Privacy Policy

We use the information we collect for the following purposes:

• Process, confirm, and manage your reservations and any associated payments or refunds
• Authenticate your guest portal account and protect it from unauthorized access
• Deliver pre-arrival, in-stay, and post-stay communications by email, SMS, and WhatsApp
• Personalize your retreat experience and tailor activity recommendations
• Send marketing communications, retreat invitations, and newsletters where you have given consent (you can unsubscribe at any time)
• Measure website performance, conversion rates, and marketing effectiveness across paid and organic channels
• Run remarketing and lookalike advertising campaigns on Google, Meta (Facebook/Instagram), and similar platforms
• Detect, prevent, and respond to fraud, abuse, and security incidents
• Comply with tax, accounting, and other legal obligations under Guatemalan law and applicable international regulations

We do not sell or rent your personal information to third parties for their independent marketing. We do share specific data with the following processors and service providers strictly so they can perform their function on our behalf. Each is bound by data-processing terms and its own published privacy policy (linked below):

• Stripe (United States / Ireland) — payment processing and card-on-file tokenization. PCI-DSS compliant. https://stripe.com/privacy
• Cloudbeds (United States) — property management system, reservation records, room availability. https://www.cloudbeds.com/privacy-policy/
• Supabase (United States / EU) — database, authentication, and file storage (row-level-security protected). https://supabase.com/privacy
• Postmark (United States) — transactional email delivery (booking confirmations, magic-link sign-in, receipts). https://postmarkapp.com/privacy-policy
• GoHighLevel / LeadConnector (United States) — CRM, SMS, and WhatsApp messaging to guests. https://www.gohighlevel.com/privacy-policy
• Google LLC (United States) — Google Analytics 4, Google Tag Manager, Google Ads conversion tracking and remarketing, Google Business Profile. https://policies.google.com/privacy
• Meta Platforms, Inc. (United States) — Meta Pixel for conversion measurement and remarketing on Facebook and Instagram. https://www.facebook.com/privacy/policy
• PostHog (United States / EU) — product analytics, funnel measurement, and feature flagging (no advertising use). https://posthog.com/privacy
• Microsoft Clarity (United States) — anonymized session recording and heatmaps for UX improvement. https://privacy.microsoft.com/en-us/privacystatement
• Rollbar (United States) — error tracking and crash diagnostics for our website and apps. https://rollbar.com/privacy/
• Online travel agencies you choose to book through (Airbnb, Booking.com, Expedia, TripAdvisor, Hospitable) — only when you originate a booking on their platform
• Government, tax, or law-enforcement authorities when we are legally required to disclose information

We use Google Analytics 4, Google Ads, and the Meta Pixel to measure how visitors find and interact with our website, to attribute bookings to the marketing channels that drove them, and to show relevant ads to people who have previously visited our site (remarketing). These services may set cookies or process limited identifiers (such as a hashed email or phone number when you submit a form) to match your activity across devices. They do not receive your full payment information or government IDs.

You can opt out of personalized advertising at any time through these tools:

• Google Ads personalization: https://adssettings.google.com
• Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout
• Meta / Facebook ad preferences: https://www.facebook.com/adpreferences
• Digital Advertising Alliance opt-out: https://optout.aboutads.info
• Use the cookie banner on our site to decline analytics and advertising categories

Subject to applicable law (including the GDPR, CCPA/CPRA, LGPD, and the Guatemalan Constitutional right to data protection), you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your personal data (subject to legal retention obligations)
• Withdraw consent for marketing communications at any time
• Object to or restrict processing of your information
• Request portability of your data in a structured, machine-readable format
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email info@lomadeatitlan.com. We respond to verified requests within 30 days.

We use cookies and similar technologies that fall into three categories. You can manage your preferences at any time using the cookie banner on our site or your browser settings.

Categories of cookies we use:

• Strictly necessary — required for the website, guest portal, and booking flow to function (session, authentication, cart, security, fraud prevention). These cannot be disabled.
• Analytics — Google Analytics 4, PostHog, and Microsoft Clarity, used to understand how visitors use our site so we can improve it. You can decline these.
• Advertising — Google Ads and Meta Pixel, used to measure ad effectiveness and show relevant ads on other sites. You can decline these.