STASH COMMONS PRIVACY POLICY

This privacy policy applies to the Stash Commons located at https://commons.stashrewards.com (the "Commons"), which is owned and operated by RevPAR Collective, Inc. d/b/a Stash Hotel Rewards ("RPC", "we" or "us"). The privacy policy explains our policies and procedures regarding the Personal Information we collect from registered Users of the Commons. Capitalized terms that are not otherwise defined in this Privacy Policy shall have the meaning given to them in the Stash Commons Terms of Use

EU-U.S. Privacy Shield

RevPAR Collective Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. RevPAR Collective Inc. is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework's applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce's Privacy Shield List.

RevPAR Collective Inc. is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third-party acting as an agent on its behalf. RevPAR Collective Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, RevPAR Collective Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, RevPAR Collective Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

TRUSTe

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) athttps://feedback-form.truste.com/watchdog/request.

Information we Collect

Commons Users

We collect Personal Information from Users when they register to access the Commons, including name, e-mail address and other work-related contact information that they voluntarily provide to us (e.g., work address, phone number and job title). In addition, Users or their Partner Administrators may post Personal Information relating to the User to the Partner Directory portion of the Commons, including name, work address, email address and phone number, and job title. By utilizing the Commons, Users agree to provide, or allow their Partner Administrator to provide, this information to us for inclusion in the Partner Directory. Users who do not wish to be listed in the Partner Directory may send a written request to partner-support@stashrewards.com to remove their information from the Partner Directory.

Technologies such as: cookies or similar technologies are used by RPC and our marketing partners, affiliates, and analytics providers. These technologies are used in analyzing trends, administering the site, tracking Users' movements around the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We use cookies for authentication to remember Users' settings, to keep track of User activity during a visit to our site, to improve site performance, and to implement certain features of our site. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.

As is true of most websites, we also gather certain information regarding a User's visit automatically and store it in log files in order to understand traffic patterns and compile aggregated data about Commons usage. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), the duration of session, the URL of Commons pages visited and referring/exit pages, operating system, date/time stamp, and clickstream data.

We may combine this automatically collected log information with other information we collect about you. We do this to improve services we offer you and to improve marketing, analytics, and site functionality. The collected information is not used for any other purpose.

We partner with third-party providers to either display advertising on our website or to manage our advertising on other sites. Our third-party providers may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you advertising based upon your browsing activities and interests. The cookies generated from the advertisements do not contain Personal Information and may remain on your hard drive three or more years unless you delete them. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here [http://preferences-mgr.truste.com/](or if located in the European Union click here [http://www.youronlinechoices.eu/]). Please note this does not opt you out of being served ads; you will continue to receive generic ads. Where we use third parties to provide advertising, email marketing or similar services, each such third party will have its own opt-out process, which it will manage and control. You will need to follow those procedures to opt out of the services they provide.

Consent

When you register as a User of the Commons you have the opportunity to create a profile. By doing so you are specifically consenting to our collection and use of any Personal Information you provide to us, the terms of this Policy and our Terms.

Also, when you register as a User you may be given a choice to receive email messages and/or newsletters about product updates, improvements, or partner events. We use third-party service providers to send our partner communications and marketing email. There are no cookies in the email; however, they contain e-tags which permit you to share the email via social sites to which you subscribe. In addition, when you click on a link to the Commons included in the email, a persistent cookie is placed on your computer. This cookie is used to measure the effectiveness of our email marketing efforts, better understand how our users navigate through the Commons, and enhance the user experience. To that end, we collect a variety of information about how you interact with our email communications, including how many times the email is opened and/or clicked, the browser type used, operating system, user email program, etc. The cookie sent by our service providers will remain on your hard drive for 30 days after the last time you clicked on the coded link in the email or until you delete it.

