Privacy Policy

5. COOKIES AND TRACKING TECHNOLOGIES
5.1 What Are Cookies?
Cookies are small text files stored on your device that help us remember information about your visit.
5.2 Types of Cookies We Use
Essential Cookies:

• Session management

• Security and authentication

• Payment processing

• Language preferences

• Cannot be disabled (required for Site functionality)

Analytics Cookies:

• Google Analytics (tracks user behavior and traffic patterns)

• Hotjar (records user interactions for UX improvement)

• Purpose: Understand how visitors use our Site

• Duration: Up to 2 years

Marketing Cookies:

• Google Ads (for retargeting and advertising)

• Facebook Pixel (for campaign tracking)

• Purpose: Show relevant ads and measure campaign effectiveness

• Duration: Until you clear cookies or opt-out

Preference Cookies:

• Remember your saved preferences

• Font size and language settings

• Dark mode preferences

5.3 Managing Cookies
You can control cookies through your browser settings:

• Chrome: Settings → Privacy and security → Cookies and other site data

• Safari: Preferences → Privacy → Cookies and website data

• Firefox: Settings → Privacy & Security → Cookies and Site Data

• Edge: Settings → Privacy → Cookies and other site data

Note: Disabling certain cookies may affect Site functionality (bookings, payments).
5.4 Do Not Track
If your browser supports "Do Not Track" signals, we respect this preference. However, most websites and advertisers do not yet respond to these signals.
6. DATA SECURITY
6.1 Security Measures
We implement industry-standard security measures to protect your information:

• SSL Encryption: All data transmitted is encrypted (HTTPS protocol)

• Secure Payment Processing: Payment information never stored on our servers

• Access Controls: Only authorized personnel access sensitive data

• Regular Security Audits: Third-party security assessments

• Firewalls and Intrusion Detection: Monitored 24/7

• Data Encryption: Sensitive data encrypted at rest and in transit

• Employee Training: All staff trained in data protection and privacy

6.2 Limitations
While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. You use our Site at your own risk.
6.3 Payment Security

• We do NOT store full credit card numbers

• All payments processed by PCI DSS compliant providers

• Payment information encrypted and secure

• Regular security updates and patches

7. DATA RETENTION
7.1 How Long We Keep Your Information
Booking and Reservation Data:

• Retained for 7 years (required for tax and legal compliance in India)

• After stay completion: 90 days for service follow-up

• Invoice records: 7 years per Indian tax law

Account Information:

• Retained while account is active

• Deleted upon request or account closure

• Some data retained per legal obligations

Payment Information:

• NOT stored on our servers

• Retained by payment processors per their privacy policies

• Deleted after 7 years per Indian compliance

Email Communications:

• Marketing emails: Until you unsubscribe

• Transactional emails: 1 year for records

• Support tickets: 2 years for reference

Analytics Data:

• Google Analytics: Automatically deleted after 26 months of inactivity

• Website logs: 30 days (unless required for security)

Cookies:

• Session cookies: Deleted when you close browser

• Persistent cookies: Up to 2 years (can be cleared manually)

7.2 Data Deletion Request
You can request deletion of your personal data at any time (subject to legal retention requirements). We will delete non-essential data within 30 days.
8. YOUR PRIVACY RIGHTS AND CHOICES
8.1 Rights Under Indian Data Protection Law
Right to Access:

• You have the right to access the personal data we hold about you

• Request: admin@staymysa.in

• Response time: 30 days

• Free for first request annually; additional requests may incur nominal fee

Right to Correction:

• You can request correction of inaccurate or incomplete data

• We will correct data within 15 days

Right to Erasure ("Right to be Forgotten"):

• You can request deletion of your personal data

• Exception: Data required by law or for legitimate business purposes

• Request within 30 days of completion of service

Right to Data Portability:

• You can request a copy of your data in machine-readable format

• We will provide within 30 days

Right to Object:

• You can object to certain types of processing

• Particularly marketing and profiling

• We will honor requests within 10 business days

Right to Restrict Processing:

• You can request we limit how we use your data

• Exception: Legal or contractual obligations

8.2 Marketing Communications

• Opt-out: Click "Unsubscribe" at bottom of any promotional email

• Consent: We require explicit consent for marketing emails

• Frequency: No more than 2-3 emails per month

• Alternative: Contact admin@staymysa.in to update preferences

8.3 Cookie Preferences

• Manage through browser settings (see Section 5.3)

