Cookie Policy
Effective Date: March 1, 2026 Last Updated: March 1, 2026 Company: Hello Native AI, Inc. Platform: Hotel Native (hotelnative.ai)
1. Introduction and Scope
This Cookie Policy ("Policy") explains in detail how Hello Native AI, Inc. ("Company," "we," "our," or "us") uses cookies, web beacons, pixel tags, local storage objects, session storage, and other similar tracking technologies (collectively, "Cookies") on the Hotel Native platform, including the website located at hotelnative.ai and all associated subdomains, tenant hotel websites powered by the Hotel Native platform, the Hotel Native Property Management System (PMS) dashboard, the guest portal, the travel agent portal, the digital check-in kiosk interface, and all other web-based interfaces and applications we operate (collectively, the "Platform").
This Policy is intended to give you clear, complete, and accessible information about:
- What cookies and tracking technologies are and how they work technically
- The specific categories of cookies we use and their precise purposes
- Which third parties set cookies through our Platform and why
- What personal data is processed through cookie-based tracking
- Your rights and choices with respect to cookies, including how to manage, restrict, or delete them
- How our use of cookies interacts with applicable privacy law, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Costa Rican Law No. 8968 on Protection of Persons Regarding the Treatment of Their Personal Data, and other applicable data protection frameworks
This Cookie Policy should be read alongside our full Privacy Policy and our Terms of Service, which together constitute the complete framework governing your relationship with the Hotel Native platform.
Applicability to Hotel Guests: If you are a guest of a hotel, villa, or retreat that uses Hotel Native as its property management and booking system, this Policy applies to cookies set on that hotel's website and guest-facing portals, which are powered by our platform. The specific hotel operator is the data controller for your reservation data; Hotel Native acts as a data processor on their behalf. However, for platform-level analytics and functionality cookies, Hello Native AI, Inc. is the data controller.
Applicability to Hotel Operators: If you are a hotel operator, front desk staff member, management user, or other authorized business user of the Hotel Native PMS dashboard, this Policy applies to cookies set in the administrative and operational interfaces you use.
2. What Are Cookies?
2.1 Definition and Basic Operation
A cookie is a small text file — typically between a few bytes and a few kilobytes in size — that a website or web application places on your computer, smartphone, tablet, or other internet-connected device when you visit it. Cookies are stored in a designated area of your browser or device storage, and they contain information in the form of key-value pairs encoded as plain text.
When you return to a website or make subsequent requests within a session, your browser automatically sends the stored cookies associated with that website back to the server. This mechanism allows websites to "remember" you across requests, which is essential for everything from keeping you logged in during a session to understanding how users navigate through the site.
2.2 Session Cookies vs. Persistent Cookies
Session Cookies exist only in your browser's temporary memory for the duration of your browsing session. They are automatically deleted when you close your browser. Session cookies do not contain an expiration date — they simply expire with the browser session. We use session cookies primarily for authentication (keeping you logged into the PMS dashboard or guest portal during a visit) and for maintaining state during multi-step processes like the booking flow.
Persistent Cookies have a defined expiration date and remain on your device until that date arrives or until you manually delete them. We use persistent cookies for things like remembering your language preference, maintaining authentication across sessions where you have chosen "remember me," and for longer-term analytics measurement.
2.3 First-Party vs. Third-Party Cookies
First-party cookies are set by the domain you are directly visiting (e.g., hotelnative.ai, kchotelsanjose.com). These cookies are controlled directly by Hello Native AI, Inc. or by the hotel operator whose website you are visiting.
Third-party cookies are set by a domain different from the one you are visiting — typically when a third-party service (such as an analytics provider, payment processor, or marketing platform) has components embedded on the page. Third-party cookies can potentially track you across multiple websites that all embed the same third-party service.
In recent years, major browsers have significantly restricted third-party cookies. Safari and Firefox block most third-party cookies by default. Google Chrome has been phasing out support for third-party cookies in favor of privacy-preserving alternatives. We have designed our platform to minimize reliance on third-party cookies and to function effectively even when they are blocked.
2.4 Related Technologies
In addition to cookies, we may use:
Web Beacons (Pixel Tags): Tiny (typically 1×1 pixel), transparent images embedded in web pages or emails that, when loaded, send a request to a server. This request can confirm email opens, page visits, or other actions, and can transmit your IP address and browser information. We use web beacons primarily in transactional emails (booking confirmations, check-in reminders) to confirm delivery.