At any time you can choose to no longer receive commercial or promotional emails or newsletters from us by using the email address associated with your account to send an email to partner-support@stashrewards.com with the word 'Unsubscribe' in the subject line or following the opt-out process below. You also will be given the opportunity, in any commercial email that we send to you, to opt out of receiving such messages in the future. It may take up to ten (10) days for us to process an opt-out request. We may send you other types of transactional and relationship email communications, such as service announcements, administrative notices, and surveys, without offering you the opportunity to opt out of receiving them. Please note that changing information in your account or otherwise opting out of receipt of promotional email communications will only affect future activities or communications from us.

Use of Personal Information

Commons Users

We may use Personal Information provided by Users at the time of registration and/or added to the Partner Directory to: (a) establish and maintain Partner and authorized User Accounts; (b) confirm the identity of, and provide Commons access to, authorized Users of our Partners' Accounts; (c) update and maintain our internal records regarding partner hotels and their employees, and (d) communicate with Users regarding the Commons, the Stash Hotel Rewards program, our partner hotels and/or other matters that we believe may be of interest to you.

Third-party Access to Personal Information

We do not sell, rent or trade your Personal Information with third parties for their promotional purposes. Your contact information as contained in the Partner Directory will be viewable by other Users (i.e., employees of other partner hotels).

We may share non-Personal Information, such as aggregate User statistics, demographic information, and Commons usage information with third parties. We may use our third-party service providers and contractors to perform certain services on our behalf, such as processing, storing, maintaining and transmitting data, processing and web analytics, and data analysis. With respect to Commons analysis, we may use Google Analytics, or another analytics provider, to record and process information as to how your browser navigates the Commons, to identify keywords that drove traffic to the Commons, to help us count visitors and to evaluate the Common's technical capacity. For those analytics providers that use cookies or Web beacons, any opt-out functionality is controlled by them, and subject to their opt-out policies and practices. For information on how Google Analytics collects and processes data, visit the link to the site 'How Google uses data when you use our partners' sites or apps', (http://www.google.com/policies/privacy/partners, or any other URL Google may provide from time to time).

We may also use third-party service providers to provide specific business support services to us which may involve limited access to User Personal Information (e.g., e-mail service providers). In the event that we use an such service providers, we require them to use the information only to provide the contracted services and prohibit them using the information for any other purpose and from transferring the information to another party except as needed to provide the contracted services.

We reserve the right to disclose your Personal Information to other parties (a) when you consent to the disclosure, (b) when we believe that it is necessary to protect our rights or the security of the Commons, the Stash Hotel Rewards website at http://www.stashrewards.com or our Members, (c) as required by law, or (d) when we believe that it is necessary to comply with a judicial proceeding, court order, or legal process served on us.

We also may disclose User Personal Information to other third parties in conjunction with entering into an agreement for the sale of our stock or assets or if we are involved in bankruptcy proceedings. The recipient of Personal Information following such actions may have privacy policies that differ from those in this policy.

Security and Integrity

We will take reasonable steps to protect the Personal Information collected from Users from loss and unauthorized access or disclosure. The Commons is password protected and Partner Administrators have the ability to add additional permission layers to limit the content within the Commons that their Users can access. When you enter Personal Information on our registration forms or within your Account, we encrypt that information using secure socket layer technology (SSL). We, and the service providers maintaining or otherwise handling such Personal Information on our behalf, have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Personal Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. For example, electronically stored Personal Information is stored on a secure network with firewall protection, and access to our electronic information systems requires user authentication via password or similar means. We also employ access restrictions, limiting the scope of employees who have access to Personal Information. Nevertheless, any information transmitted over the Internet may be subject to breaches of security and we cannot guarantee the security of information you send to or receive from us. Any electronic transmissions that you submit or accept are at your own risk. If you have any questions about security on our Commons, you can email us at partner-support@stashrewards.com.

Links

For your convenience, we may provide, or other Users may post, links from the Commons to other web sites, including those of our Participating Hotels. The privacy policies on these third-party web sites may be different from this policy and we are not responsible for the information collection practices or the content of the third-party sites to which we link, including any Participating Hotel sites. You access such linked sites at your own risk and should read the privacy policy of any linked site before sharing your Personal Information on such site.