• Click "Cookie Preferences" link (if available on Site)

• Email us to request custom cookie settings

8.4 Exercising Your Rights
To exercise any of the above rights:
Email: admin@staymysa.in
Subject: [Type of Request] - Privacy Rights
Include:

• Your full name

• Email address

• Booking reference (if applicable)

• Specific request details

• Valid identification (for verification)

Response Timeline: We will respond within 30 days
9. CHILDREN'S PRIVACY
9.1 Age Restrictions
Our Site is not intended for children under 18 years old. We do not knowingly collect personal information from children.
9.2 Parental Responsibility
If a child has provided information through our Site:

1. Parents/guardians can contact us immediately

2. We will delete the child's information

3. No marketing to minors without parental consent

9.3 Children at Mysa

• Parents/guardians are responsible for children's activities

• Children must be supervised at all times

• Special amenities and activities designed with child safety in mind

• Our staff trained in child safety protocols

Contact: admin@staymysa.in to report any concerns
10. INTERNATIONAL DATA TRANSFERS
10.1 Data Location
Our servers are primarily located in India. Your data is processed and stored in accordance with Indian data protection laws.
10.2 International Guests
If you are accessing our Site from outside India:

• Your data will be transferred to and processed in India

• We comply with applicable international privacy laws

• By using our Site, you consent to this transfer

10.3 GDPR Compliance (EU Guests)
For guests from European Union:

• We comply with GDPR requirements

• Your rights under GDPR are protected

• Data transfers subject to adequate safeguards

• You can contact our DPO (Data Protection Officer)

11. THIRD-PARTY LINKS AND SERVICES
11.1 Third-Party Websites
Our Site may contain links to third-party websites (Booking.com, Google Maps, social media, etc.). We are not responsible for the privacy practices of these sites.

• Read their privacy policies separately

• We do not endorse or control third-party content

• Your interactions are subject to their terms

11.2 Google Maps

• Powered by Google

• Subject to Google's Privacy Policy

• Location data processed according to Google's terms

11.3 Social Media Integration

• If you link accounts (Instagram, Facebook), we access public profile data

• Social platforms maintain their own privacy policies

• You can unlink accounts at any time

11.4 OTA Partners

• Booking.com, Airbnb, etc., have separate privacy policies

• Reservations made through these platforms are subject to their privacy terms

• We do not control their data handling practices

12. AUTOMATED DECISION-MAKING AND PROFILING
12.1 Personalized Recommendations
We may use:

• Past booking history

• Browsing behavior

• Preferences and reviews

• Analytics data

To provide personalized recommendations (room suggestions, amenity recommendations, promotional offers).
12.2 Right to Human Review

• You can request that a human reviews automated decisions

• Email: admin@staymysa.in

• We will provide explanation and allow you to challenge decisions

12.3 No Significant Decisions
We do not make significant decisions (eligibility, pricing, access) based solely on automated processing without human review.
13. CONTACT INFORMATION AND GRIEVANCE REDRESSAL
13.1 Data Protection Officer
Name: [Your DPO Name/Title]
Email: dpo@staymysa.in
Phone: +91-[Phone Number]
Address: Mysa A-Frame Cottage, Fozal Valley, Kullu, Himachal Pradesh 175101, India
13.2 Privacy Inquiries
Email: privacy@staymysa.in
Phone: +91-[Phone Number]
Hours: 24/7 (response within 24 hours)
For privacy complaints, complaints, or data requests:
Step 1: Email us with details
Step 2: We respond within 7 days with acknowledgment
Step 3: We investigate (7-15 days)
Step 4: Resolution and response within 30 days
Step 5: If dissatisfied, escalate to management
13.3 Grievance Redressal Officer
Name: [Owner/Manager Name]
Email: grievance@staymysa.in
Phone: +91-[Phone Number]
Address: Mysa A-Frame Cottage, Fozal Valley, Kullu, Himachal Pradesh 175101, India
13.4 Escalation
If you're not satisfied with our response:

1. Submit formal complaint in writing

2. Include all details and documentation

3. We will conduct thorough investigation

4. Escalate to senior management if needed

5. Provide written response within 30 days

13.5 Regulatory Authority
Internet and Mobile Association of India (IAMAI)
Website: www.iamai.in
Ministry of Electronics and Information Technology
Website: www.meity.gov.in
14. CALIFORNIA RESIDENT RIGHTS (CCPA)
If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal data is collected

