Legal information

ZenHotels Privacy Notice

Version 1.0 | Updated: April 1, 2026

This Privacy Notice explains how Emerging Travel Group (“ETG”, or "we") collects, uses, and protects your personal data. It applies to your use of ZenHotels at www.zenhotels.com, our mobile applications, and any related digital services or booking tools (“ZenHotels”). Below, we describe what information we gather, why we need it, how we keep it safe, and what rights you have regarding your personal data. All our activities are guided by the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the national data protection laws of the Republic of Cyprus, as well as other national or international data protection legislation that governs your specific relationship with us (“Applicable Law”)

1. Who Is Responsible for Your Data

The processing of your personal data is carried out by Leaside Services Limited, located at 17 Karaiskaki Street, Office 22, Agaia Triada, Limassol, 3032, Cyprus, acting as the Controller.

As the Controller, Leaside Services Limited determines the purposes and means of processing your personal data.

2. What We Collect & How We Use It

We process your personal data only to the extent necessary to achieve the specific purposes outlined below.

Please note that the ZenHotels is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that personal data has been collected from a person under 18 without verifiable parental consent, we will take appropriate steps to delete such information.

The following table details the categories of data we collect and our legal basis for processing under Applicable Law:

*Purpose of Processing*	*Categories of Personal Data*	*Legal Basis for Processing*
Account Creation	Full name Phone number Email address Date of birth Citizenship Gender Payment card data	Contract
Online booking	Full name Phone number Email address Citizenship Booking details Payment card data	Contract (for сustomers) Legitimate Interest (for other guests - to facilitate guest bookings, check-in, and support)
Reviews and ratings management	Full name Booking details Review and feedback content	Legitimate Interest (to maintain service transparency, verify booking authenticity, and help other users make informed travel decisions)
Payment processing	Payment card data Transaction data	Contract
Accounting and invoicing	Payment card data Transaction data	Legal Obligation
Loyalty program	Loyalty program data Transaction data	Legitimate Interest (to operate loyalty programs, reward repeat customers, and enhance brand engagement)
General Customer Support	Full name Phone number Email address Booking details Reasons of modification/cancellation Audio recording	Contract
Complaints and dispute resolution	Full name Phone number Email address Postal address ID details Transaction data Booking reference	Legitimate Interest (to establish, exercise, or defend legal claims and protect the company’s rights and assets)
Manage quality of customer support interactions	Full name Audio recordings Customer support inquiry content	Legitimate Interest (to monitor service standards and train support personnel)
Email marketing and newsletters	Email engagement data	Consent
Social media marketing	Full name Social media interaction data Behavioral and browsing data Cookie and tracking data	Legitimate interest (to maintain brand presence and engage with the community) Consent (for marketing communications and advanced tracking)
Cookie tracking, web & app analytics	Cookie identifiers IP address Site behavior Device data	Consent
Personalization	Behavioral and browsing data Transaction data Cookie and tracking data Loyalty program data	Legitimate interest (to provide personalized travel recommendations, and enhance user experience through behavioral modeling and content tailoring)
Corporate website management	Connection and session data IP address and session data	Legitimate interest (maintaining a secure and reliable service for all users)
Track product performance	Behavioral and browsing data Transaction data Connection and session data	Legitimate interest (to analyze service usage, identify technical issues, and improve overall product functionality)
Use consumer insights in product design (UX)	Full name Phone number Email address Audio recordings Video recordings Review and feedback content Behavioral and browsing data	Consent
Antifraud screening	Booking reference IP address and session data Payment card data (tokenized) Transaction data Hotel name and accommodation details Booking dates	Legitimate Interest (to maintain platform security and prevent financial loss)

To use ZenHotels, providing certain information is a contractual requirement. To access and use the Platform, you must provide the data categorized as Account Creation and Online booking. While you are not legally required to provide your personal data, failure to provide this mandatory information will result in the inability to register your account. Furthermore, we will be unable to conclude or execute the agreement with you, and you will be unable to use the functionality of the ZenHotels platform.

We may engage in interest-based advertising, which involves collecting information across websites, applications, and devices to infer user interests and deliver more relevant advertisements. We work with advertising networks, attribution providers, and business partners to promote our products and services through emails and ads on third-party platforms. These activities may involve the use of cookies, pixels, mobile advertising identifiers, and similar technologies. Aside from these advertising activities, we do not use AI or automated systems to make decisions that produce legal or similarly significant effects on you, such as automated profiling or account termination without human review.

3. Processing of Third-Party Data

When we receive personal data from someone other than the data subject, we make reasonable efforts to provide such data subjects with information about how their personal data is processed, including by making this information publicly available in this Privacy Notice. We also rely on the person providing the data to bring this Privacy Notice to the attention of those data subjects.

Therefore, if you provide us with personal data of other individuals, for example, additional guests in your booking, you must ensure that you are duly authorized to do so and, where appropriate, bring this Privacy Notice to their attention.

4. How We Share Your Data

To support the operation of the ZenHotels and fulfill our obligations to you, we may share your personal data with the following categories of third parties:

Affiliated Entities: we share data within the ETG for unified management, consolidated internal reporting, and centralized technical support.

