Privacy Policy
Effective Date: February 16th, 2026
1. Introduction and Scope
This Privacy Policy ("Policy") describes the manner in which SARAY LLC, a California limited liability company ("Sarāy," "Company," "we," "us," or "our"), collects, uses, processes, stores, discloses, and protects personal information in connection with www.stayatsaray.com (the "Website"), any related websites or domains operated by the Company, mobile or web-based applications, social media pages, digital advertisements, marketing campaigns, and all communications or interactions relating to the services we provide (collectively, the "Services"). For the purposes of this Policy, "Services" includes direct short-term rental bookings; short-term rental management services; design and consulting services; any online "shop" or curated product recommendation pages through which Users (as defined below) may view, research, or purchase products from third-party retailers (including affiliate or commission-based arrangements); editorial, journal, blog, or lifestyle content relating to food, recipes, travel, design, or related subjects; marketing materials and advertisements; and any other ancillary, promotional, informational, or commercial offerings made available by the Company now or in the future.
For purposes of applicable data protection laws, SARAY LLC is the data controller (or equivalent legal term under applicable law) with respect to personal information collected in connection with the Services, except where we expressly act as a service provider or processor on behalf of a property owner or other client pursuant to a separate written agreement.
This Policy applies to all individuals who access the Website, make reservations, engage our Services, or otherwise interact with the Company, including guests, property owners, prospective clients, and other users (collectively, "Users").
This Policy does not apply to third-party websites, platforms, applications, or services that may be accessible through hyperlinks, integrations, embedded content, affiliate links, social media features, or referrals from our Website or Services. This includes, without limitation, third-party booking platforms, payment processors, software providers, advertising networks, social media platforms, retailers featured in our "shop" or curated recommendation pages, and any external sites referenced in editorial, journal, or marketing content. The Company does not control and is not responsible for the privacy, security, or data practices of independent third parties. Users who access or interact with any third-party service are subject to the privacy policies and terms of those third parties, and we encourage Users to review those policies carefully before providing personal information.
By accessing the Website or using our services, you acknowledge that you have read and understand this Policy.
2. Sources and Categories of Information Collected
The Company collects personal information from multiple sources, including information provided directly by Users, information collected automatically through technical means, information received from third parties, and information otherwise provided with User consent.
Certain personal information collected by the Company is necessary to provide the Services requested by Users, to perform contractual obligations, to comply with legal requirements, or to protect the Company’s legitimate business interests. If a User declines to provide information that is required for these purposes, the Company may be unable to provide certain services.
We collect and use personal information for the purposes described in this Policy at or before the point of collection.
A. Information Collected in Connection with Reservations and Stays
Contact information. When a User reserves, pays for, or stays in a property managed or booked through SARAY LLC, the Company may collect and process identifying, contact, financial, transactional, and compliance-related information, including but not limited to full legal name, date of birth, mailing address, email address, telephone number, emergency contact details, and booking information such as length of stay, number of guests, and communications relating to the reservation.
Identification forms and identification verification. All direct short-term rental guests are required to submit valid government-issued identification as a condition of booking. The Company collects and processes such identification information for purposes including, but not limited to, confirming identity, preventing fraud, mitigating security risks, enforcing booking terms, complying with applicable local, state, and federal laws, and satisfying regulatory requirements relating to short-term lodging and payment processing. Identity verification may be conducted through third-party service providers, including booking management systems, payment processors, or independent authentication vendors. Failure to complete required identity verification, or provision of inaccurate or incomplete information, may result in denial or cancellation of the reservation without liability to the Company.
Identity Verification Images. Where identity verification is required, we (or our verification vendors) may collect and process images of government-issued identification and images submitted for identity verification (including a ‘selfie’ or live photo/video where supported by the vendor). We may access and review these images within the vendor’s dashboard or verification results interface for purposes of confirming identity, preventing fraud, and enforcing booking terms. We do not use these images to identify individuals outside the verification context or for any unrelated purpose.
Payment information. In connection with payment processing, the Company collects payment authorization information and transaction records. Payment card data is processed through Stripe or other authorized payment processors. The Company does not store full credit card numbers. Refundable security deposits may be collected, and damage holds may be authorized in accordance with booking terms.
