Palmabook Data Deletion and Privacy Rights

==========================================

Palmabook Holdings, Inc. (Delaware, USA) operates the Palmabook travel platform that helps guests and hosts manage vacation rentals primarily in Cancun and other Quintana Roo destinations as well as in Cuba. Protecting personal data and enabling user control are central to how we build, operate, and improve the service. This page explains how individuals can request deletion of their personal information, what rights exist across major privacy frameworks, what data categories we hold, how long they are retained, the verification and deletion process, and what circumstances may legitimately prevent full erasure. It also identifies relevant data protection authorities for further recourse if you ever believe your rights have not been respected.

The explanations below apply to all visitors, guests, hosts, and partners who interact with Palmabook through our website, apps, affiliate channels, OTA synchronization endpoints, or advertising integrations. All processing is carried out by Palmabook Holdings, Inc. in the United States, with data flows to trusted third parties such as Stripe, PayPal, Google, and the networks necessary to operate our marketplace.

1. Your Rights to Deletion and Related Controls

Individuals may have different legal rights to request deletion or erasure of their personal data depending on the place of residence. Palmabook recognizes and honors the core elements of these frameworks even where not strictly required by law.

European Union and United Kingdom - GDPR Article 17

If you are located in the European Economic Area or the United Kingdom, you have the “right to erasure” under Article 17 of the General Data Protection Regulation. You may request that we delete personal data about you where one of the following applies:

• The data is no longer necessary for the purposes for which it was collected.
• You have withdrawn consent and there is no other lawful ground for processing.
• You have objected to the processing and there are no overriding legitimate grounds.
• The data was processed unlawfully.
• The data must be erased to comply with a legal obligation under EU or member state law.

Palmabook will honor such requests subject to obligations including recordkeeping and legal enforcement requirements. The normal response time is 30 days from receipt and verification of your identity. We may extend this period by a further two months for complex requests while notifying you of the extension.

California - CCPA and CPRA

California residents have a right to request deletion of personal information under the California Consumer Privacy Act and its amendment, the California Privacy Rights Act. We will delete the information from our active systems and direct our service providers to do the same unless an exception applies. Standard response time is 45 days, extendable to 90 days with notice. We will retain information needed to complete a current transaction, detect fraud, or comply with legal obligations.

Brazil - LGPD Articles 18 and 19

Under Brazil’s Lei Geral de Proteção de Dados Pessoais, individuals can request deletion of personal data processed with their consent or where processing was unnecessary or excessive relative to legitimate interests. We will acknowledge receipt and follow the procedures established by the National Data Protection Authority (ANPD). Our confirmation or substantive response will normally be provided within 15 days.

Mexico - LFPDPPP ARCO Rights

Palmabook recognizes the rights of Access, Rectification, Cancellation, and Opposition set out in Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP). A “Cancellation” request is equivalent to a deletion request. Because Palmabook Holdings, Inc. is a US entity, we apply these rights contractually in relation to users booking Mexican accommodations. A verified request will trigger review and subsequent confirmation of suppression where permitted.

Canada - PIPEDA

Canadian users benefit from the right under the Personal Information Protection and Electronic Documents Act to request that an organization correct or delete personal information that is inaccurate, outdated, or no longer required for legitimate business purposes. We will consider deletion requests and may offer anonymization where complete removal would impede auditing, fraud prevention, or dispute resolution obligations.

Global Harmonization

Even outside these jurisdictions, any user may request that Palmabook delete their account and personal data. While specific statutory rights may not apply everywhere, Palmabook voluntarily provides similar controls to maintain trust and consistency.

2. Categories of Personal Data Collected and Processed

To understand what can be deleted and what must be retained, you should know what categories of data we hold. The following covers the main data groups within our systems.

Account Information

When you register or sign in, we hold basic identifiers such as your name, email, hashed password, nationality selection, and verification status. If you log in via a third-party identity provider or OTA channel, we receive profile identifiers from that integration.

Booking and Transaction History

Your reservation details, stay dates, property identifiers, amounts paid, applied cancellation policies, and related correspondence are stored on our secure servers. These records ensure accurate accounting, dispute resolution, and compliance with consumer protection and tax laws.

