Privacy · Global Policy
Your information,
held quietly.
How guest, owner, and visitor information moves from inquiry to reservation, payment, and stay support across our California-headquartered, multi-destination portfolio.
A short preface
A privacy notice written for the way the stay actually works.
Booking a vacation home touches more systems than booking a hotel room. An inquiry on this site might travel through a reservation platform, a payment processor, a guest-messaging tool, and a property owner's coordinator before arrival day. We named each of those systems below, so guests, owners, and visitors can see where their information actually lives.
Overview & scope
What this notice covers, and where it stops.
This notice applies to everydaylux.com and the related guest-services workflows operated by Everyday Luxury Inc. It covers information collected through the website, through reservation and support workflows connected to the site, and through the partners we rely on to operate bookings, payments, guest communications, and in-property services across our portfolio of vacation rental homes.
Third-party sites and platforms carry their own separate notices. When you move into a partner checkout, a payment processor, a travel insurance flow, a calendar sync, or a third-party listing site, that company's notice governs what happens inside their system. We name those partners by section below so you can find the relevant policy quickly.
If a partner system can see your information, you should be able to find that partner's name in this document.
The notice is written for current operations. If our reservation, payment, communication, or analytics stack changes materially, we update this document and adjust the effective date at the top.
Who we are
The business behind the booking.
Everyday Luxury Inc. is a California-headquartered vacation rental and hospitality company with rental properties across multiple US destinations and select international markets. Our headquarters and primary data controller of record is located at 50-855 Washington Street, Suite 2C, La Quinta, CA 92253.
Where we collect personal data from residents of the European Economic Area or the United Kingdom, Everyday Luxury Inc. acts as the data controller for that data unless a separate agreement designates one of our property partners as a joint controller. EEA and UK residents can reach us at the headquarters address in section 16, and may lodge a complaint with their local supervisory authority. Direct routing details are in section 16.
Information we collect
Eight categories of personal data.
The categories below describe the kinds of information we collect across the inquiry, reservation, stay, and post-stay phases. Not every category applies to every guest. A casual visitor browsing the site is covered only by sections one and four below.
Identity and contact data
Names, email addresses, phone numbers, mailing addresses, country of residence, and similar contact details you provide when you inquire, reserve, sign a rental agreement, or request guest support.
Reservation and stay data
Arrival and departure dates, destination and property interest, guest count, traveler names, special requests, dietary or accessibility notes shared voluntarily, concierge notes, and operational messages tied to the stay.
Payment and transaction data
Billing contact information, payment status, reservation totals, deposit and balance schedules, refunds, chargebacks, and tax-reporting metadata. Full payment-card numbers are handled by our payment processors and are not stored inside the website itself.
Government identification (when required)
For certain international destinations, local registration laws require a copy of guest passport or government ID at check-in. When that applies, the requirement and the local authority are disclosed during the booking confirmation, and the document is held only for the period the law requires.
Communications
Inbound messages, support tickets, voicemail transcripts where applicable, and the metadata associated with those messages (timestamps, channel, agent).
Marketing preferences
Newsletter sign-up status, segmentation tags (destination interest, prior stay history), and engagement records (opens, clicks, unsubscribes) for the channels you have opted into.
Device, usage, and security data
IP address, approximate location derived from IP, browser and device characteristics, pages viewed, referrers, session and cookie identifiers, form-interaction telemetry, and security logs used to detect abuse and protect the site.
In-property device data (where deployed)
A subset of properties uses smart locks, energy thermostats, or noise-decibel monitors. These devices record entry and exit timestamps, temperature setpoints, or ambient decibel levels (not voice content). Section seven names the providers and the specific properties this applies to.
How we collect it
Some from you. Some from the systems that make the stay work.
- Directly from you, when you complete a contact or inquiry form, request a quote, complete a reservation, sign a rental agreement, subscribe to the newsletter, or write to guest support.
- Automatically from the site, through cookies, analytics tags, server logs, security tools, and similar technologies. Section nine has the cookie detail.
- From reservation and payment partners, when a booking is processed through Streamline VRS or paid through Lynnbrook Group and other configured processors.
- From third-party listing channels, when a guest first inquires through Airbnb, Vrbo, or a similar marketplace and the booking is then transferred into our reservation platform.
- From household members or travel coordinators acting on behalf of the guest of record, including assistants, concierges, or family members making the arrangements.
Practical note
The current site uses a native contact-form handler that stores inquiries inside WordPress and emails the team. If Brevo is enabled later for forms or CRM, that workflow moves into Brevo and this notice is updated to reflect the change.
Use of data
Six purposes. Nothing more.
- To respond to inquiries, schedule follow-up, and route guest or owner requests to the right team.
- To process, confirm, administer, and support reservations, payments, deposits, refunds, and the operational messaging tied to a stay.
- To share relevant stay details with property owners, on-site managers, or service providers when needed to deliver the booked experience (for example, the housekeeping team needs the arrival date, not the credit card number).
- To detect security issues, prevent fraud and abuse, troubleshoot technical problems, and monitor site performance.