Local Storage: A web storage mechanism that allows websites to store larger amounts of data (up to 5–10MB) in your browser without expiration dates. Unlike cookies, local storage data is not automatically sent with every HTTP request. We use local storage for storing user interface preferences and offline capabilities within the PMS dashboard.
Session Storage: Similar to local storage but limited to the browser session and automatically cleared when the tab is closed. We use session storage for temporary state in booking flows and multi-step forms.
IndexedDB: A low-level API for client-side storage of significant amounts of structured data. We may use IndexedDB for caching hotel data and content in progressive web application features of the PMS dashboard.
Cache Storage API: Used by service workers to cache network requests for offline functionality in the PMS dashboard application.
Fingerprinting (Limited): Collecting attributes of your browser and device (such as browser type and version, operating system, installed fonts, screen resolution, time zone, and language settings) to create a probabilistic identifier. We do not use aggressive fingerprinting for tracking purposes. We may use limited browser characteristic information for fraud prevention and security purposes.
3. Categories of Cookies We Use
We categorize our cookies into four types based on their purpose and the legal basis for using them under applicable data protection law.
3.1 Strictly Necessary Cookies
Legal Basis: Legitimate interests / necessary for the performance of a contract / exempted from consent requirements under ePrivacy Directive
These cookies are essential for the Platform to function. They cannot be switched off in our systems, and they do not require your consent. Disabling them is not possible through our consent management tools; you can only disable them by changing your browser settings, which will prevent the Platform from working properly.
| Cookie Name | Domain | Expiry | Purpose |
|---|---|---|---|
hn_session | hotelnative.ai | Session | Maintains your authenticated PMS dashboard session. Contains an encrypted session token. No personal data stored in the cookie itself. |
next-auth.session-token | hotelnative.ai | 30 days | NextAuth.js authentication session for PMS dashboard users. Encrypted. |
__Host-next-auth.csrf-token | hotelnative.ai | Session | CSRF (Cross-Site Request Forgery) protection token for authentication flows. |
ta_session | *.hotelnative.ai | 30 days | Travel agent portal authentication session. HTTP-only, encrypted. |
guest_session | *.hotelnative.ai | 7 days | Guest portal authentication session for digital check-in and service requests. HTTP-only, encrypted. |
hn_lang | hotelnative.ai | 1 year | Stores your selected interface language (English/Spanish). Required for bilingual operation. |
hn_cookie_consent | hotelnative.ai | 1 year | Records your cookie consent choices so we do not ask again on every visit. |
hn_theme | hotelnative.ai | 1 year | Stores your selected UI theme preference (light/dark mode) for the dashboard. |
__cf_bm | *.hotelnative.ai | 30 minutes | Set by Cloudflare. Used for bot management and to distinguish between humans and automated requests. Required for DDoS protection. |
cf_clearance | hotelnative.ai | 30 minutes | Set by Cloudflare. Stores the result of a Cloudflare challenge (e.g., CAPTCHA) to avoid repeated challenges. |
3.2 Functional Cookies
Legal Basis: Consent (where required by applicable law)
Functional cookies enable enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, some or all of these services may not function properly.
| Cookie Name | Domain | Expiry | Purpose |
|---|---|---|---|
hn_pms_layout | hotelnative.ai | 6 months | Remembers your preferred calendar view (month/week/day), sidebar state, and column preferences in the PMS dashboard. |
hn_pms_filters | hotelnative.ai | 7 days | Preserves your active filters and search parameters in booking lists, housekeeping views, and reports. |
hn_calendar_rooms | hotelnative.ai | 7 days | Remembers which room types are collapsed/expanded in the reservation calendar view. |
hn_db_mode | hotelnative.ai | Session | (Development only) Tracks whether you are connected to the local or remote database in developer mode. Not present in production. |
intercom-session-* | *.intercom.io | 7 days | Set by Intercom if enabled for customer support chat. Identifies your support session. Only set if support widget is active. |
intercom-id-* | *.intercom.io | 9 months | Set by Intercom. Anonymously identifies your device for support history. Only set if support widget is active. |
3.3 Analytics and Performance Cookies
Legal Basis: Consent (required under GDPR, UK GDPR, ePrivacy Directive; California residents have additional rights under CCPA/CPRA)
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Platform. They help us to know which pages are the most and least popular and see how visitors move around the site. All information collected by these cookies is aggregated and therefore anonymized. If you do not allow these cookies, we will not know when you have visited our site, and will not be able to monitor its performance.
