1. What We Collect
When you submit a hotel booking to Rate Ranger, we collect:
- Your email address: so we can send you price alerts and booking confirmations.
- Booking details: hotel name, address, city, country, check-in/check-out dates, room type, price, currency, confirmation number, cancellation policy, and guest name (if included in the email).
We do not require you to create an account. Your email address is your identifier.
When you submit a booking via our website form, we collect the same information you provide in the form fields.
2. Lawful Basis for Processing (GDPR)
We process your personal data under the following lawful bases as defined by the General Data Protection Regulation (GDPR):
- Contract performance (Article 6(1)(b)): When you submit booking details to us, you are requesting a service. Processing your data is necessary to perform that service (monitoring hotel prices and sending alerts).
- Legitimate interest (Article 6(1)(f)): We have a legitimate interest in improving our service, preventing abuse, and communicating relevant updates. This processing does not override your fundamental rights.
3. How We Use Your Data
- Price monitoring: We use your booking details to search for lower prices across publicly available hotel booking websites.
- Email notifications: We send you price drop alerts, booking confirmations, and cancellation deadline reminders.
- Service improvement: We may use aggregated, anonymized data to improve our parsing accuracy and service reliability.
We do not sell your personal data to third parties. We do not use your data for advertising.
4. Email Parsing & Guest Data
When you submit booking details, our system stores only the booking-relevant fields listed in Section 1. Guest names are deleted according to the retention schedule in Section 6.
For booking confirmations from platforms we do not have a dedicated parser for, we may send a cleaned, truncated excerpt of the email body (up to 4,000 characters) to OpenAI (GPT-4o-mini) for data extraction. No email address, name, or personal identifier is included in the text sent to OpenAI. The full email body is not retained after parsing.
Emails that are not booking confirmations (e.g., spam, personal emails, flight confirmations) are automatically detected and discarded without being stored or processed.
5. Third-Party Services & Data Processors
We use the following third-party services to operate Rate Ranger. Where data is transferred from the EU/EEA to processors in the United States, we rely on each processor's Data Processing Addendum and Standard Contractual Clauses (SCCs) to provide adequate safeguards under GDPR Chapter V.
- Amazon Web Services (AWS): Email reception (SES), compute (Lambda), and file storage (S3). Data is processed in the US East (N. Virginia) region. AWS provides GDPR DPA and SCCs. Data shared: raw emails (stored in S3), booking data (processed in Lambda).
- Supabase: Database hosting (Postgres) for booking records, price checks, alerts, and user data. Hosted in the US. Supabase provides GDPR DPA. Data shared: all structured booking and user data.
- Resend: Outbound email delivery for all transactional emails. Data shared: your email address and email content.
- SerpAPI: Hotel price lookups via Google Hotels search results. Data shared: hotel name, city, and dates only. No personal information (email, name) is sent to SerpAPI.
- OpenAI: GPT-4o-mini for parsing booking confirmations from unsupported platforms. Data shared: cleaned, truncated email excerpt (no personal identifiers). OpenAI provides GDPR DPA and does not use API data for model training.
- Cloudflare: Privacy-friendly website analytics (Cloudflare Web Analytics). Cloudflare collects aggregated, anonymous page view data including: pages visited, referrer URL, browser type, device type, and country. Cloudflare Web Analytics does not use cookies, does not track individual users, does not collect IP addresses, and does not fingerprint browsers. No personal data is shared with Cloudflare through this service. Data shared: anonymous page view metadata only.
6. Data Retention
We retain your data only as long as necessary to provide our service. The following retention periods are automatically enforced:
- Active bookings: Retained while being monitored. Automatically set to "expired" 30 days after your check-out date.
- Price check history: Deleted after 90 days.
- Raw emails: Deleted after 90 days.
- Your account and email address: Retained as long as you have active or recent bookings. Automatically deleted 90 days after your last check-out if you have no active bookings.
You may request immediate deletion of all your data at any time (see Section 7).
7. Your Rights (GDPR)
If you are located in the EU/EEA, you have the following rights under the General Data Protection Regulation:
- Right of access (Article 15): You can request a copy of all data we hold about you.
- Right to erasure (Article 17): You can request permanent deletion of all your data.
- Right to data portability (Article 20): You can receive your data in a structured, machine-readable format (JSON).
- Right to rectification (Article 16): You can correct inaccurate booking data by using the "Something wrong?" link in your confirmation email or contacting us.
- Right to object (Article 21): You can stop monitoring for any booking via the unsubscribe link in every email.
How to exercise your rights:
- Unsubscribe from a booking: Click the "Unsubscribe" link in any Rate Ranger email.
- Delete all your data: Click the "Delete my data" link in any Rate Ranger email, or email hello@rateranger.io.
- Export your data: Email hello@rateranger.io to request a data export.
We will respond to all data subject requests within 30 days, as required by GDPR Article 12(3).
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (the Irish Data Protection Commission) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected users via email without undue delay, as required by GDPR Article 34, when the breach is likely to result in a high risk to your rights and freedoms.
- Describe in the notification the nature of the breach, the likely consequences, and the measures taken to address it.
To report a security concern, contact hello@rateranger.io.
9. Cookies & Analytics
This website uses Cloudflare Web Analytics, a privacy-friendly analytics service that does not use cookies and does not track individual users. It collects only anonymous, aggregated data about page views (such as which pages are visited, referrer URLs, browser type, and device type). No personal data is collected, no IP addresses are stored, and no browser fingerprinting is performed.
When you click a booking link in a Rate Ranger email and visit a third-party booking site, that site may set its own cookies. These cookies are governed by the respective third party's cookie policy, not ours.
10. Security
We implement the following security measures to protect your data:
- Encryption in transit (TLS/HTTPS) for all data transfers.
- Row-level security (RLS) policies on our database to restrict access.
- HMAC-signed tokens for all email action links to prevent unauthorized access.
- API keys and credentials stored in environment variables, never in source code.
- CORS restrictions on our API to prevent cross-origin abuse.
- No password storage (email-only identification eliminates password breach risk).
11. Children
Rate Ranger is not intended for use by individuals under 18 years of age. We do not knowingly collect data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@rateranger.io.
12. International Data Transfers
Rate Ranger processes data in the United States via our sub-processors (AWS, Supabase, Resend, OpenAI). For users in the EU/EEA, we ensure adequate safeguards for international data transfers through Standard Contractual Clauses (SCCs) and Data Processing Addendums (DPAs) with each processor, as required by GDPR Chapter V.
13. Supervisory Authority
If you are located in the EU/EEA and believe we are processing your data unlawfully, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC), our lead supervisory authority, or with the supervisory authority in your EU/EEA member state of residence.
Irish Data Protection Commission: www.dataprotection.ie
14. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active users. The "Last updated" date at the top of this page indicates when the policy was last revised.
15. Contact
For questions about this Privacy Policy, your data, or to exercise your rights, contact us at hello@rateranger.io.