This Privacy Policy explains how BookInstead LLC (“BookInstead,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects personal information when you access or use the BookInstead.com platform. Please read this policy carefully before using the platform. By creating an account or completing a booking, you agree to the practices described herein.
Quick Reference Summary
The table below summarizes our core data practices. The full policy below contains complete details, definitions, and your rights.
| Topic | Short Answer |
|---|---|
| Data we collect | Name, email, phone, payment info, booking history, device/browser data, and location data when applicable. |
| Why we collect it | To operate the platform, process bookings, prevent fraud, and improve the user experience. |
| Do we sell your data? | No. We do not sell personal information to third parties for their independent marketing. |
| Who we share it with | Operators (to fulfill your booking), payment processors, analytics providers, and law enforcement when required. |
| Your rights | Access, correct, delete, or export your data. Opt out of marketing. Lodge a complaint with regulators. |
| Cookies | We use cookies for functionality, analytics, and advertising. You can manage preferences via our Cookie Banner. |
| Data retention | We retain data as long as your account is active and for up to 7 years after closure for legal and tax purposes. |
| Children | The platform is not intended for users under 13. We do not knowingly collect data from children under 13. |
| Contact us | privacy@bookinstead.com |
1. Introduction and Scope
1.1 Who We Are
BookInstead LLC is a Texas limited liability company that operates the BookInstead.com online marketplace, which connects travelers (“Guests”) with tour operators, activity providers, and rental companies (“Operators”). This Privacy Policy applies to all personal information collected through the BookInstead.com website, any associated mobile applications, and all related services (collectively, the “Platform”).
1.2 Scope of This Policy
This Privacy Policy applies to:
- All registered Guests and Operators who create accounts on the Platform.
- All visitors who browse the Platform without creating an account.
- All individuals whose personal information is submitted to the Platform by another user, such as a guest who adds a travel companion to a booking.
This Privacy Policy does not apply to the data practices of Operators, who are independent businesses with their own privacy policies. BookInstead is not responsible for how Operators collect, use, or protect personal information they receive from Guests during the fulfillment of an Experience.
1.3 Relationship to Terms of Service
This Privacy Policy is incorporated by reference into BookInstead’s Terms of Service. By agreeing to the Terms of Service, you also agree to the practices described in this Privacy Policy. Capitalized terms used but not defined herein carry the meanings given to them in the Terms of Service.
1.4 Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or platform features. When we make material changes, we will notify registered users by email at least fourteen (14) calendar days before the changes take effect and update the “Last Reviewed” date at the top of this document. Continued use of the Platform after the effective date of an updated policy constitutes your acceptance of the revised practices.
2. Information We Collect
We collect personal information in three primary ways: information you provide directly to us, information we collect automatically when you use the Platform, and information we receive from third parties.
2.1 Information You Provide Directly
2.1.1 Account Registration
When you create a Guest or Operator account, we collect:
- Full legal name
- Email address
- Password (stored in hashed, encrypted form — we never store plaintext passwords)
- Phone number
- Profile photo (optional)
- Date of birth (used solely to verify that you are at least 18 years of age)
2.1.2 Booking Information
When you complete a Booking, we collect:
- Name and contact information for all guests in the booking party
- Payment method details (processed and stored by our PCI-DSS compliant third-party payment processor — BookInstead does not store full card numbers)
- Billing address
- Booking preferences, special requests, and any health or accessibility information voluntarily disclosed
- Communications with the Operator made through the Platform’s messaging feature
2.1.3 Operator Registration
When an Operator registers on the Platform, we collect, in addition to the above account information:
- Legal business name and any DBA (doing business as) name
- Business address and operating location(s)
- Tax identification number or Employer Identification Number (EIN)
- Business license numbers and copies of relevant permits
- Proof of insurance documentation
- Bank account information for payout purposes (processed through our third-party payout provider)
- A government-issued photo ID for identity verification
2.1.4 Communications
When you contact BookInstead through support channels, fill out a form, participate in a survey, or respond to a promotional communication, we collect:
- The content of your message or response
- Your contact information as provided
- Records of support interactions, including chat logs and email threads
2.1.5 User-Generated Content
When you submit reviews, ratings, photos, or other content to the Platform, we collect and store that content along with associated metadata such as the date and time of submission.