| Cookie Name | Provider | Domain | Expiry | Purpose |
|---|---|---|---|---|
_ga | Google Analytics | *.hotelnative.ai | 2 years | Distinguishes unique users by assigning a randomly generated number as a client identifier. Used to calculate visit, session, and campaign data. |
_ga_* | Google Analytics 4 | *.hotelnative.ai | 2 years | Used to persist session state for GA4. |
_gid | Google Analytics | *.hotelnative.ai | 24 hours | Used to distinguish users for Google Analytics. |
_gat_gtag_* | Google Analytics | *.hotelnative.ai | 1 minute | Used to throttle request rate to Google Analytics. |
hn_visitor_id | Hotel Native (first-party) | *.hotelnative.ai | 365 days | Our proprietary visitor tracking identifier. Stores a randomly generated UUID to track anonymous visitors across sessions for our live visitor analytics dashboard. Does not contain personal data. |
hn_session_id | Hotel Native (first-party) | *.hotelnative.ai | Session | Current browsing session identifier for our proprietary analytics. Links page views within a single session. |
hn_ref_channel | Hotel Native (first-party) | *.hotelnative.ai | 30 days | Stores the marketing channel attribution for the current visit (e.g., "google-organic," "booking.com," "direct"). Used for booking source reporting. |
Our Proprietary Visitor Analytics: Hotel Native operates its own first-party visitor analytics system that records page views, session durations, referral sources, geographic location (country and city, derived from IP address using MaxMind GeoLite2 — the full IP address is not stored), device type, browser, and booking source attribution. This data is stored in our database (visitor_sessions, visitor_page_views, realtime_visitors tables) and used exclusively for operational reporting by the hotel operator. It is not shared with advertising networks. The live visitor panel in the PMS dashboard shows hotel operators real-time anonymous visitor data.
3.4 Marketing and Advertising Cookies
Legal Basis: Consent (required; opt-in for EU/UK users; opt-out for California users under CPRA "Do Not Sell or Share My Personal Information")
These cookies may be set through our Platform by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Important Note: Marketing cookies are primarily relevant for hotel operator customers using our marketing integrations (Google Ads, Meta/Facebook Ads). If you are visiting a hotel website powered by Hotel Native and have not consented to marketing cookies, you will not receive retargeted advertising.
| Cookie Name | Provider | Domain | Expiry | Purpose |
|---|---|---|---|---|
_fbp | Meta (Facebook) | *.hotelnative.ai | 90 days | Used by Meta to deliver advertisement products such as real-time bidding from third-party advertisers. Set only when Facebook Pixel is active for a hotel. |
_fbc | Meta (Facebook) | *.hotelnative.ai | 2 years | Stores the click ID from Facebook ads. Set only when a visitor arrives from a Facebook ad link. |
fr | Meta (Facebook) | .facebook.com | 90 days | Used by Meta for targeted advertising and to measure ad effectiveness. Third-party cookie. |
IDE | Google (DoubleClick) | .doubleclick.net | 13 months | Used by Google DoubleClick to register and report the actions taken by users after viewing or clicking one of the advertiser's advertisements. |
_gcl_au | Google (Ads) | *.hotelnative.ai | 90 days | Google Ads conversion linker cookie. Links clicks on Google Ads with on-site conversions (bookings). Set only when Google Ads tracking is configured. |
_gcl_aw | Google (Ads) | *.hotelnative.ai | 90 days | Stores the Google Click Identifier (GCLID) for tracking ad-originated bookings. |
ads/ga-audiences | google.com | Session | Used by Google AdWords to re-engage visitors who are likely to convert based on behavior. | |
test_cookie | .doubleclick.net | 15 minutes | Used to check whether your browser supports cookies. | |
NID | google.com | 6 months | Contains a unique ID Google uses to remember your preferences and other information. |
4. How We Obtain Your Consent
4.1 Consent Management Platform
When you first visit the Hotel Native platform or any hotel website powered by Hotel Native, we present a Cookie Consent Banner that:
- Clearly explains that we use cookies
- Provides a brief description of each category of cookies
- Offers you a genuine choice: you can accept all cookies, reject non-essential cookies, or customize your preferences by category
- Links to this full Cookie Policy
- Does not use dark patterns such as pre-ticked boxes, hiding the reject option, or making the reject option significantly harder to access than the accept option
Your consent preferences are recorded in our hn_cookie_consent cookie (a strictly necessary cookie) so that we do not repeat the consent request on every page load. Your preferences are also stored server-side when you are authenticated.
