collect data unrelated to the single purpose of the extension. We do not bundle unrelated functionality.
- Limited Use of user data. Personal data collected through the extension is used solely to provide and improve the Service. We do not transfer or sell it, use it for advertising, or use it for credit-scoring purposes, in line with Google's Limited Use requirements.
- OTA terms of service. The extension reads booking metadata only from confirmation pages you have already loaded yourself, after you have completed your purchase. It does not scrape OTA inventory, automate searches, or otherwise create load on OTA infrastructure. Price re-checks performed by our backend run through Google Hotels via SerpAPI (governed by Google's terms with SerpAPI), not against the OTAs directly. Affiliate redirects route through Stay22, which holds direct partner agreements with the major OTAs covering use in browser extensions, including Booking.com, whose standard affiliate program forbids extension-based traffic.
- No price manipulation, account abuse, or bot behavior. The extension does not log into your OTA accounts, place bookings on your behalf, fake user interactions, or attempt to circumvent any OTA's rate limits.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, announce the update in the extension popup. Continued use of the Service after a change means you accept the updated policy. If you do not agree, please uninstall the extension and email us to delete your data.
15. Contact
For privacy questions, data-subject requests, or to report a security issue:
- Email: privacy@hoteldrop.net
- Postal mail: available on request; email first and we'll provide it
- Data-protection authority: if you are in the EU, you may also lodge a complaint with your local DPA (a list is available at edpb.europa.eu).
This Privacy Policy is provided for general informational purposes. It is not legal advice. We're a small team trying to be transparent; if anything here is unclear, please email us.