Privacy Policy
Effective Date: 1 January 2025 · Last Updated: 1 April 2026
Spotinga Host ("we", "us", or "our") operates a SaaS booking and distribution platform for tour operators, activity providers, and experience businesses, available at host.spotinga.com and related subdomains ("Platform"). We are committed to protecting the privacy and personal data of everyone who uses our Platform, regardless of where in the world they are located.
This Privacy Policy explains what personal data we collect, how we use and protect it, with whom we share it, and what rights you have. By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Platform.
The data controller responsible for personal data collected through the Platform is Spotinga Host, a product operated by Kenoli Systems. All data collected through the Platform is stored and processed on servers located in the United States of America. For all data privacy matters, please contact us.
We collect the following categories of personal data:
First name, last name, email address, phone number, and business name provided during registration or profile setup.
Username, hashed password, organisation profile, subscription plan, and account settings.
Product listings, pricing, availability calendars, booking records, and other content you publish through the Platform.
Billing address and payment method details for Platform subscription fees. We do not store full card numbers — payment processing is handled entirely by third-party PCI-DSS compliant providers (Stripe, Razorpay, or PayPal).
IP address, browser type and version, device information, operating system, pages visited, session duration, and diagnostic data collected automatically when you access the Platform.
Records of your communications with us via email or support channels, and your marketing communication preferences.
If you sign in using Google, Facebook, or Microsoft (Azure AD), we receive basic profile information (name, email) from those providers, subject to your consent and their own privacy policies.
We use personal data for the following purposes:
- Account creation and management — to register your account and provide access to the Platform.
- Platform service delivery — to operate, maintain, and improve Platform features, including publishing products to connected distribution channels on your behalf.
- Billing and payments — to process subscription fees, issue invoices, and manage payment records.
- Customer support — to respond to enquiries, resolve disputes, and provide technical assistance.
- Security and fraud prevention — to detect, investigate, and prevent unauthorised access or fraudulent activity.
- Product improvement — to analyse usage patterns and user feedback to improve the Platform.
- Communications — to send transactional emails (booking confirmations, account alerts), product updates, and, where you have opted in, marketing communications.
- Legal compliance — to comply with applicable laws, regulations, and lawful governmental orders.
We process personal data on the following lawful bases, which are aligned with internationally recognised privacy standards including the EU General Data Protection Regulation (GDPR) and equivalent frameworks:
- Consent — where you have given clear, affirmative consent (e.g., opting into marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Performance of a contract — where processing is necessary to deliver the Platform service you have subscribed to, including account management, billing, and product publishing.
- Legal obligation — where we are required to process data to comply with applicable law.
- Legitimate interests — where processing serves our legitimate business interests (e.g., platform security, fraud prevention, usage analytics) and does not override your fundamental rights and freedoms.
Where you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with equivalent data protection law, these bases apply as required by the applicable framework in your jurisdiction. For California residents, we comply with the California Consumer Privacy Act (CCPA) as set out in Section 11 below.
We do not sell your personal data. We may share your data with:
- Payment processors (Stripe, Razorpay, PayPal) to process subscription fees. These providers are PCI-DSS compliant and operate under their own privacy policies.
- Connected distribution channels (e.g., Google Things To Do) — product listing data (name, description, pricing, availability) is transmitted to these channels on your instruction.
- Cloud infrastructure providers — we use Amazon Web Services (AWS) for hosting, storage, and email delivery (SES, S3). AWS operates under its own compliance certifications including ISO 27001 and SOC 2.
- Analytics providers for aggregated, anonymised platform usage analytics.
- Legal and regulatory authorities where required by applicable law, court order, or lawful governmental request.
- Business successors — in the event of a merger, acquisition, or sale of business assets, your data may be transferred to the successor entity. We will provide notice where practicable.
All third-party service providers with whom we share personal data are contractually required to process it only for the specified purposes and in accordance with appropriate data protection standards.
Where you use the Platform to collect personal data from your End Customers (booking details, contact information, special requests), you are the data controller for that data and Spotinga Host acts as a data processor on your behalf. As an Operator, you are responsible for:
- Having a lawful basis for collecting and processing your End Customers' data.
