Privacy Policy

pops.gourmand.dev

Last Updated: January 10, 2026

1. Introduction and Scope

Pops Technologies, LLC ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Pops browser extension, website at pops.gourmand.dev, and related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service worldwide, including residents of the European Economic Area ("EEA"), United Kingdom, California, and other U.S. states with comprehensive privacy laws. Jurisdiction-specific rights and disclosures are provided in Sections 11-14.

BY INSTALLING OR USING THE SERVICE, YOU CONSENT TO THE COLLECTION, USE, AND PROCESSING OF YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICE.

2. Data Controller Information

For purposes of the General Data Protection Regulation ("GDPR") and other applicable data protection laws, the data controller is:

Pops Technologies, LLC
Email: privacy@gourmand.dev
Website: pops.gourmand.dev

2.1 EU/UK Representative

For users in the European Economic Area or United Kingdom, our representative can be contacted at:

Email: gdpr@gourmand.dev

2.2 Data Protection Officer

For data protection inquiries:

Email: dpo@gourmand.dev

3. Information We Collect

We collect information in the following categories:

3.1 Information You Provide Directly

When you create an account or contact us, we may collect:

Email address
Name (optional)
Account preferences and settings
Communications you send to us
Feedback or survey responses
Support requests and correspondence

3.2 Hotel and Travel Data Collected Automatically

When you browse hotel and travel websites with the Service active, we automatically collect data from the pages you view, including:

Hotel names, descriptions, and property details
Room types, rates, and pricing information displayed
Availability dates and booking windows
Location and address information
Amenity listings and property features
Star ratings and review scores
Images and visual content identifiers
Search parameters you use (destination, dates, guest count, filters)
Timestamps of when you viewed each listing
URLs of hotel pages visited (limited to supported travel sites)

Important: We only collect hotel data from pages you actively view. We do not crawl, scrape, or collect data from pages you have not visited. All data originates from your direct browsing activity.

3.3 Real User Monitoring (RUM) Data

To improve the Service and learn your preferences, we collect Real User Monitoring data including:

Mouse movements and hover patterns on hotel listings
Scroll behavior and scroll depth
Click patterns and click locations
Time spent viewing specific hotels or sections
Navigation paths through search results
Interaction with price displays, photos, and amenity lists
Session duration and engagement metrics
UI element interactions within the Service

RUM data is used exclusively to understand your preferences and improve recommendations. We do not record keystrokes, form inputs, passwords, or any text you type outside the Service interface.

3.4 Browser Fingerprint Data

⚠️ IMPORTANT DISCLOSURE: We use browser fingerprinting technology to create a unique identifier based on technical characteristics of your browser and device.

This includes:

Browser type, version, and configuration
Installed browser plugins and extensions
Screen resolution and color depth
Timezone and language settings
Operating system and version
Hardware characteristics (graphics card, audio processing)
Canvas and WebGL rendering patterns
Font enumeration data

Unlike cookies, browser fingerprint data cannot be deleted through your browser settings.

This data is used for:

Fraud prevention and abuse detection
Maintaining session continuity
Personalization and preference persistence
Security purposes

You may withdraw consent for personalization-related fingerprinting through your account settings, which may affect certain Service features. Fingerprinting used for security and fraud prevention cannot be disabled.

3.5 Device and Technical Information

We automatically collect:

IP address (which may indicate approximate geographic location)
Device identifiers and type
Browser type and version
Operating system and version
Referring URLs and exit pages
Pages visited within the Service
Date and time of access
Error logs and diagnostic data
Network information

3.6 Information from Third Parties

We may receive information from:

Analytics providers (aggregated usage statistics)
Fraud prevention services (risk scores)
Affiliate partners (conversion confirmation, no personal details)

4. How We Use Your Information

We use collected information for the following purposes and legal bases:

Purpose	Data Used	Legal Basis (GDPR)
Providing core Service functionality	Hotel viewing data, account info	Contract performance (Art. 6(1)(b))
AI preference learning and personalization	RUM data, viewing patterns, hotel data	Consent (Art. 6(1)(a))
Browser fingerprinting for personalization	Browser/device technical data	Consent (Art. 6(1)(a))
Browser fingerprinting for security	Browser/device technical data	Legitimate interest (Art. 6(1)(f))
Fraud prevention and security	IP address, fingerprint, usage patterns	Legitimate interest (Art. 6(1)(f))
Affiliate commission tracking	Click data, booking attribution	Legitimate interest (Art. 6(1)(f))
Service improvement and analytics	Aggregated usage data	Legitimate interest (Art. 6(1)(f))
Customer support	Communications, account data	Contract performance (Art. 6(1)(b))
Legal compliance	As required	Legal obligation (Art. 6(1)(c))

4.1 Legitimate Interest Assessment

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights. You may request details of these assessments by contacting dpo@gourmand.dev.

