At Reuben's Stays, your privacy matters to us as much as your comfort. This policy explains — in plain language — what personal information we collect when you book or enquire with us, why we collect it, how we protect it, and what rights you hold over your data under Indian law.
Section 1
Who We Are
Reuben's Stays is a family-run homestay business operating two properties in the Nilgiris, Tamil Nadu — Serenity and Colonial. We operate the website reubensstays.in and accept direct bookings from guests.
Under India's Digital Personal Data Protection Act, 2023 (DPDP Act), we are the Data Fiduciary — the entity that determines the purpose and means of processing your personal data. We are not a Significant Data Fiduciary, as we process limited personal data for a defined and narrow hospitality purpose.
Data Fiduciary Details
Business: Reuben's Stays | Location: The Nilgiris, Tamil Nadu, India | Website: reubensstays.in | Contact: hello@reubensstays.in
Section 2
Personal Data We Collect
We collect only the personal data that is necessary for you to make a booking, for us to manage your stay, and for us to comply with our legal obligations. We do not collect data speculatively or for purposes beyond those listed below.
| Data Type | What It Includes | Why We Collect It |
|---|---|---|
| Identity | Full name, number of guests, nationality | Confirm booking, comply with tourist register requirements |
| Contact Details | Mobile number, email address, WhatsApp ID | Booking confirmation, check-in coordination, service updates |
| Payment Information | UPI ID, bank transfer details, card type (not card number) | Process payment and issue refunds |
| Stay Preferences | Meal preferences, special requests, dietary needs | Personalise your stay experience |
| Government ID | PAN / Aadhaar number (if GST invoice is requested) | GST compliance and tax invoice generation only |
| Booking History | Prior stays, unit preference, dates | Serve returning guests better, manage availability |
| Communications | WhatsApp/email messages, review responses | Record of service requests and guest interactions |
| Device / Usage Data | Browser type, IP address, pages visited (via cookies) | Improve website performance and security |
What We Do Not Collect
We do not collect biometric data, financial credit information, health records, religious or political views, caste, or any sensitive personal data beyond what is listed above. We do not build behavioural profiles for advertising purposes.
Section 3
How We Use Your Data
Your personal data is used exclusively for the following purposes — and nothing else:
- Processing and confirming your booking reservation
- Coordinating check-in, check-out, and stay logistics with our caretaker
- Communicating updates, changes, or important information about your stay
- Arranging meals, experiences, or special requests you have indicated
- Processing payments and issuing refunds under our cancellation policy
- Generating GST invoices where applicable
- Maintaining a tourist register as required under Nilgiris district rules
- Responding to queries, complaints, or feedback from guests
- Improving our website performance and booking experience
No Marketing Without Your Consent
We do not send promotional messages, newsletters, or marketing communications unless you have explicitly opted in. If you have previously received such messages and wish to stop, simply send us a message — we will remove you immediately.
Section 4
Legal Basis for Processing
Under the DPDP Act, 2023, every act of data processing must have a lawful basis. Here is the basis on which we process each category of your data:
| Processing Activity | Legal Basis |
|---|---|
| Booking confirmation and stay management | Contract — necessary to fulfil your booking |
| Payment processing and refunds | Contract — necessary to fulfil the booking transaction |
| GST invoice generation and tax records | Legal Obligation — required under GST Act |
| Tourist register maintenance | Legal Obligation — district hospitality regulations |
| Stay personalisation and preferences | — provided when you share preferences |
| Website analytics and cookies | — via cookie consent on first visit |
| Marketing or promotional messages | — explicit opt-in required; never assumed |
Section 5
Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share it only with the following parties, strictly on a need-to-know basis, and only for the purpose of fulfilling your booking:
- Our on-site caretaker — receives your name, check-in date, guest count, and meal preferences to prepare your stay
- Payment processor (e.g. Razorpay / UPI) — receives transaction data to process your payment securely
- GST authorities — where a tax invoice is raised, the required details are shared with the Government of India as required by law
- District tourist register — name and ID details as required by Nilgiris hospitality regulations
- No other third parties — we do not share data with advertisers, data brokers, analytics companies, or social media platforms
Cross-Border Data Transfers
Your data is stored and processed within India. If any third-party tool we use (such as a booking platform or email service) processes data outside India, we ensure it is covered by adequate data protection agreements. We do not knowingly transfer personal data to countries without equivalent data protection standards.