Additional information. The Company may also collect and process additional information as necessary to comply with lodging regulations, tax reporting obligations, fraud prevention requirements, safety and security protocols, insurance requirements, age verification standards, vehicle or automobile registration information (including license plate numbers where required for property access or parking compliance), and any other applicable local, state, federal, or regulatory mandates governing short-term lodging operations or related services.
B. Information Collected in Connection with Short-Term Rental Management Services
When providing short-term rental management services to property owners, the Company may collect and process information reasonably necessary to enter into, perform, administer, and enforce management agreements and to satisfy contractual, regulatory, tax, insurance, and operational obligations.
Identity, legal, business, bank account, and tax information. Such information may include proof of identity; proof of ownership or authority to rent the property; business entity formation documents; operating agreements; beneficial ownership disclosures; contact information for authorized representatives; bank account and routing numbers; tax identification numbers; W-9 or other tax forms; insurance policies and certificates; mortgage holder or lienholder information where relevant; and other financial, legal, or compliance-related records required to provide services.
Additional information that may be required by law. In addition, the Company may collect and process information required to register, apply for, maintain, renew, or modify short-term rental permits, business licenses, or other governmental approvals; to collect, remit, or report lodging, occupancy, tourism, or sales taxes; to comply with municipal, county, state, or federal regulations; to respond to regulatory inquiries or audits; to maintain required records; and to satisfy reporting or recordkeeping obligations imposed by law.
Additional information. The Company may also collect information necessary to operate and manage the property on the owner’s behalf, including utility account details, vendor agreements, contractor information, access credentials, property specifications, safety and maintenance records, security system details, and billing information necessary to pay utilities, service providers, cleaners, maintenance personnel, or other vendors. The Company may further collect information necessary to investigate guest claims, insurance matters, property damage, chargebacks, or disputes, and to protect the rights, property, and legal interests of the Company and the property owner. The foregoing categories are illustrative and not exhaustive. The Company may collect additional information as required by applicable law or as reasonably necessary to provide rental management services, mitigate risk, prevent fraud, ensure safety and security, or comply with evolving regulatory requirements.
C. Information Voluntarily Provided by Users
The Company may collect and retain information that Users voluntarily provide during communications conducted in person, by telephone, email, text message, online forms, applications, social media platforms, messaging services, or other electronic or digital means. Such information may include, without limitation, names, telephone numbers, email addresses, usernames or social media handles, account identifiers, the content of communications, attachments, photographs, and any other information disclosed by the User. Where permitted by applicable law, telephone calls or virtual meetings may be recorded and transcribed for quality assurance, training, security, dispute resolution, fraud prevention, and compliance purposes. The Company may also collect information submitted in connection with reviews, ratings, testimonials, comments, surveys, or other feedback, as well as information relating to User interactions with or on the Company’s social media accounts, advertisements, or public postings. This includes any and all information a User elects to disclose during inquiries, consultations, service discussions, booking communications, customer support interactions, or other engagements with the Company.
D. Information Received from Third Parties
The Company may receive personal information from third parties in a variety of circumstances. For example, if a reservation for a property we manage is made through a third-party booking platform, that platform may provide us with information relating to the booking and stay, including contact details, reservation information, payment-related details, guest names, identity verification data, and other information submitted to that platform. If an individual is identified as an additional guest by a primary booking party, we may receive and process personal information relating to that individual from the booking party. Third parties that provide services in connection with a stay—such as utilities, contractors, maintenance providers, tour operators, concierge services, community associations, insurers, or governmental authorities—may also provide information to us where permitted or required by applicable law.
To the extent permitted by applicable law, we may obtain information from third-party identity verification providers, fraud prevention services, background screening services, anti-money laundering service providers, and similar vendors, including alerts, risk indicators, or screening results. We may also receive marketing, analytics, or demographic information from advertising partners, data providers, or publicly available sources, including information relating to travel patterns, preferences, or booking history. The collection and use of information by such third parties is governed by their respective privacy policies, and we encourage Users to review those policies. The Company is not responsible for the privacy practices of independent third parties.