5. Artificial Intelligence and Automated Processing

5.1 How AI Processes Your Data

The Service uses artificial intelligence and machine learning to:

Analyze hotels you have viewed to identify patterns in your preferences
Calculate "value" scores based on price, location, amenities, and your apparent priorities
Predict which hotels may best match your preferences
Surface recommendations from hotels you have seen
Continuously improve recommendations based on your feedback and behavior

5.2 Data Integrity — No Hallucination

Our AI system does not fabricate or "hallucinate" hotel information. All recommendations are based exclusively on real hotel data that you have viewed during your browsing sessions. If information becomes outdated, the Service will indicate when data was last seen.

5.3 Third-Party AI Training Restrictions

We do not permit our AI service providers or subprocessors to use your Inputs or data to train their own AI models. When we use third-party AI services, contractual restrictions prevent them from using your data for their model improvement.

5.4 Your Rights Regarding Automated Decisions (GDPR Article 22)

The recommendations provided by the Service are suggestions to assist your decision-making and do not constitute automated decisions that produce legal effects or similarly significant effects on you. You always retain full control over booking decisions.

However, you have the right to:

Request information about the logic involved in AI recommendations
Contest recommendations you believe are inaccurate
Request human review of AI-generated outputs
Opt out of AI preference learning while retaining core Service functionality

To exercise these rights, contact us at privacy@gourmand.dev.

6. Affiliate Marketing Disclosure

💰 IMPORTANT: The Company participates in affiliate marketing programs with hotel booking platforms, online travel agencies, and travel partners. When you click on hotel recommendations or make bookings through links provided by the Service, we may receive compensation from our affiliate partners.

This affiliate relationship means:

We receive commissions when you complete bookings through our links
Affiliate compensation may influence which hotels are displayed or their display order
We track clicks and conversions for commission attribution purposes
This compensation does not affect the price you pay for any booking

We disclose this relationship in compliance with the Federal Trade Commission's Endorsement Guides (16 CFR Part 255).

6.1 Data Shared with Affiliate Partners

We share limited information with affiliate partners:

Click identifiers and timestamps
Booking confirmation data (when applicable)
Device/browser identifiers for attribution (hashed where possible)

We do not share your complete browsing history, AI preference profiles, email address, or other personal contact information with affiliate partners.

7. How We Share Your Information

We may share your information with the following categories of recipients:

7.1 Service Providers and Subprocessors

We share data with third-party service providers who perform services on our behalf, including:

Category	Purpose	Data Shared
Cloud hosting	Infrastructure	All data (encrypted)
Analytics	Usage analysis	Aggregated/pseudonymized data
Customer support	Support tickets	Account and communication data
Email services	Notifications	Email address, name
Security services	Fraud prevention	IP, device fingerprint

These providers are contractually obligated as data processors under GDPR Article 28 agreements to:

Process data only on our documented instructions
Ensure personnel confidentiality
Implement appropriate security measures
Assist with data subject requests
Delete or return data upon termination
Submit to audits

A list of our current subprocessors is available upon request at privacy@gourmand.dev.

7.2 Affiliate Partners

As described in Section 6.1, we share limited attribution data with affiliate partners.

7.3 Legal Requirements and Law Enforcement

We may disclose your information when required by law or in good faith belief that such action is necessary to:

Comply with legal obligations or valid legal process (subpoenas, court orders, warrants)
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of users or the public
Protect against legal liability

Law Enforcement Request Procedures: We evaluate all government and law enforcement requests and may challenge requests we believe are overbroad or legally deficient. We will notify affected users of requests for their data unless prohibited by law or court order.

7.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will:

Provide notice prior to transfer
Ensure the acquiring entity honors this Privacy Policy
Give you the opportunity to delete your data before transfer (where feasible)

7.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

7.6 No Sale of Personal Information

We do not sell your personal information to third parties for monetary consideration.

