Privacy policy
How guest and visitor information is collected, used, stored, and protected across ArtRest touchpoints.
Definitions
Data Principal – the individual to whom the personal data relates.
Data Fiduciary – the person who determines the purpose and means of processing personal data; for this policy, Art Rest Homestay is the data fiduciary.
Personal data – any data about an individual who is identifiable by or in relation to such data.
Processing – any operation performed on personal data, such as collection, storage, use, sharing or deletion.
Scope
This policy applies to personal data collected in digital form or collected by other means and subsequently digitized when you:
Make a reservation for accommodation, events, meals or other services at Art Rest through our website, by telephone, by email or via a third‑party booking platform.
Visit our home stay or use on‑property facilities such as the restaurant, event spaces or Wi‑Fi.
Interact with us on social media, complete surveys, participate in promotional activities or contact our customer service.
Who we are
Data Fiduciary (Controller): Art Rest Homestay. For any questions about this policy or to exercise your rights, please email hello@artrest.in.
What personal data we collect
We collect only personal data necessary for the specified purposes described below. Depending on your interactions with us, we may collect the following categories of personal data:
Contact and identity information: full name, phone number, email address, postal address, language preference and government identification details (e.g., passport or aadhaar number) required by local tourism regulations.
Reservation and stay details: reservation dates, room preferences, special requests, names of accompanying guests, number of guests, purpose of stay (e.g., leisure or business), goods and services purchased, loyalty program membership number and guest feedback.
Payment information: credit/debit card numbers, billing address, transaction amounts and GST details for corporate bookings. Payments are processed through PCI‑compliant payment gateways, and Art Rest does not store full card numbers.
Health or dietary information: allergy information or other health conditions, meal preferences and accessibility requirements that you choose to share with us so we can accommodate your needs. This type of data will only be processed with your explicit consent and used solely for the purpose communicated at the time of collection.
Demographic and preference information: gender and date of birth (when necessary for regulatory or identification purposes), special dates (e.g., birthdays or anniversaries), marketing preferences and interests, responses to surveys and promotions.
Automatically collected data: technical information such as IP address, device identifiers, browser type, operating system, referral URLs and browsing activity on our website. We collect this information through cookies and similar technologies to provide and improve our services and for analytics, as explained in the Cookie Policy.
CCTV and access control: for the security of our guests and staff, certain areas of our premises are monitored by CCTV. Footage is stored securely and retained only as long as necessary for security and legal compliance.
How we collect personal data
We collect personal data from the following sources:
Directly from you: when you make a booking, communicate with us by phone, email, messaging apps or social media, complete a survey or otherwise provide information.
During your stay: when you check in or check out, request services, attend events, use on‑property amenities or interact with our staff.
From third‑party sources: if you book through an online travel agency, restaurant reservation platform or other service provider, they will transmit your reservation details to us. We may also receive information from payment processors and analytics providers.
Where we collect personal data about other individuals (e.g., if you provide details of a fellow traveller), you must ensure you have their permission to share it and refer them to this policy.
Purposes and lawful bases for processing
We process your personal data only for lawful purposes recognized by the DPDP Act. We rely primarily on consent and certain legitimate uses permitted under section 7 of the Act; where another law requires us to collect or disclose information (e.g., tax, anti‑terrorism or public health requirements), we do so to comply with that law.