4.2 Consent Standards by Jurisdiction
European Union and EEA (GDPR + ePrivacy Directive): We apply opt-in consent for all non-strictly-necessary cookies. We do not set analytics, functional, or marketing cookies before you have given your free, specific, informed, and unambiguous consent. Consent is obtained through an affirmative action (clicking "Accept" or customizing preferences and clicking "Save"). Consent is not bundled with our terms of service.
United Kingdom (UK GDPR + PECR): Same standard as the EU. Opt-in consent required for non-essential cookies.
California, USA (CCPA/CPRA): For California residents, functional and analytics cookies that do not involve selling or sharing personal information for cross-context behavioral advertising do not require opt-in consent. However, marketing/advertising cookies that involve sharing personal information with advertising networks require honoring Global Privacy Control (GPC) signals and providing a "Do Not Sell or Share My Personal Information" opt-out mechanism. We honor GPC signals automatically.
Costa Rica (Law No. 8968): We apply opt-in consent standards consistent with GDPR for visitors and users in Costa Rica.
Other Jurisdictions: We apply our default consent banner as described above, with opt-in for analytics and marketing cookies.
4.3 Withdrawing Consent
You can withdraw or change your consent at any time by:
- Clicking the "Cookie Preferences" link in the footer of any Hotel Native page
- Clearing your browser's cookies and reloading the page (you will be presented with the consent banner again)
- Using your browser's cookie management settings (see Section 7)
- For California residents, using the "Do Not Sell or Share My Personal Information" link in the footer
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5. Legal Bases for Processing
Under the GDPR and UK GDPR, we process personal data collected through cookies on the following legal bases:
| Cookie Category | Legal Basis | Details |
|---|---|---|
| Strictly Necessary | Article 6(1)(b) — Necessary for performance of a contract; Article 6(1)(f) — Legitimate interests (security and fraud prevention) | Authentication, CSRF protection, load balancing, and security cookies are necessary to provide the Platform. Our legitimate interest in platform security applies to Cloudflare cookies. |
| Functional | Article 6(1)(a) — Consent | We rely on consent for functional cookies that are not strictly necessary for the service to operate. |
| Analytics | Article 6(1)(a) — Consent | We rely on consent for analytics cookies. For aggregated, anonymized analytics where no personal data is processed, we may rely on legitimate interests. |
| Marketing | Article 6(1)(a) — Consent | We always rely on consent for marketing and advertising cookies. |
For users in California, the legal basis concepts differ. Under the CCPA/CPRA:
- Service provider relationship: Cookies used solely for providing the service to the business are not "sales" or "shares" of personal information.
- Cross-context behavioral advertising: Sharing data with ad networks through cookies may constitute "sharing" under CPRA and requires the ability to opt out.