We do not share your personal information for cross-context behavioral advertising.

See Section 13 for specific disclosures regarding California law definitions of "sale" and "sharing."

8. Data Retention

We retain your information for the following periods:

Data Type	Retention Period	Justification
Account information	Until account deletion + 30 days	Backup and legal compliance
Hotel viewing history	24 months from viewing	Service functionality
AI preference models	Until deletion/opt-out + 30 days	Service improvement
RUM session data	90 days (identifiable)	Product analytics
RUM session data	2 years (aggregated)	Long-term analytics
Browser fingerprint	12 months from last activity	Security and fraud prevention
Server/access logs	90 days	Security and debugging
Support communications	3 years	Legal compliance
Affiliate attribution	2 years	Partner reconciliation

8.1 Retention After Account Deletion

When you delete your account:

Personal data is deleted within 30 days
Aggregated/anonymized data may be retained indefinitely
Data required for legal compliance is retained as required by law
Backup copies are purged within 90 days

9. Data Security

We implement appropriate technical and organizational measures to protect your information:

9.1 Technical Measures

Encryption in transit (TLS 1.3)
Encryption at rest (AES-256)
Secure key management
Regular vulnerability scanning
Penetration testing
Intrusion detection systems

9.2 Organizational Measures

Access controls and least-privilege principles
Employee background checks
Security awareness training
Incident response procedures
Vendor security assessments
Regular security audits

9.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

We will notify relevant supervisory authorities within 72 hours (as required by GDPR)
We will notify affected users without undue delay if the breach poses high risk
Notification will include: nature of breach, likely consequences, measures taken, and contact information

No method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

10. International Data Transfers

Your information may be transferred to and processed in countries outside your country of residence, including the United States.

10.1 Transfer Mechanisms

When we transfer data from the EEA, UK, or Switzerland, we ensure appropriate safeguards:

Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs for transfers to countries without adequacy decisions
Data Privacy Framework: We may rely on DPF certification where applicable
Supplementary measures: We implement additional technical and organizational safeguards as needed

10.2 Transfer Impact Assessments

We conduct transfer impact assessments to evaluate the legal framework of destination countries and implement supplementary measures where necessary.

You may request a copy of the transfer safeguards we use by contacting privacy@gourmand.dev.

11. Your Rights Under GDPR (EEA and UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the following rights:

Right	Description	How to Exercise
Access (Art. 15)	Obtain a copy of your personal data	Email privacy@gourmand.dev
Rectification (Art. 16)	Correct inaccurate or incomplete data	Account settings or email
Erasure (Art. 17)	Request deletion ("right to be forgotten")	Account settings or email
Restriction (Art. 18)	Limit processing in certain circumstances	Email privacy@gourmand.dev
Portability (Art. 20)	Receive data in machine-readable format	Email privacy@gourmand.dev
Object (Art. 21)	Object to processing based on legitimate interests	Email privacy@gourmand.dev
Withdraw Consent	Withdraw consent at any time	Account settings or email
Automated Decisions (Art. 22)	Not be subject to solely automated decisions	Email privacy@gourmand.dev

11.1 How to Exercise Your Rights

Email: privacy@gourmand.dev or gdpr@gourmand.dev
Response time: Within one month (extendable by two months for complex requests)
Verification: We may need to verify your identity before processing requests
Fee: Generally free; reasonable fee may apply for manifestly unfounded or excessive requests

11.2 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

For UK residents: Information Commissioner's Office (ICO) at https://ico.org.uk

12. Global Privacy Control and Do Not Track

12.1 Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) signal.

When we detect a valid GPC signal from your browser or device, we will automatically treat it as:

A valid request to opt out of the "sale" or "sharing" of your personal information under California law
A valid request to opt out of targeted advertising under applicable state privacy laws
An objection to processing for direct marketing under GDPR

You can enable GPC in supporting browsers or through browser extensions. Learn more at https://globalprivacycontrol.org

12.2 Do Not Track (DNT)

We also recognize Do Not Track browser signals. When we detect a DNT signal, we will limit non-essential tracking to the extent technically feasible.

13. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights.

13.1 Right to Know

You have the right to request disclosure of:

Categories of personal information collected
Specific pieces of personal information collected
Sources of personal information
Business purposes for collection
Categories of third parties with whom we share
Categories of information sold or shared (if any)

13.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, security, completing transactions).