Social Media Features

The Commons includes Social Media Features, such as Follow and Like buttons and interactive mini-programs, that run on our site. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features are either hosted by a third-party or hosted directly on the Commons. Your interactions with these Features are governed by the privacy policy of the company providing it.

Blog

The Commons offers privately accessible blogs and community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Information from our blog or community forums, contact us at partner-support@stashrewards.com. In some cases, we may not be able to remove your Personal Information, in which case we will let you know if we are unable to do so and why. Alternatively, if you used a third-party application to post such information, you can remove it, by either logging into the said application and removing the information or by contacting the appropriate third-party application.

Testimonial

We display personal testimonials of Users on our site in addition to other endorsements. With your consent we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at partner-support@stashrewards.com.

Choice

Users have the choice not to complete and submit a personal profile to us and/or to opt out of receiving promotional electronic communications from us. Users can opt out of promotional electronic communications by following the directions contained in such communications or by changing their communications preferences at the Manage Account portion of the Commons here. Users will need their User ID and password to access this portion of the Commons.

International Visitors

The Commons is hosted in the United States. If you choose to use the Commons from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your Personal Information outside of those regions to the United States for storage and processing. Also, the Commons may transfer your data from the U.S. to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the service. By providing any information, including Personal Information, to RevPAR Collective, you consent to such transfer, storage, and processing.

Do Not Track

Section 22575 of the California Business & Professions Code requires website and online service operators to disclose whether they honor web browser 'Do Not Track' settings. RPC supports and honors 'Do Not Track' web browser settings. If you enable Do Not Track settings in the browser you are using, RPC will not collect, store, or use Personal Information about websites you visit using that browser other than the Commons. Other parties, however, may not honor Do Not Track signals. These parties may collect Personal Information about your online activities over time and across different websites when you visit the Commons, for example by using cookies on the Commons. We have no access to or control over other parties' Personal Information collection practices, even those with which RPC may have an affiliation. You should carefully review the privacy policy and terms of any website you visit. For more information about Do Not Track, please visit www.allaboutdnt.org.

Changes

We reserve the right to modify this policy at any time, so please review it frequently. If we decide to change our Commons privacy policy we will post those changes to this Policy and notify you of any material changes here, by email or by means of a notice on the log-in page of the Commons, so that you are aware of what information we collect, how we use it, and under what circumstances we disclose it.

Other Terms and Conditions

Your access to and use of the Commons and services are also subject to our Terms.

Contact Us

If you have any questions about this privacy policy or our privacy practices, or if you want to review, correct, delete inaccuracies or change Personal Information about you, you may do so by making the change within the Manage Account section of the Commons or by contacting us at partner-support@stashrewards.com or at the following address: RevPAR Collective, Inc. d/b/a Stash Hotel Rewards, 2225 E. Bayshore Road, Suite 200, Palo Alto, CA 94303. We will respond to your request as soon as we are able, or in relation to a request for access to or the correction of your Personal Information with us, within 30 days.

Upon request, RPC will provide you with information about whether we hold, or process on behalf of a third-party, any of your Personal Information. To request this information please contact us via partner-support@stashrewards.com.

Please note that in an effort to prevent the unauthorized disclosure of Personal Information, you may be required to provide proof of identity in order to access Personal Information. If, upon review, you wish to deactivate your User profile or update your Personal Information, you may do so by making the change on your Manage Account page or by emailing partner-support@stashrewards.com. We will respond to your request to access within 30 days. In some instances, however, information that you request to be removed may be retained in certain files for a period of time in order to troubleshoot problems. In addition, some types of information may be stored indefinitely on back-up systems or within log files due to technical constraints or financial or legal requirements. Therefore, you should not always expect that all of your Personal Information will be completely removed from our databases in response to your request

Data Retention

We will retain your information for as long as your User account is active or as needed to provide you services. If you wish that we no longer use your information to provide you services, contact us at partner-support@stashrewards.com. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Terms Applicable to Data from E.U. Member Countries

If we collect Personal Information from E.U. residents in a manner subject to the General Data Protection Regulation then, in addition to the above, the following terms shall also apply to our collection, use and retention of that information:

Compliance with Privacy Shield Principles: When handling information from residents of the E.U. member countries, we strive to comply with the E.U.-U.S. Privacy Shield Framework principles (Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability) regarding the collection, use and retention of Personal Information from European Union member countries. However, our compliance with these principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements or (b) by statute, governmental regulation, or case law. If there is a conflict between the policies set forth below and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.