6. Data Processed Through Cookies
6.1 Categories of Personal Data
Through cookies and related tracking technologies, we may process the following categories of data:
Identifiers:
- IP address (processed to derive geographic location; not stored in full in our visitor analytics — we store only country and city)
- Device identifiers assigned by cookies (randomly generated UUIDs)
- Browser fingerprint elements (for security purposes only)
- Authenticated user ID (linked to your PMS dashboard account or guest portal account)
Usage Data:
- Pages visited, including timestamps
- Time spent on pages
- Click paths and navigation patterns
- Search queries within the Platform
- Actions taken (e.g., booking initiation, form submissions)
- Errors encountered
Technical Data:
- Browser type and version
- Operating system and version
- Device type (desktop, mobile, tablet)
- Screen resolution
- Preferred language
- Referring URL
- Internet Service Provider (general)
Location Data:
- Country and city derived from IP address using MaxMind GeoLite2 database (processed in-memory; we store only the derived location, not the raw IP, in our visitor analytics)
Booking Attribution Data:
- Marketing channel that referred the visit (organic search, paid search, social media, OTA referral, direct)
- Specific OTA source where identifiable from referrer
- Google Click Identifier (GCLID) where present
6.2 Data Retention
| Data Category | Retention Period | Location |
|---|---|---|
| Authentication session tokens | Duration of session (session cookies) or 30 days (persistent) | Encrypted in browser + database |
| Guest session tokens | 7 days from creation | Database (hotel_guest_app_tokens) |
| Travel agent session tokens | 30 days from creation | Database (hotel_agent_portal_tokens) |
| Analytics session data | 12 months (raw), then aggregated | Database (visitor_sessions, visitor_page_views) |
| Real-time visitor data | 30 minutes (rolling window) | Database (realtime_visitors) |
| Google Analytics data | 14 months (configured in GA4) | Google servers |
| Meta Pixel data | 90 days | Meta servers |
| Consent records | 5 years from consent | Database |
7. How to Manage and Control Cookies
You have several options for managing and controlling cookies. Note that restricting cookies may affect the functionality of the Platform.
7.1 Our Cookie Preference Center
The easiest way to manage your cookie preferences is through our Cookie Preference Center, accessible via:
- The cookie banner displayed on your first visit
- The "Cookie Preferences" link in the footer of any Platform page
7.2 Browser Settings
You can control cookies through your browser's settings. The following links provide instructions for the most popular browsers:
Google Chrome:
- Click the three dots (⋮) menu → Settings
- Click "Privacy and security" → "Cookies and other site data"
- Choose your preferred setting: "Allow all cookies," "Block third-party cookies," "Block third-party cookies in Incognito," or "Block all cookies"
- To delete specific cookies: Click "See all cookies and site data," search for "hotelnative," and delete
Alternatively, navigate to: chrome://settings/cookies
Mozilla Firefox:
- Click the menu (☰) → Settings → Privacy & Security
- Under "Enhanced Tracking Protection," choose "Standard," "Strict," or "Custom"
- For custom control, select "Custom" and configure specific cookie types
- To delete cookies: Click "Manage Data," search for "hotelnative.ai," and delete
Apple Safari (macOS):
- Click Safari → Preferences → Privacy
- Check "Prevent cross-site tracking" to block third-party cookies
- Check "Block all cookies" to block all cookies (will break login)
- To manage specific cookies: Click "Manage Website Data" → search for "hotelnative"
Apple Safari (iOS/iPadOS):
- Open Settings → Safari → Privacy & Security
- Toggle "Prevent Cross-Site Tracking" on/off
- Toggle "Block All Cookies" on/off
Microsoft Edge:
- Click the three dots (⋯) menu → Settings → Cookies and site permissions
- Click "Cookies and site data"
- Toggle settings or manage specific sites
- Navigate to:
edge://settings/content/cookies
Opera:
- Click the Opera menu → Settings → Advanced → Privacy & security
- Click "Site settings" → "Cookies and site data"
- Configure preferences or manage individual sites
Brave:
- Click the Brave icon (lion) in the address bar
- Adjust shields settings for the current site
- Or: Settings → Privacy and security → Cookies and other site data
7.3 Mobile Device Settings
Android (Chrome): Open Chrome → tap ⋮ → Settings → Site settings → Cookies
Android (Firefox): Open Firefox → tap ⋮ → Settings → Privacy and Security → Cookies
iOS (Safari): Settings → Safari → Privacy & Security
7.4 Opt-Out Tools for Specific Third Parties
Google Analytics: Install the Google Analytics Opt-out Browser Add-on for most browsers. Alternatively, manage Google's data use at myaccount.google.com.
Google Advertising: Manage your Google ad settings at adssettings.google.com. Opt out of interest-based advertising through the Google Ads settings.
Meta/Facebook: Manage your Facebook ad preferences at facebook.com/ads/preferences. Opt out of off-Facebook activity tracking at facebook.com/off-facebook-activity.
Network Advertising Initiative (NAI): Opt out of interest-based advertising from NAI member companies at optout.networkadvertising.org.
Digital Advertising Alliance (DAA): Opt out of targeted advertising from DAA member companies at optout.aboutads.info.
European Interactive Digital Advertising Alliance (EDAA): Opt out from EDAA member companies at youronlinechoices.eu.