- To send newsletters, destination updates, or seasonal communications to guests who have opted in or where another lawful basis applies.
- To meet accounting, tax, insurance, regulatory, and audit obligations.
We do not use guest information to build profiles for sale to third parties, and we do not run behavioral advertising auctions against guest data.
Lawful bases
For guests in the EU and UK, the legal grounds we rely on.
EU GDPRUK GDPRSwitzerland nFADP
- Contract. Processing personal data is necessary to confirm and operate the reservation you have asked us to book.
- Legal obligation. Tax records, mandatory guest registration in certain jurisdictions, accounting requirements, and similar regulatory duties.
- Legitimate interests. Site security, fraud prevention, basic analytics, and operational service quality. We balance these against the rights of the people whose data is processed.
- Consent. Marketing emails, optional cookie categories, and any processing where consent is the appropriate basis. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
- Vital interests. In rare circumstances, to protect a guest's safety during the stay (for example, a wellness check coordinated with local services).
Sharing and sub-processors
The named systems guests are actually relying on.
The stay is not operated by one system alone. The list below names the partners we rely on today, what they do, and the data they see. We update this list when the stack changes.
Streamline VRS
Reservation platform of record. Sees inquiry contact, reservation dates, traveler details, and stay messaging. Used to manage availability, pricing, and the operational lifecycle of a booking.
Lynnbrook Group and payment processors
Payment processing for deposits, balances, refunds, and chargebacks. Sees the billing contact and the transaction. Full payment-card numbers are handled inside their PCI-compliant environment.
Brevo (when enabled)
Marketing email, transactional email, and CRM workflows when activated. Sees contact details, segmentation tags, and engagement events.
Hosting, security, and analytics infrastructure
Web hosting, content-delivery networks, web-application firewalls, error monitoring, and analytics tools. They see the technical and usage data described in section three.
Listing-channel partners
Airbnb, Vrbo, Booking.com, and similar marketplaces when a booking originates there. They share the guest contact and reservation details under their own privacy notices.
In-property device providers
Smart-lock, thermostat, and noise-monitor providers (such as PointCentral, Schlage Encode, August, NoiseAware, Minut) deployed at a subset of properties. They process entry timestamps, temperature setpoints, or ambient decibel readings as applicable. Voice or conversation content is not recorded.
Professional services
Accountants, auditors, insurers, and legal counsel under confidentiality obligations, when needed for the operation of the business or compliance with law.
What we do not do
We do not sell personal information for money. We do not share personal data with advertising networks for cross-context behavioral advertising. We do not rent guest contact lists.
International transfers
Bookings cross borders. So does the data.
Our headquarters are in California, and several of our partners process data in the United States. When personal data of guests in the EEA, UK, or Switzerland reaches the United States or another country outside their home jurisdiction, we rely on one or more of the following safeguards:
- Standard Contractual Clauses approved by the European Commission, with the UK Addendum and the Swiss adaptations as applicable.
- Adequacy decisions recognized by the European Commission, the UK ICO, or the Swiss FDPIC where the destination country is covered.
- Derogations under Article 49 GDPR in specific cases (such as transfers necessary to perform a reservation contract you have asked us to book).
A copy of the relevant transfer mechanism for a specific data flow is available on request through the contact path in section 16.
Cookies and site technology
Four categories. You choose three.
Cookies and similar technologies (local storage, pixels, SDKs) help the site work, stay secure, and improve over time. Visitors in the EU and UK see a consent banner that controls the optional categories. Visitors in the US see a comparable preferences link in the footer.
- Strictly necessary. Required for the site to function: session integrity, form security, load balancing. Always on.
- Functional. Remembers preferences such as currency display, recently viewed properties, and form drafts. Optional.
- Analytics. Aggregated traffic, page performance, and behavioral patterns used to improve navigation and content. Optional.
- Marketing. Limited to retargeting on platforms where we run paid campaigns. Optional. Disabled by default in the EU and UK until consent is given.
You can change your preferences any time via the Cookie Preferences link in the site footer or through your browser controls. A full cookie inventory (name, provider, purpose, expiry) is published on the cookie preferences page.
Data retention
How long we keep things, and why.
We hold information only as long as it remains useful for the relationship, required for operations, or necessary for legal and accounting purposes. Indicative periods are below; longer holds apply when law or open disputes require it.
| Category | Default retention | Trigger to extend |
|---|---|---|
| Inquiry and quote requestsPre-booking conversations | 24 months from last contact | Conversion to booking, ongoing dialogue |
| Booking and reservation recordsConfirmed stays | 7 years after the stay | Tax, accounting, insurance, dispute |
| Payment and transactionSettlement metadata | 7 years (US tax minimum) | Audit, chargeback, regulatory request |
| Guest support communicationsTickets and transcripts | 36 months from resolution | Repeat guest profile, open issue |
| Marketing engagementOpens, clicks, segments | 24 months from last engagement | Continued opt-in |
| Government ID copiesWhere law requires | Statutory minimum only | Law enforcement order |
| Security and site logsIP, fraud signals | 12 months | Active investigation |
| In-property device logsEntry, temperature, decibels | 90 days | Open damage or noise complaint |
When data passes its retention window and no legal hold applies, we delete it from active systems and rotate it out of backup snapshots in the next scheduled cycle.