Government Authorities and Courts: we may disclose information to competent regulatory, tax, or law enforcement authorities and courts where disclosure is required by applicable law or necessary for the protection of our legal rights and defense against claims.
Data Centers and Cloud Service Providers: we use third-party infrastructure and hosting services to ensure the availability, security, and performance of ZenHotels.
Financial Institutions and Payment Systems: information is shared with banks and payment processors to process your payments, manage settlements, and handle chargeback requests or fraud detection activities.
Research and Analytics Providers: we engage partners who provide platforms for surveys and feedback collection to help us improve our products and services.
Security and Verification Services: data is shared with specialized providers for fraud prevention.
Communication Service Providers: we use third-party telecommunication operators, IP-telephony, IVR services, and AI-driven tools (including speech recognition and quality control assistants) to manage our communications with you.
Web Analytics Services: we use providers that collect statistical information about website visitor behavior to optimize the user experience.
Business and Marketing Partners: we work with partners around the world who distribute or advertise our services (this may involve integrating our booking services into their platforms or displaying customized advertisements to you based on your interests).
Booking Service Providers: in order to complete your booking, we transfer relevant reservation details to the third-party providers (such as hotels, guesthouses, or other accommodation facilities) that you have selected.

We ensure that all third parties handle your personal data in compliance with Applicable Law and are bound by appropriate confidentiality and data protection obligations.

5. How We Transfer and Protect Your Data Internationally

As a global group of companies, we may transfer and process your personal data in various locations worldwide to provide you with the ZenHotels services. These transfers occur when necessary to fulfill our contract with you, specifically for completing your travel reservations with providers located outside the European Economic Area, or processing international payments, as well as for other purposes, including providing customer support from our global offices.

Since these countries may have different data protection standards than the EU, we implement the following safeguards in accordance with Applicable Law to ensure your information remains secure:

When we share data with third-party service providers or partners, we include specific data protection clauses in our agreements, including Standard Contractual Clauses where applicable. These terms require all recipients to maintain a level of security and confidentiality that is substantially equivalent to the requirements of the Applicable Law governing our processing activities.
We apply consistent technical and organizational measures across ETG globally. These standards are designed to meet the requirements of the Applicable Law and ensure a high level of data protection.
We monitor and comply with specific legal conditions for cross-border data flows in each jurisdiction, including performing data transfer impact assessments or obtaining necessary authorizations where required by Applicable Law.

6. How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with Applicable Law. The specific retention period is determined based on the nature of the personal data, the purposes of processing, and applicable legal or regulatory requirements.

When the relevant processing purpose has been fulfilled and the applicable retention period has expired, personal data will be securely deleted or irreversibly anonymised.

If you request the deletion of your personal data or withdraw your consent, we will delete your information without undue delay. Please note that in certain cases our ability to delete personal data may be limited, for example, by statutory retention obligations, reasons of public interest, laws relating to freedom of expression and information, or where processing is necessary for the establishment, exercise or defence of legal claims.

7. What Are Your Rights

Under Applicable Law, you have certain rights that allow you to control how your personal data is used. The availability and exercise of these rights may vary depending on your location and the specific legal grounds for processing.

You may exercise the following rights by contacting us or using the automated tools available within ZenHotels:

Right of Access: you have the right to request confirmation as to whether your personal data is being processed and, where that is the case, access to the personal data and information regarding the processing (such as the purposes, categories of data, and recipients).
Right to Rectification: you have the right to obtain the rectification of inaccurate or incomplete personal data concerning you without undue delay.
Right to Erasure: you have the right to request the deletion of your personal data where the data is no longer necessary for the original purposes, or if you withdraw your consent. Please note that this right might be the subject to exceptions under the Applicable Law (e.g., for compliance with a legal obligation).
Right to Restriction of Processing: you have the right to request that we limit suspend the processing of your data, other than for storage purposes, in specific cases established by Applicable Law, such as when you contest the accuracy of the data, the processing is unlawful, the data is required for legal claims, or you have exercised your right to object and are awaiting verification of overriding legitimate grounds.
Right to Data Portability: where processing is based on consent or a contract and carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format.
Right to Object: you have the right to object to the processing of your personal data based on our legitimate interests, or where processing is necessary for the performance of a task carried out in the public interest.
Right to Withdraw Consent: where processing is based on your consent, you have the right to withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint: you have the right to lodge a complaint with a competent data protection supervisory authority. As our primary establishment is in Cyprus, the lead authority is the Office of the Commissioner for Personal Data Protection (Cyprus). However, you also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.

To exercise these rights, please refer to the How to Contact Us section. We will respond to your request within the timeframe mandated by Applicable Law.

8. How We Keep Your Data Safe

We implement a comprehensive system of administrative, technical, and physical safeguards to protect your personal data against unauthorized access, disclosure, or destruction in accordance with Applicable Law.

Our security framework includes:

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption for data in transit and at rest. Our infrastructure is protected by advanced network security controls, including firewalls, intrusion prevention capabilities, and continuous threat monitoring. We also maintain application-level security controls designed to protect against common digital vulnerabilities and unauthorized access.
Access to personal data is strictly limited to authorized personnel on a “need-to-know” basis. We enforce multi-factor authentication and role-based access controls across our systems.
We maintain internal data protection policies, conduct regular security audits, and provide ongoing data security training for our employees. We also maintain third-party security certifications to verify our compliance with global standards.
Your data is stored in secure data centers featuring 24/7 monitoring, restricted physical access, environmental controls, and robust disaster recovery and backup systems.
We have established procedures for rapid incident response and breach notification to ensure that any potential threats are mitigated and reported as required by Applicable Law.

9. Use of Cookies and Similar Technologies

We use cookies and similar tracking technologies to collect information about your interactions with the ZenHotels, analyze trends, and provide a secure and personalized experience.

Detailed information about the types of cookies we use, their purposes, and how you can manage your preferences is available in our separate Cookie Policy.

10. Updates to This Privacy Notice

We may update this Notice from time to time to reflect changes in our practices or legal requirements under Applicable Law. In the event of significant changes, we will provide you with appropriate notice. The "Updated" date at the beginning of this document indicates when the latest changes were made.

11. How to Contact Us

If you have any questions, concerns, or requests regarding your personal data, please contact our Data Protection Officer at pd@emergingtravel.com.