E. Information Collected Automatically
When a User visits the Website, uses any application, interacts with digital communications, or engages with automated features offered by the Company, the Company may automatically collect technical, behavioral, and usage-related information. Such information may include, without limitation, IP address; device identifiers; browser type and version; operating system; referring and exit URLs; search terms; browsing activity; pages viewed; time spent on specific pages; navigation paths; clickstream data; interaction patterns; crash logs; Internet service provider or mobile carrier information; and other diagnostic data. The Company may also collect approximate or precise location information derived from IP address, device settings, GPS functionality where enabled, or other geolocation technologies. In addition, information may be automatically collected in connection with communications through telephone systems, chat features, chatbot or AI-driven messaging tools, WhatsApp or similar messaging platforms, email tracking technologies, or other digital communication channels, including call metadata, recordings (where permitted by applicable law), transcripts, timestamps, and interaction logs.
The Company uses cookies, web beacons, tracking pixels, SDKs, local storage objects, and similar tracking technologies (collectively, "Cookies and Tracking Technologies"). These technologies may be deployed directly by the Company or by third-party service providers, including analytics providers, advertising networks, and social media platforms. Cookies may be categorized as strictly necessary (required for core website functionality), performance or analytics cookies (used to measure traffic and usage patterns), functionality cookies (used to remember preferences and settings), and advertising or targeting cookies (used to deliver relevant advertisements and measure campaign effectiveness).
Where required by applicable law, the Company may present a cookie notice or consent management tool allowing Users to accept, reject, or customize certain categories of non-essential Cookies and Tracking Technologies. Users may also manage cookie preferences through browser settings or device controls; however, disabling certain cookies may impair website functionality, limit access to certain features, or affect the performance of the Services.
For Users located in the EEA or UK, we will not activate non-essential analytics or advertising technologies (including marketing pixels and similar tools) unless and until the User provides valid consent through our consent mechanism.
The Company may also collect additional information about a User, the User’s device, or the User’s interaction with the Services in ways that are described at the point of collection or otherwise disclosed to the User, including where such collection is based on the User’s consent. A User may choose not to provide certain categories of information or may decline certain tracking technologies where available; however, doing so may limit the ability to access or use certain features or portions of the Services.
3. Purpose for Processing Personal Information
The Company processes personal information for legitimate business and operational purposes, including to respond to inquiries and requests; to communicate with Users regarding reservations, stays, confirmations, modifications, and related services; to fulfill contractual obligations associated with bookings or management agreements; to verify identity, confirm eligibility (including age requirements), prevent fraud, mitigate security risks, and enforce booking or service terms; to process reservations, payments, deposits, refunds, and related financial transactions; to operate, administer, and manage properties; to comply with applicable local, state, federal, and regulatory requirements, including lodging, tax, licensing, and reporting obligations; to investigate disputes, chargebacks, insurance matters, or property damage claims; and to protect the rights, safety, and property of the Company, its clients, and its Users. The Company also processes personal information to optimize, customize, and improve the Services, including by evaluating User experiences, feedback, reviews, suggestions, usage patterns, and performance metrics in order to enhance operational efficiency, website functionality, security features, and overall service quality. Personal information may further be used to develop, conduct, measure, and improve marketing and advertising efforts, including analyzing engagement data, audience behavior, and campaign performance across digital platforms and third-party channels. Where required by applicable law, the Company relies on User consent for certain processing activities, and Users may withdraw such consent where permitted; however, withdrawal of consent may affect the availability or functionality of certain Services. The Company does not engage in fully automated decision-making processes that produce legal or similarly significant effects concerning Users without meaningful human involvement. To the extent the Company utilizes automated tools for fraud detection, risk assessment, or operational efficiency, such tools are used in conjunction with appropriate human review and oversight.
For individuals located in jurisdictions requiring a legal basis for processing, the Company relies on one or more of the following bases as applicable: performance of a contract, legitimate business interests, compliance with legal obligations, or consent. Where processing is based on consent, such consent may be withdrawn at any time, without affecting the lawfulness of processing prior to withdrawal.
4. Disclosure of Personal Information
Disclosure of personal information to third-party providers for the purpose of performing the Service.
