Introduction

OwlTing Group (“OwlTing”, “we”, “our” or “us”) cares about the security and privacy of your personal data. This Privacy Policy describes the information we process and other products and services offered by OwlTing (“OwlTing Services” or “Services”).

Overview

We may collect and use your personal data from various sources, including without limitation when you access our website (https://www.owlting.com) (“Site”) and OwlTing’s various mobile apps (“Mobile Apps”).

Table of Contents
  • What are the OwlTing Services?
  • Personal Data We Collect
  • How We Use Personal Data
  • Legal Basis for Processing (For EEA Users only)
  • Mobile Devices
  • How We Disclose Personal Data
  • How We Protect Personal Data
  • Data Retention Policy
  • Your Rights and Choices
  • Link to Other Websites
  • Used by Minors
  • Updates To This Privacy Policy and Notifications
  • California Consumer Privacy Act (CCPA)
  • Languages
  • Contact Us
  • What are the OwlTing Services?

    Note: OwlTing Services do not include some OwlTing-offered products or services that have their own separate privacy policies and terms of service (e.g., OwlPay).

    The OwlTing Services include:

    To learn about our privacy practices for OwlPay, please visit here.

  • Personal Data We Collect

    We collect your personal data when you register with or access our Services or otherwise interact with OwlTing. We may collect the categories of information, including, but not limited to, the categories described below:

    • Data You Provide. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (“Anonymous Data”). We collect the content, communications and other information you provide when you use our Services such as when you create or use your account with us (“Account”) or when you provide feedback to us. Information we collect may include the following:

      • Identity Data includes first name, maiden name, last name, nationality, gender, marital status, passport number, ARC number, driver’s license number, Social Security number, Taxpayer Identification number, or other government-issued identification number.
      • Contact Data includes email address, residential address, billing address, and phone numbers.
      • Demographic Data includes your date of birth, and country/region.
      • Financial Data includes bank account, payment and digital wallet information.
      • Transaction Data includes details about when and where payment transactions occur, the names of the transacting parties, a description of the transactions, the payment or transfer amounts, billing and shipping information, and the devices and payment methods used to complete the transactions.
      • Profile Data includes your username, password, preferred language, survey responses, promotions, or other prospective seller marketing forms or devices; suggestions for improvements; referrals; or any other actions you perform on our Services.
    • Data We Collect Automatically. When you use our Services, we may automatically collect some information by using server logs and other similar technologies. We may collect information about your usage of and activity on our Services. This information includes:

      • Technical Data includes device-specific information (such as your hardware model, operating system version, unique device identifiers and mobile network information), Internet protocol (IP) address, device event information such as crashes, system activity, hardware settings, browser type, language, and the date and time when you access our Services.
      • Location Data includes information about your location, obtained via various technologies including your Internet protocol (IP) address (a number assigned to every device connected to the Internet, allocated in geographic blocks) and other identifiers that may, for example, provide us with information on nearby devices and Wi-Fi access points.
      • Usage Data includes information about how you use our Services such as your preferences, characteristics, and behavior.
    • Data We Collect from Other Sources.

      • Third-Party Services. If you link, connect, or log in using the single sign-on (“SSO”) via a third party service (e.g. Google, Facebook, Line), you direct the service to send us information such as your registration, friends list, and profile information as controlled by that service or as authorized by you via your privacy settings at that service.
      • Other Sources. To the extent permitted by applicable law, we may receive additional information about you, such as references, demographic data or information to help detect fraud and safety issues from third party service providers and/or partners, and combine it with information we have about you. For example, we may receive background check results or fraud warnings from identity verification service providers for use in our fraud prevention and risk assessment efforts.

    We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

    We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic and biometric data).