2.2 Information Collected Automatically
When you access or use the Platform, we automatically collect certain technical and behavioral information, including:
2.2.1 Device and Browser Information
- IP address
- Browser type and version
- Operating system and device type
- Device identifiers (e.g., mobile advertising ID)
- Screen resolution and display settings
- Referring URL (the page you visited before arriving at BookInstead.com)
2.2.2 Usage and Behavioral Data
- Pages and Listings viewed, including timestamps and duration
- Search queries entered on the Platform
- Booking flow steps completed and abandoned
- Clicks, scrolls, and interactions with Platform features
- Features used and preferences set within your account
2.2.3 Location Data
- Approximate geographic location derived from your IP address, used to surface regionally relevant Listings and apply correct tax rates.
- Precise GPS location, only if you grant permission through your browser or mobile device settings. You may revoke this permission at any time through your device settings.
2.2.4 Cookies and Tracking Technologies
We use cookies, web beacons, pixel tags, local storage, and similar tracking technologies to collect the information described above and to improve Platform functionality. Full details are provided in our Cookie Policy, available at bookinstead.com/cookie-policy.
2.3 Information Received from Third Parties
We may receive personal information about you from the following third-party sources:
- Payment Processors: Transaction confirmation data, payment status, and fraud signals.
- Identity Verification Services: Identity verification results for Operator accounts, including document validation outcomes.
- Social Login Providers: If you choose to register or log in using a third-party social account (e.g., Google or Apple), we receive the name, email address, and profile photo associated with that account, subject to your privacy settings with that provider.
- Analytics Providers: Aggregated and anonymized data about Platform usage patterns.
- Marketing Partners: Lead or interest data from partners who refer users to the Platform, subject to those partners’ own privacy disclosures.
We use information received from third parties only in ways consistent with this Privacy Policy and the permissions you have granted to those third parties.
3. How We Use Your Information
We use the personal information we collect for the following purposes, organized by legal basis where applicable:
| Purpose | Information Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Name, email, password, phone number | Contract performance |
| Processing and managing bookings | Booking details, payment info, party information | Contract performance |
| Processing payments and issuing refunds | Payment method, billing address, transaction data | Contract performance |
| Communicating with you about your booking | Email, phone, booking details | Contract performance |
| Verifying Operator eligibility and identity | Business info, ID documents, license data | Legal obligation / Legitimate interest |
| Fraud detection and prevention | IP address, device data, behavioral patterns, payment signals | Legitimate interest / Legal obligation |
| Providing guest support and resolving disputes | Account info, booking records, communications | Contract performance / Legitimate interest |
| Improving the Platform and developing new features | Usage data, behavioral data, feedback | Legitimate interest |
| Personalizing your experience and surfacing relevant Listings | Location, search history, past bookings | Legitimate interest / Consent |
| Sending marketing and promotional communications | Email, booking history, preferences | Consent (opt-in) |
| Complying with legal obligations | Any information required by law or court order | Legal obligation |
| Enforcing our Terms of Service and policies | Account data, behavioral data, communication logs | Legitimate interest / Legal obligation |
| Analytics and business reporting | Aggregated and anonymized usage data | Legitimate interest |
| Facilitating Operator payouts | Operator bank account details, booking revenue data | Contract performance |
3.1 Marketing Communications
We will only send you marketing emails, promotional offers, or newsletters if you have explicitly opted in at the time of account creation or through a subsequent opt-in mechanism on the Platform. Each marketing communication includes an unsubscribe link. You may also opt out at any time by visiting your account settings under “Communication Preferences” or by emailing privacy@bookinstead.com.
Opting out of marketing communications does not affect our ability to send you transactional messages related to your account or active bookings, including booking confirmations, cancellation notices, refund notifications, and support responses.
3.2 Automated Decision-Making
We use automated tools to detect fraud, assess booking risk, and flag accounts for review. These systems may result in a Booking being held for review, a payment being declined, or an account being flagged for suspension. Where an automated decision materially affects you, you have the right to request human review by contacting privacy@bookinstead.com. We do not make final account suspension or ban decisions using automated systems alone.
4. How We Share Your Information
We do not sell your personal information to third parties for their own marketing or commercial purposes. We share personal information only as described in this section.
4.1 Sharing with Operators
When you complete a Booking, we share the following information with the Operator to facilitate fulfillment of the Experience:
- Your full name and the names of all members of your booking party
- Your email address and phone number, for coordination purposes
- Your booking details, including date, time, party size, and any special requests or health information you voluntarily disclosed
- Any communication you have sent through the Platform’s messaging feature
We do not share your payment method details with Operators. Operators receive only the confirmation that payment was successfully processed. Operators are contractually required to use Guest information solely for the purpose of fulfilling the booked Experience and may not use it for independent marketing, solicitation, or any other purpose without your explicit consent.