Payment Instruments and Stripe Connect Tokens

Palmabook never stores full credit card numbers. Payment processing is handled through Stripe Connect using tokenization under PCI-DSS security managed by Stripe Elements. The tokens allow partial refunds or security deposits during and after a stay, and they are deleted or invalidated once no longer required. PayPal transactions follow a similar pattern governed by PayPal’s privacy framework.

Communications and Messaging

Messages exchanged through the Palmabook interface between guests and hosts or between users and support agents may contain personal information. These communications are retained for operational and trust and safety purposes.

Analytics and Cookies

We use Google Analytics 4 (G-6Z719PJGL3) with Google Consent Mode v2 to gather aggregate metrics such as visits, conversion rates, and device characteristics. These analytics cookies can be consented to or disabled by users. Data generated by Analytics is stored on Google servers in aggregated form and cannot be individually erased but can be anonymized or detached from identifiers if requested.

Technical Logs

IP addresses, browser headers, and session identifiers are recorded for security and anti-fraud purposes. Logs have expiration lifecycles, typically no longer than 12 months, unless longer retention is needed for investigation.

Partner and Channel Integrations

If you synchronize listings or reservation calendars from Airbnb, Booking.com, Vrbo, or Expedia, the respective platform data feeds may include property identifiers and reservation metadata. These are stored solely to maintain synchronization. Additionally, affiliate conversions registered through the AWIN network may record click-through identifiers and transaction IDs, which are pseudonymized.

Understanding the above helps clarify what information can be completely erased and what may require anonymization due to ongoing legal or technical dependencies.

3. Submitting a Data Deletion Request

Using Account Settings

Whenever possible, deletion should start from your Palmabook account panel. Within your account settings, you can choose “Delete my account” which initiates a verified process. We will send a verification email to the registered address to confirm you genuinely wish to erase data.

Request via Email

If you cannot access your account, you may submit your deletion request in writing to either partners@palmabook.com or partners@palmabook.com. Please specify:

1. Your full name and the email associated with your account.
2. The country or jurisdiction of residence.
3. Whether you are a guest, host, or partner.
4. Any relevant reservation number or transaction ID.
5. A statement declaring that you wish to have your personal data deleted.

We will never require you to provide unnecessary personal data to exercise your rights, but we may need additional information to verify your identity and prevent fraudulent deletion requests.

Identity Verification

For security, we will verify identity before acting on a deletion request. Verification may involve emailing a signed confirmation, confirming control over the registered account email, or validating a payment token or booking reference. If you act on behalf of someone else, a written authorization or power of attorney will be required.

Confirmation and Timeline

Once verified, we will execute deletion within the timelines required by applicable law. You will receive a confirmation that the process has been completed or an explanation if partial deletion or anonymization was necessary. Typical response periods:

• GDPR / UK: within 30 days.
• CCPA / CPRA: within 45 days, extendable to 90 days.
• LGPD: acknowledgment immediately, substantive response within 15 days where required.
• Other regions: best effort within 30 to 45 days.

If additional processing time is needed due to complex data-linking or third-party cooperation, we will notify you.

4. What Happens During and After Deletion

Deletion affects how you interact with the platform and how Palmabook retains information needed to operate its systems.

Account and Access Termination

Deleting your account disables all login credentials, associated listings, reviews, messages, and stored preferences. Once deletion is complete, your account cannot be restored.

Bookings in Progress

Data required to complete or resolve current or upcoming bookings will not be deleted until those transactions conclude. This ensures guests and hosts can manage check-ins, cancellations, and payments correctly. If you request deletion during an active reservation, we will proceed once the booking is completed or cancelled under the applicable policy.

Financial and Legal Records

Certain financial and compliance data, including payment records and invoices, must be retained for tax and auditing obligations. Stripe or PayPal may also be required under their own regulators to keep limited data concerning transactions processed through their systems. We will ensure this information is minimally retained and access is restricted.

