Privacy Policy
Last updated: February 19, 2026
1. Data Controller
The data controller responsible for your personal data is:
Hotel Unfiltered Co., Ltd.
30 Sukhumvit Soi 4, Khlong Toey, Bangkok 10110, Thailand
Phone: +66 2 115 9505
Email: raphael@hotelunfiltered.com
Hotel Unfiltered is a hotel discovery and booking platform that helps travellers find hotels matched to their preferences using AI-powered review analysis. This policy explains how we collect, use, share, and protect your personal information when you use our website at hotelunfiltered.com and related services.
Payment Disclosure: Payments for hotel bookings are processed by Nuitee Travel (trading as LiteAPI), which acts as the Merchant of Record. Hotel Unfiltered does not directly process or store payment card data.
2. Data We Collect
| Category | Data | When Collected | Purpose |
|---|---|---|---|
| Account | Email address | Account creation / login | Authentication via magic link, booking confirmations |
| Account | Name | Booking checkout | Hotel reservation fulfillment |
| Preferences | TravelDNA quiz responses | When you complete the quiz | Personalized hotel matching (see Section 7) |
| Transactional | Booking history | When you complete a booking | Order records, customer support |
| Technical | IP address, browser type, device info | Automatically on each visit | Security, rate limiting, fraud prevention |
| Technical | Session identifiers | Automatically | Authentication, site functionality |
| Analytics | Page views, clicks, search queries | With your explicit consent only | Service improvement via Google Analytics 4 |
We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data.
3. Legal Bases for Processing (GDPR)
We process your data under the following legal bases per GDPR Article 6(1):
- Contract performance (Art. 6(1)(b)): Email, name, and booking data are necessary to process your hotel reservations and deliver our service.
- Legitimate interest (Art. 6(1)(f)): Session data, IP addresses, and security logs are used to protect the service, prevent fraud, enforce rate limits, and improve functionality. We have balanced these interests against your rights and determined they do not override your fundamental freedoms.
- Consent (Art. 6(1)(a)): Google Analytics 4, Google Ads conversion measurement, and marketing cookies are only activated after you explicitly click “Accept all” on our cookie banner. You may withdraw consent at any time via the “Cookie Settings” link in our footer.
4. Cookies, Google Tag Manager & Tracking Technologies
We use Google Consent Mode v2 to manage all tracking scripts. By default, all analytics and advertising storage is denied until you provide explicit consent.
4a. Cookie Inventory
| Cookie / Storage Key | Category | Purpose | Duration |
|---|---|---|---|
| hu_cookie_consent | Strictly Necessary | Stores your cookie consent preference | 1 year |
| hu_access_token | Strictly Necessary | Authentication session (httpOnly, Secure) | 1 hour |
| hu_refresh_token | Strictly Necessary | Silent session renewal (httpOnly, Secure) | 30 days |
| hu.auth.user | Strictly Necessary | Cached user display data | Session |
| hu.sessionId | Strictly Necessary | Anonymous session identifier | Session |
| _ga | Analytics (consent required) | Google Analytics 4 — distinguishes users | 2 years |
| _gid | Analytics (consent required) | Google Analytics 4 — distinguishes users | 24 hours |
| _gcl_aw | Advertising (consent required) | Google Ads conversion tracking | 90 days |
| _gcl_dc | Advertising (consent required) | DoubleClick conversion tracking | 90 days |
4b. Google Tag Manager (GTM) & Google Analytics 4
We load the gtag.js library from www.googletagmanager.com with our Google Ads ID (AW-17966030035) and configure Google Analytics 4 property G-2CVVMNK34X. This script is loaded only after you grant analytics consent. When consent is denied, no Google scripts are loaded and no data is transmitted to Google.
The linker domains configured are hotelunfiltered.com (our website) and hotelunfiltered.onrender.com (our API server) to provide accurate cross-domain session measurement. All cookies are set with SameSite=None; Secure flags.
4c. How to Manage Cookies
- On our site: Click “Cookie Settings” in the footer to change your consent at any time.
- In your browser: Most browsers allow you to block or delete cookies via settings. Note that blocking strictly necessary cookies may prevent the site from functioning.
- Google opt-out: Install the Google Analytics Opt-out Browser Add-on.
5. Purpose of Processing: Hotel Analytics
The core purpose of Hotel Unfiltered is to provide hotel analytics, review aggregation, and personalized recommendations. Specifically, we process data to:
- Match hotels to your stated travel preferences (via TravelDNA profiling).
- Aggregate and analyze publicly available guest reviews using AI to generate “Best For” and “Avoid If” tags.
