PillowFare

Privacy Policy

Effective June 12, 2026 · PillowFare LLC

Draft for review. This policy describes PillowFare’s actual data practices but has not yet been reviewed by counsel — have a lawyer review it (and the bracketed business details) before publishing.

Summary

PillowFare is a hotel search-and-booking site. This policy explains what information we collect, why, who we share it with, and how you can exercise your rights over it. We collect the minimum needed to run the service.

The short version:

  • We collect account, search, booking, and limited device information.
  • To complete a hotel booking, we share your guest details with LiteAPI, the travel-technology provider that arranges the reservation, and with the hotel that hosts your stay.
  • Membership billing runs through Stripe; hotel payments are handled by LiteAPI’s secure payment form. We never see or store your full card number.
  • We don’t sell or rent your personal data, and we don’t use advertising trackers.
  • You can access, correct, export, or delete your data at any time.

1. Who we are

“PillowFare,” “we,” “us,” and “our” mean PillowFare LLC, a Montana limited liability company. You can reach us at [email protected] or through our contact form.

2. Information we collect

2.1 Information you give us

  • Account information: your email address and password (stored only as a salted one-way hash by our authentication provider — we never store it in plain text), and optionally your first name, last name, phone number, country, and profile photo.
  • Passkeys: if you add a passkey, we store its WebAuthn public key and signature counter. Your biometric data never leaves your device and we never receive it.
  • Search criteria: destinations, check-in and check-out dates, the number of adults, children (and their ages, which hotels use to price the stay), and rooms.
  • Booking and guest details: the guest name, email, phone, country, and any special requests you provide to complete a reservation, plus the dates, hotel, and occupancy of the booking.
  • Technical issue reports: if you report an app or website bug, we collect the contact details, problem description, severity, page or error information, and any screenshots you choose to submit so our engineering team can investigate.
  • Membership and billing data: if you subscribe to PillowFare membership, we store a Stripe customer ID and your subscription status. Your card is processed and stored by Stripe; we never see or store your full card number, CVV, or wallet credentials.
  • Referrals:a referral code tied to your account, and — if you arrived through someone’s referral link — a record connecting your account to the referrer so credit can be applied.
  • Communications: messages you send through our contact form, including the name, email, subject, and body you provide.
  • Marketing preferences: your opt-in or opt-out status for marketing emails.

2.2 Information we collect automatically

  • Device and connection data: IP address, browser type, operating system, referrer URL, pages viewed, and timestamps. Technical issue reports also store the submitting IP address and browser user agent for diagnosis and abuse prevention.
  • Cookies and similar technologies:a session cookie to keep you signed in, a long-lived visitor-token cookie so we can associate searches you make before signing up, and CSRF tokens to protect form submissions. See “Cookies” below.
  • Recent searches:we save your recent searches so you can revisit them. Anonymous visitors’ searches are tied to the visitor-token cookie; signed-in users’ searches are tied to their account.

2.3 Information from third parties

When you book, LiteAPI and the hotel return booking confirmation status, a reservation/booking ID, and related transactional information so we can show your booking and its cancellation status on your account.

3. How we use information

  • Provide the service: run searches, show live rates, save recent searches, create and manage bookings, process cancellations, and send transactional emails (booking confirmations, cancellations, password resets, contact replies).
  • Membership: create and maintain your Stripe customer and subscription, and apply member pricing while your subscription is active.
  • Referrals: generate your referral link and credit referrals between accounts.
  • Personalization: pre-fill guest and occupancy details from your prior searches.
  • Security and fraud prevention: rate-limit sign-in and form attempts, and detect abuse.
  • Communications: respond to support inquiries, send service announcements, and — with your consent — send marketing emails about deals and product updates.
  • Legal compliance: meet tax, accounting, and other legal obligations, respond to lawful requests, and enforce our Terms.

4. Legal bases (for EU/UK users)

If you are in the EU, UK, or Switzerland, we rely on these legal bases under GDPR/UK-GDPR:

  • Contract:to provide searches, bookings, and membership you’ve requested.
  • Legitimate interests: to secure the service, prevent fraud, and improve features.
  • Consent: for marketing emails and any non-essential cookies (where applicable).
  • Legal obligation: tax records, fraud investigations, and other compliance.

5. How we share information

5.1 Travel provider and hotels

PillowFare books hotels through LiteAPI(operated by Nuitée Travel), our travel-technology provider. To complete and service a reservation we share the booking’s guest details — name, email, phone, country, check-in/check-out dates, occupancy, any special requests, and an account identifier — with LiteAPI, and LiteAPI passes the information the hotel needs to honor your stay. The hotel and LiteAPI handle that data under their own privacy policies. We do not share your data with online travel agencies or advertisers.