Dispute Resolution and Fraud Prevention

Palmabook’s trust and safety architecture depends on historical information to prevent fraud, protect users, and resolve complaints. We may retain pseudonymized identifiers that permit us to recognize banned or high-risk profiles without storing user-identifying data.

Analytics and Aggregated Data

When personal identifiers are removed, aggregate or statistical data may persist for business intelligence and performance measurement. Such data is not considered personal because it no longer relates to any identified individual.

Partner Integrations

Where we share data with external platforms such as Airbnb, Booking.com, Vrbo, Expedia, or AWIN, your deletion request will not automatically extend to those parties. You should contact each platform directly to exercise equivalent rights. However, once deletion is complete on our side, Palmabook will stop transmitting updates or syncing personal identifiers to or from those partners.

5. Legal Bases and Limitations to Deletion

There are legitimate scenarios under each privacy law where an organization may deny or restrict full deletion.

1. Legal Obligations: We must retain certain booking and payment records to comply with commercial, accounting, and taxation laws.
2. Security and Fraud Detection: Deleting all records might impair detection of repeat fraudulent actors. We may retain hashed or pseudonymized identifiers solely for security.
3. Dispute Management: Data relevant to existing claims, chargebacks, or litigation will be preserved until those matters are resolved.
4. Freedom of Expression: Reviews posted by users may fall within protected expression; we anonymize rather than delete them where necessary.
5. Backup Systems: Erasure from live systems is immediate, but copies in encrypted backups will disappear naturally upon rotation within our retention schedules.

In each instance we apply strict minimization and ensure any retained data is accessible only for the specified legal purpose.

6. How Children’s Data Is Treated

Palmabook is not directed to minors under the age of 18. We do not knowingly collect or retain personal information from anyone under 18 years old. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Parents or legal guardians who believe their child has used Palmabook may contact partners@palmabook.com to request deletion.

7. Data Retention Periods and Anonymization Procedures

Routine Retention

• Booking data: 7 years after completion, for tax documentation and disputes.
• Communications: 3 years after account closure, then anonymization.
• Access logs: 12 months.
• Cookies and analytics: as managed within Google Analytics’ retention settings (26 months by default).

Anonymization

When deletion of all identifiers would compromise the integrity of analytic trends or risk management, we replace user identifiers with irreversible hashes. This transforms data to a form that cannot be linked back to you. Once anonymized, data is excluded from privacy rights because it ceases to be personal information.

8. Appeals and Supervisory Authority Contacts

If you believe Palmabook has not respected your deletion right, you may first appeal internally by writing to partners@palmabook.com with “Deletion Appeal” in the subject line. The appeal will be reviewed by a senior privacy officer not involved in the original decision and answered within 30 days.

If you remain unsatisfied, you have the right to contact your local data protection authority. Below are illustrative regulators relevant to major jurisdictions served by Palmabook users:

• United Kingdom: Information Commissioner’s Office (ICO)
• France: Commission Nationale de l’Informatique et des Libertés (CNIL)
• Spain: Agencia Española de Protección de Datos (AEPD)
• Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)
• Canada: Office of the Privacy Commissioner of Canada (OPC)
• California: California Attorney General, Privacy Unit
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
• European Union: The supervisory authority of your EU Member State of residence

You may also consult their websites for submission procedures. Palmabook will cooperate with any lawful investigation or inquiry from these regulators.

9. Interaction with Other User Rights

Deletion requests interact with additional privacy and transparency rights such as access, rectification, and portability:

1. Access: Before deletion, you may request a copy of your data to verify what Palmabook holds.
2. Rectification: If you prefer correction instead of deletion, we can update inaccurate information.
3. Portability: Where technically possible, we can supply structured data of your bookings and reviews for transfer to another platform.
4. Restriction: You may request that processing of certain data be temporarily halted while verifying accuracy.

Once your account and data are deleted, these additional rights no longer apply because the data no longer exists.

10. Safeguards and Audit Trail

Palmabook maintains advanced technical and organizational safeguards to manage deletion requests securely.

