Privacy Policy
Privacy Policy
Luna Rooms (“we”, “us”, “our”) is committed to protecting personal data and respecting the privacy of individuals who interact with our website and accommodation services. This Privacy Policy explains how we collect, use, store, and disclose personal data, and outlines your rights under applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
If you have any questions about this Privacy Policy or how we handle personal data, you may contact our Data Controller at datacontroller@lunarooms.com.
This Privacy Policy applies to personal data processed in connection with our website and accommodation operations. It does not apply to personal data processed by third-party platforms acting as independent data controllers, even where those platforms are used in connection with our services.
1. Data Controller
For the purposes of the UK GDPR and the Data Protection Act 2018, Luna Limited is the data controller in respect of personal data processed under this Privacy Policy, except where explicitly stated otherwise.
2. Third-Party Platforms and Allocation of Responsibility
We use third-party technology platforms to operate our services. Depending on the function performed, these platforms may act either as data processors on our behalf or as independent data controllers in their own right.
In particular:
Booking.com acts as an independent data controller in respect of booking creation, guest accounts, platform messaging, payments, refunds, fraud prevention, dispute handling, and related records. We do not control, access, or determine the retention of personal data held by Booking.com. Any data protection requests relating to data held by Booking.com must be made directly to Booking.com in accordance with their privacy policy.
Hostaway acts as a data processor on our behalf, providing channel management and guest portal services. Personal data stored within Hostaway is processed strictly under our instructions and remains under our control as data controller.
Zoom acts as a data processor where used for communications. Where telephone calls are recorded, we remain the data controller for those recordings.
We do not process, disclose, or provide access to personal data held by third-party platforms acting as independent data controllers.
3. Categories of Personal Data We Process
Depending on how you interact with us, we may process the following categories of personal data:
Identity and contact details (such as name, email address, and telephone number)
Booking and accommodation details
Guest verification and check-in information submitted via our guest portal
Communications with us, including emails and recorded telephone calls where applicable
Website usage and technical data, including IP address, browser type, access times, and log information
We do not collect or store personal data outside the systems and platforms described in this Privacy Policy.
4. Purposes and Lawful Bases for Processing
We process personal data only where a lawful basis exists, including where processing is necessary:
To perform a contract or take steps at your request prior to entering into a contract
To comply with legal or regulatory obligations
For our legitimate interests in operating, managing, and protecting our business, provided those interests are not overridden by your rights and freedoms
Processing purposes include:
Managing accommodation bookings and guest stays
Verifying guest identity and facilitating access
Communicating with guests regarding their stay or enquiries
Maintaining service quality, training, and dispute resolution
Preventing fraud, misuse, or abuse of our services
Operating, analysing, and improving our website and systems
5. Call Recording
Telephone calls may be recorded for quality assurance, training, dispute resolution, and legal compliance purposes.
Where calls are recorded:
Recordings are stored securely with restricted access
Recordings are retained only for as long as reasonably necessary
Disclosure is limited to circumstances permitted or required by law
Any disclosure, including in response to a subject access request, will be subject to lawful redaction to protect the rights and freedoms of third parties, including staff members
We do not provide real-time or telephone disclosure of recorded call content.
6. Cookies and Website Analytics
We use cookies and similar technologies to ensure the proper functioning of our website and to analyse usage patterns. These technologies may collect technical information such as IP address, browser type, referring pages, and timestamps. This information is not used to directly identify individuals.
You can manage cookie preferences through your browser settings.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, accounting, and regulatory requirements. Retention periods vary depending on the category of data and applicable obligations.
8. Your Data Protection Rights
Under the UK GDPR, you have the following rights, subject to legal limitations:
The right to access your personal data
The right to rectification
The right to erasure (in certain circumstances)
The right to restrict processing
The right to object to processing
The right to data portability
Requests to exercise these rights should be submitted to datacontroller@lunarooms.com.
9. Subject Access Requests (SARs)
A subject access request may be made verbally or in writing. However:
We may require reasonable proof of identity before disclosing any personal data
We may request clarification where a request is broad or unclear
We will only disclose personal data for which we are the data controller
We will not disclose personal data controlled by independent third-party platforms, including Booking.com
Responses will be provided in a secure written format
We may lawfully redact information to protect third-party rights, confidential information, and legally privileged material
The statutory response period begins only once identity verification has been completed.
10. Identity Verification and Security Measures
Before responding to any data protection request, we reserve the right to take reasonable and proportionate steps to verify the identity of the requester. This may include requesting confirmation from the email address used for the booking, government-issued identification, or other appropriate verification measures. We will not disclose personal data where we are not satisfied as to the requester’s identity or authority.
11. Format and Method of Disclosure
Where we provide personal data in response to a data protection request, we will do so in a secure written format. We do not provide disclosures verbally or by telephone. The format of disclosure will be determined by us, acting reasonably and in accordance with applicable law.
12. Redaction, Third-Party Data, and Confidentiality
Personal data disclosed in response to a subject access request may be redacted where necessary to protect the rights and freedoms of others, including our employees, contractors, and third parties. This includes redaction of names, voices, internal references, or contextual information. We are not required to disclose confidential business information or legally privileged material.
13. Manifestly Unfounded or Excessive Requests
Where a request is manifestly unfounded or excessive, including where it is repetitive, abusive, or made for purposes unrelated to the exercise of data protection rights, we reserve the right to refuse the request or charge a reasonable fee, as permitted by law. In such cases, we will provide an explanation for our decision.
14. Limitation of Scope
A subject access request entitles an individual to access their personal data, not to explanations, commentary, interpretations, internal decision-making processes, system logic, staff opinions, or correspondence that does not constitute personal data. Disclosures will be limited strictly to personal data.
Last updated 12th March 2026
