The fine print

Privacy Policy.

How we handle the information you share with us. Last updated 2026-05-28.

Effective date: 2026-05-28  ·  Last reviewed: 2026-05-28  ·  Version: 2.0

Table of contents

  1. Who we are and what this covers
  2. Categories of information we collect
  3. How we collect information — sources
  4. How we use your information — purposes
  5. How we share information — recipients
  6. SMS / text messaging program (A2P 10DLC)
  7. Cookies, analytics, and similar technologies
  8. Do Not Track and Global Privacy Control
  9. Your California rights (CCPA / CPRA)
  10. Your rights under other U.S. state privacy laws
  11. Your rights under the EU / UK GDPR
  12. Data retention
  13. Information security
  14. International transfers
  15. Children's privacy
  16. Changes to this policy
  17. Contact and privacy request submissions

1. Who we are and what this Privacy Policy covers

This Privacy Policy ("Policy") explains how Travill Holdings LLC, doing business as The Burgundy ("The Burgundy," "we," "our," or "us"), a California limited liability company affiliated with Cedarwood Asset Management, collects, uses, discloses, and otherwise processes personal information when you: visit our website at theburgundyinn.com (and, when live, theburgundyinn.com) (the "Site"); request a reservation, stay at the property at 41121 Big Bear Blvd, Big Bear Lake, CA 92315 (the "Property"), or use any of its amenities; submit a contact, group, wedding, retreat, or newsletter form; opt into our SMS / text-messaging program; email, call, or otherwise communicate with us; or interact with our official social-media accounts. This Policy does not apply to information collected by third parties whose sites or services we link to or integrate with, including Cloudbeds, payment processors, OTA channels, and analytics vendors. By using the Site or transacting with us, you acknowledge that you have read and understood this Policy.

2. Categories of information we collect

The categories below align with personal-information categories defined in the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA / CPRA," Cal. Civ. Code § 1798.140).

  • Identifiers — name, postal address, email, phone, mobile phone, IP address, online identifiers, transaction ID.
  • Customer records (Cal. Civ. Code § 1798.80(e)) — payment-card information (processed by Cloudbeds and our PCI-compliant card processor; we do not store full card numbers), driver's license / government-ID number (collected at check-in for identity verification only), signature on rental agreement.
  • Protected classification information — not deliberately collected; only as voluntarily disclosed for accommodation, dietary, or service-animal requests.
  • Commercial information — reservation history, booking dates, room type, group size, on-property purchases, preferences, feedback.
  • Internet or network activity — pages viewed, referring URL, search terms, session duration, click events, device fingerprint elements, approximate city-level geolocation from IP.
  • Geolocation data — approximate (city-level) only; precise GPS only if you affirmatively grant browser permission (the Site does not currently request this).
  • Audio, video, or visual — security-camera footage in public/common areas (entrances, parking, lobby, bar); voicemail recordings; photos/videos you submit; photos/videos we capture at events for marketing (subject to the photo release in our Terms).
  • Professional or employment information — collected only for corporate-retreat / group-event inquiries.
  • Education information — not collected.
  • Inferences — preferences, propensity to book, repeat-guest segments derived from the above.
  • Sensitive personal information (CPRA) — we collect only: (a) government-ID number for identity verification at check-in (held no longer than required and never used for marketing); (b) precise account/payment-card credentials, which are tokenized and held by our PCI-compliant payment processor, not by us; and (c) any health/accessibility information you voluntarily disclose in an accommodation request, used only to fulfill that request. We do not use sensitive personal information to infer characteristics, and you have the right to limit our use of it (see § 9).

We do not knowingly collect biometric identifiers, genetic data, union-membership information, or contents of mail, email, or text messages that are not directed to us.

3. How we collect information — sources

  • Directly from you — via forms, booking flow, email, phone, in-person check-in, on-property guest cards, event/retreat inquiries.
  • Automatically — via cookies, server logs, and analytics tags as you use the Site (see § 7).
  • From service providers acting on our behalf — Cloudbeds, our email service provider, our SMS platform (HighLevel / "Inn Dojo"), our payment processor, and our hosting provider (Cloudflare).
  • From OTAs and third-party booking channels — Expedia, Booking.com, Airbnb forward reservation and contact information to Cloudbeds, who in turn shares it with us.
  • From social-media platforms — only information you choose to share via public posts, tags, mentions, or direct messages.
  • From referrals or recommendations — if a third party books a room or event on your behalf.
  • From publicly available sources — business listings, news mentions, public property records.

4. How we use your information — purposes

We process personal information only for the purposes listed below. For GDPR, our lawful bases are: (a) performance of a contract; (b) compliance with a legal obligation; (c) our legitimate interests; or (d) your consent (withdrawable at any time).