7.5 Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal, which is a technical browser-level signal that indicates you want to opt out of the sale or sharing of your personal information. When our platform detects a valid GPC signal from your browser, we automatically:
- Disable marketing and advertising cookies
- Stop sharing your data with advertising networks
- Record your opt-out in our consent management system
To enable GPC, use a browser or extension that supports it, such as DuckDuckGo Privacy Browser, Brave browser with shields enabled, Firefox with the Privacy Badger extension, or the Global Privacy Control browser extension.
8. Cookies and the Hotel Native PMS Dashboard
If you are a hotel operator or staff member accessing the Hotel Native PMS dashboard, additional considerations apply:
8.1 Authentication and Security
The PMS dashboard requires authentication cookies to function. The next-auth.session-token cookie and related CSRF cookies are essential and cannot be disabled without losing access to the dashboard. These cookies contain only encrypted session identifiers and do not contain your personal data in readable form.
8.2 Dashboard Preference Cookies
The PMS dashboard uses several cookies to remember your UI preferences, such as your preferred calendar view, sidebar state, column configurations, and filter settings. These cookies store only your interface preferences, not operational data or guest information. You can delete these cookies without losing access to the dashboard; doing so will simply reset your preferences to defaults.
8.3 Analytics in the Dashboard
When you use the Hotel Native PMS dashboard, we collect usage analytics to improve the platform. This includes which features you use, how often, and where you encounter errors. This data is processed by us (Hello Native AI, Inc.) as part of our legitimate interest in improving our software-as-a-service platform. This processing is disclosed in our Privacy Policy.
9. Cookies and Third-Party Integrations
Hotel Native integrates with various third-party services. When these integrations are active, those third parties may set their own cookies:
9.1 Channex (Channel Manager)
Channex is our primary channel manager integration for syncing availability and rates with OTAs like Booking.com and Expedia. Channex does not set cookies directly in end-user browsers. The Channex integration operates via server-to-server API calls from our backend.
9.2 RoomCloud (Alternative Channel Manager)
RoomCloud is an alternative channel manager integration. Like Channex, RoomCloud operates via server-to-server API calls and does not set cookies in end-user browsers.
9.3 Stripe (Payment Processing)
When payment forms are displayed on booking pages, Stripe may set the following cookies:
__stripe_mid: Fraud prevention. Lasts 1 year.__stripe_sid: Fraud prevention. Lasts 30 minutes.m: Fraud prevention device fingerprinting. Lasts 2 years.
These are strictly necessary for payment processing and fraud prevention. We cannot disable them when payment functionality is in use.
9.4 Tilopay (Costa Rica Payment Processing)
Tilopay is a Costa Rica-based payment processor used for local currency transactions. Tilopay may set session cookies for payment flow management. These are session cookies deleted when you close your browser.
9.5 WhatsApp / Baileys Integration
Our WhatsApp integration uses the Baileys library, which operates as a WhatsApp Web client running on our server. This integration does not involve any cookies in guest browsers. Guest communication happens via the WhatsApp mobile application.
9.6 Cloudflare
All traffic to Hotel Native-powered sites is routed through Cloudflare's content delivery network. Cloudflare sets the following cookies for security and performance:
__cf_bm: Bot management cookie. 30 minutes.cf_clearance: Challenge solution cookie. 30 minutes.__cflb: Load balancing. Session.
These are strictly necessary for DDoS protection and platform availability. They cannot be disabled.
10. International Data Transfers
Cookies set by our first-party systems involve data stored on our servers located in the United States (hosted by our VPS provider). Cookies set by Google Analytics transfer data to Google's servers, which may be located in the United States or other countries. Cookies set by Meta transfer data to Meta's servers, which may be located in the United States.
For users in the EU/EEA and UK, international transfers to the United States are made in accordance with:
- Standard Contractual Clauses (SCCs): We rely on EU Standard Contractual Clauses (as updated in 2021) for transfers of personal data to the United States.
- UK International Data Transfer Agreements (IDTAs): For UK residents, we use UK IDTAs or UK Addenda to EU SCCs.
- Data Processing Agreements (DPAs): We maintain DPAs with Google, Meta, Stripe, and other key subprocessors that include appropriate transfer mechanisms.