Security and breach response
Encryption, access controls, and a 72-hour clock.
No security control is absolute. We maintain a defense-in-depth program designed to reduce unauthorized access, misuse, and accidental loss across the website, the reservation platform, and the systems our team uses day to day.
- Encryption in transit (TLS 1.2 minimum) for all guest-facing endpoints, and encryption at rest for stored personal data.
- Role-based access control with least-privilege defaults, multi-factor authentication for staff, and quarterly access reviews.
- Vendor security review at onboarding and at renewal, with data-processing agreements where personal data is involved.
- Logging, monitoring, and alerting across the WordPress stack and connected platforms.
If we determine a personal-data breach has occurred that creates a meaningful risk to guests or owners, we notify the relevant supervisory authority within 72 hours where the law requires it (notably under EU and UK GDPR), and we notify affected individuals without undue delay where high risk is involved.
Children's privacy
The booking adult is the customer.
Our website and reservation services are intended for adults of the age of majority in their jurisdiction. We do not knowingly collect personal information directly from children under 13 in the United States or under 16 in the EU and UK. The names of minors traveling on a reservation are provided by the booking adult as part of the stay record, are used only to operate the stay, and are not used for marketing.
If you believe a child has provided us with personal information without appropriate consent, please contact us using section 16. We review and delete the information promptly.
Automated decisions and AI
Software helps. People decide.
We do not make decisions about a guest's ability to book, the price they are quoted, or their continued access to our properties using fully automated processing alone. Software helps us draft initial responses, sort inquiries, and flag potential fraud, but every decision that materially affects a guest is reviewed by a member of our team.
If we ever introduce a meaningful automated-decision system that produces legal or similarly significant effects, we update this notice, describe the logic involved, and offer the right to request human review.
Your privacy rights
What you can ask us to do, by where you live.
California (CCPA/CPRA)EU (GDPR)UK (UK GDPR)Other US states
For California residents
- Request the categories and specific pieces of personal information collected.
- Request correction of inaccurate information.
- Request deletion, subject to applicable legal and operational exceptions.
- Request information about the categories of sources, purposes, and recipients.
- Opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share for advertising as those terms are defined under California law, but the opt-out path is available regardless.
- Receive equal service and pricing when you exercise a right, subject to lawful program limitations.
For residents of the EU, UK, and Switzerland
- Right of access, rectification, erasure, restriction, portability, and objection under the GDPR and UK GDPR.
- Right to withdraw consent for any processing based on consent.
- Right to lodge a complaint with your local supervisory authority.
For residents of other US states with privacy laws
Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia) have access, correction, deletion, and opt-out rights comparable to those above. We honor verified requests from those states under the same workflow.
How to submit a request
Email [email protected], call (760) 659-3986, or use the contact page. We may need to verify your identity before completing the request, and we may ask for additional details when an authorized agent is acting on your behalf. We respond within the timeframe required by your jurisdiction (45 days under California law; 30 days under GDPR, with one possible 60-day extension).
Property owner data
For owners, the management agreement governs.
Property owners are not guests, and the data we hold on owners (banking details for owner payouts, statements, occupancy and revenue reports, maintenance history, owner-portal credentials) is governed by the property management agreement signed at onboarding rather than by this notice. Owners with questions about their data should contact their assigned account manager or write to the address in section 16.
Updates and contact
How to reach us, and how this notice changes.
Everyday Luxury Inc. (US headquarters and data controller)
50-855 Washington Street, Suite 2C
La Quinta, CA 92253, United States
(760) 659-3986 · [email protected]
For residents of the European Economic Area
EEA residents can reach us directly at the headquarters address above. You also have the right to lodge a complaint with the supervisory authority in your country of residence. The European Data Protection Board publishes the current list of national authorities and their contact details at edpb.europa.eu/about-edpb/about-edpb/members_en. The text of the GDPR is available at gdpr-info.eu.
For residents of the United Kingdom
UK residents can reach us directly at the headquarters address above. You also have the right to lodge a complaint with the Information Commissioner's Office. The ICO website explains how to make a complaint and what to expect: ico.org.uk/make-a-complaint. General privacy guidance for individuals is available at ico.org.uk/your-data-matters.
Updates to this notice
We update this notice when our reservation systems, payment flows, contact-form processors, marketing tools, or in-property device providers change in ways that affect what we collect or how it is used. The effective date at the top of the page reflects the most recent revision. Material changes are highlighted in a banner on the homepage for at least 30 days.
Last updated: April 29, 2026
Need a booking-specific answer
Privacy questions land best with the same team handling your stay.
Disclosure questions, data requests, and reservation-specific clarifications resolve faster when the guest of record reaches out using the same contact details used for the booking.