The Company may disclose personal information to third parties that perform services on the Company’s behalf or that are necessary to provide the Services requested by a User or required under a contractual obligation. Such third parties may include, without limitation, payment processors; booking management platforms; identity verification providers; hosting and cloud service providers; analytics and marketing vendors; customer relationship management systems; maintenance technicians; contractors; housekeepers; cleaners; security personnel; technology vendors; and other operational service providers engaged to facilitate reservations, property management, or related services. In certain circumstances, the Company may authorize local service providers to collect personal information directly on its behalf where necessary to deliver Services or comply with operational requirements.
The Company may also disclose personal information to third-party identity verification, background screening, fraud prevention, sanctions screening, anti-money laundering, or risk assessment providers for purposes of confirming identity, validating documentation, conducting watchlist or sanctions checks, assessing potential fraud risk, verifying age or eligibility, or otherwise protecting the integrity and security of the Services. Such disclosures may include identifying information, government-issued identification details, contact information, transaction information, and related reservation or account data as reasonably necessary to complete verification processes.
The Company may engage third-party identity verification providers that utilize automated document authentication, facial comparison technology, or similar verification tools. Any biometric analysis or facial geometry comparison, where applicable, is performed solely by such third-party vendors. The Company does not independently collect, create, store, or retain biometric identifiers or biometric information for identification purposes, except to the extent such information is incidentally contained within identification documents or images submitted by a User. All such processing is subject to the contractual and privacy obligations of the applicable vendor.
Biometric-Related Processing. Some identity verification vendors may use facial comparison or similar technology to confirm that a submitted selfie matches the identification document. Any facial comparison or biometric analysis (if used) is performed by the vendor as part of the verification service. We receive verification results and may have access to the images submitted for verification within the vendor platform. Unless we explicitly state otherwise in a specific notice at the time of collection, we do not use biometric identifiers to identify individuals for any purpose unrelated to identity verification, and we do not sell such data.
Disclosure of personal information to third-party providers for the purpose of performing services associated with a stay you book. The Company may disclose personal information to third parties that provide services in connection with a specific reservation or stay, including concierge services, parking operators, tour providers, food or delivery services, community or resort associations, property owners, insurers, or governmental entities where required in connection with a property under their control or jurisdiction. Some resorts, community associations, government agencies, or property owners may require the Company to provide guest information in connection with access, security, compliance, or regulatory obligations.
Disclosure of personal information to affiliated companies for the purpose of performing the Service in a local or remote location. In circumstances where a User books or engages the Company for management services relating to a property located outside the User’s primary residence or outside the Company’s principal jurisdiction, personal information may be transferred to affiliated, partner, or subcontracted entities located in the relevant geographic area for purposes of providing localized operational support, compliance services, or property management functions. If a User directs or requests that the Company share personal information with a third party, including for purposes of resolving a dispute, coordinating services, or facilitating a transaction, the Company may disclose such information consistent with the User’s instructions.
Disclosure of personal information in order to comply with the law, and/or in the event that such disclosure is required by the law.
The Company may disclose personal information to governmental authorities, regulatory agencies, law enforcement bodies, courts, administrative tribunals, tax authorities, licensing boards, housing or lodging regulators, or other public officials where such disclosure is required or permitted by applicable law, regulation, subpoena, warrant, court order, governmental request, audit, or other legal process. The Company may also disclose personal information where it determines in good faith that disclosure is reasonably necessary to comply with legal or regulatory obligations; to respond to investigations, claims, or enforcement actions; to enforce contracts or terms of service; to detect, prevent, or investigate suspected fraud, financial misconduct, identity theft, money laundering, or other unlawful activity; to protect the rights, property, safety, or security of the Company, its clients, its Users, or the public; or to establish, exercise, or defend legal claims. Such disclosures may include the provision of reservation records, identification information, payment transaction data, communications, or other relevant records as legally required or authorized.
The Company may disclose personal information in connection with obtaining, maintaining, renewing, or modifying governmental permits, licenses, registrations, or other regulatory approvals relating to rental management services. Such disclosures may include owner identification details, contact information, property address information, tax identification numbers, permit or license numbers, and information concerning rental activity where necessary to satisfy regulatory or reporting obligations.