  • How We Use Personal Data

    We rely upon a number of legal grounds to enable our use of your personal data. We use personal data to facilitate the business relationships we have with our Users, to comply with our financial regulatory and other legal obligations, and to pursue our legitimate business interests. We also use personal data to complete transactions and to provide payment-related services to our Users. The information we collect allows us to:

    • Contractual and Pre-contractual Business Relationships. We use your personal data for the purpose of entering into business relationships with you, and to perform the contractual obligations under the contracts that we have with you. Activities include: Creation and management of your accounts and account credentials, including the evaluation of applications to commence or expand the use of our Services; Accounting, auditing, and billing activities; and processing of payments, including fraud detection and prevention, optimizing valid transactions, communications regarding such payments, and related customer service.
    • Legal Compliance. We use your personal data to verify your identity in order to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations. For example, we may be required to record and verify your identity for the purpose of compliance with legislation intended to prevent money laundering and financial crimes. These obligations are imposed on us by the operation of law, industry standards, and by our financial partners, and may require us to report our compliance to third parties, and to submit to third party verification audits.
    • Legitimate Business Interests. Where allowed under applicable law, we rely on our legitimate business interests to process your personal data. When we do so, we balance our legitimate interests against the interests and rights of the individuals whose personal data we process. The following list sets out the business purposes that we have identified as legitimate:

      • Detect, monitor and prevent fraud and unauthorized payment transactions;
      • Mitigate financial loss, claims, liabilities or other harm to you, the public, and OwlTing;
      • Determine eligibility for and offer new OwlTing products and services;
      • Respond to inquiries, send Service notices and provide customer support;
      • Promote, analyze, modify and improve our Services, systems, and tools, and develop new products and services, including reliability of the Services;
      • Manage, operate and improve the performance of our Services by understanding their effectiveness and optimizing our digital assets;
      • Analyze and advertise our Services;
      • Conduct aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of, our business;
      • Share your personal data with third party service providers that provide services on our behalf and business partners which help us operate and improve our business;
      • Enable network and information security throughout OwlTing and our Services; and
      • Share your personal data among our affiliates for administrative purposes.
    • Service-Related Interaction. We may process and use your personal data to communicate with you, for example, to provide information relating to our Services. We may also send service-related emails, conduct surveys and get feedback from you, or otherwise interact with you when you register with or access our Services based on the information you provide us.
    • Advertising. We may use your personal data and your device to target advertisements for our Services to you on our Site and other sites you visit (“interest-based advertising”), where allowed by applicable law, including any consent requirements. For example, when you visit our Site, we will use cookies to identify your device and direct ads for our Services to you. You have choices and control over our cookies (or similar technologies) we use to advertise to you. Please see our Cookie Policy for more information. At present, there is no industry standard for recognizing Do Not Track browser signals, so we do not respond to them.
    • Marketing. We may use your personal data to send you promotional messages, marketing, advertising, and other information based on your preferences, including social media advertising through social media platforms; to personalize, measure, and improve our advertising; and to analyze characteristics and preferences in order to send you promotional messages, marketing, advertising and other information that might be of interest to you. You can opt out of receiving marketing communications from us at any time by using the “Unsubscribe” link in each newsletter or communication, or through your account (if you have created one).
  • Legal Basis for Processing (For EEA Users only)

    This section only applies to European Economic Area (“EEA”) users. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

    • Where we need to perform the contract we are about to enter into or have entered into with you.
    • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
    • Where we need to comply with a legal or regulatory obligation.
  • Mobile Devices

    With your consent, we may send you push notifications. You may grant us access to your location information or contact details in order to provide our Services to you. When you upload a picture from your mobile device, your picture may also be tagged with your location information. Please read the instructions of your mobile device to understand how to change the settings and enable the sharing of such information or the receipt of (or opt out of receiving) push notifications (including Software Development Kit (“SDK”) and push token data). Different device operating systems may have different default settings, so please familiarize yourself with such settings governing push notifications.

  • How We Disclose Personal Data

    We value your privacy. We do not share, sell, lease, transfer or otherwise disclose your personal data to third parties unless otherwise stated below.

    • Verification Service Providers. In order to detect and/or prevent fraud and comply with our legal obligations, we will sometimes need to share your information with third party identity verification services.
    • Operational Service Providers. In order to deliver our Services to you, we will need to share your information with third parties who provide us with certain tools/services including data storage, customer service platforms, accounting and invoicing, IT, email and other communication tools, security and fraud detection.
    • Other Service Providers. In order to improve the functionality of our Services, we will sometimes share your information with service providers that help us analyze how people are using our Services in order for us to refine the product. We may also share your information with service providers who help us to deliver certain advertising/marketing campaigns in order to grow our business.
    • Law Enforcement Agencies and Regulators. We may share your personal data as we believe necessary: (i) to comply with applicable law, or rules imposed by a payment method in connection with use of that payment method; (ii) to enforce our contractual rights; (iii) to protect the Services, rights, privacy, safety and property of OwlTing, our Users or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
    • Group Companies. Information may be shared with OwlTing Group entities in order to, inter alia, meet our legal and regulatory obligations. EEA Users should be aware that OwlTing Group’s affiliates are likely to act as processors in respect of your personal information in order to provide you with the best possible service and customer support.
    • Business Partners. From time to time we may partner with other companies (“Partners”) to allow you to transact with individuals that are customers of such Partners and not OwlTing. In order to complete these transactions, we will need to share information regarding your account (such as name, email address, phone number and date of birth) with the applicable Partner so that they can meet their legal and regulatory obligations. Your information will only be shared with such Partners to the extent you actually transact or interact with customers of such Partner.
    • Suppliers. We may share your personal data with our suppliers such as accommodation properties (e.g., the specific accommodation that you have requested us to reserve through OwlJourney) or third party vendors (e.g., the details of your order that you placed through OwlTing Market) and/or third party accommodation suppliers, and activity providers (e.g., your reservation for tours). These suppliers may contact you as necessary to obtain additional information about you, facilitate your reservation including communicating with you prior to arrival about your upcoming stay, or respond to a review you may submit in accordance with their own independent privacy policies.
    • Professional Advisers. In order to complete third party financial, technical, compliance and legal audits of OwlTing’s operations or otherwise comply with our legal obligations, we may need to share information about your account as part of such review with professional advisers acting as processors or joint controllers who provide consultancy, banking, legal, compliance, insurance or accounting services.
    • Third Parties. We may choose to sell, transfer, or merge parts of our business or our assets to third parties. Alternatively, we may acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
    • With Your Consent. Where you provide consent, we share your information as described at the time of consent. For example: At your direction or as described at the time you agree to share; or when you authorize a third-party application or website to access your personal information.
  • How We Protect Personal Data

    We use reasonable technical and organizational information security measures to protect your personal information from leakage or unauthorized access and to reduce the risks associated with providing personal information. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

    We cannot, however, guarantee that your personal data will not be accessed, disclosed, altered, or destroyed as a result of attacks by hackers or other skilled computer experts. If you have reason to believe that your interaction with us is no longer secure (e.g., you feel that the security of your account has been compromised), please contact us immediately.

    In relation to EEA Users, we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  • Data Retention Policy

    We retain your personal data as long as we are providing our Services to you. Even after we stop providing our Services directly or indirectly to you, and even if you close your account, we keep your personal data in order to comply with our legal and regulatory obligations. We may also keep it to assist with our fraud monitoring, detection and prevention activities. We also keep your personal data to comply with our tax, accounting, and financial reporting obligations, where we are required to retain the data by our contractual commitments to our financial partners, and where data retention is mandated by the payment methods you used. In all cases where we keep data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

    Even after you close your account, we may be required to retain certain information you have provided for a number of years. For example, we are subject to various AML and CTF regulations which, in a number of jurisdictions, require us to retain certain personal data for a minimum period of five (5) years following the closure of your account.

    For further details of retention periods for different aspects of your personal data please contact us.

