Privacy Policy

1. Introduction

This Privacy Policy explains how HotelHero collects, stores, uses, and protects personal data of its users, what data is collected, and the purposes for which it is processed. It applies to the HotelHero website, the HotelHero platform, the HotelHero API, and any mobile applications or social media channels on which HotelHero is presented.

HotelHero is operated by Planet EOOD, a company incorporated in Bulgaria with its registered office at 28 Hristo Botev Blvd, floor 2, Sofia 1000, Bulgaria. Planet EOOD acts as the data controller for personal data processed through HotelHero.

This Policy has been adopted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"). Planet EOOD is committed to ensuring compliance with EU and member-state legislation regarding the processing of personal data and the protection of the rights and freedoms of the individuals whose data it processes.

Planet EOOD is registered as a personal data controller under certificate No. 91187 / 19.07.2017, entered in the "Register of personal data controllers". A Data Protection Officer has been appointed and can be reached at [email protected].

2. Definitions

Processing means any operation or set of operations performed on personal data, whether by automated means or otherwise — including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

Controller means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In this Policy, the controller is Planet EOOD.

Data subject means any identified or identifiable natural person whose personal data is processed by the controller.

Consent means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of their personal data.

Recipient means a natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether or not a third party.

Third party means a natural or legal person, public authority, agency, or body other than the data subject, controller, or processor, and the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

3. What personal data does HotelHero collect?

In order to provide its services, HotelHero collects the information necessary for the user's chosen use of the platform. Depending on the type of account and service, this may include: business contact name, work email address, company name, VAT or registration number, phone number, billing address, IP address, the browser and language used, and technical metadata about the user's interaction with the platform or API.

Where a user makes a hotel booking on behalf of an end traveller, HotelHero processes the traveller data required by the relevant supplier — typically the names of the travellers, date of birth (where required), nationality or residency, meal plan preferences, and any special requests communicated by the user. HotelHero does not market directly to end travellers.

If a user provides HotelHero with data relating to travellers other than themselves, that user is responsible for informing those travellers of this Privacy Policy and for obtaining any consent required under applicable law before sharing the data with HotelHero.

HotelHero does not store or process end-traveller payment card details. Payment information is handled by certified third-party payment processors.

Even where a user does not complete a booking, HotelHero automatically collects technical information such as IP address, browser type, device language, and usage analytics — how the site or API is used, which pages or endpoints were accessed, and for how long.

4. Why HotelHero processes personal data

HotelHero processes personal data to provide and operate its services, complete and deliver bookings made through the platform or API, and communicate with users about their account, reservations, service changes, and confirmations. Communication may take place via the in-platform messaging, by email, by phone, or through messaging applications.

HotelHero may also process user data for marketing purposes — for example, to send product updates, release notes, and information about new features or offers to registered business users. Users can opt out of marketing emails at any time using the unsubscribe link provided in every marketing message, or by contacting [email protected].

Personal data may also be processed to comply with legal obligations, to resolve disputes, to detect or prevent fraud and abuse, and to respond to lawful requests from public authorities.

Providing personal data to HotelHero is voluntary. However, depending on the service requested, HotelHero may only be able to deliver the service if certain data is provided — for example, a booking cannot be completed without traveller names and contact details.

5. Who HotelHero shares personal data with

Supplier partners. To fulfil a booking, HotelHero transmits the information necessary to complete that booking (typically traveller names, dates, residency, and room configuration) to the selected hotel supplier, bedbank, or direct hotel partner. Those suppliers process the information under their own privacy terms.

Internal teams. HotelHero may share user and booking data with authorised members of Planet EOOD staff for the purposes of customer support, dispute resolution, fraud prevention, and platform operations.

Third-party service providers. HotelHero works with vendors that support the delivery of the service, including infrastructure providers, analytics providers, email service providers, and online payment processors. These vendors receive only the data necessary to perform their function.

Competent authorities. HotelHero discloses personal data to law-enforcement or regulatory authorities where required by law, or where it is necessary to prevent, investigate, or prosecute criminal activity or fraud, or to protect the rights of HotelHero, its users, or third parties.

6. Security measures

Personal data is processed only by authorised Planet EOOD staff and authorised processors, for the purposes of delivering the services for which the data was collected. Staff are trained on GDPR obligations and on the handling, storage, and deletion of personal data.

All data collected through HotelHero is stored on authorised, secured servers located within the European Union. Personal data is retained for as long as necessary to deliver the service, maintain user accounts, comply with applicable laws, resolve disputes, and detect or prevent fraud or other unlawful activity.

All retained personal data is subject to this Privacy Policy. For questions about retention periods for specific categories of personal data, please contact HotelHero using the details below.

7. Children's data

HotelHero is a B2B platform intended exclusively for users aged 18 and over acting in a business capacity. HotelHero does not knowingly collect personal data directly from children. Where a booking includes a child traveller (as part of a room configuration), HotelHero processes only the minimum data required by the supplier to complete the booking.

8. Your rights as a data subject

You have the right to control how your personal data is used. Under the GDPR, you may request a copy of the personal data HotelHero holds about you, notify HotelHero of any changes and request a correction, request erasure or restriction of processing in certain circumstances, object to certain types of processing, and request data portability to a third party.

You have the right to withdraw any previously given consent at any time, subject to applicable law. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or with the data protection authority in your place of residence.

HotelHero relies on users to ensure that the personal data they provide is complete, accurate, and up to date. Please notify HotelHero promptly of any changes or inaccuracies.

If you have a registered HotelHero account, you can access and update much of your personal data directly through the platform. For any data that is not available through your account — or to exercise any of the rights described above — please contact HotelHero's Data Protection Officer at [email protected].

9. Data controller and contact

Planet EOOD controls the storage, processing, and erasure of the personal data you provide through HotelHero. Planet EOOD processes this data in accordance with this Privacy Policy and applicable Bulgarian and EU law.

For questions about this Privacy Policy or about how your personal data is processed, please contact the HotelHero data protection office at [email protected].

10. International data transfers

As a general rule, your personal data will not be transferred to third parties unless HotelHero is legally required to do so, the transfer is necessary to perform a contract, or you have given explicit prior consent.

Some HotelHero service providers may process data outside the EU/EEA. In those cases, HotelHero ensures that an appropriate level of data protection is established before any personal data is transferred — typically through the European Commission's Standard Contractual Clauses or an adequacy decision — comparable to the standard of protection within the EU.

11. Cookies

By using the HotelHero website, you agree to the storage of cookies on your device. Cookies are small text files stored on your hard drive and associated with your browser; they cannot transfer viruses or run programs. Cookies allow HotelHero to recognise returning users and to personalise the experience.

HotelHero uses both session cookies (which expire when you close your browser) and persistent cookies (which remain for a longer period). HotelHero also uses other tracking technologies, such as pixel tags — small graphic images delivered as part of a web request to collect information about how the site is used.

These technologies collect information such as IP address, device ID, user ID, pages visited, browser type, operating system, referral URL, and time spent on each page. This information is used to keep you logged in, to analyse aggregate usage, and to improve HotelHero's services. Usage analytics via Google Analytics (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) are retained for one day.

You can delete stored cookies at any time through your browser security settings. For more information on cookies and how to manage or delete them, visit allaboutcookies.org or the help section of your browser. Depending on your browser (Chrome, Safari, Firefox, Edge), you can choose which cookies to accept or reject.

12. Contact

HotelHero — a service operated by Planet EOOD.

Address: 28 Hristo Botev Blvd, floor 2, Sofia 1000, Bulgaria
General: [email protected]
Data Protection Officer: [email protected]