Privacy Policy

Who we are. Backstage ("Backstage," "we," "us," or "our") operates backstage.sh and related mobile/web applications (the "Platform"). We help travelers discover and book hotels and curated travel services, and access customer support and free city guides.

Company information & contact.

Backstage Hospitality - FZCO

Premises No. 41902 001, IFZA Business Park, DDP, Dubai Silicon Oasis, Dubai, United Arab Emirates

Primary contact: support@backstage.sh

1) Scope

This Policy explains how we collect, use, disclose, and protect personal data when you use the Platform, communicate with us (including via WhatsApp), access our free city guides, or make bookings. Separate Terms & Conditions govern your use of the Platform; supplier policies (e.g., hotels) may also apply.

2) The data we collect

• Account & identity data - name, title, date of birth, nationality, phone number, email, password, profile photo; identity documents when required by a supplier (e.g., passport copy).
• Booking data - itinerary details, travel dates, property selection, rate/room type, guest names, preferences (e.g., bed, dietary), loyalty numbers, special requests.
• Payment data - tokenized card details processed by our payment service provider (we do not store raw card numbers), transaction identifiers, billing address, VAT/Tax numbers for invoices.
• Communications data - messages via in-app chat, email, WhatsApp/Telegram, support tickets, call recordings (if support calls are recorded), and survey responses.
• Guide & support usage data - categories viewed, favorites, notes, support chat transcripts, feedback on recommendations.
• Device & technical data - IP address, device IDs, OS/browser, app version, language, time zone, crash logs, diagnostic data.
• Location data - approximate location from IP or consented precise location to tailor suggestions.
• Cookie/tracking data - cookies, pixels, SDKs for core functionality, analytics, A/B testing, fraud prevention, and advertising (see §10).
• User content - reviews, photos, and other content you upload or share.

Where we get data from.

We primarily collect personal data directly from you. We may receive limited referral and technical information from metasearch or affiliate partners when they redirect you to our checkout so we can resume your session. We do not obtain your personal data from wholesalers unless they are involved in fulfilling a booking that you asked us to manage or you authorize us to liaise with them. Hotels may share limited information with us only when necessary to service a change/cancellation/refund you request.

3) Purposes & legal bases (GDPR/UK GDPR)

• To perform a contract (Art. 6(1)(b)): create accounts; process and manage bookings; provide customer support; send confirmations, reminders, and service messages; handle changes, cancellations, and refunds.
• Legitimate interests (Art. 6(1)(f)): improve and secure the Platform; prevent fraud/abuse; personalize content; analyze product usage; provide free city guides and travel content; B2B outreach; defend legal claims (balanced against your rights).
• Consent (Art. 6(1)(a)): marketing emails/WhatsApp; push notifications; cookies beyond strictly necessary; optional data such as precise location (withdraw any time).
• Legal obligations (Art. 6(1)(c)): tax and accounting, KYC/AML (if applicable), responding to lawful requests from authorities.
• Vital interests (Art. 6(1)(d)):rare cases involving emergencies affecting a guest's safety.

4) How we share data

• Travel suppliers - hotels and local operators. They act as independent controllers for their own purposes (e.g., check-in obligations).
• Payment & fraud vendors - Stripe, anti-fraud tools, 3-D Secure providers.
• Hosting & infrastructure - cloud providers, CRM/helpdesk tools, email/SMS/WhatsApp delivery platforms, analytics and product tooling.
• Affiliates & group companies - for centralized operations and support.
• Professional advisers & authorities - auditors, lawyers, insurers; regulators and public authorities as required by law.
• Business transfers - in connection with mergers, financing, or sale of assets, subject to safeguards.

We do not sell personal data. Advertising/analytics partners set cookies/SDKs only with consent where required by law.

5) International data transfers

Where personal data is transferred outside the EEA/UK/Switzerland (e.g., to the UAE or US), we rely on mechanisms such as Standard Contractual Clauses (SCCs), the UK Addendum, and supplementary measures. Copies are available on request (with necessary redactions).

6) Retention

• Booking & invoice records: up to 10 years (accounting/tax laws).
• Account data: for the life of the account and up to 24 months after last activity.
• Support chat transcripts: up to 24 months for quality and product improvement (shorter where law requires).
• Marketing data: until you opt out; we keep a suppression record.
• Logs & diagnostics: typically 12-24 months.

We may retain data longer to establish, exercise, or defend legal claims.

7) Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object (including to profiling/marketing), and data portability, and to withdraw consent. EU/UK residents can also complain to their local supervisory authority. To exercise rights, contact support@backstage.sh.

8) Children

The Platform is intended for individuals 18+. If a child has provided data, contact us to delete it.

9) Security

We employ technical and organizational measures appropriate to the risk (encryption in transit, access controls, role-based permissions, logging, vendor due diligence). You are responsible for keeping your credentials confidential and using strong passwords.

10) Cookies & similar technologies

We use cookies/SDKs that are Strictly necessary, Functional, Analytics, and Marketing/advertising (consent where required). Manage preferences via our Cookie Banner/Settings and your browser/device settings. See our Cookie Notice for vendor-level detail.

11) Communications & WhatsApp

By opting into WhatsApp or similar messaging, you consent to receiving service updates and support messages there. Provider terms and data practices apply. You can opt out any time.

12) Third-party links

Third-party sites or services we link to have independent privacy practices. Review their policies before providing data.

13) Changes to this Policy

We may update this Policy. Material changes will be notified via the Platform or email. Continued use after the effective date constitutes acceptance.

Controller role.

Unless stated otherwise, Backstage Hospitality FZCO is the controller for processing on the Platform. Where we transmit booking details to a hotel, that hotel becomes an independent controller for its own processing.