  • To process and fulfill reservations — confirming bookings, charging your payment method, sending pre-arrival information, check-in/out, on-property requests. Basis: contract.
  • To respond to inquiries and provide customer service. Basis: contract / legitimate interest.
  • To send transactional and operational messages — booking confirmations, modifications, check-in reminders, security alerts, accessibility responses. Basis: contract.
  • To send marketing communications — newsletter, special offers, seasonal updates, event announcements — only to people who affirmatively opt in. Unsubscribe via link in any marketing email or by replying STOP to a marketing SMS. Basis: consent.
  • To operate, secure, and improve the Site — analytics, fraud detection, debugging, A/B testing, accessibility audits. Basis: legitimate interest.
  • To manage the Property safely — CCTV recording in public/common areas, incident investigation, evictions for violation of Terms, ADA accommodations. Basis: legitimate interest / legal obligation.
  • To comply with legal obligations — tax reporting, ADA compliance, A2P 10DLC carrier requirements, lawful requests from courts and regulators. Basis: legal obligation.
  • To defend or assert legal claims. Basis: legitimate interest.
  • For corporate transactions — merger, acquisition, financing, reorganization, or sale of assets, with personal information transferred subject to this Policy. Basis: legitimate interest.

We do not use personal information for automated decision-making that produces legal or similarly significant effects, and we do not use sensitive personal information to infer characteristics.

5. How we share information — recipients

We do not sell or rent personal information for monetary consideration. We share information only with the following categories of recipients, each bound by a written agreement that limits use to the purposes for which we provided the information:

  • Service providers and processors — Cloudbeds (reservation management; privacy policy); our payment processor (PCI-DSS compliant tokenization — full card numbers are never stored by us); our email service provider; HighLevel / "Inn Dojo" (SMS / CRM); Cloudflare (hosting, security, Web Analytics; privacy policy); Google Analytics 4 (privacy policy) configured with IP anonymization; our accountants, attorneys, insurers.
  • OTAs and booking channels — Expedia, Booking.com, Airbnb — exchange of reservation information as required to fulfill bookings and for fraud/anti-piracy. Each operates under its own privacy policy.
  • Government, law enforcement, and other legal authorities — when required by valid legal process, when needed to protect the rights, property, or safety of The Burgundy, our guests, employees, or the public, or to investigate suspected fraud or violations of our Terms.
  • Successors — a buyer, investor, or successor in a merger, acquisition, divestiture, financing, bankruptcy, restructuring, or similar corporate transaction.
  • With your direction or consent — for example, coordinating with a wedding planner, charter bus operator, or third-party vendor for your event.

SMS / text-message data. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing with subcontractors who help us provide support services (for example, customer service) is permitted. All other use-case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

"Sale" or "sharing" under CCPA / CPRA. We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as that term is defined in CPRA. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.

6. SMS / text messaging program (A2P 10DLC)

If you opt in to receive SMS communications from The Burgundy, the following apply. These clauses are also restated in Terms & Conditions § 13.

6.1 Program identity

The Burgundy operates a text-messaging program to send (a) marketing messages about special offers, discounts, package deals, and service updates, and (b) non-marketing messages including booking confirmations, reservation reminders, modification notices, group-inquiry replies, accessibility responses, and operational updates such as power-outage notices. Consent for marketing and non-marketing messages is collected on separate, distinct, unchecked-by-default checkboxes; you may opt into one, both, or neither.

6.2 No information sharing

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing with subcontractors who help us provide support services (for example, customer service) is permitted. All other use-case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

6.3 Granular, affirmative consent

Marketing and non-marketing SMS consent are presented as separate, unchecked-by-default boxes. Submitting a form (even one that includes your phone number) does not opt you in to messages; consent must be affirmatively checked. Consent to receive SMS is never required to use our services, complete a booking, or submit a form.

6.4 Opt out anytime

Reply STOP to any text from us to be removed from the program. We will confirm your opt-out via SMS and you will receive no further marketing or non-marketing messages from us until you re-opt in.

6.5 Help

Reply HELP to any text from us for assistance, or contact [email protected] or +1 (858) 799-0213.

6.6 Carriers, rates, and frequency

Carriers are not liable for delayed or undelivered messages. Message and data rates may apply. Message frequency varies. For questions about your text plan or data plan, contact your wireless provider.

6.7 Compliance

This SMS program is operated in accordance with the CTIA Short Code Monitoring Handbook, the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and applicable A2P 10DLC carrier requirements.

7. Cookies, analytics, and similar technologies

  • Strictly necessary — security. Cloudflare uses session cookies and a server-side fingerprint to detect malicious traffic, prevent DDoS, and route legitimate visitors.
  • Performance and analytics — aggregated. Cloudflare Web Analytics (cookieless, no IP retention) and Google Analytics 4 (configured with IP anonymization).
  • Functional. Local-storage flags that remember whether you have dismissed a notice on this device.
  • Advertising / cross-site tracking. We do not currently use advertising cookies or cross-context behavioral-advertising tags on the Site.