• Right to know whether personal data is sold or disclosed

• Right to opt-out of sale of personal data

• Right to access personal data

• Right to deletion

• Right to non-discrimination for exercising privacy rights

To exercise CCPA rights:
Email: ccpa@staymysa.in
Include: Name, email, booking reference, specific request
Response time: 45 days
15. EUROPEAN RESIDENT RIGHTS (GDPR)
If you are a resident of the European Union, you have rights under the General Data Protection Regulation (GDPR):

• Right to access, rectification, erasure

• Right to restrict processing

• Right to data portability

• Right to object to processing

• Right not to be subject to automated decision-making

• Right to lodge complaint with supervisory authority

To exercise GDPR rights:
Email: gdpr@staymysa.in
Data Protection Authorities in your country:

• Germany: www.bfdi.bund.de

• France: www.cnil.fr

• UK: www.ico.org.uk

• Italy: www.garante.it

• Spain: www.aepd.es

16. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy periodically to reflect:

• Changes in our practices

• New privacy laws and regulations

• Feedback from guests

• Security updates

How we notify you:

• Update "Last Updated" date at top of policy

• Email notification for material changes

• Prominent notice on our Site

• You may need to accept updated terms to continue using services

Your responsibility: Review this policy regularly for updates
17. ACCOUNTABILITY AND GOVERNANCE
17.1 Privacy by Design

• We implement privacy protections from the start

• Data minimization: Collect only necessary information

• Purpose limitation: Use data only for stated purposes

• Regular privacy audits and assessments

17.2 Data Protection Impact Assessments

• Conducted annually

• Identify potential privacy risks

• Implement mitigation measures

• Document findings

17.3 Staff Training

• All employees trained in data protection

• Privacy awareness programs

• Regular updates on new regulations

• Consequences for privacy violations

17.4 Vendor Management

• All service providers undergo privacy audits

• Contractual obligations for data protection

• Regular compliance checks

• Immediate termination if breaches occur

18. INCIDENT RESPONSE AND DATA BREACHES
18.1 Security Incident Response
In case of a data breach or security incident:
Our Response (immediate):

1. Contain the breach

2. Notify affected individuals (within 72 hours if required)

3. Document incident details

4. Notify regulatory authorities (if required)

5. Provide guidance on protective measures

18.2 Your Rights Upon Breach

• Notification of incident

• Description of compromised data

• Likely consequences

• Measures we're taking to mitigate harm

• Recommendations to protect yourself

18.3 Reporting Security Issues
If you discover a security vulnerability:

• Email: security@staymysa.in

• Include: Detailed description, screenshots (if possible)

• Do NOT publicly disclose before giving us time to fix

• We appreciate responsible disclosure

19. DEFINITIONS

• Personal Data: Any information that identifies or can identify an individual

• Processing: Collection, storage, use, sharing, deletion of personal data

• Data Controller: The entity determining purposes and means of processing (Mysa)

• Data Processor: Entity processing data on behalf of controller (service providers)

• Explicit Consent: Clear, voluntary agreement to specific processing

• Legitimate Interest: Processing necessary for business operations or rights

• Profiling: Automated analysis of personal characteristics or behavior

20. FINAL NOTES
20.1 Entire Agreement
This Privacy Policy constitutes the entire agreement regarding your privacy and supersedes all prior agreements.
20.2 Severability
If any provision is found to be invalid, the remaining provisions continue in effect.
20.3 Jurisdiction
This Privacy Policy is governed by:

• Laws of India (Indian Information Technology Act, 2000)

• Laws of Himachal Pradesh

• Disputes resolved in courts of Kullu district

20.4 Questions?
For any questions or concerns not addressed:
📧 Email: admin@staymysa.in
📞 Phone: +91-[7374000057]
🏠 Address: Mysa A-Frame Cottage, Fozal Valley, Kullu, Himachal Pradesh 175101, India
We respond to all privacy inquiries within 24 hours.
ACKNOWLEDGMENT
By using Mysa A-Frame Cottage website and services, you acknowledge that you have:

• Read this Privacy Policy

• Understood your privacy rights

• Consented to our privacy practices

• Agreed to this policy terms

Thank you for trusting Mysa with your personal information. Your privacy is our priority. 🙏
© 2026 Mysa A-Frame Cottage. All rights reserved.
Last Updated: January 1, 2026
Version 1.0