Privacy Policy

Introduction STAAH Limited (we, us, our, STAAH) complies with the New Zealand Privacy Act 1993 (NZ Privacy Act) and other applicable privacy and data protection laws when dealing with personal information. Personal information is information about an identifiable individual (a natural person). Your privacy is top priority for us and, at STAAH, we are committed to safeguarding your privacy. This policy sets out how we will collect, use, disclose and protect your personal information when you use this website (www.staah.com) or our services. This privacy policy should be read in conjunction with our cookies policy at www.staah.com/cookies-privacy.htm (Cookies Policy). If you are based in the European Union and use this website or our services, the additional terms in the addendum to this policy (GDPR Addendum) apply to you. This policy does not limit or exclude any of your rights under the NZ Privacy Act and other applicable laws. If you wish to seek further information on the NZ Privacy Act, see www.privacy.org.nz. Changes to this policy We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy. This policy was last updated on 31st May 2018. WHAT PERSONAL INFORMATION DO WE COLLECT We collect, hold and process two categories of personal information:

• Account and Marketing Data is personal information that we collect about you:
  • in connection with the creation or administration of a STAAH account
  • if you ask to receive information about us or our services, including if you sign up to schedule a demo call
  • when you contact us directly (e.g. telephone call, email, website chat or through your user dashboard)
  • when you visit this website. The Account and Marketing Data we collect may include company/personal names, usernames, phone numbers, email addresses, your location, information about how you use our website or services (for example, traffic volumes, time spent on pages), your IP address and/or other device identifying data, and other information required to provide a service or information you have requested from us.
  • Customer Data is personal information that STAAH’s customers (e.g. hotels) may collect from their customers (e.g. hotel guests using STAAH’s products and services). This may include first and last names, email address, mobile phone number and travel information such as check in and check out dates and any special requests (if required). We will not collect or process Customer Data except as provided in our agreements with our customers and we require our customers to comply with applicable privacy and data protection laws.

The remainder of this privacy policy sets out how we will collect, use, disclose and protect Account and Marketing Data and does not apply to Customer Data. WHO DO WE COLLECT YOUR PERSONAL INFORMATION FROM We collect personal information about you from:

• you, when you provide that personal information to us, including via our website and our services, through any registration or subscription process, through any contact with us (e.g. telephone, email, website chat, face to face meeting) or when you buy or use our services
• third parties where you have authorised this, such as via LinkedIn or Facebook credentials, or the information is publicly available.

If possible, we will collect personal information from you directly. When you visit or use our website or services, we may collect information about you:

• by recording clickstream data, which is information that is recorded when you click anywhere on the website, including the date and time of your access, time zone setting, information about your browser and system or device configuration and capabilities, the webpages you access and your IP address
• through the use of cookies and similar storage technologies. Please refer to our Cookies Policy for further information, including information on how you can disable these technologies.

You may be asked to provide billing information when using the website or related services, including your billing address and credit card information. If your billing address is anywhere other than the United Kingdom or the European Union, your billing information is processed by us. If your billing address is in the United Kingdom or European Union, we use GoCardless to process credit card transactions and we do not have access to your credit card information. You can view GoCardless’ privacy policy at https://gocardless.com/legal/privacy. How we use your personal information We may use personal information provided directly by you:

• to provide this website and our products and services to you, including to provide technical support or information in relation to our products and services
• to verify your identity
• to provide the website and our products and services to you
• to market our products and services to you, including contacting you electronically (e.g. by text or email for this purpose). You can stop receiving our promotional emails or service related communications by following the unsubscribe instructions included in those communications or contacting us at marketing@staah.com
• notify you about changes to the website or our products and services
• to improve the website and services that we provide to you
• to respond to communications from you.

We may use information generated by your access and use of this website or our services:

• to monitor the performance of this website or our services and ensure that these perform in the best manner possible
• for security and system integrity purposes
• to tailor content or advertisements to you. For further information, please see our Cookies Policy.