5.2 Payment processing

  • Hotel payments are entered into a secure payment form hosted by LiteAPI and processed by its payment provider. PillowFare never receives your full card details for a booking.
  • Membership subscriptions are billed through Stripe, Inc., which processes and stores your card as a token. We store only a customer ID and subscription status.

5.3 Other service providers (processors)

  • Cloud hosting and database provider — where our application and data run.
  • Email delivery provider— outgoing transactional and (where you’ve consented) marketing email.
  • Cloudflare R2 — stores profile photos you upload.
  • Error and performance monitoring — captures application errors so we can fix them.
  • SMS delivery provider — sends booking-related text messages to the phone number you provide.

These providers act on our behalf under data-processing agreements and may only use your data as we instruct.

5.4 Legal and safety

We may disclose information when required by law, court order, or to protect the rights, property, or safety of PillowFare, our users, or the public.

5.5 Business transfers

If PillowFare is acquired or merges with another company, your information may transfer as part of that transaction, subject to this policy.

5.6 We don’t sell your data

We do not sell or rent personal information to third-party advertisers or data brokers, and we do not “share” it for cross-context behavioral advertising.

5.7 Text messages (SMS)

If you provide a phone number when booking, we may send you text messages about your reservation — such as booking confirmations, check-in reminders, and cancellation notices. Message frequency varies with your booking activity, and message and data rates may apply. You can opt out at any time by replying STOP or get assistance by replying HELP.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent are not shared with any third parties, except with our SMS delivery provider solely to send the messages described above.

6. Cookies and tracking

We use only essential cookies:

  • Session cookie — keeps you signed in after authentication.
  • Visitor-token cookie — a long-lived random ID so we can save your recent searches before you sign up.
  • CSRF token cookie — protects form submissions from cross-site request forgery.

We currently use no third-party advertising or analytics cookies, and the essential cookies above need no consent. If we add privacy-friendly analytics in the future, it will run only if you opt invia our cookie banner — choose “Necessary only” and nothing beyond the essential cookies is set. You can change your choice at any time using the “Cookie settings” link in the site footer.

7. Your rights and choices

Wherever you live, you can:

  • Access and update your account information from your profile page.
  • Change your password or add/remove passkeys.
  • Turn marketing emails on or off.
  • Cancel your membership at any time (see the Terms).
  • Request export or deletion of your account data by emailing [email protected].

7.1 EU / UK / Swiss users

You have additional rights under GDPR/UK-GDPR including access, rectification, erasure, restriction of processing, data portability, objection to processing (including direct marketing), and the right not to be subject to solely automated decisions. To exercise these rights contact [email protected]. You may also lodge a complaint with your local supervisory authority.

7.2 U.S. state privacy rights (California and others)

Residents of California (CCPA/CPRA) and other states with privacy laws have the right to know the categories of personal information we collect and share, to request a copy, to request deletion, to correct inaccurate data, and to opt out of any “sale” or “sharing” — which we don’t engage in. Submit requests to [email protected]. We will not discriminate against you for exercising these rights.

7.3 Canadian users (PIPEDA)

Canadian users may access and request correction of personal information we hold. Contact [email protected].

8. International data transfers

PillowFare is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the U.S. and in countries where LiteAPI, the hotel, and our service providers operate. We rely on Standard Contractual Clauses or equivalent safeguards where required by law.

9. Data retention

We retain personal information only as long as needed to provide the service or comply with legal obligations:

  • Account data: until you delete your account (we delete within 30 days of a verified deletion request).
  • Recent searches: 12 months after last activity, then purged.
  • Contact messages: 24 months for support history.
  • Booking, membership, and payment records: as long as required by tax and accounting law (typically up to 7 years).
  • Server logs: 90 days.

10. Security

We use industry-standard safeguards including TLS encryption in transit, one-way password hashing, server-side session storage, CSRF protection, rate limiting on sensitive endpoints, and least-privilege access controls. No system is perfectly secure — if you suspect unauthorized access to your account, email [email protected] immediately.

11. Children’s privacy

PillowFare is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. Child ages entered during a search are used only to price a stay and are not tied to a child’s identity. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The “Effective” date above tells you when this version became active. For material changes we’ll notify you by email or a prominent notice on the site before the change takes effect.

13. Contact us

PillowFare LLC
[Registered business address]
Email: [email protected]
Support: Contact form