In jurisdictions that impose lodging, occupancy, tourism, hotel, sales, or similar taxes, and where the Company is authorized to collect and remit such taxes on behalf of an owner, the Company may disclose information to appropriate governmental authorities in connection with tax collection, reporting, or remittance. Such disclosures may include property owner’s names and contact information, guest names and contact information, property address, dates of stay, transaction amounts, amounts of tax collected or due, applicable permit or registration numbers, and relevant tax identification information, to the extent required by applicable law.
Disclosure of personal information to facilitate any type of merge, sale of change in the Company’s structure, control and interest. In the event of a merger, acquisition, restructuring, financing transaction, or sale of assets, personal information may be transferred as part of the transaction, subject to appropriate confidentiality safeguards.
Disclosure of personal information to third-party companies, services, and providers that assist the Company in connection with its overall operation.
In addition to disclosures made in connection with specific reservations or management services, the Company may disclose personal information to third parties that assist the Company in the general operation, administration, and management of its business. Such third parties may include, without limitation, certified public accountants, auditors, legal counsel, financial institutions, insurance providers, software and technology platforms (including booking management systems, accounting systems such as QuickBooks or similar providers, customer relationship management systems, hosting providers, cloud storage vendors, cybersecurity vendors, and analytics platforms), compliance consultants, payroll providers, and other professional advisors or business service providers. The Company may also engage new or replacement service providers in the future as its operations evolve, and personal information may be disclosed to such providers as reasonably necessary to operate, secure, improve, and administer the Services. These disclosures are made for legitimate business purposes and subject to appropriate contractual, confidentiality, and data protection obligations.
The Company may disclose personal information to advertising partners, social media platforms, advertising networks, and digital publishers in connection with marketing, audience development, analytics, and promotional activities. Where permitted by applicable law, the Company may use certain identifiers, including email addresses or other contact information, in hashed, encrypted, or otherwise pseudonymized form for purposes such as custom audience creation, lead generation, campaign measurement, and advertising optimization across digital platforms. Such activities are conducted for legitimate business and marketing purposes. Users may request that the Company cease using their personal information for certain marketing activities in accordance with applicable law. For individuals located in jurisdictions requiring consent for targeted advertising, advertising pixels, tracking technologies, and cross-context behavioral advertising tools will be activated only after obtaining legally required consent.
The Company may aggregate or de-identify information relating to Users so that it can no longer reasonably be associated with an identified or identifiable individual. Such aggregated or de-identified information may be used for business analytics, service improvement, marketing analysis, regulatory reporting, industry benchmarking, or other legitimate business purposes and may be shared with third parties in such aggregated or de-identified form.
The Company does not sell personal information in exchange for monetary consideration. However, certain disclosures for advertising or analytics purposes may constitute "sharing" under applicable California law.
The Company may engage analytics and advertising providers, including but not limited to Google Analytics, Meta (Facebook), and similar digital advertising platforms, which may collect information through cookies, pixels, SDKs, or other tracking technologies to measure website traffic, evaluate marketing performance, create custom audiences, perform retargeting, and deliver cross-context behavioral advertising. To the extent such activities constitute “sharing” or targeted advertising under applicable law, Users may submit an opt-out request as described in Sections 13 and 14 of this Policy.
5. Communications, User Choices, and Privacy Rights
A. Service-Related Communications
The Company may send communications necessary to provide the Services, including confirmations, reservation details, operational updates relating to a property, security notices, billing communications, changes to terms or policies, regulatory disclosures, and other information required to fulfill contractual or legal obligations. Such communications are considered transactional or service-related in nature and may be delivered by email, telephone, text message, messaging platforms, or other reasonable means.
B. Marketing Communications
Where permitted by applicable law, the Company may send promotional communications regarding properties, services, editorial content, shop recommendations, events, or other offerings that may be of interest. Users may opt out of receiving marketing emails at any time by using the unsubscribe mechanism provided in the communication or by contacting the Company using the contact information set forth in this Policy. Opting out of marketing communications will not affect receipt of transactional or legally required communications. Opting out of marketing communications does not automatically opt a User out of targeted advertising conducted through third-party advertising platforms; such requests must be submitted separately as described in Sections 13 and 14 of this Policy.