We may also combine information we collect (aggregate) or remove personally identifiable (anonymise) information to conduct research and statistical analysis to understand our audience. This privacy policy does not apply to our use of such aggregated or anonymous information. We may also use your personal information:

• to protect and/or enforce our legal rights and interests, including defending any claim
• for any other purpose authorised by you, the Act or other applicable law
• to respond to lawful requests by public authorities, including to meet law enforcement requirements
• to transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.

Disclosing your personal information We may disclose your personal information to:

• another company within our group for the purposes described in this policy
• any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or our products and services. Please see the GDPR Addendum for further information or the third party providers we use.
• our professional advisers e.g. accountants, lawyers, auditors
• any other person authorised by you
• any other company in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition

We may also disclose research and statistical analysis on an anonymised basis derived from your personal information to third parties. We may disclose personal information we hold about you if we believe that such disclosure is necessary to:

• comply with legal requirements or process
• protect our rights or property
• enforce this policy or any other agreement that we may have with you

We share information about your use of the website with our trusted advertising, social media and analytics partners through the use of cookies, web beacons and similar storage technologies. Please refer to our Cookies Policy of for further information. TRANSFERS OF personal information A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand. Please see the GDPR Addendum for further information about personal data transfers from the European Economic Area. Protecting your personal information We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse. We implement appropriate technical and organisational measures to ensure a level of security appropriate to risks inherent in processing personal information. This includes on premise security of STAAH computer software. We encrypt any sensitive information that is transmitted via our website (such as credit card numbers) using secure socket layer technology (SSL). When credit card details are collected, we simply pass them on in order to be processed as required. We never permanently store complete credit card details. You can play an important role in keeping your personal information secure by maintaining the confidentiality of any password used in relation to our products and services. Please do not disclose your password to third parties. Please notify us immediately if there is any unauthorised use of your account or any other breach of security. Accessing and correcting your personal information Subject to certain grounds for refusal set out in the NZ Privacy Act or other applicable law, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates. In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction. If you want to exercise either of the above rights, email us at marketing@staah.com. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting). Internet use While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk. If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information. Contact us If you have any questions about this privacy policy, our privacy practices, or if you would like to request access to, or correction of, your personal information, you can contact us here: marketing@staah.com

STAAH Privacy Policy – GDPR Addendum

If you are based in the European Union (EU) and use this website or our products or services, these additional terms (GDPR Addendum) form part of our privacy policy. The General Data Protection Regulation (GDPR) regulates the collection, processing and transfer of EU individuals’ personal data (as defined in the GDPR). The personal information described in our privacy policy is personal data under the GDPR. We are committed to complying with the GDPR when dealing with Account and Marketing Data about our website visitors and product or service users based in the EU. This GDPR Addendum was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to marketing@staah.com. For the purposes of the GDPR:

• we are the data controller (as defined in the GDPR) when processing Account and Marketing Data; and
• our customers are the data controller when processing Customer Data

We will not process Customer Data except as provided in our agreements with our customers and we require our customers to comply with applicable privacy and data protection laws. If we receive any data subject requests relating to Customer Data, such as requests to access personal data, we will forward this request to the relevant customer. The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to Customer Data. PROCESSESING PERSONAL DATA The personal data we may process consists of the Account and Marketing Data described in our privacy policy. This Account and Marketing Data may be processed for the purposes outlined in our privacy policy. The legal basis for our processing of Account and Marketing Data is your consent and, for certain Account and Marketing Data, processing is necessary for the performance of a contract to which you are a party or for our legitimate interests (except where such interests would be overridden by your fundamental rights and freedoms which require the protection of personal data). Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws. You do not have to provide us with your name or contact information to access and use certain parts of the website. You do have to provide us with information that is automatically collected by Google Analytics during your use of the website (location, browser and operating system details), however, this is not personal information. For further information on cookies, please see our Cookies Policy. You must provide us with your name and contact information to access your account or if you wish to contact us. The consequence of not providing your name and contact information is that we will not be able to provide you with an account or contact you. Your rights Your rights in relation to your personal data under the GDPR include:

• right of access – if you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data.
• right to rectification – if the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take every reasonable step to ensure personal data which is inaccurate is rectified. If we have shared your personal data with any third parties, we will tell them about the rectification where possible.
• right to erasure – we delete your personal data when it is no longer needed for the purposes for which you provided it. You may request that we delete your personal data and we will do so if deletion does not contravene any applicable laws. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data.
• right to withdraw consent – if the basis of our processing of your personal data is consent, you can withdraw that consent at any time.
• right to restrict processing – you may request that we restrict or block the processing of your personal data in certain circumstances. If we have shared your personal data with third parties, we will tell them about this request where possible.
• right to object to processing – you may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR.
• rights related to autonomous decision making, including profiling – you have a right to not be subject to a decision based solely on automated processing including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such automated decision making is necessary for entering into, or the performance of, a contract with you, is authorised by applicable laws or is based on your explicit consent.
• right to data portability – you may obtain your personal data from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal data in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal data directly to another data controller.
• the right to complain to a supervisory authority – you can report any concerns you have about our privacy practices to the relevant data protection supervisory authority.

Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing. If you would like to exercise any of your above rights, please contact us at marketing@staah.com. If you are not satisfied by the way your query is dealt with by our data protection officer, you may refer your query to your local data protection supervisory authority e.g. in the United Kingdom, this is the Information Commissioner’s Office. CHILDREN We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to us through our website and/or by using our services, please contact us at marketing@staah.com. International transfer of data The Account and Marketing Data may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place. STAAH Group We may transfer Account and Marketing Data from the EEA to STAAH’s entities outside of the EEA. The STAAH group consists of the following companies:

• STAAH Limited – New Zealand
• STAAH Pty Limited – Australia
• STAAH Europe Limited – United Kingdom
• STAAH Hotel Software Private Limited – India

New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision when transferring personal data from the EEA to New Zealand. STAAH Pty Limited and STAAH Hotel Software Private Limited have entered into Standard Contractual Clauses as published by the European Commission. The Standard Contractual Clauses provide specific guarantees around transfers of personal data. Third party processors The Account and Marketing Data we collect may also be processed by the third parties set out below. Some of the Account and Marketing Data we collect is processed in New Zealand (where our operations are located). New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision in transferring personal data to New Zealand. Some of the Account and Marketing Data we collect is processed by us and/or third party data processors in other countries, including the United States. Where Account and Marketing Data is transferred outside the EEA, it will only be transferred to countries or specified sectors within a country that have been identified as providing adequate protection for EEA data (e.g. organisations in the United States under the EU-U.S. Privacy Shield framework), or to a third party where we have approved transfer mechanisms in place to protect your personal data (e.g. by entering into the European Commission’s Standard Contractual Clauses). For further information, please contact us using the details set out in set out in our privacy policy. List of third party processors as at 31st May 2018:

Third party processor	Purpose	Location of processor	Policy pages
Hostgator	Website hosting	USA	https://www.endurance.com/privacy/privacy
Zoho	Customer management	India	https://www.zoho.com/privacy.html
MailChimp	Email service provider	USA	www.mailchimp.com/legal/privacy
GoCardless	Payments provider	United Kingdom	https://instapage.com/privacy-policy
Xero	Cloud accounting	New Zealand	https://www.xero.com/nz/about/terms/privacy/
LiveChat, Inc.	Customer service	USA	https://www.livechatinc.com/privacy-policy/
Twak.to, Inc	Customer service	USA	https://www.tawk.to/privacy-policy/
Google, Inc.	Analytics Advertising	USA	https://policies.google.com/privacy?hl=en&gl=nz
Facebook	Advertising	USA	https://www.facebook.com/privacy/explanation
Linkedin	Advertising	USA	https://www.linkedin.com/legal/privacy-policy

DATA Retention policy Account and Marketing Data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer. The criteria we use to determine the period of time for which we keep Account and Marketing Data includes:

• the nature and type of Account and Marketing Data that you provide to us
• the purpose for which you provide Account and Marketing Data
• the necessary business and operational requirements to continue to supply you with the services or functionality that you have requested

CONTACTING US You can contact us as set out in our privacy policy. The name and contact details of our European GDPR representative are Sarah Jones, sarah.jones@staah.com.