4.2 Sharing with Service Providers
We share personal information with trusted third-party service providers who perform functions on our behalf, including:
- Payment Processors: To process transactions, handle refunds, and detect payment fraud.
- Identity Verification Providers: To verify Operator identities and business credentials.
- Cloud Hosting Providers: To store and serve Platform data securely.
- Email Service Providers: To send transactional and marketing communications.
- Analytics Providers: To analyze Platform usage and improve performance.
- Customer Support Platforms: To manage support tickets and communication logs.
- Fraud Detection Services: To identify and prevent fraudulent activity.
All service providers are bound by written data processing agreements that require them to: (a) process data only as directed by BookInstead; (b) implement appropriate security measures; and (c) not use your data for their own independent purposes.
4.3 Sharing for Legal Compliance
We may disclose personal information when we have a good-faith belief that disclosure is necessary to:
- Comply with a subpoena, court order, legal process, or government request.
- Enforce our Terms of Service or protect the rights, property, or safety of BookInstead, our users, or the public.
- Investigate, prevent, or take action against suspected fraud, illegal activity, or violations of our policies.
- Respond to an emergency involving risk to the life or safety of any person.
Where permitted by law, we will attempt to notify you before disclosing your information in response to a legal request.
4.4 Business Transfers
If BookInstead is involved in a merger, acquisition, asset sale, financing, bankruptcy, or reorganization, your personal information may be transferred as part of that transaction. We will notify registered users via email and/or a prominent notice on the Platform before your personal information is transferred and becomes subject to a different privacy policy.
4.5 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data — data that cannot reasonably be used to identify you — with partners, advertisers, researchers, or the public for purposes including industry analysis, platform improvement, and marketing. This data is not personal information and is not subject to the protections in this Privacy Policy.
5. Cookies and Tracking Technologies
5.1 What Are Cookies
Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work more efficiently, to remember your preferences, and to provide information to website operators about user behavior. BookInstead uses cookies and similar technologies, including web beacons, pixel tags, and local storage objects.
5.2 Types of Cookies We Use
| Cookie Type | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Required for core platform functionality — login sessions, booking flow, payment processing. | Session tokens, CSRF protection cookies, cart state |
| Functional | Remember your preferences and settings to personalize your experience. | Language preferences, saved search filters, login state |
| Analytics / Performance | Help us understand how users interact with the Platform so we can improve it. | Google Analytics, Hotjar, session recording tools |
| Marketing / Advertising | Track your activity across sites to deliver relevant ads and measure ad campaign effectiveness. | Meta Pixel, Google Ads tags, retargeting pixels |
5.3 Your Cookie Choices
When you first visit BookInstead.com, you will be presented with a Cookie Consent Banner that allows you to accept or reject non-essential cookie categories. You may also manage your cookie preferences at any time by:
- Clicking the “Cookie Preferences” link in the footer of BookInstead.com.
- Adjusting your browser settings to block or delete cookies. Note that disabling strictly necessary cookies will impair the Platform’s core functionality, including the ability to log in or complete a booking.
- Using your device’s privacy settings to limit mobile advertising identifiers.
Strictly necessary cookies cannot be disabled, as they are essential to the Platform’s operation. Our full Cookie Policy, including a list of specific cookies in use and their retention durations, is available at bookinstead.com/cookie-policy.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal and business obligations. The following retention schedule applies:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account information | Duration of account + 7 years post-closure | Legal compliance, tax records, dispute history |
| Booking and transaction records | 7 years from transaction date | Tax law, financial audit requirements, chargeback defense |
| Payment processing data | As required by payment processor and PCI-DSS standards | Payment fraud prevention, chargeback defense |
| Support and dispute communications | 5 years from last interaction | Legal defense, pattern analysis, dispute resolution history |
| User-generated content (reviews, photos) | Duration of account; may persist after deletion if tied to a completed booking | Platform integrity, Operator right to respond |
| Analytics and behavioral data | Up to 26 months in identifiable form; then anonymized indefinitely | Platform improvement, trend analysis |
| Marketing consent records | Duration of consent + 3 years | Legal proof of consent |
| Operator identity and license documents | Duration of Operator account + 7 years | Regulatory compliance, liability protection |
| Fraud flags and investigation records | Up to 10 years | Recurrence prevention, legal action |
| Deleted account data | Up to 30 days in recoverable form; then permanently deleted or anonymized | Account recovery, fraud prevention |
After the applicable retention period expires, we will securely delete or anonymize your personal information in accordance with industry-standard data destruction procedures. Where deletion is not technically feasible (e.g., encrypted backups), we will isolate the data and protect it from further processing until deletion is possible.