C. Communications from Third Parties
Certain third parties providing services in connection with a reservation or management engagement (such as payment processors, booking platforms, concierge services, or operational vendors) may communicate directly with Users in connection with the Services. Such communications are governed by the privacy practices of the applicable third party. The Company is not responsible for the independent communication practices of third parties.
D. Privacy Rights of United States Residents
Residents of certain U.S. states, including California, may have specific rights under applicable privacy laws. Subject to identity verification and applicable legal limitations, such rights may include the right to request access to personal information collected about them; to request correction of inaccurate information; to request deletion of personal information, subject to lawful exceptions; to obtain a copy of personal information in a portable format where required by law; to opt out of certain disclosures that constitute “sale” or “sharing” under applicable law; and to limit the use of certain categories of sensitive personal information where applicable.
To exercise applicable privacy rights, a User may submit a written request to the Company at the contact email provided in this Policy. The Company may require verification of identity before responding to a request and may deny requests where permitted by law. The Company will not discriminate against a User for exercising any applicable privacy rights.
We recognize certain browser-based opt-out preference signals (such as the Global Privacy Control) and will treat such signals as valid requests to opt out of the ‘sale’ or ‘sharing’ of personal information to the extent required by applicable law.
E. Data Retention and Deletion
The Company retains personal information for as long as reasonably necessary to fulfill the purposes described in this Policy, including to provide Services, comply with contractual and legal obligations, resolve disputes, enforce agreements, prevent fraud, and maintain business and tax records. When personal information is no longer required for these purposes, the Company will take reasonable steps to delete or de-identify such information in accordance with applicable law.
Verification Data Retention. Identification documents and verification images are retained only for as long as reasonably necessary to complete verification, comply with legal obligations, resolve disputes, prevent fraud, and enforce our terms. Where verification is performed by a third-party provider, retention and deletion may be controlled by that provider’s settings and contractual obligations; we will take reasonable steps to limit retention and request deletion where appropriate.
Users may decline to provide certain categories of personal information; however, doing so may limit the availability or functionality of certain Services.
F. Authorized Agents and Appeals
Where permitted by applicable law, a User may designate an authorized agent to submit a privacy request on the User’s behalf. The Company may require proof of written authorization and may require the User to verify their identity directly before processing such request. In jurisdictions that provide a right to appeal a denial of a privacy request, Users may submit a written appeal using the contact information provided below.
5. Sensitive Personal Information
To the extent the Company collects information that may be considered “sensitive personal information” under applicable law, including government-issued identification numbers, precise geolocation data, financial account information, or other legally protected categories, such information is collected and processed solely for legitimate business purposes, including identity verification, fraud prevention, regulatory compliance, booking fulfillment, security, and contractual performance. The Company does not use sensitive personal information for purposes beyond those reasonably necessary to provide the Services or as otherwise permitted by law. Where required by applicable law, Users may request to limit certain uses of sensitive personal information. The Company does not intentionally collect medical or health information; however, Users may voluntarily provide information relating to accessibility needs or health-related accommodations in connection with a stay. Such information will be used solely to facilitate requested accommodations or comply with applicable law.
7. Data Security
The Company implements and maintains reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, misuse, or destruction. These safeguards are intended to be appropriate to the nature, scope, context, and purposes of processing, as well as the sensitivity of the personal information involved.
Such measures may include, without limitation, role-based access controls; authentication protocols; encryption or tokenization of certain categories of data where appropriate; secure data transmission practices; firewalls and intrusion detection systems; vendor risk assessments and contractual data protection obligations; internal policies governing data handling and confidentiality; employee training regarding data security; monitoring and logging of system activity; and procedures designed to detect, investigate, and respond to potential security incidents.
Access to personal information is restricted to personnel and service providers who have a legitimate business need to access such information in order to perform their duties. Service providers that process personal information on behalf of the Company are contractually required to implement reasonable security safeguards consistent with applicable law.
In the event of a data security incident involving personal information, the Company will take reasonable steps to investigate, mitigate, and remediate the incident and, where required by applicable law, provide notice to affected individuals and relevant authorities.
While the Company strives to protect personal information using commercially reasonable safeguards, no method of electronic transmission or storage is completely secure. Accordingly, the Company cannot guarantee absolute security, and Users provide personal information at their own risk.