Our purposes include:
| Purpose | Lawful basis | Explanation |
|---|---|---|
| Reservation and stay management | Contract and consent | To create and administer bookings, allocate rooms, process payments, issue invoices, provide confirmation or pre‑arrival messages, manage check‑in and check‑out, and provide customer service. We ask for your consent when you supply personal data; without certain mandatory information (e.g., name, contact details and identification), we cannot provide accommodation. |
| Provision of on‑property services (restaurant reservations, event management, concierge, Wi‑Fi) | Consent | We use personal data to provide services you request, respond to enquiries and manage your preferences. |
| Loyalty programmes and marketing | Consent | If you opt‑in to receive promotional communications, newsletters or special offers, we will use your contact and preference information to personalise and send marketing material. You can withdraw your marketing consent at any time by following the unsubscribe instructions in our emails or contacting us. We will not send marketing communications without your prior consent. |
| Analytics and service improvement | Legitimate uses | We analyse booking patterns, website usage and guest feedback to improve our services, ensure the website functions effectively and personalise your experience. Under DPDP, processing for the purpose for which you voluntarily provided data is permitted. We use aggregated and de‑identified data for business intelligence. |
| Compliance with legal obligations | Certain legitimate uses | We process personal data to comply with applicable laws (e.g., guest registration under local tourism laws, tax and accounting regulations, law enforcement requests, public health requirements). |
| Safety and security | Legitimate uses | We use CCTV, access control systems and incident reports to ensure the security of our guests, staff and property. We may disclose personal data to law‑enforcement authorities when required by law or to protect the rights, property or safety of Art Rest, our guests or others. |
| Children’s services | Consent of guardian | We do not knowingly process personal data of individuals under 18 without verifiable parental or guardian consent. We do not engage in behavioural monitoring or targeted advertising directed at children. |
Notice and consent
Before or when we seek your consent to collect personal data, we will provide a clear notice that includes: (i) the categories of personal data we intend to process; (ii) the purposes of processing; (iii) how you can exercise your rights under the DPDP; and (iv) how to file a complaint with our Grievance Officer or the Data Protection Board. Our consent request will be written in plain language and available in English and Hindi (or other languages upon request). Consent will be free, specific, informed and unambiguous.
You may withdraw your consent at any time by contacting us or by using opt‑out features provided in our communications. Withdrawal will not affect processing that has already occurred, but we will stop processing your data for the withdrawn purpose unless there is another lawful basis for retention.
Your rights as a Data Principal
Under the DPDP Act, you have the following rights:
Right to access a summary of your personal data. You may request a summary of the personal data that Art Rest is processing about you and the types of processing activities.
Right to know recipients. You may request information about the identities of other data fiduciaries and data processors with whom your personal data has been shared.
Right to correction and completion. You have the right to have incomplete or inaccurate personal data corrected and to update your personal data. Please notify us of any changes to your contact details or preferences.
Right to erasure. You may request deletion of your personal data when the purpose for which it was collected is no longer served or when you withdraw consent. We will erase your data unless retention is required by law (e.g., accounting, tax or regulatory obligations).
Right to grievance redressal. You have the right to a readily available means of grievance redressal. You may contact our Grievance Officer using the details provided below. If we do not resolve your complaint, you may lodge a complaint with the Data Protection Board of India.
Right to nominate. In accordance with DPDP rules, you may nominate an individual to exercise your rights in the event of your death or incapacity. Please contact us if you wish to appoint a nominee.
We may require proof of identity or additional information to verify your request. We will respond within the timelines prescribed by law.
Information sharing and recipients
We will not sell or rent your personal data. We may share personal data with the following parties for the purposes described:
Service providers and processors. We engage third‑party service providers to perform certain functions on our behalf, including payment processing, reservation management, IT hosting, email delivery, marketing and analytics. Under DPDP section 8, the data fiduciary remains responsible for any processing undertaken by its processors and must ensure completeness, accuracy and security. Our processors are bound by contracts that require them to use personal data only to provide services to us and to implement appropriate security measures.
Affiliated businesses. If Art Rest is part of a group or franchise, we may share data with our affiliates for administrative purposes, unified guest experience or marketing, provided such sharing is consistent with this policy and the DPDP. We do not currently have affiliated entities but will update this policy if that changes.
Legal and governmental authorities. We may disclose personal data to law‑enforcement agencies, courts, regulators or other authorities to comply with legal obligations or respond to lawful requests, enforce our house rules or protect our rights and safety.
