Privacy Policy

Last updated: January 28, 2025

1. Introduction

At Ipan Noya, we are committed to protecting your privacy and ensuring transparency about how your personal data is collected, used, and stored. This privacy policy applies to all individuals who interact with our website and services, and it is designed to comply with the data protection laws in the European Union (EU), United States (USA), Canada, and Latin America (LatAm), including but not limited to GDPR, CCPA, PIPEDA, and LGPD.

By visiting our website and using our services, you agree to the collection and use of information as described in this policy. We want you to understand what data we collect, how we use it, and the rights you have regarding your personal information.

2. Data Collection Overview

By default, when you visit our website, our web servers collect and store certain technical information for operational purposes, including your IP address, the website from which you accessed ours, the pages you visit, and the duration of your visit. This data is necessary for the proper functioning and security of our website and is not used for personalized analysis unless specified.

3. Compliance Across Regions

We have structured this privacy policy to comply with the following regional laws:

• General Data Protection Regulation (GDPR) (EU): We ensure compliance with the rights of EU residents concerning the collection, processing, and protection of their personal data.
• California Consumer Privacy Act (CCPA) (USA): For California residents, we honor your rights to know, delete, and opt-out of the sale of your personal data.
• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada): We follow PIPEDA guidelines to safeguard the personal data of Canadian users.
• Lei Geral de Proteção de Dados (LGPD) (Brazil and other LatAm countries): We respect the rights of users in Brazil and Latin America by ensuring consent and transparency in our data practices.

3.1 Data Controller and Data Protection Officer

For all processing activities related to personal data in connection with the use of this website (except for specific bookings and cancellations as outlined in Section 4.5), the data controller is:

Ipan Noya
Legal Company: Habiterra SAS de CV
Address: 8 Calle Ote. y 15 Av Sur, Colonia Utila, Santa Tecla, La Libertad Sur, El Salvador 1501
Phone: +503 7290-1800
Email: [email protected]

Data Protection Officer:
For inquiries about data privacy or if you need to exercise any of your rights, you can contact us at the email address listed above.

3.2 Inquiries by You

You may choose to contact us via email or other forms on our website. In doing so, we will process the personal data you voluntarily provide to us, such as your email address, name, and any other information you include in your message. We will use this data solely for the purpose of responding to your inquiry or fulfilling your request.

4. Purposes for Processing Personal Data and Legal Basis

4.1 Mandatory Data

To make a booking or apply for services on our website, we require certain personal data to fulfill the contract you wish to enter into. Without providing this mandatory information, we may not be able to offer you the full range of services.

For example, when visiting our website, data such as your IP address and the pages you access are automatically collected for administrative and technical purposes. This is necessary to ensure the proper functionality, security, and performance of our website and services.

Legal basis: This processing is based on our legitimate interest to operate and maintain our services, or contractual necessity (e.g., fulfilling your booking or inquiry), under Art. 6 para. 1 lit. b GDPR, PIPEDA, LGPD, and CCPA.

4.2 Newsletter Subscription

If you subscribe to our newsletter, we process the following data:

• Email address
• Confirmation that you have read and accepted our terms and privacy policy
• Date and time of consent
• IP address

The email address is essential for sending our newsletter. The legal basis for processing it is your explicit consent (Art. 6 para. 1 lit. a GDPR, PIPEDA, LGPD, and similar data protection laws in other regions).

We use the double opt-in procedure, meaning you will receive our newsletter only after explicitly confirming your subscription via a confirmation link sent to your email.

Additionally, if you have purchased goods or services from us, we may send you related offers (e.g., promotional content or newsletters) if permitted by applicable laws (e.g., Art. 6 para. 1 lit. f GDPR, CCPA).

You can withdraw your consent at any time by unsubscribing from our email list. Your data will be stored until you withdraw consent, or until we stop sending newsletters. After that, your data will be deleted in accordance with applicable retention periods.