8. International Data Transfers and Non-U.S. Users
The Company is headquartered in the United States, and the Services are operated from the United States. The Company may offer Services to individuals located in the European Economic Area (“EEA”), the United Kingdom (“UK”), and other jurisdictions outside the United States.
Personal information collected from individuals located in the EEA or UK may be transferred to, processed, and stored in the United States and other jurisdictions where the Company or its service providers operate. These jurisdictions may not provide the same level of data protection as the country in which the individual resides.
Where required by applicable data protection law, the Company implements appropriate safeguards for cross-border transfers of personal information, including, where applicable, reliance on Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms designed to ensure an adequate level of protection.
By using the Services or submitting personal information, individuals located outside the United States acknowledge that their personal information may be transferred to and processed in the United States and other jurisdictions in accordance with this Policy.
9. Children’s Privacy
The Services are not directed to individuals under the age of eighteen (18). The Company does not knowingly collect personal information from individuals under 18. If the Company becomes aware that it has collected personal information from a minor without appropriate authorization, it will take reasonable steps to delete such information in accordance with applicable law.
10. Do Not Track Signals
The Website does not currently respond to browser “Do Not Track” signals. Users may adjust their browser settings to manage tracking preferences; however, certain features of the Services may be affected.
11. Changes to This Policy
The Company may update or modify this Privacy Policy from time to time to reflect changes in business practices, legal requirements, or operational needs. Any updates will be posted on the Website with a revised effective date. Continued use of the Services after such updates constitutes acknowledgment of the revised Policy.
12. Contact Information
Questions, requests, or concerns regarding this Privacy Policy or the Company’s data practices may be directed to:
SARAY LLC
7494 Santa Monica Blvd.
West Hollywood, CA 90046
Email: hello@stayatsaray.com
The Company may establish additional mechanisms for submitting privacy requests as required by applicable law.
13. California Privacy Notice
This section supplements the information contained in this Privacy Policy and applies solely to residents of the State of California pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").
A. Categories of Personal Information Collected
In the preceding twelve (12) months, the Company has collected the categories of personal information described in Section 2 of this Policy, which may include identifiers (such as name, email address, IP address, government-issued identification, and online identifiers); customer records information (such as billing and payment information); commercial information (such as reservation history and transaction data); internet or electronic network activity information (such as browsing activity and interaction data); geolocation data; professional or employment-related information (in connection with property management services); audio, electronic, or similar information (including call recordings where permitted by law); and sensitive personal information (as described in Section 6).
B. Business or Commercial Purposes
The Company collects and uses personal information for the business and commercial purposes described in Section 3 of this Policy, including providing the Services, processing reservations and payments, identity verification, fraud prevention, marketing, analytics, regulatory compliance, security, and operational management.
C. Categories of Personal Information Disclosed
The Company may disclose the categories of personal information identified above to the categories of recipients described in Section 4 of this Policy for business purposes, including service providers, contractors, identity verification vendors, payment processors, advertising partners, governmental authorities, and professional advisors.
The Company does not sell personal information for monetary consideration. However, certain disclosures for cross-context behavioral advertising may constitute "sharing" under California law.
D. California Consumer Rights
California residents have the right to request: (i) disclosure of the categories and specific pieces of personal information collected about them; (ii) disclosure of the categories of sources from which personal information is collected; (iii) disclosure of the business or commercial purposes for collecting, selling, or sharing personal information; (iv) disclosure of the categories of third parties to whom personal information is disclosed; (v) correction of inaccurate personal information; (vi) deletion of personal information, subject to legal exceptions; (vii) a portable copy of personal information; (viii) to opt out of the "sale" or "sharing" of personal information; and (ix) to limit the use and disclosure of sensitive personal information where applicable.
The Company will not discriminate against a California resident for exercising any rights under the CCPA.
E. Exercising California Rights
California residents may submit verifiable consumer requests by contacting the Company using the information provided in Section 12 of this Policy. The Company may require identity verification before processing a request and may deny requests as permitted by law. Authorized agents may submit requests on behalf of a consumer, subject to verification requirements.
Opt-Out of Sale or Sharing; Limit Use of Sensitive Personal Information. California residents may request to opt out of the “sale” or “sharing” of personal information, including cross-context behavioral advertising as defined under the CCPA, by submitting a written request to hello@stayatsaray.com with the subject line “Do Not Sell or Share My Personal Information.”
