Purpose

Stay Express® ("SE"), a trade name of Care Hotel Group, is committed to maintaining the security of our website (www.stayexpress.com) and protecting the personal and financial information of all visitors and guests. This Site Security Policy explains the technical and organizational measures we have in place to safeguard your data and describes your responsibilities when using our site.

Scope

This policy applies to all users of the Stay Express® website, including prospective guests, confirmed guests, and loyalty club members. It covers all digital interactions with the site, including browsing, account creation, reservations, and any submission of personal or payment information.

Encryption & Secure Connections

All data transmitted between your browser and the Stay Express® website is protected using industry-standard encryption:

• TLS (Transport Layer Security) 1.2 or higher is required for all connections to the site.
• SSL encryption is required for all mobile device connections. If your device does not support SSL, you will not be able to connect securely and should contact your service provider.
• Payment card data is processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We do not store full card numbers on our servers.
• HTTPS is enforced site-wide. Plain HTTP connections are automatically redirected to HTTPS.

Authentication & Account Security

If you have been issued a login and password for the Stay Express® site or loyalty portal:

• Your credentials are for your personal use only. You may not share, transfer, or permit others to use your login.
• You are responsible for maintaining the confidentiality of your username and password.
• You accept full responsibility for all activities conducted under your account.
• You must notify Stay Express® immediately if you believe your account credentials have been compromised (see Section 9 for contact details).
• Stay Express® will never ask you for your password by email, phone, or chat.

We recommend that you:

• Use a strong, unique password (at least 12 characters, mixing letters, numbers, and symbols).
• Never reuse passwords across multiple sites.
• Log out of your account after each session, especially on shared devices.

Payment Security

Stay Express® takes the security of your payment information seriously:

• All payment transactions are processed by PCI DSS-compliant payment processors.
• Credit card numbers are encrypted during transmission and are not stored in plaintext on our systems.
• We use tokenization technology where applicable to minimize the exposure of raw payment data.
• Guests are advised to verify that the URL in their browser begins with "https://" before entering any payment information.

Infrastructure & Technical Controls

The Stay Express® website is hosted on infrastructure protected by the following controls:

• Firewalls and intrusion detection systems to monitor and filter incoming and outgoing network traffic.
• Regular vulnerability scanning and penetration testing by qualified security professionals.
• Access to backend systems is restricted to authorized personnel using role-based access controls.
• Server software and third-party components are regularly patched and updated to address known security vulnerabilities.
• Audit logs are maintained for administrative and system access events.
• Data backups are encrypted and stored securely offsite.

Prohibited Activity

Users of this site are strictly prohibited from engaging in any activity that threatens its security, including but not limited to:

• Attempting unauthorized access to any account, system, or network connected to this site.
• Uploading or transmitting malware, viruses, Trojan horses, ransomware, or any other malicious code.
• Using automated tools such as bots, scrapers, or crawlers to access or extract data from the site.
• Conducting denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
• Exploiting vulnerabilities or attempting to circumvent security controls.
• Intercepting or monitoring data transmissions on the site without authorization.

Violation of these prohibitions may result in immediate account termination, civil liability, and/or referral to law enforcement authorities.

Cookies & Tracking Technologies

The Stay Express® website uses cookies and similar tracking technologies to support site functionality, remember your preferences, and analyze site usage. The following types of cookies may be used:

• Essential Cookies: Required for the site to function (e.g., session management, shopping cart).
• Functional Cookies: Remember your preferences, language, and region settings.
• Analytics Cookies: Help us understand how visitors use the site (e.g., page views, traffic sources).
• Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness.

You may manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect site functionality. For full details, see our Privacy Policy.

Vulnerability Disclosure

Stay Express® values the security research community. If you discover a potential security vulnerability on our website, we ask that you:

• Report it promptly and in good faith to us.
• Allow us reasonable time to investigate and remediate the issue before public disclosure.
• Avoid accessing, modifying, or exfiltrating data as part of your research.

We are committed to working with researchers who report vulnerabilities responsibly. We do not authorize automated scanning or testing of production systems without prior written consent.

Third-Party Services

The Stay Express® website may integrate with third-party services, including payment processors, analytics providers, and marketing platforms. While we vet these providers for compliance with applicable security standards, Stay Express® cannot guarantee the security practices of third-party sites. We encourage you to review the privacy and security policies of any third-party service you access through our site.

Mobile Device Security

When accessing the Stay Express® site on a mobile device:

• Ensure your device operating system and browser are up to date.
• Only download the official Stay Express® app from authorized app stores.
• Be cautious of using public Wi-Fi networks when making reservations or entering payment information. Use a VPN when possible.
• If your device is lost or stolen, change your Stay Express® account password immediately.

Incident Response

In the event of a security incident affecting customer data, Stay Express® will:

• Investigate the incident promptly using our internal security response procedures.
• Notify affected users and relevant regulatory authorities as required by applicable law.
• Take corrective action to contain and remediate the incident.
• Maintain transparency with affected parties throughout the resolution process.

To report a suspected security incident or unauthorized account activity, please contact us.

Policy Updates

Stay Express® reserves the right to update this Site Security Policy at any time. Changes will be posted to this page with a revised effective date. Continued use of the site following any updates constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

Governing Law

This policy is governed by the laws of the State of Texas, United States of America. Any disputes arising in connection with this policy shall be resolved in accordance with the governing law provisions of the Stay Express® Terms of Use.