hotels.com privacy policy — score 48/100 (high risk)

Sidst analyseret

Rapportindholdet (resumé, fund, citater) er genereret på engelsk og er ikke lokaliseret.

Kør en ny analyse på en anden politik

Hotels.com (Expedia Group) · hotels.com

Rapportdetaljer

high risiko

Hotels.com (Expedia Group) collects an unusually broad range of personal data — including sensitive data, voice recordings, and co-traveler info — shares it widely with advertisers and Expedia Group brands, and uses it for extensive AI purposes with no opt-out, making this a data-hungry policy despite decent transfer safeguards.

Hotels.com's privacy statement covers an expansive data collection and sharing ecosystem. While the policy is structured and references EU-relevant safeguards (DPF certification, SCCs, Global-CBPR), the sheer breadth of data categories, purposes, and third-party recipients raises significant minimization concerns. AI usage is pervasive with no opt-out mechanism. Legitimate interest is claimed broadly for marketing and profiling. Retention periods are undefined beyond vague criteria. EU users' rights are described conditionally rather than affirmatively.

Sidst analyseret
KildeURL
Længde63,773 tegn

Vurdering pr. kategori

Opdeling af politikken på vigtige compliance-områder. God = stærk, rimelig = blandet, dårlig = bekymrende.

Data Minimizationpoor

Collects 15+ categories of personal data including government ID, voice recordings, clickstream reconstructions, sensitive data, and co-traveler info — many used for 6+ purposes, far exceeding what is necessary for booking a hotel.

Transparencyfair

The policy is detailed with tables mapping data categories to purposes and lawful bases, but it is overwhelmingly long and uses conditional language ('certain countries and regions') rather than clearly stating GDPR rights affirmatively for EU users.

Third-party Sharingpoor

Data is shared with Expedia Group companies (joint controllers), travel suppliers, targeted advertising partners, social media platforms, business partners, and data brokers — some acting as independent controllers with their own separate privacy policies.

International Transfersfair

DPF certification with SCC fallbacks and Global-CBPR participation provide legitimate transfer mechanisms, but onward transfers to numerous third-party advertisers and social media platforms are not individually assessed or disclosed.

AI/Model Trainingpoor

AI is used extensively across 13+ categories including content generation, recommendations, and pricing, all justified by legitimate interest — there is no opt-out mechanism for AI processing and no explicit statement on whether data trains foundational models.

User Rightsfair

GDPR rights are referenced but described conditionally ('certain countries and regions provide their residents with additional rights') rather than stated as universal EU rights; rights details are outsourced to a separate webpage.

Vigtige fund

Bemærkelsesværdige klausuler, problemer eller gode praksisser (kritiske først)

Kritisk

Overly broad legitimate interest claims for marketing and profiling

The policy claims legitimate interest as a lawful basis for marketing communications, targeted advertising, and building enriched user profiles across Expedia Group brands. Under GDPR Article 6(1)(f), marketing via legitimate interest requires a careful balancing test — particularly for profiling and cross-brand data synchronization. The policy states 'we will always assess it against the potential impact on your rights' but provides no specific balancing outcome or mechanism for users to challenge this assessment.

Kritisk

No opt-out for AI/ML processing of personal data

The AI section lists 13+ use categories (pricing, fraud detection, content generation, recommendations, anomaly detection, etc.) all processed under legitimate interest. There is no mechanism to opt out of AI processing of your personal data. The policy only addresses automated decision-making with legal effects, not the broader AI processing. EU users have no way to object to their data being used for AI feature generation, content generation, or enrichment of other applications.

Kritisk

Co-traveler and third-party data collection without direct consent mechanisms

The policy collects 'Friends, connections and co-traveler data' including data about travel companions and referred friends. The lawful basis listed includes 'Consent (including consent you may have received from friends or co-travelers), where applicable' — this implies Hotels.com relies on the booking person's consent for third parties' data, which is legally insufficient under GDPR. Co-travelers have no direct way to learn about or control this processing.

Advarsel

Vague retention periods with no specific timelines

The Record Retention section lists only criteria (duration of relationship, legal obligations, litigation holds, backup needs) but provides zero specific retention periods. GDPR Article 5(1)(e) requires that personal data be kept 'no longer than is necessary for the purposes.' Without defined periods, there is no way to assess compliance or for users to understand when their data will be deleted.

Advarsel

Sensitive data collection with minimal justification

The policy collects 'Sensitive data — data that could reveal racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or health or disability information' and cites legal obligations and consent as lawful bases. The example given (cancellation evidence) is narrow, but the category is listed as available for Platform Usage, Communications, and Security purposes broadly. This creates a risk of scope creep beyond the narrow justified use case.

Advarsel

Extensive onward sharing to independent controllers without equivalent safeguards

Data is shared with targeted advertising partners, social media platforms, and business partners who may act as independent controllers. The policy notes these parties are 'primarily independently responsible for their compliance with applicable data protection laws' but does not describe what contractual or technical safeguards Hotels.com imposes on these onward transfers, beyond noting DPF onward transfer liability for Expedia, Inc. specifically.

Advarsel

Clickstream data reconstruction across devices and visits

The policy describes collecting clickstream data to 'reconstruct your site journey modeled on the timing and location of your actions, and include data from different devices, distinct site visits, and visits to our other platforms.' This constitutes cross-device profiling that combines data from multiple contexts, raising concerns under GDPR Article 22 and ePrivacy requirements, yet is justified solely by legitimate interest and consent 'where requested.'