• Encryption: All personal data is stored encrypted both in transit (TLS 1.2+ or equivalent) and at rest.
• Access Controls: Only trained personnel authorized under confidentiality agreements can action deletion requests.
• Audit Logging: Each data-deletion event is recorded in an audit trail so we can document compliance.
• Third-Party Contracts: Our agreements with Stripe, PayPal, AWS, Google Cloud, and OTA partners include clauses requiring cooperation with deletion when technically feasible.
• Continuous Review: Privacy workflows are audited annually and after any significant structural change.

These measures ensure erasure is accurate, verified, and documented.

11. Relationship with Service Providers and Processors

Stripe and PayPal

When processing payments, Stripe and PayPal act as independent controllers for regulated financial data. If you wish to delete data held by those processors, you should contact them directly. Palmabook’s deletion of your account will revoke API tokens connecting to those processors.

OTA Channel Synchronization

Our platform offers calendar and booking syncs to Airbnb, Booking.com, Vrbo, and Expedia through iCal links and RateHawk bedbank integration. These data flows are controlled under their own privacy terms. Deleting your Palmabook account stops new data transfers but does not remove data previously shared within their systems.

Google Analytics and Ads

Analytics identifiers collected through Google services operate on aggregate principles. At your request, we can reset tracking identifiers or delete stored user-level analytics data where technically feasible.

AWIN Affiliate Program

Affiliate tracking through AWIN uses pseudonymous IDs to record referral performance. Deletion of your user account does not directly impact AWIN’s affiliate records, but those identifiers cannot be traced back to you once your Palmabook data is removed. Requests concerning AWIN data should be directed to that partner.

Cloud Infrastructure

Palmabook’s servers are hosted in the United States with redundancy and regional failover. Backups are encrypted, and data in backup snapshots is automatically purged on rotation cycles not exceeding one year.

12. International Data Transfers and Legal Mechanisms

Because Palmabook Holdings, Inc. is located in the United States, personal information from users in other countries is transferred under recognized safeguards:

• Standard Contractual Clauses (SCCs) for transfers from the EEA or UK.
• Adequacy-understanding frameworks where recognized by the European Commission, UK government, or other regulators.
• Contract-based assurances and security standards that meet or exceed ISO-27001-equivalent controls.

Upon account deletion, these contractual clauses remain valid only for data still subject to retention obligations. Once deletion is complete, the clause obligations naturally expire.

13. Automated Decision-Making and Profiling

Palmabook does not perform fully automated decision-making that produces legal or similarly significant effects on individuals. Some minimal automated screening occurs to prevent spam listings or fraudulent transactions. These processes rely on temporary scoring data which is deleted or anonymized after review. If you request deletion, such profile scores are purged along with your account identifiers.

14. Updates to this Data Deletion and Privacy Rights Page

Palmabook may revise this page to reflect new laws, technical changes, or internal process updates. Changes will be published on this page accompanied by the template banner stating “Effective date: as of the date of your visit.” Continued use of Palmabook following an update constitutes acknowledgment of the revised policy. Significant changes affecting user rights will be communicated within the platform or by email to registered addresses where required by law.

15. Contact Information

For any questions or to exercise your data-deletion rights, contact us at:

• For deletion or legal requests: partners@palmabook.com
• For partner accounts or listings: partners@palmabook.com

If you have advertising-related privacy questions, you may also contact ads@palmabook.com.

Please include only the information necessary for us to identify your account. We will treat all correspondence with strict confidentiality.

16. Summary of Key Points

• Users in the EU, UK, California, Brazil, Mexico, and Canada can request deletion under their applicable privacy laws.
• Requests are free of charge and typically completed within 30-45 days.
• Some data must remain for legitimate legal, tax, or security reasons.
• Analytics and backup systems handle deletion through anonymization and lifecycle expiration.
• Palmabook relies on modern technical safeguards and audits deletion for compliance transparency.

Data protection is a continuous commitment. Palmabook Holdings, Inc. (Delaware, USA) remains responsible for ensuring that every deletion request is handled ethically, securely, and lawfully, maintaining balance between user privacy, safety, and the integrity of the travel marketplace.