4.3 Hotel Bookings and Cancellations

When booking a hotel stay via our website, we collect and process the following data:

• Title, first name, and last name
• Email address
• Phone number
• Postal address
• City, country/region
• Credit card details (for payment)
• Booking confirmation number

This data is collected through our reservation system (via Lodgify) and processed on our behalf for managing bookings and cancellations.

Legal basis: This data processing is necessary for the performance of the contract under Art. 6 para. 1 lit. b GDPR, PIPEDA, and LGPD. If you cancel a booking, we process your data to manage the cancellation and provide refunds if applicable.

4.4 Guest Profiles

When you make a booking on our website, we may create a guest profile, storing information such as your email addressand booking details. This profile allows you to view and manage your past bookings, store preferences, and receive tailored offers.

To activate your guest profile, you will need to follow the instructions in the welcome email (which includes a verification link).

Legal basis: Creating and maintaining your guest profile is necessary for the performance of the contract (Art. 6 para. 1 lit. b GDPR, PIPEDA, LGPD). This helps us provide a more personalized experience and enhance the services we offer.

You can access, update, or delete your profile information at any time by contacting us directly. We will store your booking and profile data in accordance with statutory retention periods.

4.5 Website and Newsletter Personalization

To improve user experience, we personalize content based on your interactions with our website and newsletters. This can include tailored offers, recommendations, and personalized content.

We do not create personalized user profiles for this purpose, and any data is anonymized where possible.

Legal basis: This processing is based on your consent (Art. 6 para. 1 lit. a GDPR, PIPEDA, and LGPD), or alternatively, our legitimate interest in enhancing the website and service experience (Art. 6 para. 1 lit. f GDPR).

If you voluntarily provide your first and last name during booking or registration, these may also be used to personalize content, offers, and communications.

4.6 Online Shop

When you use our online shop, we process the following data for fulfilling your orders:

• Name
• Email address
• Postal address (city, state/province, ZIP code, country)
• Credit card information

We share this data with third-party partners, such as delivery services, payment processors, and other necessary partners (e.g., tax consultants or legal services). We may also disclose data to law enforcement authorities if required by law.

Legal basis: This processing is based on contractual necessity (for order fulfillment, billing, and delivery) under Art. 6 para. 1 lit. b GDPR, PIPEDA, and LGPD. Additionally, data retention obligations are based on Art. 6 para. 1 lit. c GDPR.

Data may be processed outside the EU/EEA or Latin America if necessary for fulfilling the contract. We ensure adequate safeguards, such as Standard Contractual Clauses (SCCs) or Privacy Shield (where applicable), are in place as required under Art. 46, 47 GDPR and similar regulations.

4.7 Website Technology and Tracking

We use tracking technologies, such as cookies, to improve the user experience on our website. These technologies serve several purposes, including authentication, security, analytics, and advertising.

Legal basis: The legal basis for using these technologies is your consent (under Art. 6 para. 1 lit. a GDPR and Section 25(1) of the TTDSG).

4.8 Cookies

Cookies are used to enhance the user experience. They serve multiple functions such as:

• Authentication cookies: for verifying user accounts
• Security cookies: to secure your account and personal data
• Advertising cookies: to show relevant ads
• Analytics cookies: to measure website traffic and improve content

4.9 Third-Party Services

4.9.1 Google Services

• Google Analytics: Used to analyze user interactions with the website (e.g., page visits, clicks, and device information). Data is anonymized to protect user identities.
• Google Tag Manager: Manages and deploys tracking tags on the website.
• Google Signals: Provides demographic and interest-based insights for cross-platform advertising.
• Google Ads & Remarketing: Targeted ads based on previous interactions with our website.

4.9.2 Microsoft Bing Ads

• Used to track whether users click on ads and reach landing pages. No personal information is shared; only aggregated data is used for campaign measurement.