Section 6
How Long We Keep Your Data
We keep your personal data only for as long as it is necessary for the purpose it was collected, or as required by Indian law. Here are our specific retention periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking records and guest details | 3 years | Post-stay dispute resolution and service history |
| GST invoices and payment records | 7 years | Mandatory under India's GST Act and Income Tax Act |
| Tourist register entries | As required by regulation | Nilgiris district hospitality compliance |
| Communications (WhatsApp / email) | 2 years | Service quality and dispute reference |
| Stay preferences and special requests | Duration of stay + 1 year | Returning guest personalisation; deleted on request |
| Website cookies and analytics | 12 months | Website performance; renewed with fresh consent |
Once the retention period expires, or if you exercise your right to erasure, your data will be securely deleted or anonymised.
Section 7
Your Rights Under the DPDP Act
The Digital Personal Data Protection Act, 2023 gives you clear, enforceable rights over your personal data. Here is what you are entitled to — and how to exercise each right:
Right to Access
You can request a summary of the personal data we hold about you, the purposes for which it is being used, and a list of any third parties it has been shared with.
Right to Correction
If any of your personal data we hold is inaccurate or incomplete, you have the right to ask us to correct or update it. We will do so promptly.
Right to Erasure
You can ask us to delete your personal data once the purpose for which it was collected has been fulfilled, subject to legal retention obligations (e.g. tax records).
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to Nominate
You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Please provide written authorisation.
Right to Grievance Redressal
If you believe your data rights have been violated, you may file a complaint with our Grievance Officer. Unresolved complaints may be escalated to the Data Protection Board of India.
Response Timelines
We will acknowledge all data rights requests within 48 hours and fulfil them within 30 days. Complex requests may take up to 45 days with prior notice to you. All requests must be made in writing to our Grievance Officer — details in Section 11 below.
Section 8
Children's Personal Data
The DPDP Act, 2023 requires heightened protections for the personal data of children under the age of 18. At Reuben's Stays, bookings are made by adults on behalf of their families. We apply the following practices:
- We do not directly collect personal data from children — all booking data is provided by the adult making the reservation
- Where guest details include children (e.g. number of children, age group for bed configuration), this is collected only for stay logistics and not retained beyond the booking period
- We do not send any marketing communications to or about children
- If you believe a child's data has been inadvertently collected, please contact our Grievance Officer and we will delete it promptly
Section 9
How We Protect Your Data
We implement reasonable technical and organisational safeguards to protect your personal data against unauthorised access, loss, misuse, or disclosure. Our measures include:
- Access control — only the host and designated caretaker have access to guest data, and only to the extent needed for their role
- Secure communication — bookings and payments are communicated via encrypted channels (HTTPS, WhatsApp end-to-end encryption)
- Payment security — we do not store full card or UPI credentials; payments are handled by regulated payment processors
- Physical security — any paper records are stored securely and disposed of through confidential waste methods
- Limited sharing — guest data is shared only with the minimum number of people necessary to fulfil the booking
No Absolute Guarantee
While we take our security obligations seriously, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we commit to notifying you promptly in the event of any breach that affects your data.
Section 10
Personal Data Breach Protocol
In the event of a personal data breach — any unauthorised access, disclosure, or loss of your data — we will act immediately in accordance with the DPDP Act, 2023:
Immediate Containment
Upon discovering a breach, we will immediately take steps to contain it, isolate affected systems or data, and assess the scope and nature of the incident.
Notify the Data Protection Board — Within 72 Hours
We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Act.
Notify Affected Guests — Promptly
We will contact all guests whose personal data may have been affected, describing what happened, what data was involved, and what steps we are taking.
Remediation & Review
We will document the breach, identify the root cause, implement corrective measures, and review our security practices to prevent recurrence.
Section 11
Grievance Officer
As required under the DPDP Act, 2023, Reuben's Stays has designated a Grievance Officer for all personal data related queries, rights requests, and complaints. If you wish to exercise any of your rights under this policy, or if you have a concern about how your data has been handled, please reach out directly.
Designated Grievance Officer
We're here to answer any question about your data.
Name
[Host Name] — Reuben's Stays
privacy@reubensstays.in
+91 [Your Number]
We will acknowledge your request within 48 hours and resolve it within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India at dpboard.gov.in.
Section 12
Changes to This Policy
We may update this Privacy & Data Protection Policy from time to time to reflect changes in our practices, technology, or applicable law — including updates to the DPDP Rules as they are phased in through 2027.
- Material changes will be communicated to guests who have an active booking or have stayed with us in the prior 12 months, via email or WhatsApp
- The updated policy will always be available at reubensstays.in/privacy-policy
- Continued use of our booking services after a policy update constitutes acceptance of the revised terms
- The "Last Updated" date at the bottom of this page will always reflect the most recent revision
Governing Law
This policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable GST legislation. Any disputes shall be subject to the jurisdiction of courts in Tamil Nadu, India.