Business transfers. In the event of a merger, acquisition or sale of assets, personal data may be transferred as part of the transaction. We will ensure that the transferee assumes the same privacy obligations.
International transfers
Art Rest is located in India but may use service providers located in other countries (e.g., for cloud hosting or reservation systems). The DPDP allows the transfer of personal data outside India except to countries that the Indian government may prohibit. We will ensure that any cross‑border transfer complies with DPDP requirements and is subject to appropriate contractual safeguards and security measures. If we transfer your data to a jurisdiction not deemed to provide an adequate level of protection, we will take measures such as Standard Contractual Clauses or rely on government‑approved mechanisms.
Data retention and deletion
We retain your personal data only as long as necessary for the purposes described or to comply with legal, regulatory or operational requirements. Under DPDP section 8(7), a data fiduciary must erase personal data when the specified purpose is no longer served or when consent is withdrawn, unless retention is required by law. For example:
Reservation records (name, contact details, stay dates, payment receipts) are retained for six years from the end of the financial year in which the stay occurred to comply with tax and accounting obligations.
CCTV footage is retained for 30 days unless required for incident investigation or by law enforcement.
Marketing preferences are kept until you withdraw consent or for three years after your last interaction with us, whichever comes first.
When we no longer need your data, we will securely delete or anonymize it. We maintain records of deletion to demonstrate compliance and will notify you of erasure if required by law.
Security measures
Art Rest implements technical and organizational measures designed to protect personal data from unauthorized access, disclosure, alteration or destruction. Measures include:
Access controls: role‑based access for staff; unique user credentials; regular password rotations; and multi‑factor authentication for administrative systems.
Encryption: encryption of payment data during transmission and storage; secure sockets layer (SSL) or TLS encryption for our websites and electronic communications.
Network and system security: firewalls, intrusion detection and regular vulnerability assessments; secure configuration and patch management.
Data minimisation and pseudonymisation: we only collect data necessary for specified purposes and anonymise or aggregate data where possible.
Staff training and awareness: regular privacy and security training for employees and contractors.
In case of a personal data breach, we will notify the Data Protection Board of India and each affected data principal without undue delay, providing details of the breach, likely consequences, mitigation measures and our contact information. We will investigate the breach, take corrective steps to prevent recurrence and document the incident as required by law.
Cookies and tracking technologies
Our website uses cookies and similar technologies to ensure proper operation, remember your preferences, perform analytics and, with your consent, provide personalized advertising. The categories of cookies we use include:
Essential cookies – necessary for the site to function (e.g., session cookies, load‑balancing).
Functional cookies – remember your preferences, such as language and currency.
Analytics cookies – collect information about how you use our site, such as pages visited and time spent, to help us improve usability. We use this data in aggregated form.
Marketing cookies – track your visits to provide customized offers. We only use these with your explicit consent.
You can manage your cookie preferences through our cookie banner or by adjusting your browser settings. If you disable cookies, some parts of our website may not function correctly. Our cookie banner links to this policy and explains how to exercise your rights and make a complaint.
Children’s privacy
Art Rest does not knowingly collect personal data from anyone under 18 years of age without verifiable parental or guardian consent. If we become aware that a child’s data has been collected without such consent, we will delete it immediately. We do not engage in tracking or behavioral monitoring of children or targeted advertising to them.
Grievance redressal and contact
If you have any questions, concerns or requests relating to this policy or your personal data, please contact our Grievance Officer:
Email: hello@artrest.in
We will acknowledge receipt of your complaint within seven days and endeavour to address it promptly. If you are unsatisfied with our response, you may file a complaint with the Data Protection Board of India.
Changes to this policy
We may update this privacy policy to reflect changes in the law or our processing practices. The “Last updated” date at the top of the policy will tell you when it was last revised. If we make material changes, we will notify you through our website or by email before the changes take effect.