13.3 Right to Correct

You have the right to request correction of inaccurate personal information.

13.4 Right to Opt-Out of Sale/Sharing

We do not "sell" personal information for monetary consideration.

We may "share" personal information with affiliate partners for attribution purposes, which may constitute "sharing" under CCPA. You may opt out by:

Contacting us at ccpa@gourmand.dev
Using the "Do Not Sell or Share My Personal Information" link on our website
Enabling Global Privacy Control in your browser

13.5 Right to Limit Use of Sensitive Personal Information

We do not use sensitive personal information for purposes beyond those permitted under CCPA.

13.6 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. However, opting out of certain processing may affect Service functionality.

13.7 Categories of Personal Information Collected

In the preceding 12 months, we have collected:

CCPA Category	Examples	Sold?	Shared?
Identifiers	Email, IP address, device IDs, fingerprint	No	Limited (attribution)
Commercial information	Hotel viewing history	No	No
Internet activity	Browsing on travel sites, clicks, RUM data	No	No
Geolocation	Approximate location from IP	No	No
Inferences	AI-derived preferences	No	No

13.8 How to Submit a Request

Email: ccpa@gourmand.dev
Response time: Within 45 days (extendable by 45 days)
Verification: We will verify your identity using your account information or other reasonable means
Authorized agents: You may designate an authorized agent with written permission

14. Additional U.S. State Privacy Rights

We comply with comprehensive privacy laws in the following states. Residents of these states have rights similar to those described in Section 13:

14.1 Virginia (VCDPA)

Virginia residents have rights to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, and profiling. Appeal requests can be submitted to privacy@gourmand.dev within 45 days of denial.

14.2 Colorado (CPA)

Colorado residents have rights to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, and profiling. We honor universal opt-out mechanisms including GPC.

14.3 Connecticut (CTDPA)

Connecticut residents have rights to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, and profiling.

14.4 Utah (UCPA)

Utah residents have rights to access, delete, and obtain a copy, and to opt out of targeted advertising and sale.

14.5 Other States

We monitor privacy legislation and will update this policy as new state laws take effect, including laws in Oregon, Texas, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and others.

14.6 Appeal Process

If we deny your privacy request, you may appeal by:

Emailing privacy@gourmand.dev with "Appeal" in the subject line
Providing your original request and reason for appeal
We will respond within 45-60 days depending on your state

If your appeal is denied, you may contact your state's Attorney General.

15. Cookies and Tracking Technologies

15.1 Types of Technologies Used

Technology	Purpose	Duration
Essential cookies	Authentication, security	Session
Preference cookies	Remember settings	1 year
Analytics cookies	Usage statistics	2 years
Browser fingerprinting	Security, personalization	12 months

15.2 Managing Cookies

You can control cookies through:

Browser settings (block all or third-party cookies)
Our cookie preference center (where available)
Opt-out links for specific analytics providers

Note: Disabling cookies may affect Service functionality.

15.3 Browser Fingerprinting

For browser fingerprinting, use the opt-out mechanism in your account settings. Security-related fingerprinting cannot be disabled.

16. Children's Privacy

The Service is not intended for users under the age of 18.

We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will:

Delete that information promptly
Notify the parent/guardian if contact information is available

If you believe we have collected information from a child, please contact us immediately at privacy@gourmand.dev.

17. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read the privacy policies of any third-party sites you visit.

18. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

Posting the updated policy on pops.gourmand.dev
Updating the "Last Updated" date
Sending notice via email to registered users (for material changes)
Providing at least 30 days notice before material changes take effect

Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree, you must discontinue use before the effective date.

19. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights:

Purpose	Contact
General privacy inquiries	privacy@gourmand.dev
GDPR/EU inquiries	gdpr@gourmand.dev
Data Protection Officer	dpo@gourmand.dev
CCPA/California requests	ccpa@gourmand.dev
Other U.S. state requests	privacy@gourmand.dev
Website	pops.gourmand.dev

Response Times:

GDPR requests: Within 1 month
CCPA requests: Within 45 days
Other requests: Within 30 days

If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority or state Attorney General.

20. Acknowledgment

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, AND PROCESSING OF YOUR INFORMATION AS DESCRIBED HEREIN.