4.9.3 Facebook Services

• Facebook Impressions: Tracks how frequently posts are displayed to users.
• Facebook Custom Audiences: Targets visitors with personalized ads on Facebook based on their interactions with the website.
• Facebook Lead Ads: Collects user emails for newsletter subscriptions.

4.10 International Data Transfers

We may transfer your data outside of the EU/EEA, especially to countries like the US. We ensure that appropriate safeguards, such as the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs), are in place to protect your data.

4.11 User Rights and Control

You have control over the cookies and tracking technologies we use. You can manage cookie preferences and opt out of personalized advertising from services like Google, Microsoft, and Facebook via their respective settings.

We only process data if necessary for the performance of the contract, for compliance with legal obligations, or based on your consent.

5. Recipients of Data

Your personal data may be shared with various third parties in connection with the services we provide, including:

• Online Booking Platforms: This includes Expedia, Booking.com, Airbnb, and their partners. These platforms help facilitate reservations and bookings made through them.
• Payment Processors: Financial transactions are handled by external parties, including BAC Credomatic, N1co, and Davivienda, which process payment information.

These third parties act as data processors, meaning they handle your data on behalf of the hotel for the purposes of making and managing bookings, and processing payments.

6. Your Rights

This section details the rights you have concerning the processing of your personal data under the GDPR. These rights are generally free to exercise, but the hotel may charge a reasonable fee if the request is unfounded or excessive. Here's a breakdown of your rights:

6.1 Withdrawal of Consent

You can withdraw consent for any data processing you've agreed to. Importantly, this withdrawal will only affect future processing—it does not affect the lawfulness of any data processing carried out prior to the withdrawal.

6.2 Confirmation and Access

You have the right to request whether your personal data is being processed. If it is, you can request to see the data being processed (under Article 15 of the GDPR).

6.3 Rectification and Erasure

• Rectification: You can request corrections if your personal data is inaccurate or incomplete (Article 16 of the GDPR).
• Erasure: You can also request to have your data erased (under Article 17 of the GDPR), subject to specific conditions, such as when the data is no longer necessary for the purposes for which it was collected.

6.4 Restriction of Processing

You can request the restriction of your data processing under certain conditions, such as when you contest the accuracy of the data or the processing is unlawful but you don't want to erase the data (Article 18 of the GDPR).

6.5 Right to Data Portability

If you’ve provided your personal data, you have the right to receive it in a structured, machine-readable format and to transfer that data to another data controller (Article 20 of the GDPR). This right only applies when:

• Processing is based on consent or contractual necessity.
• The processing is carried out automatically.

Note that this right doesn’t apply if it would affect the rights and freedoms of others (e.g., other people's personal data).

6.6 Obligation to Provide Data

While you're not obligated to provide personal data, failure to provide certain data (such as booking or payment information) may prevent you from using some services or features on the website.

6.7 Right to Lodge a Complaint

If you believe your data is not being handled in accordance with data protection laws, you can file a complaint with a supervisory authority. This is typically the data protection authority in the country where you reside or where you believe the violation occurred.

7. Right to Object

Under the GDPR, you have the right to object to the processing of your personal data in specific circumstances, particularly when the processing is based on Article 6(1)(e) (public interest or official authority) or Article 6(1)(f)(legitimate interest) of the GDPR.

• If you object, the company will no longer process your personal data unless they can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if the data is required for legal claims (e.g., legal defense or the exercise of rights in court).

This ensures that your personal data isn't used when you have a valid reason for objecting, unless there are strong counter-reasons, such as for legal purposes.

8. Changes to This Privacy Policy

8.1 Updating Our Privacy Policy

Changes to the law or our website features may require us to update our privacy policy. If this happens, we’ll notify youof the updates. Therefore, it’s recommended that you periodically review the privacy policy to stay informed about any changes. The latest version will always be available on the website.

8.2 Printing and Storing the Privacy Policy

You have the option to print or save this privacy policy for your reference, using the print or save functions available in your browser.