Introduction & Controller Identity
This Privacy Policy describes how Avoota Hotels & Resorts Private Limited ("Avoota", "We", "Us", or "Our"), incorporated under the laws of India and registered at 12th Floor, One Avoota Tower, Bandra Kurla Complex, Mumbai 400 051, collects, uses, shares, and protects personal data relating to guests, website visitors, loyalty programme members, and any other individual whose data we process ("You" or "Data Principal").
Avoota is the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023, and the Data Controller under GDPR, for all personal data processed through the Platform and across all 34 Avoota properties worldwide. By accessing the Platform or making a reservation, you acknowledge the practices described in this Policy.
We will never sell your personal data. We will never use your data for purposes beyond what is described in this Policy without your explicit consent. We will always make it straightforward for you to access, correct, and delete your information.
Data We Collect
We collect personal data only to the extent necessary to deliver and improve our services. The table below sets out each category, its source, and whether it is required.
| Category | Examples | Source | Required? |
|---|---|---|---|
| Identity & Contact | Full name, email, phone, date of birth, nationality | Directly from you | Mandatory |
| Booking & Stay | Reservation details, room type, dietary needs, special occasions | You / Property | Mandatory |
| Payment | Card type, last four digits, billing address (full card numbers not stored) | Payment processor | Mandatory |
| Identity Verification | Passport or government-issued ID as required by local law at check-in | Directly from you | Regulatory |
| Usage & Technical | IP address, device type, browser, pages visited, session duration | Automatically collected | Functional |
| Preferences & Feedback | Pillow type, floor preference, review content, survey responses | Directly from you | Optional |
| Loyalty Programme | Points balance, tier status, redemption history | Programme activity | Members only |
We collect data revealing health conditions, dietary requirements, or accessibility needs only with your explicit consent and solely to personalise your stay. This data is never used for profiling or shared with third parties beyond the property team responsible for your care.
How We Use Your Data
We process personal data for the purposes and on the legal bases set out below. We will never use your data in ways incompatible with the purpose for which it was collected without first obtaining your explicit consent.
- A. Reservation Fulfilment: Processing your booking, pre-arrival communications, and ensuring all in-stay requirements are met. Legal basis: performance of a contract.
- B. Payment Processing: Authorising, charging, and reconciling payments; preventing fraud and chargebacks. Legal basis: performance of a contract and legal obligation.
- C. Regulatory Compliance: Guest registration, anti-money-laundering checks, and submission of mandatory data to local authorities where required by law. Legal basis: legal obligation.
- D. Service Improvement: Analysing usage patterns to enhance the Platform, personalise content, and optimise the guest journey. Legal basis: legitimate interests.
- E. Marketing & Personalisation: Sending promotional communications and AI-assisted stay recommendations — only where you have opted in. Legal basis: consent.
- F. Loyalty Programme: Crediting, tracking, and enabling redemption of Avoota One points and tier benefits. Legal basis: performance of a contract.
- G. Safety & Security: CCTV monitoring in public areas, fraud prevention, and protecting the safety of guests and staff. Legal basis: legitimate interests and legal obligation.
Sharing & Disclosure
We do not sell or rent your personal data to any third party. We share data only in the limited circumstances below, and only with recipients who are contractually bound to protect it to the same standard we apply.
1. Avoota Group Entities: Other hotels and corporate offices within the Avoota Hotels & Resorts group, for delivering group-wide services and loyalty benefits.
2. Service Providers: Payment processors, cloud infrastructure providers, email delivery platforms, and analytics services — all under strict Data Processing Agreements.
3. Travel Partners: Online travel agencies or booking platforms through which you made your reservation, for confirmation and communication purposes only.
4. Legal Authorities: Government agencies or law enforcement where disclosure is required by applicable law, court order, or to protect the safety of individuals.
5. Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred subject to continued adherence to this Policy.
Every third-party data processor undergoes a formal privacy and security assessment before being granted access to personal data. Assessments are reviewed annually and whenever a provider's services change materially.
International Transfers
As a global hospitality group with 34 properties across six continents, Avoota may transfer personal data across national borders. When transferring data outside of India or the European Economic Area, we apply appropriate safeguards as required by the DPDP Act, 2023 and GDPR respectively.
- For transfers from the EEA / UK: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by transfer impact assessments where required.
- For transfers from India: We comply with the Government of India's cross-border data transfer framework and restrict transfers to jurisdictions assessed as providing adequate protection.
- Property-level data such as on-site CCTV is processed and retained locally within the jurisdiction of the relevant property and is not transferred internationally.
You may request a copy of the transfer safeguards applicable to your data by writing to our Data Protection Officer at privacy@avoota.com. We will respond within 30 days.
