We are The Sleepexchange Limited, trading as “Hoo” and “justhooit.com” (we or us), a company registered in England under company registration number 12125779.
This policy should be read together with our website Terms & Conditions, any documents referred to in it and any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you. It is important that you read the following carefully so that you are fully aware of how and why we are using your data.
This privacy notice was last updated on 22 December 2022.
If you need to contact us about anything relating to our processing of your personal data, including any requests to exercise your legal rights described in Section 13 below, please do so by e-mailing us at email@example.com
1.1 We are responsible for your personal data that we collect from you. We are classed as a ‘data controller’ in respect of your data, which means that we owe certain obligations to you and the UK data regulator, the Information Commissioner's Office (ICO), in respect of our handling of your personal data.
1.2 You have the right to make a complaint at any time to the ICO (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Personal data, or personal information, means any information about an individual from which that person can be identified, either alone or in combination with other data. It does not include data from which your identity has been removed (anonymised data).
You may give us information about yourself by filling in forms on our website or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to our service, search for a hotel to book, make a reservation through our site or purchase any other product, participate in discussion boards or other social media functions on our site, enter a competition, promotion or survey, and when you report a problem with our site.
4.1 We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
· Identity Data – includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
· Contact Data – includes billing address, email address and telephone numbers.
· Financial Data – includes bank account and payment card details.
· Transaction Data – includes details about bookings you have made and other details of products and services you have purchased from us.
· Technical Data – includes internet protocol (IP) address, your login data, browser type and version, time zone setting and approximate location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
· Profile Data – includes your username and password, bookings or other product purchases made by you, your interests, preferences, feedback, and survey responses.
· Usage Data – includes information about how you use our website (including the length of your visit to it and the number of page views), products and services. If you call us, we will record the time, date and day of the week and length of your call and whether the call was answered or not.
· Marketing and Communications Data – includes your preferences in receiving marketing from us and our third parties and your communication preferences.
4.2 Special categories. We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
4.3 Children. Our website is not intended for use by anyone under the age of 16. When placing a family booking through our website we may need to request the number of children that are included in the booking and their age (or the age range in which they sit), so that this information can be passed to the relevant hotel. We do not collect the names, dates of birth or any other personal data of anyone under the age of 16.
5.1 We collect, use, and share aggregated data such as statistical or demographic data for various purposes. Aggregated data may be derived from your personal data but is not considered personal data in law as it does not directly or indirectly reveal your identity, as the data has been anonymised. This can help us to share audience information with platforms such as Facebook and Google, for the purpose of such platforms displaying our adverts to our existing customers or audiences similar to our existing customers.
5.2 If we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
5.3 We may receive data about users’ interactions with our website from various third parties, including analytics providers such as Google. However, this data is anonymised.
6.1 Our website enables you to book hotel stays in locations around the UK and the rest of the world. When you make a booking through our website we need to share some of your personal data with the relevant hotel so that your booking can be confirmed.
6.2 We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following permitted circumstances:
· Where we need to perform a contract we are about to enter into or have entered into with you.
· Where the processing of your personal data is necessary to comply with a legal obligation to which we are subject.
· Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
Examples of legitimate interests include: the administration and improvement of our website (including its security), fraud prevention, notifying you about changes to our services, and providing you with information about offers or other services that may be of interest to you.
7.1 We need to pass some of your personal data to third parties in order to be able to provide you with the services that you are require from us when making a booking through our website.
· Third-party services (known as Channel Managers) act as a link between us and the hotels displayed on our website, providing us with real-time availability, rates and inventory. When you make a booking we will need to pass certain of your personal data to these Channel Managers who will then pass it on to the relevant hotel. The hotel requires this information to confirm your booking. This will include Identity Data and Contact Data.
· Stripe processes payments on required to complete your bookings. When you provide us with Financial Data through our website you will be providing this information directly to Stripe for payment processing purposes. We also keep this information as we will be required to provide it to the relevant hotel.
· ActiveCampaign enables us to serve our customers with relevant email content, created by us, more efficiently. Where you have consented to receiving email communications from us about our services, we pass your email address to ActiveCampaign for this purpose.