Resumé til brugeren

Your data flows far beyond booking a hotel — it's shared across the entire Expedia Group, used to train AI systems, and sent to advertisers for targeting, with no way to opt out of AI processing.

Compliance-stilling

Mixed compliance posture: strong on international transfer mechanisms (DPF, SCCs, CBPR) but weak on data minimization, purpose limitation, and AI transparency. Legitimate interest claims for marketing are aggressive and may not survive scrutiny under GDPR Article 6(1)(f).

EU-overførsler

Data is transferred to the US and other countries. DPF certification is in place with SCC fallbacks, which is adequate under current EU law, but the breadth of onward transfers to third-party advertisers and social media platforms creates risk if those parties lack equivalent safeguards.

Registrerede signaler

Specifikke datapunkter og praksisser identificeret i teksten

Indsamlede data
Government issued identification dataIdentification data (name, email, phone, address)Payment dataTravel related preferencesLoyalty dataGeolocation dataImages, videos and recordingsCommunications with Hotels.comSite interaction dataFeedback dataDevice dataFriends, connections and co-traveler dataChild dataClickstream dataBirthdate and genderVoice dataSensitive data (racial origin, religion, health, sexual orientation)
Behandlingsformål
Platform usage and bookingCommunications and customer serviceMarketing and advertisingLoyalty program administrationMarket research, analytics, and trainingSecurity and complianceAI feature generation and content creationPricing optimizationFraud detectionAutomated content moderationSearch engine optimizationRecommendations and personalizationAnomaly detection
Deling med tredjeparter
Expedia Group companies (joint controllers)Third-party service providersTravel suppliers (hotels, airlines, car rental)Business partners and co-branded offersTargeted advertising partnersSocial media and online platformsThird-party data brokersLaw enforcement and government bodiesCorporate transaction recipients
Internationale overførsler
Servers located in the United StatesEU-U.S. Data Privacy Framework certificationUK Extension to EU-U.S. DPFSwiss-U.S. Data Privacy Framework certificationStandard Contractual Clauses as fallbackGlobal-CBPR certificationIntragroup agreements with SCCsAdequacy decisions reliance
AI / Modeltræning
AI used for feature generation including embeddingsAI used for content generation (text, images, video)AI used for recommendations and personalizationAI used for pricing and margin adjustmentsAI used for anomaly detectionNo opt-out mechanism for AI processingLegitimate interest claimed as basis for AI processingAutomated decision-making with legal effects requires consent or contract

Bevisuddrag

Direkte citater fra politikken, der understøtter disse fund

We may reconstruct your site journey modeled on the timing and location of your actions, and include data from different devices, distinct site visits, and visits to our other platforms.

We will not engage in automated decision-making that involves a decision with legal or similarly significant effects solely based on automated processing of personal data, unless: you explicitly consented to the processing, the processing is necessary for entering into a contract, or when otherwise authorized by applicable law.

Consent (including consent you may have received from friends or co-travelers), where applicable

We will retain your personal data in accordance with all applicable laws, for as long as it may be relevant to fulfill the purposes set forth in this Privacy Statement, unless a longer retention period is required or permitted by law.

These third-party service providers are primarily independently responsible for their compliance with applicable data protection laws.

Certain countries and regions allow us to process personal data on the basis of legitimate interests... this interest will typically be to operate or improve our platform and communicate with you as necessary to provide our services to you... to undertake marketing, or for the purpose of detecting or preventing illegal activities.

Mangler eller uklart

  • No specific data retention periods defined
  • No DPIA summary or reference for high-risk processing
  • No explicit opt-out for AI/ML training use of personal data
  • No detail on co-traveler rights notification mechanism
  • No description of data protection impact assessment for sensitive data processing
  • No specification of which third-party advertising partners receive data
  • No clear mechanism to object to legitimate interest processing beyond marketing
  • No information on data breach history or notification timeline

Spørgsmål at stille

  • What specific balancing test has Hotels.com conducted to justify legitimate interest for marketing and cross-brand profiling, and can you provide the documentation?
  • How can EU users opt out of their personal data being used for AI feature generation, content generation, and model enrichment?
  • What mechanism exists to notify co-travelers whose data you collect through a booking person, and how can they exercise their GDPR rights independently?
  • What are the specific retention periods for each category of personal data, not just the criteria for determining them?
  • Which targeted advertising partners and social media platforms receive personal data, and what specific safeguards (beyond DPF certification) apply to those onward transfers?
  • Has a Data Protection Impact Assessment been conducted for the clickstream reconstruction across devices and the processing of sensitive data categories?
Denne analyse er genereret af AI og er ikke juridisk rådgivning. Rådfør dig altid med en kvalificeret jurist ved compliance-beslutninger.

Del denne analyse

Alle med dette link kan se resultatet ovenfor.

Bygget af DentroChat

100 % europæisk AI-chat for alle

Chat med AI, arbejd med filer, generer billeder og søg på nettet. Data forbliver i Europa.

Infrastruktur hostet i EUTekst, filer, billeder og websøgningHurtig-, Tænk- og Kreativ-tilstandePrivatliv først som standardIngen data forlader Europa
Prøv gratis →