Legal

Privacy Policy

Last updated: May 1, 2026

1. Scope

This Privacy Policy explains how Book My Points ("we", "us", "Book My Points") collects, uses, shares, and protects personal information when you visit our marketing site, browse the property directory, submit a booking request, list as an owner, or otherwise interact with our services (collectively, the "Services"). By using the Services, you agree to the practices described here.

2. Information we collect

We collect the minimum information needed to match guests with owners, verify bookings, and process payments.

Information you give us

  • Account details — for owners: name, email, phone, ownership program(s), and proof of ownership; for guests: name, email, and the contact details shared at confirmation.
  • Booking details — destination, dates, room preferences, party size, and any notes you write to your matched owner.
  • Communications — chat thread messages between you, owners, and our admins; emails you send to support.
  • Payment details — card information is collected and tokenized by Stripe; we do not receive or store your full card number.
  • Owner banking — payouts are handled through Stripe Connect; we receive confirmation that an account is set up but do not store your bank account number.

Information we collect automatically

  • Device and usage — IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
  • Cookies and similar technologies — see Section 7.
  • Logs — magic-link requests, login attempts, and security-relevant events for abuse prevention.

Information from third parties

  • Stripe — payment status, last four digits of cards on file, dispute and refund status, and Connect account verification status.
  • Resort verification — confirmation numbers and reservation details obtained directly from the booking program (e.g., Marriott Vacation Club) when we verify a stay.

3. How we use information

  • Operate the booking lottery, match guests with owners, and run the booking lifecycle end-to-end.
  • Authenticate users via email magic links and prevent unauthorized access.
  • Place card holds, capture payments after verification, issue refunds, and pay owners.
  • Send transactional notifications (proposal updates, hold reauth, status changes, dispute outcomes) and a small number of operational emails (e.g., 90-day inactivity check-ins).
  • Detect, investigate, and prevent fraud, abuse, and policy violations.
  • Comply with legal obligations and resolve disputes (including the 14-day post-stay dispute window).
  • Improve the Services — diagnostics, debugging, aggregate analytics, and product development.

4. How we share information

We do not sell your personal information. We share it only as described below.

  • Owners and guests — see Section 6 for what is shared between matched parties.
  • Service providers — Stripe (payments, payouts, identity), Cloudflare (hosting, CDN, edge compute, email routing), our email provider, and analytics tools, each bound to confidentiality and processing agreements.
  • Resorts and points programs — limited information needed to verify a reservation (e.g., name on the booking, confirmation number).
  • Legal and safety — to comply with valid legal process, enforce our Terms, and protect the rights, safety, or property of users, the public, or Book My Points.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

5. Payments and Stripe

All payments are processed by Stripe. Card details are entered directly into Stripe Elements and sent to Stripe — they do not transit our servers. We store a Stripe customer ID, payment intent IDs, hold expiry, and non-sensitive metadata (e.g., last four digits, brand) needed to display status and reconcile refunds, captures, and disputes. Owner payouts are handled through Stripe Connect Express, which maintains its own privacy notice and onboarding flow.

6. Owner ↔ guest information sharing

We minimize cross-party sharing on purpose:

  • Before you confirm a proposal, owners see only your booking parameters (resort, dates, party size, preferences). They do not see your full name, email, or phone.
  • When you confirm, the owner receives the legal name(s) needed to put on the resort reservation and a way to contact you for logistics.
  • Chat threads between you and the owner are gated by magic link, retained for support and dispute purposes, and visible to Book My Points admins for moderation and abuse prevention.

7. Cookies and tracking

We use a small number of first-party cookies and similar technologies for session management, magic-link authentication, CSRF protection, and aggregate analytics. We do not use third-party advertising cookies. Most browsers let you block or delete cookies; doing so may break sign-in and the booking flow.

8. Data retention

We keep account, booking, and payment records for as long as your account is active and for a reasonable period afterward to satisfy tax, accounting, dispute-resolution, and legal obligations (typically up to seven years for financial records). Magic-link requests, security logs, and chat threads are kept for shorter periods sized to abuse prevention and support. You may request deletion under Section 10; some records must be retained where the law or a legitimate business need requires.

9. Security

Book My Points runs on Cloudflare Workers with TLS in transit, encrypted storage, scoped credentials, and short-lived magic links instead of passwords. Card data is stored only by Stripe. No system is perfectly secure: please use a strong, unique email password and notify us promptly if you suspect unauthorized access.

10. Your rights and choices

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your account and associated data, subject to retention exceptions.
  • Export your data in a portable format.
  • Opt out of non-transactional emails (transactional booking notifications cannot be turned off while you have active bookings).
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email privacy@bookmypoints.com.

11. Children

The Services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact privacy@bookmypoints.com and we will delete it.

12. International users

Book My Points is operated from the United States and our service providers may process information in the U.S. and other countries. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) for personal data originating in the European Economic Area, the United Kingdom, or Switzerland.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or in-product banner. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

14. Contact us

Privacy questions: privacy@bookmypoints.com. General questions: contact-us@bookmypoints.com. See the Support page for issue-specific addresses.