Privacy Policy

Last Updated: October 9, 2025

Sterling Valley Systems, Inc., an affiliate of Outside Interactive, Inc. (hereinafter referred to as “Inntopia,” “we,” “us,” or “our”) is a leading provider of travel reservation technology to the destination travel market.  This Privacy Policy governs the website https://corp.inntopia.com (the “Site”), as well as the other services owned, operated, and/or provided by Inntopia (collectively, the “Services”). This Privacy Policy describes the types of personal information Inntopia collects from and about you, how Inntopia may use and disclose such information, and your choices and legal rights with respect to such information.

We collect, use, disclose, and otherwise process your personal information only in accordance with applicable data protection and privacy laws and this Privacy Policy. By using the Services, you agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree, please do not access or use the Services. 

For purposes of this Privacy Policy, “personal information” – also called “personal data” in the laws of some jurisdictions – refers to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to you. Data that has been deidentified or that otherwise cannot reasonably be related back to a specific person is not considered personal information. 

For more information about how users with disabilities can access this Privacy Policy in an alternative format, please email privacy@inntopia.com. 

CALIFORNIA PRIVACY NOTICE

California residents, please see our CALIFORNIA PRIVACY NOTICE.

COLORADO, CONNECTICUT, DELAWARE, IOWA, NEBRASKA, NEW HAMPSHIRE, NEW JERSEY, OREGON, TEXAS, UTAH, VIRGINIA, MONTANA, MINNESOTA & TENNESSEE PRIVACY NOTICE

Residents of Colorado, Connecticut, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah or Virginia, please see our COLORADO, CONNECTICUT, DELAWARE, IOWA, NEBRASKA, NEW HAMPSHIRE, NEW JERSEY, OREGON, TEXAS, UTAH, VIRGINIA, MONTANA, MINNESOTA & TENNESSEE PRIVACY NOTICE.

NEVADA PRIVACY NOTICE

Residents of Nevada, please see our NEVADA PRIVACY NOTICE.

EUROPEAN PRIVACY NOTICE

If you are in the UK, EU, or Switzerland, please see our EUROPEAN PRIVACY NOTICE.

1. PERSONAL INFORMATION WE COLLECT

When you use the Services, we may collect or obtain your personal information (A) directly from you; and (B) automatically when you interact with the Services.

Personal Information You Provide

When you make a reservation through one of our partner web sites or call centers, Inntopia collects your biographical information (i.e., name, physical address, email address, telephone or mobile number, date of birth, and gender), and payment card information. 

Personal Information Automatically Collected

Whenever you visit or interact with the Services, we (and our affiliates and service providers) may automatically collect the following types of personal information:

• Device Information: When you access the Services, information about your device may be collected, including IP address and/or other unique identifiers, browser type, device type, operating system, software version, hardware model, and mobile network information.
• Usage Information: When you interact with the Services, certain information may be collected, including the date and time of your visit, the pages you view immediately before and after you access the Services, the areas or pages that you visit, the amount of time you spend viewing or using the Services, the number of times you return, and other click-stream or site usage data. Additionally, if you receive an email from us, information may be collected about your interactions with the message (e.g., whether you opened, forwarded, or clicked-through to our Services).

 

Please note that we use Google Analytics to better understand how users interact with the Services. For information on Google Analytics’ information handling practices and how you can control the use of information sent to Google, please visit https://policies.google.com/technologies/partner-sites. If you wish to prevent your information from being used by Google Analytics, Google has developed the Google Analytics opt-out browser add-on available at https://tools.google.com/dlpage/gaoptout.

You may adjust your device or Internet browser settings to limit certain tracking or to decline cookies, but by doing so, you may not be able to use certain features or take full advantage of all our offerings. Please refer to your device’s settings or your Internet browser’s “Help” section for more information on how to delete cookies and/or disable your device or browser from receiving cookies or adjust your tracking preferences.

Combination of Personal Information

We may combine the personal information we receive from and about you, including information you provide to us and information we automatically collect through the Services, and information collected offline. We may also combine information collected across the different computers or devices that you may use and from third-party sources. We use, disclose, and protect combined personal information as described in this Privacy Policy.

We also may supplement your personal information with information we gather from other sources which may include online and offline sources. We may collect information that is not personal information (“non-personal information”), including anonymous or aggregate data. Because non-personal information does not personally identify you, we may collect, use, and disclose such information for any purpose permitted by law. In some instances, we may combine non-personal Information with personal information. If we combine any non-personal information with personal information, the combined information will be treated by us as personal information to the extent that it is capable of personally identifying you.

2. PERSONAL INFORMATION WE USE

Inntopia may use the personal information we collect to fulfill our contractual obligations to you and for a variety of legitimate business or commercial purposes, including to:

• process your purchase of travel products, goods, or services; 
• collect or refund payment; 
• cancel or modify a reservation; 
• perform testing and Quality Assurance functions to improve our software;
• perform back-office business functions related to accounting, billing, and auditing;
• communicate with you, including to respond to your inquiries/requests and request feedback from you;
• protect the security and integrity of the Services and our business, such as by protecting against and preventing fraud, unauthorized transactions, claims and other liabilities and managing risk exposure, including by identifying potential hackers and other unauthorized users;
• comply with applicable laws and regulations and to respond to lawful requests and communications from law enforcement and other government officials;
• carry out sales and business transactions in which information held by us is among the assets transferred or is otherwise relevant to the evaluation, negotiation, or completion of the transaction; and
• protect our rights, privacy, safety, property, and/or those of others.

Additionally, we may use your personal information for other purposes disclosed at the time you provide your information or otherwise with your consent.

In addition to the purposes listed above, we may also de-identify or aggregate information (meaning information that relates to a group or category of individuals, from which individual identities have been removed) so that it will no longer be considered “personal information” and use such non-personal information for analytics purposes, to support and train our artificial intelligence and machine learning tools, to enhance and maintain the Services, or other purposes consistent with those described in this Privacy Policy.

3. PERSONAL INFORMATION DISCLOSURE

We may disclose each of the categories of personal information we collect from and about you with the following categories of recipients:

• Affiliates: Inntopia is an affiliate of Outside Interactive, Inc. When you make a reservation via the Outside Travel service, we disclose certain personal information (except payment card information) to Outside and its affiliates and subsidiaries for business, operational, promotional, and marketing purposes.
• Travel Suppliers: We disclose your personal information to our travel suppliers with whom you have purchased lodging, activities, or other goods and services.
• Service Providers: We disclose your personal information to third parties that provide business, professional, marketing, analytics, or technical support services to us; help us operate our business and the Services; or administer activities on our behalf. We require our service providers to only use your personal information in connection with providing services to Inntopia. They are not authorized by us to use the information for their own benefit.
• Competent Governmental and Public Authorities: We will disclose your personal information as necessary to respond to subpoenas, judicial processes, or government requests and investigations, or in connection with an investigation on matters related to public safety. We may disclose your information to protect the security of our Services, servers, network systems, and databases. We also may disclose your information as necessary, if we believe that there has been a violation of the broader Outside Terms of Use, any other legal document or contract related to our Services, or the rights of any third party.
• Relevant Third Parties in Connection with a Business Transaction: We may sell or purchase assets during the normal course of our business. If another entity acquires us or any of our assets, your personal information may be transferred to such entity. In addition, if any bankruptcy or reorganization proceeding is brought by or against us, your personal information may be considered an asset of ours and may be sold or transferred to third parties. 
• Other Parties: We may disclose your personal information when you consent or direct us to share your information, such as when you connect your account to a compatible service that is not provided by us. Additionally, we will disclose your personal information to other parties as we believe necessary or appropriate either to: (i) comply with applicable law; (ii) protect our operations and those of our affiliates and subsidiaries; (iii) investigate and prevent against fraud; (iv) protect our rights, privacy, safety, or property and/or those of others; or (v) allow us to pursue available remedies or limit damages that we may sustain.

Please note that we may also de-identify or aggregate personal information so that it will no longer be considered “personal information” and disclose such information to third parties for any purpose as permitted by law, including for marketing or analytics purposes. We require any third party we share this information with to maintain and use the information in de-identified or aggregate form, and not to attempt to re-identify the information.  

4. YOUR CHOICES AND LEGAL RIGHTS

We respect your privacy and provide you with information about our processing of your personal information and the ability to exercise control over our use of your information. This section of our policy outlines: (a) your choices about how we use your personal information; (b) your legal rights related to your personal information based on where you reside; and (c) specific disclosures required by law in certain states and other territories.

Your Choices

We provide you with the ability to make certain choices about how we use your personal information, as described below.

• Marketing and Promotional Communications: You can opt out of receiving marketing and promotional communications from us at any time by using the contact information below or following the instructions included in any marketing or promotional communications that you receive from us. Note that even if you opt out of receiving marketing and promotional communications from us, you will still receive non-marketing or transactional messages from us, including messages about your account and responses to your inquiries/requests.
• Browser and Mobile Tracking Opt-outs: For more information on how to opt out from targeted advertising on your specific browser or device, you can visit the DAA Webchoices Browser Check and/or the NAI Opt Out of Interest-Based Advertising. You can download the AppChoices app to opt out in mobile apps.
• Cookies: As noted above, we (and our partners and providers) use cookies on the Sites for various purposes, including for analytics and advertising purposes. To learn more about the cookies in use on our Sites or to adjust your preferences with respect to the cookies deployed on the Sites, use our cookie preference tool found by clicking “Manage Cookie Preferences” in the footer of the Sites.
• Global Privacy Control: Residents of California, Colorado, Connecticut, Texas, Montana, or New Hampshire can use certain preference signals to exercise the right to opt-out of sales and sharing by Outside. If you enable a browser-based opt-out preference signal that complies with applicable privacy laws, such as Global Privacy Control (GPC), in certain territories, upon receipt or detection, we will treat the signal as a valid request to opt out of the sale or sharing of personal information linked to that browser, as required by applicable privacy laws.
• Do Not Track: Some browsers include a “Do Not Track” (DNT) setting that can send a signal indicating you do not wish to be tracked. Unlike the GPC described above, there is not a common understanding of how to interpret the DNT signal; therefore, our websites do not respond to DNT signals. Instead, you should use the other tools to control data collection and use described above.

 

Your Legal Rights

Depending on where you reside, you may have certain rights in relation to your personal information, as described below. For more information about jurisdictions where these options are available, please read the additional instructions immediately following the list of rights below.

• Right of Access:
  • You may ask us to confirm whether we are processing your personal information and, if so, details regarding our processing of the personal information.
  • You may also request that we provide your personal information, in a portable and, to the extent technically feasible, readily usable format.
• Right to Delete: Subject to certain exceptions, you may request that we delete your personal information. There are some reasons we will not be able to fully address your request, such as if we need to complete a transaction for you, to detect and protect against fraudulent and illegal activity, to exercise our rights, or to comply with a legal obligation.
• Right to Correct: Subject to certain exceptions, you may request that we correct inaccuracies in your personal information. We will take commercially reasonable efforts to make the corrections that you request.
• Right to Opt Out of Certain Types of Information Uses and Disclosures: As described above, we disclose personal information to third parties for analytics and advertising purposes. If you are interested in exercising your right to opt out of the “sale” of your personal information or the processing of your personal information for “targeted advertising” (as these terms are defined in applicable law), you may submit a request at any time by visiting the Consumer Privacy Rights Request page linked here and/or visiting the “Manage Cookie Preferences” tool in the footer of the Sites and toggling the “Performance Cookies” and/or “Targeting Cookies off. As of the latest date of the Privacy Policy, we do NOT engage in profiling decision based on your personal information that produce legal or similarly significant effects concerning you. For residents of California, Colorado, Connecticut, Texas, Montana, or New Hampshire, we will also treat opt-out preference signals as valid opt-out requests.

 

If you wish to opt out of the processing of your personal information for any of the above purposes, or opt back in, please visit the Consumer Privacy Rights Request linked here. Right to Revoke Consent: We may seek your affirmative consent to process your personal information for certain purposes. Where applicable, you may revoke your consent at any time.

• Right to Limit Certain Processing Activities or to Object to Certain Processing Activities: Where we have not sought your affirmative consent to process your personal information, you may have the right to limit or object to our continued processing of that personal information.

 

If you exercise any of the foregoing rights, we will not discriminate against you. Unless permitted by applicable privacy laws, we will not: Deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of goods or services; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

 

To exercise any of the rights described above, residents of certain U.S. state should  submit a request through the Consumer Privacy Rights Request linked here. You can also contact us by phone at 1-855-OUT-0567 to submit a request. If you are a resident of the EEA, UK, or Switzerland, please click here to submit your request. 

Where required by applicable law, we will make every effort to respond to your request within 45 days from when you contacted us. If you have a complex request, certain privacy laws allow us up to 90 days to respond. We will contact you within 45 days from when you contacted us to inform you of the need for additional time and the reason for such extension. We may place reasonable limits on responding to repeated requests, including charging you a reasonable fee to cover administrative costs, where allowable by law.

In order to protect your privacy, we may require proof of your identity before we can act on your request. When providing us this information, you represent and affirm that all information provided is true and accurate. Where applicable, we will use the requested information for verification purposes only. We may decline certain requests if we cannot verify your identity and confirm the personal information we maintain relates to you.

Depending on where you reside, you may authorize someone to submit a privacy rights request on your behalf (an “authorized agent”) using the submission methods outlined above. An authorized agent will need to demonstrate that you have authorized them to act on your behalf. Depending on the evidence provided, we may also contact you to verify your identity directly with us or request confirmation from you that the agent is authorized to make the request.

If we decide not to take action in response to your request, depending on where you reside, you may have the right to appeal within a reasonable period of time after you have received our decision. Where permitted by applicable law, you may submit an appeal by email at privacy@inntopia.com, or by phone at 1-855-OUT-0567. If you send an appeal via email, you must put the statement “Privacy Rights Appeal” in the subject field and provide enough information for us to understand the request you made and the rationale for the appeal. If you have this appeal right, we will resolve your appeal within 60 days (45 days for residents of Colorado). If your appeal is denied, we will explain why. If you continue to dispute our decision or would like to lodge a complaint regarding our handling of your personal information, you may contact the regulator in your jurisdiction that handles privacy complaints. If we deny your appeal, we will provide you with a method for contacting your state attorney general’s office to submit a complaint. 

Please also see below for a list of contact information for the relevant regulatory bodies in select European jurisdictions.

• European Union: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• Switzerland  https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
• United Kingdom: https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/

CALIFORNIA PRIVACY NOTICE

Pursuant to the California Consumer Privacy Act (“CCPA”), we are providing the following additional details regarding the categories of personal information that we collect, use, and disclose. Please see the “Your Legal Rights” section immediately above for the rights available to you in relation to your personal information and how you can exercise them.

Personal Information Collection and Disclosure

The following chart details which categories of personal information we have collected from and about California residents in the past twelve (12) months, the source(s) of each category of information, the categories of third parties to whom we have disclosed each category of information for a business purpose, and the categories of third parties to whom we have “sold” or with whom we have “shared” each category of information (as such terms are defined in the CCPA) (where applicable). Please note that the first column in the chart lists by category the types of information described in the “Personal Information We Collect” section above, as required by the CCPA.

Category of Personal Information	Categories of Sources	Disclosures of Personal Information for a Business Purpose	Sale or Sharing of Personal Information
Identifiers, including names, physical addresses, email addresses, online identifiers, IP addresses, account names, and other similar identifiers.	Directly from individuals Through automated means  Third-party sources	We have disclosed this category of information for a business purpose in the past 12 months to the following categories of third parties: Our Travel Suppliers Our Service Providers  Our Analytics Providers	We have sold or shared this category of information in the past 12 months to or with the following categories of third parties: Our Travel Suppliers, Advertising and Analytics Partners and Providers (including social media platforms)
Personal information categories listed in the California Customer Records statute, including telephone numbers and credit and debit card information.	Directly from individuals	We have disclosed this category of information for a business purpose in the past 12 months to the following categories of third parties: Our Travel Suppliers Our Service Providers
Commercial information, including items purchased, obtained, or considered.	Directly from individuals Through automated means	We have disclosed this category of information for a business purpose in the past 12 months to the following categories of third parties: Our Travel Suppliers Our Service Providers Our Analytics Providers	We have sold or shared this category of information in the past 12 months to or with the following categories of third parties: Our Travel Suppliers, Advertising and Analytics Partners and Providers (including social media platforms)
Internet or other electronic network activity information, including interactions with the Services.	Through automated means Third-party sources	We have disclosed this category of information for a business purpose in the past 12 months to the following categories of third parties: Our Travel Suppliers Our Service Providers Our Analytics Providers	We have sold or shared this category of information in the past 12 months to or with the following categories of third parties: Our Travel Suppliers, Advertising and Analytics Partners and Providers (including social media platforms)
Geolocation data, such as IP location and other geolocation data	Through automated means	We have disclosed this category of information for a business purpose in the past 12 months to the following categories of third parties: Our Travel Suppliers Our Service Providers  Our Analytics Providers

Purposes for Collecting Personal Information

As described in more detail in the “Personal Information Use” section above, we collect personal information to provide and manage the Services, fulfill our contractual obligations to you, and achieve a variety of legitimate business or commercial purposes.

Disclosures of Personal Information

As detailed in the “Personal Information Disclosure” section above, we disclose personal information to fulfill the purposes described above. We will also disclose certain categories of personal information to competent governmental and public authorities and other third parties as necessary or appropriate, including when we have a legal or contractual obligation to disclose the information.

Sale and Sharing of Personal Information

As detailed in the chart above, we “sell” and “share” (as such terms are defined in the CCPA) certain categories of personal information to and with third parties and have “sold” and “shared” certain categories of personal information in the past twelve (12) months for analytics and advertising purposes. Please refer to the chart above for additional details. Our business model is not focused on selling data; however, in certain cases our partners may receive certain information through your use of the Site or Services, which under applicable laws, may constitute a “sale” of personal information.

We do not “sell” or “share” the personal information of individuals we know to be under 18 years of age.

“Shine the Light”

In addition to the above rights, under California Civil Code Section 1798.83 (“Shine the Light”), California residents may have the right to request in writing from businesses with whom they have an established business relationship: (a) a list of the categories of personal information, as defined under Shine the Light, such as name, email address, and mailing address, and the type of services provided to the customer that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes; and (b) the names and addresses of all such third parties. To request the above information, please contact us by email at privacy@inntopia.com. If you do not want your personal information shared with any third party who may use such information for direct marketing purposes, then you may opt out of such disclosures by sending an email to us at privacy@inntopia.com.

 

COLORADO, CONNECTICUT, DELAWARE, IOWA, NEBRASKA, NEW HAMPSHIRE, NEW JERSEY, OREGON, TEXAS, UTAH, VIRGINIA, MONTANA, MINNESOTA & TENNESSEE PRIVACY NOTICE

 

Notice of Collection

To learn more about the categories of personal data, including sensitive personal data, we collect about you and how we use it, please see the section “Personal Information We Collect” above. To learn more about how we use that information, please see the section “Personal Information We Use” above. To learn more about the categories of third parties with whom we may share your personal data, please see “Personal Information Disclosure” above.

Your Privacy Rights

You have the right to submit a request to know, delete, correct (except Utah residents), and to opt-out of the sale or processing of your personal data for targeted advertising purposes. If you live in Delaware, you have the right to obtain a list of the of categories of third parties to which we have disclosed personal information. If you live in Oregon, you also have a right to request a list of specific third parties to which Outside has disclosed your personal data. You also have a right to appeal a denial of any of these requests. To learn more about these rights, see “Your Choices and Legal Rights” above.

NEVADA PRIVACY NOTICE

If you are a Nevada resident, you have the right to submit a request directing us not to make any sale of your personal information. We do not sell your personal information as defined under Nevada law. However, to request email confirmation that we do not sell your personal information, please e-mail privacy@inntopia.com with “Nevada Opt-Out of Sale” in the subject line and in the body of your message. We will provide the requested information to you via an email response.     

EUROPEAN PRIVACY NOTICE

IF YOU ARE SITUATED IN THE EUROPEAN ECONOMIC AREA, SWITZERLAND, OR THE UNITED KINGDOM, THIS SECTION APPLIES TO OUR COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL INFORMATION AND ADDITIONAL RIGHTS YOU HAVE UNDER APPLICABLE LAW.

Role and Data Controller Contact Details

The General Data Protection Regulation (“GDPR”) and other related laws distinguish between organizations that process personal information for their own purposes (known as “controllers”) and organizations that process personal information on behalf of other organizations (known as “processors”).

We act as a controller with respect to personal information collected from you as you engage with our Services. If you have questions with respect to our processing of your information as a controller, you can contact us by email at the email address set forth in the section entitled “How To Contact Us” below.

Lawful Basis for Processing

The GDPR and related laws require a “lawful basis” for processing personal information. Our lawful bases include the following:

• Consent: We may collect, use, and disclose your personal information on the basis of the consent that you provide us at the point of information collection or disclosure.
• Contractual necessity: We may collect and use certain personal information where it is either necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. This may include personal information used to provide you with the Services and related transaction information.
• Compliance with a legal obligation: We are subject to various legal requirements in the jurisdictions in which we operate, and we may use, disclose, and retain your personal information if necessary for us to comply with a legal obligation arising under an applicable law to which we are subject.
• Legitimate interests: We may collect and use your personal information to the extent necessary to carry out our legitimate interests (or those of a third party), provided that such interests do not outweigh your interests or fundamental rights and freedoms. For example, we may collect and use your personal information in reliance on a legitimate interest in managing our relationship with you; conducting and managing our business; providing you with customer support; developing and enhancing the Services; detecting and preventing fraud and other harmful activities; and monitoring and maintaining the security of our information, systems, and networks.

Onward Transfer

Outside is a global business and it, or its service providers, may process, transfer, and store personal information on servers located in a number of countries inside of the EEA (e.g., Germany) and UK or outside of the EEA and UK, including in the United States and Canada. Since we are committed to protecting your personal information, we take steps to ensure that there are appropriate safeguards in place when we transfer personal information across international borders. Please be advised that we may be required to disclose your personal information in response to lawful requests by public authorities in the United States, including to meet national security or law enforcement requirements. If the GDPR applies and your data is transferred outside the UK or the EEA to the United States or any other country, we will transfer your personal information subject to appropriate safeguards, such as an adequacy decision by the European Commission on the basis of Article 45 of Regulation (EU) 2016/679 or Standard Contractual Clauses, as provided from time to time by the European Commission. You can receive additional information about where your personal information is transferred and the appropriate safeguards by contacting us. 

Your Data Subject Rights

Your Rights. If you are a data subject under the GDPR or similar jurisdictions, subject to certain conditions, you have the right to:

• Access, rectify, or erase any personal information we process about you;
• Data portability – that is, asking us to transfer your personal information to any third party of your choice;
• Restrict or object to our processing of your personal information; and
• Where applicable, withdraw your consent at any time for any processing of your personal information.

Please see “Your Legal Rights” above for more information on how to exercise these rights.

Complaints

If you have a complaint about our use of your personal information or our response to your request(s) regarding your personal information, you may submit a complaint to the Data Protection Supervisory Authority in your jurisdiction. We would, however, appreciate the opportunity to address your concerns before you approach a data protection regulator and welcome you to first direct an inquiry to us. In addition to our contact details set out above, you can also contact our Designated Individual Overseeing Compliance of this Privacy Policy by following the “How To Contact Us” section below.

5. THIRD-PARTY SERVICES

The Services may include links to or integrations with third-party websites and/or offer you the ability to interact with social plug-ins from social media platforms. We have no control over the personal information that is collected, stored, or used by third-party websites or social media platforms, and we are not responsible for their information handling or privacy practices. Your use of these third-party services is subject to each provider’s privacy policy, so we encourage you to read these policies carefully.

6. CHILDREN’S PRIVACY

Protecting children’s privacy is important to us. We do not direct the Services to, nor do we knowingly collect any personal information online from children under the age of 18. Please contact us if you are a parent or guardian of a child under the age of 18 and you believe that we may have collected personal information online from your child. If we learn that a child under the age of 18 has provided personal information online through the Services, we will use reasonable efforts to delete such information.

7. INFORMATION RETENTION

We will retain your personal information as long as necessary to fulfill the purposes outlined in this Privacy Policy, including to satisfy our legal or reporting requirements, unless a longer retention period is required or allowed under law.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of personal information; the potential risk of harm from unauthorized use or disclosure of the personal information; the purpose for which we use the personal information; whether we can achieve the purposes through other means; and the applicable legal requirements.

If we de-identify information, we will maintain and use the information in de-identified form and not attempt to re-identify the information except as required or permitted by law.

8. INFORMATION SECURITY

Protecting your data is central to everything we do. We use a combination of advanced technologies, strict security standards, and independent audits to safeguard the information we process on your behalf.

• Tokenization of Card Data: We never store raw payment card numbers. Instead, we use tokenization technology that replaces sensitive card details with unique, non-sensitive tokens. This ensures that your payment information is protected end-to-end.
• PCI DSS Compliance: We meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the global benchmark for handling, transmitting, and storing payment card data.
• Independent Security Certifications: Our security practices are regularly audited and certified, including:
  • SOC 2 – (pending) – confirming that our controls meet strict standards for security, availability, confidentiality, and privacy.
  • ISO/IEC 27001 – demonstrating our commitment to internationally recognized best practices in information security management.

While we apply industry-leading safeguards, no security system is perfect, and we cannot guarantee the absolute security of your personal information. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us of the problem by following the “How To Contact Us” section below.

9. REVISIONS TO THIS PRIVACY POLICY

We reserve the right, in our sole discretion, to change, modify, add, remove, or otherwise revise portions of this Privacy Policy at any time. The “Effective Date” at the top of this page indicates when this Privacy Policy was last revised. When we make changes, we will revise the date at the top of this page to reflect the date such changes occurred. If we change the Privacy Policy in a material way, we will provide you with appropriate notice before such changes take effect. Unless otherwise stated, your continued use of the Services following the posting of a revised version of this Privacy Policy constitutes your acceptance of the changes.

10. HOW TO CONTACT US

Sterling Valley Systems, Inc., an affiliate of Outside Interactive, Inc., is the controller and business responsible for processing your personal information as set forth in this Privacy Policy, except as expressly noted herein.

If you have any questions about this Privacy Policy or our information handling and privacy practices, you may contact us at privacy@inntopia.com or by mail to Inntopia Privacy Officer, PO Box 309, Stowe, VT 05672.