Privacy

Privacy Policy

Last updated: May 21, 2026 · Effective immediately

TL;DR

We collect the minimum data needed to find you a place to stay and confirm your booking. We share booking data with our hotel infrastructure partner (Nuitee/LiteAPI, who is the merchant of record for hotel bookings) and with AWS (where we host). We do not sell your data, ever. We do not run advertising. We do not build behavioral profiles. You can email privacy@weeklyescapes.com any time to access, correct, or delete your data.

Who we are

weeklyescapes.com is operated by NFLO Marketing LLC, a Delaware limited liability company. Founder: Nick Flournoy. Contact for any privacy question: privacy@weeklyescapes.com.

What we collect

We try to collect as little as possible. Here is the full list, in plain language.

If you only browse the site (no account)

Search queries (city, dates, guests). Used only to return live rates from our hotel infrastructure partner. Not stored against your identity.
Server logs (IP address, user agent, page URL, timestamp) for security and abuse prevention, retained for 30 days, then deleted.
No cookies for tracking. No analytics cookies, no advertising pixels, no third-party trackers.

If you create an account

Email address (required for sign-in and confirmation emails).
Authentication identifier (a session token from our auth provider, Clerk).
Optional profile details (first name, last name, profile photo) only if you choose to add them.

If you make a booking

Guest details required by the hotel: name, email, phone, country, sometimes passport details if the property requires it.
Booking details: hotel, dates, room type, total price, special requests.
Payment details are NOT collected by us. They go directly to Nuitee/LiteAPI's payment processor (the merchant of record), processed via Stripe Elements on a secure embedded form. We never see your card number, CVV, or expiration date.

Why we collect each thing

Per GDPR Article 6, we process personal data under these legal bases:

Contract (Article 6(1)(b)): to provide the service you signed up for, including completing your booking and sending you confirmation.
Legitimate interest (Article 6(1)(f)): to keep the service running, prevent fraud and abuse, and improve product reliability.
Consent (Article 6(1)(a)): if you opt in to marketing emails (we don't currently send any) or any feature that requires explicit consent.

Who we share data with

We use a small number of carefully chosen service providers. Here is the full list, what we share with them, and where they're located:

Provider	What we share	Where
Amazon Web Services	Hosting, database, authentication backend	United States (Ohio)
Clerk	Email + auth identifier (sign-in / sign-up flow)	United States
Nuitee (LiteAPI)	Booking guest details + payment details (they are merchant of record)	European Union (Luxembourg)
Stripe	Payment processing (via Nuitee, never stored by us)	United States
Travelpayouts	Aggregated flight search queries (no personal data)	Cyprus / EU
Coliving.com	Affiliate referral parameter (no personal data, just our marker)	European Union
Amazon SES	Booking confirmation emails (your email address only)	United States (Ohio)

We have written agreements with each of these providers requiring them to process data only as we instruct, keep it confidential, and use industry-standard security.

International data transfers

We are based in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, your data may be transferred to and processed in the US (where AWS, Clerk, Stripe, and SES operate) and the EU (where Nuitee operates). For these transfers, we rely on the European Commission's Standard Contractual Clauses as the lawful safeguard.

How long we keep data

Server logs: 30 days, then deleted.
Account data: until you delete your account, then deleted within 30 days.
Booking records: 7 years (US tax + accounting requirement). After that, deleted.
Email records: 30 days for transactional emails, then deleted.

Your rights

Regardless of where you live, you have these rights:

Access: ask us what data we have about you.
Correction: ask us to fix data that's wrong.
Deletion: ask us to delete your data ("right to be forgotten" in the EU).
Data portability: ask for a copy of your data in machine-readable format.
Objection: object to processing based on legitimate interest.

If you're a California resident, the CCPA gives you these rights plus the right to opt out of data sale. We do not sell data, so opt-out is automatic. If you're in the EU/UK/Switzerland, GDPR gives you these rights plus the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@weeklyescapes.com. We respond within 30 days, usually faster.

Children

The site is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, email privacy@weeklyescapes.com and we will delete it.

Cookies

We use exactly one cookie if you sign in: a session cookie set by our auth provider (Clerk) to keep you logged in. It is essential for the service to function. There are no analytics cookies, advertising pixels, or third-party trackers on the site.

Because we don't run tracking cookies, we don't show a cookie consent banner. The only cookie is essential and exempt from the consent requirement under EU ePrivacy guidance.

Changes to this policy

We may update this policy as the service evolves. When we do, we'll update the "Last updated" date at the top, and post a note on our public decisions page describing what changed. If the change is material (new data collection, new sharing, etc.), we'll email account holders directly.

Questions

Email privacy@weeklyescapes.com. If you'd prefer postal mail, send to:

NFLO Marketing LLC
Attention: Privacy
[Mailing address per Delaware LLC registered agent]

Inspired in style and structure by Plausible Analytics' privacy policy. We adopted their plain-language approach because it's the right way to do this.