7. Data Security
7.1 Security Measures
BookInstead implements a layered set of technical, administrative, and physical safeguards to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption in Transit: All data transmitted between your browser or device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at Rest: Personal information stored in our databases is encrypted at rest using AES-256 or equivalent industry-standard encryption.
- Payment Data Security: All payment processing is handled by PCI-DSS Level 1 compliant third-party processors. Full card numbers are never stored on BookInstead servers.
- Access Controls: Access to personal data within BookInstead’s systems is restricted on a need-to-know basis. Employees must use multi-factor authentication to access production systems containing personal data.
- Regular Security Audits: We conduct periodic security assessments, penetration testing, and vulnerability scans of our Platform and infrastructure.
- Incident Response: We maintain a documented data breach response plan, including procedures for notifying affected users and regulators within legally required timeframes.
7.2 No Absolute Security
While we take security seriously and implement industry-standard protections, no data transmission over the internet or data storage system can be guaranteed to be 100% secure. You use the Platform at your own risk. If you have reason to believe your account has been compromised, notify us immediately at security@bookinstead.com.
7.3 Your Responsibilities
You are responsible for maintaining the security of your account credentials. Do not share your password with anyone, use a strong unique password, and notify us immediately of any unauthorized account access. BookInstead will never ask for your password via email, phone, or chat.
8. Your Privacy Rights
BookInstead respects your right to control your personal information. The rights described below apply to all users. Additional rights specific to California residents and international users are described in Sections 9 and 10.
8.1 Right to Access
You have the right to request a copy of the personal information BookInstead holds about you. Upon a verified request, we will provide a portable summary of your data in a commonly used format (such as CSV or JSON) within thirty (30) calendar days.
8.2 Right to Correction
You have the right to request that we correct inaccurate or incomplete personal information. You may update most account information directly in your account settings. For information that cannot be self-corrected, contact privacy@bookinstead.com.
8.3 Right to Deletion
You have the right to request deletion of your personal information. Upon a verified request, we will delete or anonymize your data within thirty (30) calendar days, subject to the following exceptions:
- Information we are required to retain by law, including tax records and transaction data.
- Information necessary to complete a pending transaction or resolve an open dispute.
- Information retained for fraud prevention purposes where deletion would impair our ability to protect against recurrence.
- Information that is part of a backup system, which will be deleted on the next backup purge cycle.
8.4 Right to Opt Out of Marketing
You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, adjusting your preferences in your account settings, or contacting privacy@bookinstead.com. We process opt-out requests within ten (10) business days. Note that transactional emails related to your account and bookings are not marketing and cannot be opted out of while your account is active.
8.5 Right to Object to Processing
Where we process your personal information based on our legitimate interests, you have the right to object to that processing. We will honor your objection unless we can demonstrate compelling legitimate grounds that override your interests, or unless the processing is necessary for the establishment, exercise, or defense of legal claims.
8.6 Right to Restrict Processing
In certain circumstances, you have the right to request that we restrict the processing of your personal information — for example, while we investigate an accuracy dispute or consider your objection to processing.
8.7 How to Submit a Privacy Request
To exercise any of the rights described above, submit a written request to privacy@bookinstead.com with the subject line “Privacy Rights Request.” Your request must include:
- Your full name as registered on the Platform.
- The email address associated with your account.
- A description of the specific right you are exercising and the information to which your request pertains.
We may ask you to verify your identity before processing your request. We will not charge a fee for a reasonable request but reserve the right to charge a nominal administrative fee for excessive or repetitive requests.
9. California Privacy Rights (CCPA / CPRA)
This section applies to California residents and supplements the general rights described in Section 8. It is provided in compliance with the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA).
9.1 Categories of Personal Information Collected
In the past twelve (12) months, BookInstead has collected the following categories of personal information from California consumers:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Personal records | Phone number, billing address, payment info | Yes |
| Protected classification characteristics | Age (18+ verification only) | Yes (limited) |
| Commercial information | Booking history, transaction records, preferences | Yes |
| Internet / electronic network activity | Browsing behavior on the Platform, device data, cookies | Yes |
| Geolocation data | Approximate IP-based location; precise GPS only if permitted | Yes (limited) |
| Sensory data | Profile photos and review images uploaded by users | Yes (if provided) |
| Professional / employment information | Operator business details, license numbers | Yes (Operators only) |
| Inferences drawn from above | Booking preferences, likelihood to rebook, risk scores | Yes |
| Sensitive personal information | Government ID for Operator verification; financial account info for payouts | Yes (Operators only) |
9.2 Sources and Business Purposes
The sources from which we collect this information and the business or commercial purposes for which it is used are described in Sections 2 and 3 of this Privacy Policy.
