Privacy Policy

NISKA INNOVATIONS LLC ("NISKA", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our hotel management platform, website (niskagroup.com), and related services (collectively, the "Services").

Please read this policy carefully. By accessing or using the Services you agree to the terms of this Privacy Policy. If you disagree with any part of this policy, please discontinue use of our Services.

This policy applies to all users of NISKA, including hotel operators, hotel staff, guests of NISKA-powered properties, technology partners, and visitors to our website.

NISKA INNOVATIONS LLC is incorporated in the State of Wyoming, United States of America.

Account and registration data When you register for NISKA, we collect your name, work email address, phone number, job title, company or property name, and billing information (processed via PCI-DSS compliant payment gateways; we do not store full card numbers).

Property and operational data Hotel operators provide us with room inventory, rate plans, reservation records, guest folios, housekeeping schedules, and other operational data needed to run the platform. This data belongs to the operator; we act as a data processor on their behalf.

Guest data (processed on behalf of hotel operators) When guests make reservations through NISKA-powered channels, we process guest names, contact details, stay preferences, payment tokens, and communication history on behalf of the operating hotel. Hotel operators are the data controllers for their guests' information.

Usage and telemetry data We collect log data, IP addresses, browser type, device identifiers, pages visited, feature usage patterns, and crash reports to operate, improve, and secure the Services.

Communications When you contact our support team or respond to surveys, we retain the content of those communications and associated metadata.

We use the information we collect to:

• **Provide the Services** — deliver the hotel management, channel management, booking engine, and
• **Process payments** — facilitate billing for subscriptions and transactional fees.
• **Communicate with you** — send service notifications, product updates, security alerts, and
• **Improve the platform** — analyse usage patterns, diagnose bugs, and develop new features.
• **Ensure security and prevent fraud** — monitor for suspicious activity, enforce our terms, and
• **Comply with legal obligations** — respond to lawful government requests, tax requirements, and
• **AI and machine learning features** — aggregate and anonymised operational data may be used to

We do not sell your personal data. We share data only in the following circumstances:

Service providers and sub-processors We engage vetted third-party vendors to help operate the Services, including cloud infrastructure (Google Cloud Platform), email delivery, payment processing, analytics, and customer support tooling. All sub-processors are contractually bound to handle data securely and only for the purposes we specify.

Hotel operators (for guest data) Guest data collected via booking channels is shared with the relevant hotel operator who is the data controller for that guest relationship.

Technology integration partners When a hotel operator enables a third-party integration (e.g., a channel manager, POS system, or revenue management tool) via the NISKA marketplace, data necessary for that integration is shared with the partner. Operators control which integrations are enabled.

Legal and safety disclosures We may disclose information if required by law, court order, or to protect the rights, property, or safety of NISKA, our customers, or the public.

Business transfers In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your data becomes subject to a different privacy policy.

We retain personal data for as long as your account is active or as needed to provide the Services. Specific retention periods:

• **Account data**: retained for the duration of your subscription plus 90 days after termination,
• **Reservation and folio records**: retained for 7 years to comply with tax and financial record-keeping
• **Usage logs**: retained for 12 months in raw form, then aggregated and anonymised indefinitely.
• **Support communications**: retained for 3 years.

You may request deletion of your personal data at any time (see "Your rights" below). Deletion requests are subject to our legal retention obligations.

We implement industry-standard technical and organisational measures to protect your data, including:

• Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access controls with the principle of least privilege
• Regular penetration testing and vulnerability assessments
• SOC 2 Type II audit programme (in progress)
• 99.9% uptime SLA with disaster recovery procedures

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. We will notify affected customers of any data breach in accordance with applicable law (within 72 hours where the GDPR applies, and within the timeframes required by applicable US state law).

Depending on your location, you may have the following rights regarding your personal data:

• **Access**: request a copy of the personal data we hold about you.
• **Rectification**: ask us to correct inaccurate or incomplete data.
• **Erasure**: request deletion of your data (subject to legal retention requirements).
• **Portability**: receive your data in a structured, machine-readable format.
• **Restriction**: ask us to restrict processing of your data in certain circumstances.
• **Objection**: object to processing based on legitimate interests or for direct marketing.
• **Withdraw consent**: where processing is based on consent, withdraw it at any time.

GDPR (EEA/UK users): your rights are governed by the General Data Protection Regulation.

US State Privacy Laws: residents of California, Virginia, Colorado, and other US states with privacy legislation may have additional rights under those laws.

CCPA (California users): you have the right to know, delete, and opt out of sale (we do not sell data).

To exercise any of these rights, email privacy@niskagroup.com. We will respond within 30 days.

We use cookies and similar tracking technologies to operate and improve the Services.

Essential cookies: required for authentication, session management, and security. Cannot be disabled.

Analytics cookies: help us understand how users interact with the platform (e.g., Google Analytics, PostHog). You may opt out via our cookie consent banner.

Marketing cookies: used to measure the effectiveness of our advertising. Only set with your consent.

You can manage cookie preferences via the consent banner when you first visit our website, or by adjusting your browser settings. Note that disabling essential cookies may impair platform functionality.

NISKA is headquartered in the United States. Our primary data processing infrastructure is hosted on Google Cloud Platform. Sub-processors may process data in multiple regions, including the United States and the European Union.

For transfers of personal data from the EEA/UK to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as the legal transfer mechanism.

Standard Contractual Clauses are used for transfers from the EEA/UK to the United States.

The Services are not directed at children under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us immediately at privacy@niskagroup.com and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Sending an email to the address associated with your account at least 14 days before the change takes effect.
• Displaying a notice on the NISKA dashboard.

Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.