Where applicable, California residents may also request to limit the use and disclosure of sensitive personal information to purposes permitted by law by submitting a written request to hello@stayatsaray.com with the subject line “Limit Sensitive Personal Information.”
The Company will process such requests in accordance with applicable law and may require reasonable identity verification before fulfilling the request.
Additional Opt-Out Methods (California). In addition to submitting a request by email, California residents may opt out of the ‘sale’ or ‘sharing’ of personal information (including cross-context behavioral advertising) by (i) enabling a legally recognized opt-out preference signal, such as the Global Privacy Control (GPC), where available, and/or (ii) using any cookie consent or advertising preference tools made available on the Website. Where we receive a valid opt-out preference signal, we will process it in a frictionless manner in accordance with applicable law.
14. Other U.S. State Privacy Rights
Residents of certain U.S. states, including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and other jurisdictions that have enacted comprehensive consumer privacy laws, may have additional rights regarding their personal information, subject to statutory thresholds and applicability requirements.
Depending on the applicable law, such rights may include: (i) the right to confirm whether the Company processes personal information about the individual; (ii) the right to access personal information; (iii) the right to correct inaccuracies; (iv) the right to delete personal information; (v) the right to obtain a portable copy of personal information; (vi) the right to opt out of targeted advertising; (vii) the right to opt out of the sale of personal information, where applicable; and (viii) the right to opt out of certain profiling activities that produce legal or similarly significant effects.
Where required by applicable law, the Company will provide a
mechanism for submitting privacy requests and will respond within the timeframes required by law. In jurisdictions that provide a right to appeal a denied privacy request, Users may submit an appeal using the contact information provided in Section 12 of this Policy.
The Company reserves the right to verify the identity of any individual submitting a privacy request and to deny requests as permitted by applicable law.
Pursuant to Nevada Revised Statutes Chapter 603A, Nevada residents may submit a request directing the Company not to sell their “covered information” (as defined under Nevada law) to third parties. The Company does not currently sell covered information in exchange for monetary consideration as defined under Nevada law. However, Nevada residents may submit an opt-out request by contacting the Company using the contact information provided in Section 12 of this Policy. The Company will respond to such requests in accordance with applicable Nevada law.
Residents may exercise rights to opt out of targeted advertising or certain profiling activities by submitting a written request to hello@stayatsaray.com with the subject line “Targeted Advertising Opt-Out.”
15. European Economic Area and United Kingdom Privacy Rights
This section applies to individuals located in the European Economic Area and the United Kingdom.
A. Legal Bases for Processing
Where required by applicable data protection law, the Company processes personal information on one or more of the following legal bases:
Performance of a Contract – Processing necessary to provide booking services, manage reservations, process payments, or fulfill contractual obligations.
Legitimate Interests – Processing necessary for fraud prevention, identity verification, security, business operations, service improvement, marketing analytics, and protection of the Company’s legal rights, provided such interests are not overridden by an individual’s fundamental rights and freedoms.
Consent – Processing based on an individual’s consent, including for marketing communications and certain categories of Cookies and Tracking Technologies.
Legal Obligation – Processing necessary to comply with applicable laws, regulations, tax requirements, and governmental requests.
B. Data Subject Rights
Individuals located in the EEA or UK may have the following rights under applicable law:
The right to access personal information;
The right to rectify inaccurate or incomplete personal information;
The right to request erasure of personal information under certain circumstances;
The right to restrict processing;
The right to data portability;
The right to object to processing based on legitimate interests;
The right to object to direct marketing at any time;
The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise these rights, individuals may contact the Company at hello@stayatsaray.com. The Company may require reasonable identity verification before responding.
C. Right to Lodge a Complaint
Individuals located in the EEA or UK have the right to lodge a complaint with the supervisory authority in their country of residence if they believe their personal information has been processed in violation of applicable data protection laws.
D. Representative
Where required under applicable law, the Company will appoint a representative in the European Union and/or the United Kingdom to act as a point of contact for individuals and supervisory authorities on data protection matters. Once appointed, representative contact details will be provided in this Policy.