11. Children's Privacy
The Hotel Native Platform is not directed at children under the age of 16 (or under 13 in the United States). We do not knowingly set cookies that track children under these ages. If we discover that we have inadvertently processed data from a child under the applicable minimum age, we will delete that data promptly. If you believe we may have collected cookie data from a child, please contact us at privacy@hotelnative.ai.
12. Your Rights
12.1 Rights Under GDPR and UK GDPR
If you are located in the EU, EEA, or UK, you have the following rights with respect to personal data processed through cookies:
Right to Withdraw Consent (Article 7(3) GDPR): You can withdraw consent to non-essential cookies at any time through our Cookie Preference Center, browser settings, or by contacting us. Withdrawal does not affect prior lawful processing.
Right of Access (Article 15 GDPR): You have the right to request confirmation of whether we process your personal data through cookies and to receive a copy of that data.
Right to Erasure (Article 17 GDPR): You have the right to request deletion of personal data collected through cookies. Note that we cannot delete data held by third parties such as Google or Meta — you must exercise deletion rights directly with them.
Right to Restriction of Processing (Article 18 GDPR): You may request that we restrict processing of your data in certain circumstances.
Right to Object (Article 21 GDPR): You have the right to object to processing based on legitimate interests (such as our own analytics). We will stop such processing unless we can demonstrate compelling legitimate grounds.
Right to Data Portability (Article 20 GDPR): Where processing is based on consent and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority. EU residents may contact their national supervisory authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
12.2 Rights Under CCPA/CPRA (California)
California residents have the following rights:
Right to Know: You may request disclosure of what personal data we collect through cookies, the purposes for collection, the categories of third parties we share it with, and the specific pieces of personal data collected.
Right to Delete: You may request deletion of personal data collected through cookies.
Right to Opt-Out of Sale/Sharing: You may opt out of the sharing of personal information collected through cookies for cross-context behavioral advertising. Use the "Do Not Sell or Share My Personal Information" link in our footer, or enable the Global Privacy Control signal in your browser.
Right to Correct: You may request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information: If we process sensitive personal information through cookies, you may request limitation of that use. Note that our cookies do not collect sensitive personal information as defined by CPRA.
Non-Discrimination: We will not discriminate against you for exercising your privacy rights. Opting out of marketing cookies will not affect your access to the Platform.
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We will require verification of the agent's authorization.
12.3 How to Exercise Your Rights
To exercise any of the above rights, please contact us through one of the following channels:
- Email: privacy@hotelnative.ai
- Postal Mail: Hello Native AI, Inc., Attn: Data Privacy, [Address on file with registration authorities]
- Online Form: Available at hotelnative.ai/privacy-request
We will respond to verifiable requests within:
- GDPR/UK GDPR: 30 days (extendable to 90 days for complex requests)
- CCPA/CPRA: 45 days (extendable to 90 days)
We may need to verify your identity before fulfilling requests, which helps prevent fraud and unauthorized access to your data.
13. Changes to This Cookie Policy
We may update this Cookie Policy from time to time to reflect:
- Changes in the cookies we use
- New legal requirements or regulatory guidance
- New third-party integrations
- Changes in our business operations
When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Display a prominent notice in our Cookie Consent Banner
- For authenticated PMS users, display a notice in the dashboard
- If required by applicable law, request renewed consent for changed processing activities
We encourage you to review this Policy periodically. Your continued use of the Platform after we post changes constitutes acceptance of the updated Policy to the extent permitted by applicable law.
14. Contact Information
If you have questions, concerns, or requests relating to this Cookie Policy or our use of cookies, please contact:
Hello Native AI, Inc. Data Privacy Team Email: privacy@hotelnative.ai Website: hotelnative.ai
Data Protection Officer (EU Representative): For matters specifically relating to GDPR compliance, please email: dpo@hotelnative.ai
California Privacy Rights: For California-specific privacy requests, please email: ccpa@hotelnative.ai or use the "Do Not Sell or Share My Personal Information" link in our footer.
We are committed to working with you to resolve any concerns about our use of cookies. If you do not feel that your concern has been adequately addressed, you have the right to contact the relevant supervisory authority in your jurisdiction.
This Cookie Policy was prepared in accordance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679), the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations 2003 (PECR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and Costa Rican Law No. 8968 on Protection of Persons Regarding the Treatment of Their Personal Data.