- Display real-time room pricing and availability from our booking partner (Nuitee Travel / LiteAPI).
- Process hotel bookings on your behalf, with Nuitee Travel acting as the merchant of record.
- Send transactional emails (magic link authentication, booking confirmations) via our SMTP provider.
We do not use your data for automated decision-making that produces legal effects, except for the TravelDNA profiling described in Section 7.
6. Who We Share Data With
| Recipient | Data Shared | Purpose | Legal Basis |
|---|---|---|---|
| Nuitee Travel (LiteAPI) | Name, email, booking details | Reservation fulfillment, payment processing | Contract performance |
| Hotels (via Nuitee) | Guest name, booking dates | Reservation fulfillment | Contract performance |
| Google LLC | Anonymized usage data | Analytics & ads measurement (consent only) | Consent |
| SMTP provider | Email address | Transactional email delivery | Contract performance |
| Render.com (hosting) | Server logs (IP, user-agent) | Infrastructure & security | Legitimate interest |
We do not sell, rent, or trade your personal data to any third party. We do not participate in data broker networks or share data for third-party advertising purposes beyond the Google measurement described above.
7. TravelDNA Profiling
When you complete the TravelDNA quiz, we analyse your responses to create a travel personality profile. This profile scores your preferences on four axes (energy, rhythm, comfort, social) and is used to personalise hotel recommendations.
This constitutes automated profiling under GDPR Article 4(4). The profiling is used solely to improve hotel match relevance and does not produce legal or similarly significant effects. You can request deletion of your TravelDNA profile at any time by contacting us.
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (email, preferences) | Until account deletion requested | Service delivery |
| Booking records | 6 years after checkout | Legal and tax compliance |
| Access tokens | 7 days | Session authentication |
| Refresh tokens | 90 days | Silent session renewal |
| Magic link tokens | 15 minutes | One-time authentication |
| Event / analytics logs | 90 days | Service monitoring |
| Google Analytics data | 14 months (Google default) | Usage analytics |
9. Your Rights Under GDPR (EEA Residents)
Under the General Data Protection Regulation, you have the following rights:
- Right to access (Art. 15) — Request a copy of your personal data.
- Right to rectification (Art. 16) — Correct inaccurate personal data.
- Right to erasure (Art. 17) — Request deletion of your data (“right to be forgotten”).
- Right to restrict processing (Art. 18) — Limit how we use your data.
- Right to data portability (Art. 20) — Receive your data in a machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7) — Withdraw cookie consent at any time via the “Cookie Settings” link.
- Right to lodge a complaint — You may lodge a complaint with a supervisory authority in your EU/EEA member state.
To exercise any of these rights, email raphael@hotelunfiltered.com. We will respond within 30 days.
10. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), grant you additional rights:
- Right to know: You may request the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
- Right to delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to opt-out of sale: We do not sell your personal information as defined by the CCPA. No opt-out is required.
- Right to non-discrimination: We will not discriminate against you for exercising any CCPA rights.
- Right to correct: You may request correction of inaccurate personal information.
- Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by CCPA/CPRA.
To submit a CCPA request, email raphael@hotelunfiltered.com with the subject line “CCPA Request.” We will verify your identity before processing the request and respond within 45 days.
Do Not Sell or Share My Personal Information: Hotel Unfiltered does not sell or share (as defined under CCPA/CPRA) your personal information with third parties for cross-context behavioural advertising.
11. International Data Transfers
Your data may be processed on servers located in the United States (via our hosting provider Render.com) and in the European Union (via Google Analytics data centres). These transfers are protected by appropriate safeguards in accordance with GDPR Article 46, including Standard Contractual Clauses where applicable.
12. Children’s Privacy
Hotel Unfiltered is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at raphael@hotelunfiltered.com and we will promptly delete it.
13. Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- HTTPS encryption (TLS 1.2+) for all data in transit.
- HttpOnly, Secure, SameSite cookie flags on authentication tokens.
- Rate limiting and IP-based throttling on all API endpoints.
- Helmet.js security headers (CSP, X-Frame-Options, HSTS).
- Subresource Integrity (SRI) hashes on all third-party scripts.
- No plain-text storage of passwords (magic link authentication only).
14. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated “Last updated” date. If we make material changes, we will notify you via a banner on the site. Continued use of the service after changes constitutes acceptance of the revised policy.
15. Contact & Disputes
Hotel Unfiltered Co., Ltd.
30 Sukhumvit Soi 4, Khlong Toey, Bangkok 10110, Thailand
Phone: +66 2 115 9505
Email: raphael@hotelunfiltered.com
If you are an EU resident and are unsatisfied with our response, you may use the EU Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr