PRIVACY POLICY

Effective Date: March 2026 | Version 1.0

Welcome to OTel ("we", "us", or "our"), operated by House of OTel, a micro-luxury boutique hospitality brand curating soulful escape experiences across India and abroad. Our properties include destinations in Goa, Bhimtal, Dehradun, Sariska Tiger Reserve, and Phuket, with upcoming locations in Dubai and Varanasi.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website (www.otelrooms.com) and (www.o-tel.com) and (www.rampurestate.com), make a booking, or interact with us through any channel including WhatsApp, email, or telephone. It also sets out your rights as a data principal under applicable Indian law.

We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

The Data Fiduciary responsible for your personal data is:

House of OTel Website: www.otelrooms.com Email: contact@otelrooms.com Phone: +91 85954-17822

For any privacy-related queries, grievances, or requests, please contact us at the above details. We endeavour to respond to all queries within 72 hours.

We collect personal data that you voluntarily provide to us, as well as data collected automatically when you use our website or services.

• Full name and contact details (email address, phone number, WhatsApp number)

• Communications you send us via email, WhatsApp, or our contact forms

• IP address, browser type, operating system, and device identifiers

• Pages visited, time spent on pages, referral URLs, and clickstream data

• Cookie data and similar tracking technologies (see Section 9 for details)

• Location data if you permit your browser to share it

We may collect sensitive personal data or information (SPDI) as defined under the SPDI Rules, such as financial information (for payment processing) and, in limited cases, dietary preferences or health-related accommodation requests. Such data is collected only with your explicit consent and is subject to enhanced protection measures.

We process your personal data for the following purposes:

• Processing and confirming your accommodation reservations

• Communicating booking confirmations, invoices, and itinerary information

• Providing pre-arrival, in-stay, and post-departure guest services

• Facilitating check-in procedures and identity verification as required by law

• Processing payments and issuing receipts or GST invoices

• Detecting and preventing fraudulent transactions

• Complying with financial record-keeping obligations under Indian law

• Responding to your enquiries, feedback, and complaints

• Sending transactional communications essential to your booking

• Sending promotional offers, property updates, and travel inspiration with your consent

• Conducting guest satisfaction surveys to improve our services

• Complying with applicable Indian laws including the Foreigners Act, 1946 and state-level hotel regulations

• Responding to lawful requests from government authorities or law enforcement

• Enforcing our terms and conditions and protecting our legal rights

• Analysing website traffic and user behaviour to enhance the user experience

• Testing and developing new features and services

• Ensuring website security and preventing misuse

Under the DPDP Act, 2023, we process your personal data on the following lawful bases:

• Consent: Where you have given clear, informed, and specific consent for a particular purpose (e.g., marketing communications, cookies).

• Contractual Necessity: Where processing is necessary to fulfil a booking contract with you or to take pre-contractual steps at your request.

• Legitimate Interests: Where processing is necessary for our legitimate business interests (e.g., fraud prevention, network security, business analytics), provided these do not override your fundamental rights.

• Legal Obligation: Where processing is required to comply with applicable Indian laws and regulations.

You may withdraw your consent at any time where consent is the basis of processing. This will not affect the lawfulness of processing carried out prior to your withdrawal.

We do not sell, rent, or trade your personal data. We may share your data with the following categories of third parties, only to the extent necessary and subject to appropriate safeguards:

• Property Management Partners: Property caretakers and local staff at our individual properties (Goa, Bhimtal, Dehradun, Sariska, Phuket) who need access to your booking details to serve you.

• Payment Processors: RBI-regulated payment gateway providers and banking partners for secure transaction processing.

• Technology Service Providers: Website hosting, CRM, and booking management software providers who process data on our behalf under data processing agreements.

• Regulatory Authorities: Government bodies, police, or law enforcement agencies when required by law (e.g., guest registration under the Foreigners Act, local police station intimation).

• Professional Advisors: Legal, accounting, and tax advisors bound by professional confidentiality obligations.

All third-party service providers are required to maintain the confidentiality and security of your personal data and are prohibited from using it for any purpose other than providing services to OTel.

Given that OTel operates a property in Phuket, Thailand, some personal data may be transferred outside India. Any such transfer will be made in compliance with the DPDP Act, 2023, and applicable cross-border data transfer provisions notified by the Government of India. We ensure that adequate safeguards are in place before transferring data to international locations, including contractual commitments that provide data protection standards equivalent to those applicable in India.

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including compliance with legal, accounting, or regulatory requirements.

• Booking records and transaction data: 7 years (as required under Indian tax and accounting laws)

• Guest identity records: As required under applicable hotel regulations and state police notification requirements

• Marketing communications and consent records: Until you withdraw consent, plus 1 year thereafter

• Website analytics data: 24 months in anonymised or aggregated form

• Complaint and correspondence records: 3 years from resolution

Once data is no longer required, it is securely deleted or anonymised in accordance with our data retention procedures.

Our website uses cookies and similar tracking technologies to enhance your browsing experience and help us understand how our site is used.

• Essential Cookies: Necessary for the website to function and cannot be disabled (e.g., session management, load balancing).

• Analytics Cookies: Help us understand visitor behaviour and improve our website (e.g., Google Analytics). These are anonymised where possible.

• Marketing Cookies: Used to deliver relevant advertising and track campaign effectiveness, activated only with your consent.

When you first visit our website, you are presented with a cookie consent notice. You may accept or decline non-essential cookies. You can also manage cookie preferences through your browser settings at any time. Please note that disabling certain cookies may affect the functionality of our website.

Under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:

• Right to Access: You have the right to obtain a summary of the personal data we hold about you and information about how it is being processed.

• Right to Correction and Erasure: You may request correction of inaccurate or incomplete personal data, and erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.

• Right to Grievance Redressal: You have the right to a readily available means of grievance redressal in respect of any act or omission of OTel regarding your personal data.

• Right to Nominate: You have the right to nominate another individual to exercise your rights in the event of your death or incapacity.

• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, please contact us at contact@otelrooms.com or call +91 85954-17822. We will respond within the timeframe specified under the DPDP Act. We may need to verify your identity before processing your request.

In accordance with the Information Technology Act, 2000, and the SPDI Rules, 2011, OTel has designated a Grievance Officer to address concerns regarding the processing of personal data:

Grievance Officer, House of OTel Email: contact@otelrooms.com Phone: +91 85954-17822 Response Time: Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.

If you are not satisfied with our resolution, you may approach the Data Protection Board of India (once constituted and operational under the DPDP Act, 2023) or seek other appropriate legal remedies available under Indian law.

OTel's website and booking services are not directed at children under the age of 18. We do not knowingly collect personal data from minors without verifiable parental or guardian consent. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately at contact@otelrooms.com.

We implement and maintain reasonable security practices and procedures as mandated under the SPDI Rules, 2011, to protect your personal data from unauthorised access, disclosure, alteration, or destruction. Our security measures include:

• Encryption of sensitive data in transit using SSL/TLS protocols

• Secure payment processing through PCI-DSS compliant third-party gateways

• Access controls restricting personal data to authorised personnel on a need-to-know basis

• Regular review of data collection, storage, and processing practices

• Staff training on data protection obligations

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in harm to you, we will notify you and the relevant regulatory authority as required under the DPDP Act.

Our website may contain links to third-party websites including Google Reviews, Airbnb, and social media platforms. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you access through our website. We are not responsible for the privacy practices or content of such third-party sites.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the Effective Date at the top of this document and, where appropriate, notify you via email or a notice on our website. We encourage you to review this Policy periodically. Your continued use of our website or services after any changes constitutes your acknowledgement of the updated Policy.

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the courts at New Delhi, India.

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:

House of OTel — Privacy Enquiries Website: www.otelrooms.com Email: contact@otelrooms.com WhatsApp / Phone: +91 85954-17822