    In some circumstances we may use Anonymized Data (defined in Section 2) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

  • Your Rights and Choices

    You may have choices regarding our collection, use and disclosure of your personal data:

    • Opting out of receiving electronic communications from us. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable.
    • How you can see or change your account personal data. If you would like to review, correct, or update your personal data that you have previously disclosed to us, you may do so by signing in to your account or by contacting us.
    • Your data protection rights. Depending on your location and subject to applicable law, you may have the following rights with regard to the personal data we control about you:

      • The right to request confirmation of whether OwlTing processes personal data relating to you, and if so, to request a copy of that personal data;
      • The right to request that OwlTing rectifies or updates your personal data that is inaccurate, incomplete or outdated;
      • The right to request that OwlTing erase your personal data in certain circumstances provided by law;
      • The right to request that OwlTing restrict the use of your personal data in certain circumstances, such as while OwlTing considers another request that you have submitted (including a request that OwlTing make an update to your personal data);
      • The right to request that we export your personal data that we hold to another company, where technically feasible;
      • Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time; and/or
      • In some cases, you may also have the right to object to the processing of your personal data.
    • Process for exercising data protection rights

      • No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
      • What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
      • Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
  • Link to Other Websites

    Our Services may provide the ability to connect to other online services. These online services may operate independently from us and/or may have their own privacy notices or policies, which we strongly suggest you review. If any online service linked to our Services is not owned or controlled by us, or does not claim to be covered by this Privacy Policy, we are not responsible for it and/or it is not covered by this Privacy Policy. Please refer to the privacy policy associated with that online service.

  • Used by Minors

    Our Services are not directed to minors, including children under the age of 13, and we request that they not provide personal data through the Services. In some countries, we may impose higher age limits as required by applicable law.

  • Updates To This Privacy Policy and Notifications

    We may change this Privacy Policy from time to time. When we do make updates, we will let you know by changing the “Last updated” legend at the top of this Privacy Policy. If it is a big update, we will send you a notification or post a notice on our website. If you ever have any questions about changes made to the Privacy Policy, please contact us.

    If applicable law requires that we obtain your consent or provide notice in a specified manner prior to making any changes to this Privacy Policy applicable to you, we will provide such required notice and will obtain your required consent.

  • California Consumer Privacy Act (CCPA)

    If you are located in California, we process your personal data in accordance with the California Consumer Privacy Act (CCPA). This section provides additional details about the personal data we collect and use for purposes of CCPA.

    • How We Collect, Use, and Disclose Your Personal Data. The Personal Data We Collect section describes the personal data we may have collected about you, including the categories of sources of that information. We collect this information for the purposes described in the How We Use Personal Data section. We share this information as described in the How We Disclose Personal Data section. OwlTing uses cookies, including advertising cookies, as described in our Cookie Policy.
    • Your CCPA Rights and Choices. As a California consumer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your personal data:

      • Exercising the right to know: You may request the following information about the personal information we have collected about you:

        • the categories and specific pieces of personal information we have collected about you;
        • the categories of sources from which we collected the personal information;
        • the business or commercial purpose for which we collected the personal information;
        • the categories of third parties with whom we shared the personal information; and
        • the categories of personal information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose.
      • Exercising the right to delete: You may request that we delete the personal information we have collected from you, subject to certain limitations under applicable law.
      • Exercising the right to opt-out from a sale: You may request to opt out of any “sale” of your personal information that may take place.
      • Non-discrimination: The CCPA provides that you may not be discriminated against for exercising these rights.
    • To submit a request to exercise any of the rights described above, please contact us.
  • Languages

    This Privacy Policy is written in English. Any translations into another language are made solely for convenience and will not be considered in the interpretation or application of this Privacy Policy. The other translations of this Privacy Policy are only for reference. In case of any discrepancy, the English version shall prevail.

  • Contact Us

    To submit questions regarding this Privacy Policy, you can contact OwlTing by emailing us at support@owlting.com or at our mailing address at:

    Obook Inc. ATTN: Legal Department 3F., No. 213, Sec. 3, Beixin Rd., Xindian Dist. New Taipei City 231, Taiwan

    We may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. Authentication based on a government-issued and valid identification document may be required.