7.2 In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer. Similarly, if we ourselves are the target of an acquisition by a third party, personal data held by us about our customers will be one of the assets transferred to that third party. We will notify you in writing if any such circumstance occurs.
7.3 We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
8.1 Our servers are hosted by Amazon Web Services located in London, United Kingdom.
8.2 When you make a booking at a hotel outside the UK through our website, it will be necessary for some of your personal information to be transferred to that hotel in order for the booking to be confirmed, and for the hotel’s own records.
8.3 We do not ourselves handle this international data transfer, and we do not ourselves transfer any of the personal data that you give us outside the UK. Instead, we pass this information to the relevant Channel Manager whose role is to pass it to the hotel’s reservations system.
8.4 The Channel Manager handles the transfer of data to the relevant hotel and is primarily responsible for ensuring that all such data transfers occur in accordance with the relevant rules on the international transfer of personal data from the UK. Where the hotel is located in a jurisdiction that has not received an adequacy ruling from the UK in respect of its data protection legislation (such as the US), this may involve ensuring that an appropriate form of data transfer agreement approved by the ICO (known as an IDTA) is in place with the relevant data recipient.
8.5 We take reasonable steps to ensure that the Channel Manager handles any international data transfers in compliance with the relevant requirements, including that we put the Channel Manager under contractual obligations to us to do so.
9.1 We are committed to ensuring that your information is secure. While the transmission of information via the internet is never completely secure, we do our best to protect your personal data.
9.2 We have put in place suitable physical, electronic, and managerial procedures to safeguard and secure your personal information. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. However, in general any data collected through these mechanisms will be anonymised.
We have essential cookies – one for Authentication, to remember which user is logged in; and another for Search Criteria, to remember the search filter that the user wants to apply. We also bring two Third Party cookies to your attention:
· Cookie Name: _ga
Expiry Period : 2 Years
Purpose: Used by Google Analytics to distinguish users.
· Cookie Name: m.stripe.com
Expiry Period : 2 Years
Purpose: Used by Stripe payment services for fraud prevention and detection
Please refer to your device’s help material to learn what controls you can use to remove or block cookies, or other similar technologies; or block or remove other data stored. Please remember that if you do this, it may affect the functionality of our website and/or your ability to use our services.
12.1 You are in control of the information you provide to us through this website. You may choose to restrict the collection or use of your personal information in the following ways:
· Whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes.
· If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us at firstname.lastname@example.org.
12.2 A link enabling you to unsubscribe from direct marketing will be included in every direct marketing communication that is sent to you.
12.3 Please note that if you choose not to share some of your information, you may not be able to access or use some areas of the site.
13.1 You have rights under data protection laws in relation to your personal data. These rights are set out in the box below. If you wish to exercise any of these rights set out above please contact us.
You have the following rights:
· Request access to your personal data (a "data subject access request"). This enables you to receive a copy of the personal data we hold about you.
· Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data corrected. We may need to verify the accuracy of any new data you provide to us.
· Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. In some circumstances we may not be able to comply with an erasure request for specific legal reasons which will be notified to you, if applicable, at the time of your request.
· Object to processing of your personal data. You have a right to object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which you believe causes such processing to adversely impact on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
· Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in certain scenarios, for example if you want us to establish the data's accuracy or where our use of the data is unlawful but you do not want us to erase it.
· Request the transfer of your personal data to you or to a third party. We will provide your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
· Withdraw consent at any time where we are relying on consent to process your personal data. The lawfulness of any processing carried out before you withdraw your consent will not be affected. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time.
13.2 You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
13.3 We may need to request specific information from you to help us confirm your identity before you can exercise any of these rights. This is a security measure to ensure that your personal data is not disclosed to someone who does not have a right to receive it. We may also need to ask you for further information in relation to your request to help speed up our response.
13.4 We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will let you know and keep you updated.
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collect, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Please contact us if you would like further information about our data retention policies.
We may update this policy from time to time. Any changes we may make will be posted on this page and, where appropriate, notified to you by email. Please regularly check this policy to ensure that you are aware of its current terms.