Basis for Collection: As set out above, we collect and process Personal Information for which you have given your express consent at the time of collection. For example, we collect Personal Information when you elect to create an account on the Commons. We also collect and process Personal Information to improve our services, to deliver services and perform obligations under contracts we have with you, and to comply with our own legal obligations.

Sensitive Data: We do not collect sensitive data, for example biometric data, health data, or data revealing racial or ethnic origin, from visitors to the Commons.

Onward Transfer: Except as otherwise provided in this Privacy Policy, we only disclose Personal Information to third parties who reasonably need to have access to it for the purpose of the transaction or activity for which it was originally collected or to provide services to or perform tasks or our behalf or under our instruction. All such third parties must agree to use such the Personal Information we provide to them only the purposes for which we have engaged them and they must either: (a) comply with the E.U.-U.S. Privacy Shield Principles or another mechanism permitted by the applicable E.U. & Swiss data protection law(s) for transfers and processing of Personal Information or (b) agree to provide adequate protections for the Personal Information that are no less protective than those set out in this Privacy Policy. Where we have knowledge that an entity to whom we have provided Personal Information is using or disclosing Personal Information in a manner contrary to this Privacy Policy, we will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.

Authorized Transfer: We also may disclose Personal Information for other purposes or to other third parties when you have consented to or requested such disclosure. Please be aware that we will disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We are not liable for appropriate onward transfers of personal data to third parties.

Data Processors: We may retain third parties to process or analyze personal Information we collect from the Commons. For example, the Commons may be maintained or hosted by a third-party service provider, a promotion may be administered by a sales promotion agency, and/or products may be fulfilled by a wholesaler. These suppliers and other third parties that provide services for us are contractually obligated not to use Personal Information about you except as we authorize.

Profiling: We may analyze Personal Information we have collected about you to create a profile of your interests and preferences so that we can contact you with information that is relevant to you. We may make use of additional information about you when it is available from external sources to help us do this effectively. We may also use Personal Information about you to detect and reduce fraud and credit risk.

Your Rights: Your rights include: (a) the right to withdraw your consent to the processing of Personal Information about you to which you have previously given consent; (b) the right to object to processing of Personal Information about you for the purpose of direct marketing and other purposes based on our legitimate interest; (c) the right to request information about the Personal Information we collect, how we process it and with whom we share it; (d) the right, in some cases, to require erasure of the Personal Data about you stored with us; and (e) the right to have incorrect Personal Information about you corrected or removed. If you wish to exercise any of these rights, contact us at member support.

If you request to have incorrect Personal Information removed, we may retain some of your Personal Information as necessary for the purposes of our legitimate business interests or in furtherance of public interests in accordance with the Privacy Shield Principles. Any Personal Information you have shared publicly with others may continue to be publicly visible on the Commons.

You also have the right to obtain a copy of the Personal Information we have about you, although we reserve the right to charge a fee for this depending on the nature and frequency of your request(s) and our cost to provide the information.

Questions and Complaints: If you have questions or complaints regarding this Policy or our handing of your Personal Information, please contact partner-support@stashrewards.com. We will promptly investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Privacy Policy.

Enforcement and Disputes: In compliance with the E.U.-U.S. Privacy Shield, we commit to resolve complaints about your privacy and our collection or use of your Personal Information. If you do not receive timely acknowledgement of your request or have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

In addition to the above, you may complain to your home data protection authority and can invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Contact details for the E.U. data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

The Federal Trade Commission has jurisdiction over our compliance with this Privacy Policy and the E.U.-U.S. Privacy Shield Framework. As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Privacy Shield Panel to be created jointly by the U.S. Department of Commerce and the European Commission.

Effective: July 2018