Cookies & Tracking
Our Platform uses cookies and similar technologies — including web beacons, pixels, and local storage — to enhance your experience, remember preferences, and deliver relevant content. You can manage your cookie preferences at any time via our Cookie Preference Centre.
| Cookie Type | Purpose | Duration | Required? |
|---|---|---|---|
| Strictly Necessary | Session management, security tokens, and booking flow state | Session / 1 year | Always On |
| Analytics & Performance | Understand Platform usage; data is anonymised and aggregated | Up to 26 months | Consent Required |
| Personalisation | Remember language, currency, and room preferences across visits | Up to 12 months | Consent Required |
| Marketing & Advertising | Deliver relevant Avoota promotions on third-party platforms | Up to 90 days | Consent Required |
To opt out of interest-based advertising industry-wide, you may visit youronlinechoices.eu or use your browser's privacy settings. Cookie preferences set in our banner apply to this browser and device only.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Type | Retention Period | Basis |
|---|---|---|
| Booking & Guest Records | 7 years from check-out | Legal / Tax obligation |
| Payment Transactions | 7 years from transaction date | Legal / Regulatory |
| Account & Profile Data | Duration of account + 3 years | Contractual / Legitimate interest |
| Loyalty Programme Data | Duration of membership + 2 years | Contractual |
| Marketing Consent Records | Until withdrawn + 5 years | Legal obligation (proof of consent) |
| Website Analytics | 26 months | Legitimate interest |
| CCTV Footage | 30 days (longer if incident-related) | Security / Legal obligation |
At the end of each applicable retention period, data is securely deleted or anonymised in accordance with our internal Data Lifecycle Management Policy.
Security Measures
Avoota employs a multi-layered security framework to protect personal data against unauthorised access, disclosure, alteration, and destruction. Our security programme is aligned with ISO/IEC 27001 and PCI DSS, and is subject to annual independent audits.
- A. Encryption: All data in transit is encrypted using TLS 1.3. Sensitive data at rest — including payment data and identity documents — is encrypted using AES-256.
- B. Access Controls: Role-based access ensures staff may only access data necessary for their function. All access is logged and reviewed quarterly.
- C. Penetration Testing: Our Platform undergoes annual penetration testing by an independent cybersecurity firm, with all findings remediated within defined SLAs.
- D. Incident Response: We maintain a documented Data Breach Response Plan. In the event of a breach affecting your rights, we will notify you and the relevant supervisory authority within the legally required timeframe.
- E. Staff Training: All staff handling personal data complete mandatory annual privacy and security training, with role-specific modules as required.
If you discover a security vulnerability in our Platform, please report it responsibly to security@avoota.com. We operate a responsible disclosure programme and will acknowledge all valid reports within 48 hours.
Your Rights
Depending on your country of residence, you have a range of rights over your personal data. We honour all applicable rights and aim to respond to all verified requests within 30 days, or the shorter period required by applicable law.
1. Right of Access: Request a copy of the personal data we hold about you, including the purposes for which it is processed and the recipients to whom it has been disclosed.
2. Right to Rectification: Ask us to correct inaccurate or complete incomplete personal data without undue delay.
3. Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing, subject to our legal retention obligations.
4. Right to Portability: Receive your data in a structured, machine-readable format and transfer it to another controller where technically feasible.
5. Right to Object: Object to processing based on legitimate interests or for direct marketing at any time. Marketing opt-outs take effect within 10 business days.
6. Right to Restriction: Request that we restrict processing in certain circumstances — for example, while accuracy is contested or an objection is being assessed.
Submit a verified request to privacy@avoota.com or through the Data Rights section of your Avoota account. You also have the right to lodge a complaint with the Data Protection Board of India or, if based in the EU/UK, your national data protection authority.
Children's Privacy
The Avoota Platform is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. Bookings involving minors must be made by a parent or legal guardian, who accepts responsibility for the accuracy of any information provided on behalf of the minor.
If we become aware that we have inadvertently collected personal data from a child under 18 without appropriate parental consent, we will take immediate steps to delete that data. Parents or guardians who believe their child's data may have been collected should contact us at privacy@avoota.com.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email to registered users and/or by a prominent notice on the Platform at least 30 days before the change takes effect. Your continued use of the Platform after the effective date of any amendment constitutes acceptance of the revised Policy.
For minor, non-material changes — such as corrections or clarifications that do not alter your rights — notice may be given by updating the "Last Updated" date at the top of this document. An archive of previous versions is available upon request from privacy@avoota.com.
Contact & Data Protection Officer
Our Data Protection Officer (DPO) is appointed in accordance with the requirements of the GDPR and the DPDP Act, 2023. You may contact our DPO directly for any privacy-related queries, complaints, or to exercise your data rights. All requests are acknowledged within 48 hours and responded to in full within 30 days.
Attn: Data Protection Office
12th Floor, One Avoota Tower
Bandra Kurla Complex, Mumbai 400 051
Maharashtra, India
DPO: Mr. Rohan Mehta
Email: privacy@avoota.com
Grievance Officer: Ms. Aditi Rajan — grievance@avoota.com
If you are not satisfied with our response, you have the right to escalate your complaint to the Data Protection Board of India or, if you are based in the EU/UK, to your national data protection authority. For general queries, contact our Guest Relations team via the Contact Us page. We aim to resolve all concerns within 5 business days.