9.3 California Consumer Rights
California residents have the following rights under CCPA/CPRA:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we have shared it.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to applicable exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: BookInstead does not sell personal information within the meaning of CCPA. We do not share personal information with third parties for cross-context behavioral advertising without consent.
- Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use of sensitive personal information (as defined by CPRA) to uses necessary to perform the services you requested.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different level of service because you exercised your privacy rights.
9.4 Submitting a California Privacy Request
California residents may submit a rights request by emailing privacy@bookinstead.com with the subject line “California Privacy Request.” We will verify your identity and respond within forty-five (45) calendar days. If we need additional time (up to 90 days total), we will notify you within the initial 45-day period.
9.5 Authorized Agents
You may designate an authorized agent to submit a CCPA request on your behalf. We will require the agent to provide written proof of authorization and may require you to verify your identity directly with us before honoring the request.
10. International Users and GDPR
This section applies to users who are residents of the European Economic Area (EEA), the United Kingdom (UK), or other jurisdictions with comprehensive data protection laws. If you access BookInstead from outside the United States, your information will be transferred to and processed in the United States.
10.1 Data Transfers to the United States
BookInstead is based in the United States and processes personal information on servers located in the United States. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, your personal information will be transferred to a country that may not provide the same level of protection as your home jurisdiction.
Where required by law, we implement appropriate safeguards for international data transfers, which may include Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.
10.2 Legal Bases for Processing (GDPR)
For users in the EEA or UK, we rely on the following legal bases to process personal information:
- Contract Performance: Processing necessary to fulfill a booking or manage your account.
- Legal Obligation: Processing required to comply with applicable law.
- Legitimate Interests: Processing for fraud prevention, platform security, and service improvement, where our interests are not overridden by your rights.
- Consent: Processing for marketing communications and non-essential cookies, which you can withdraw at any time.
10.3 Additional Rights for EEA / UK Residents
In addition to the rights described in Section 8, EEA and UK residents have the right to:
- Lodge a complaint with your local data protection authority (DPA) if you believe your rights have been violated.
- Request a copy of the Standard Contractual Clauses or other transfer mechanisms we use for international data transfers.
- Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
10.4 Data Protection Officer
BookInstead has not formally designated a Data Protection Officer (DPO) at this time. Privacy inquiries from EEA and UK residents may be directed to privacy@bookinstead.com. We will respond in accordance with applicable law.
11. Children’s Privacy
The BookInstead Platform is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information to us without verifiable parental consent, we will take immediate steps to delete that information from our systems.
Users between the ages of 13 and 17 may not create accounts or complete Bookings on the Platform. Bookings involving minors as participants must be made by an adult account holder (18 or older) who assumes full responsibility for the minor’s participation, including consent to any waivers required by the Operator.
If you believe a child under 13 has provided personal information to BookInstead, please contact us immediately at privacy@bookinstead.com.
12. Do Not Track Signals
Some web browsers transmit “Do Not Track” (DNT) signals to websites. Because there is currently no universally accepted technical standard for responding to DNT signals, BookInstead does not alter its data collection or use practices in response to DNT signals at this time. We will reassess this practice if and when an industry-wide standard is established.
You can manage your tracking preferences through our Cookie Consent Banner and through your browser’s built-in privacy settings, as described in Section 5 of this Privacy Policy.
13. Third-Party Links and Embedded Content
The Platform may contain links to third-party websites, embedded maps, social media widgets, or other external content. These third-party services operate independently from BookInstead and have their own privacy policies. BookInstead is not responsible for the privacy practices of any third-party website or service.
We encourage you to review the privacy policy of any third-party site or service before submitting personal information to it. Interaction with embedded social media features (such as a “Share” button) may result in data collection by the relevant social media platform, even if you are not logged into that platform.
14. Contact Information and Privacy Requests
For all privacy-related inquiries, requests, complaints, or questions about this Privacy Policy, please contact us at:
Privacy Email: privacy@bookinstead.com
General Support: support@bookinstead.com
Security Concerns: security@bookinstead.com
Legal Notices: legal@bookinstead.com
Mailing Address: BookInstead LLC, Houston, Texas (full address to be added before publication)
Website: www.bookinstead.com
Response Time: We aim to respond to all privacy requests within 5 business days and to fulfill verified requests within 30 calendar days.