- Providing your End Customers with a clear and adequate privacy notice that discloses data processing in the United States.
- Responding to data subject rights requests from your End Customers.
- Using End Customer data only for purposes disclosed to those customers.
- Ensuring any required cross-border transfer consents are obtained from your End Customers where required by the laws of the jurisdiction in which you operate.
The Platform is hosted on cloud infrastructure located in the United States of America. All personal data collected through the Platform — including account information, product data, booking records, and usage data — is stored and processed on US-based servers, regardless of your country of residence or where your business is located.
By creating an account or using the Platform, you acknowledge and consent to the transfer and processing of your personal data in the United States. Data processing on the Platform is governed by US law. We apply technical and organisational safeguards to protect your data consistent with internationally recognised standards.
For users in the EEA and United Kingdom: Transfers of personal data to the United States are made on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent transfer mechanisms where applicable, to ensure your data receives an adequate level of protection.
For users in Australia and New Zealand: We handle your personal data in a manner consistent with the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020 to the extent applicable, and apply equivalent safeguards.
For users in the Middle East and Southeast Asia: We apply the same security and data protection standards to your data regardless of origin and do not transfer or disclose personal data beyond what is described in this Policy.
The Platform uses cookies and similar technologies to maintain session state, authenticate users, remember preferences, and collect usage analytics. Cookie categories:
- Essential cookies — required for core Platform functions (authentication tokens, session management). Cannot be disabled without impairing Platform use.
- Analytics cookies — collect aggregated usage data to help us understand how the Platform is used. You may opt out via your browser settings.
- Preference cookies — remember your configuration and settings within the Platform.
Most browsers allow you to manage cookie settings. For EEA/UK users, we obtain consent for non-essential cookies where required by applicable law.
We retain personal data only for as long as necessary for the purposes described in this Policy:
- Account data — retained for the duration of your account and for thirty (30) days after deletion, then permanently removed unless a longer period is required by law.
- Billing records — retained for seven (7) years for financial record-keeping and audit purposes.
- Usage data — retained in aggregated, anonymised form for Platform performance analysis.
- Support communications — retained for two (2) years after resolution.
We implement industry-standard technical and organisational security measures, including:
- TLS/HTTPS encryption for all data in transit.
- Encryption of sensitive data at rest on AWS infrastructure.
- Password hashing using industry-standard algorithms (bcrypt or equivalent).
- JWT-based authentication with token invalidation on logout.
- Rate limiting and security headers to mitigate common web vulnerabilities.
- Access controls restricting production system access to authorised personnel only.
No system is completely secure. If you become aware of a security vulnerability in the Platform, please notify us immediately. In the event of a data breach affecting personal data, we will notify impacted users as required by applicable law.
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, contact us. We will respond within thirty (30) days and may require identity verification. Requests are free of charge unless manifestly unfounded or excessive.
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data, subject to legal retention obligations.
- Portability — request a machine-readable export of your data.
- Withdrawal of consent — withdraw consent at any time where consent is the lawful basis.
In addition to the above, you have the right to object to processing based on legitimate interests, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant EU data protection authority in your member state).
California residents have the right to know what personal information is collected and how it is used, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal data), and the right not to be discriminated against for exercising these rights. To make a verifiable consumer request, contact us.
Users in Australia may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Users in New Zealand may contact the Office of the Privacy Commissioner. We will cooperate with any investigation or enquiry from these authorities.
The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will promptly delete that data.
We send marketing communications only where you have opted in, or where permitted by applicable law. You may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us. Transactional emails (account alerts, billing notices, booking confirmations) cannot be opted out of while your account is active.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on the Platform and, where required by applicable law, by email, at least fourteen (14) days before changes take effect. Continued use of the Platform after that date constitutes acceptance of the updated Policy.
For any privacy questions, data subject rights requests, or complaints relating to this Policy, please contact us:
We will acknowledge your request within 48 hours and respond within thirty (30) days.
Statutory disclosure: The Platform is operated by Kenoli Systems, a company incorporated under the laws of India (registered office: Bangalore, India). All data processing occurs on infrastructure in the United States and is governed by US law.