You can disable cookies in your browser at any time. Disabling some cookies may degrade or disable Site features.

8. Do Not Track and Global Privacy Control

Our Site does not respond differently to browser "Do Not Track" (DNT) signals because there is no industry consensus on what such signals should mean for a website that does not engage in cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal as a valid opt-out of "sale" or "sharing" of personal information under California, Colorado, and Connecticut privacy laws — receipt of a GPC signal will be treated as an opt-out request for the device or browser sending it.

9. Your California rights (CCPA / CPRA)

If you are a California resident, the CCPA / CPRA gives you the following rights:

  • Right to know the categories and specific pieces of personal information we have collected, the sources, business or commercial purposes, and categories of third parties with whom we share it, in the preceding 12 months.
  • Right to delete, subject to legal-retention exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" — we do not sell or share for cross-context behavioral advertising. GPC honored.
  • Right to limit use of sensitive personal information — direct us to use sensitive PI only to perform the services you requested.
  • Right to non-retaliation — no denial of service, different prices, or different quality for exercising privacy rights.

How to exercise your rights. Email [email protected] with subject "Privacy Request" or call +1 (858) 799-0213. We verify identity using information already on file before fulfilling the request. We respond within 45 calendar days, with possible 45-day extension if reasonably necessary.

Authorized agents. You may designate an authorized agent via signed written authorization or power of attorney. We verify the agent's authority and may ask you to confirm directly.

Appeals. Reply to our denial within 60 days; we respond to appeals within 60 calendar days.

"Shine the Light" (Cal. Civ. Code § 1798.83). The Burgundy does not share personal information with third parties for their direct marketing purposes.

10. Your rights under other U.S. state privacy laws

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Florida, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Tennessee, Indiana, Kentucky, Minnesota, Maryland, Rhode Island, and other states with comprehensive consumer-privacy laws have rights that include some or all of: access, correction, deletion, portability, and the right to opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects. To exercise these rights, contact us using the methods in § 17. We honor verified requests within the statutory window applicable to your state of residence.

11. Your rights under the EU / UK GDPR

If you are in the EEA, UK, or Switzerland, GDPR (and equivalent UK and Swiss laws) gives you the following rights: access; rectification; erasure (subject to legal-retention exceptions); restriction; objection to processing based on legitimate interests and to direct-marketing processing; data portability for data processed on the basis of contract or consent; withdrawal of consent at any time; right not to be subject to automated decision-making with legal or similarly significant effects (we do not engage in such processing); and right to lodge a complaint with your local supervisory authority. Direct inquiries to [email protected].

12. Data retention

  • Reservation records — 7 years after the stay (IRS and California Department of Tax and Fee Administration requirements).
  • Payment-card data — not stored by us; held only by our PCI-compliant payment processor.
  • Government-ID copies or numbers — destroyed within 30 days of check-out unless required for an ongoing dispute, investigation, or legal hold.
  • Newsletter subscriptions — until you unsubscribe, plus a suppression record indefinitely to honor your opt-out.
  • SMS opt-in records — for as long as you are opted in plus 4 years after opt-out (TCPA defense).
  • Contact / inquiry submissions — 2 years from last contact, unless the inquiry led to a reservation.
  • Security camera footage — rolling 30 days, except segments retained for active investigation or legal hold.
  • Server, analytics, and audit logs — rolling 90 days raw, indefinitely aggregated/non-identifying.

13. Information security

We use commercially reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include: HTTPS/TLS encryption for all Site traffic; HTTP Strict Transport Security with preload; a strict Content Security Policy; X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy security headers; access controls on backend systems; vendor due-diligence reviews; and PCI-DSS reliance on tokenization for payment data. Despite these measures, no method of internet transmission or electronic storage is 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities in accordance with applicable law.

14. International transfers

The Burgundy operates from the United States. If you access the Site or transact with us from outside the United States, your information will be transferred to, processed in, and stored in the United States, where data-protection laws may differ from those of your jurisdiction. By using the Site or contacting us, you consent to such transfer. Where required, we rely on the EU Standard Contractual Clauses (and the UK addendum) for transfers from the EU/UK to the United States.

15. Children's privacy

The Site is intended for adults aged 21 and older (in line with our reservation policy). We do not knowingly collect personal information from children under 13 as defined by COPPA, nor do we sell or share personal information of consumers under 16 as defined by CCPA. If you believe a child has provided us with personal information, please contact us and we will delete it.

16. Changes to this policy

We may update this Policy from time to time. When we do, we will update the "Effective date" and "Version" at the top of this page. Material changes will be highlighted on the Site for at least 30 days before they take effect.

17. Contact and privacy request submissions

The Burgundy — Privacy Contact
Travill Holdings LLC dba The Burgundy
41121 Big Bear Blvd
Big Bear Lake, CA 92315
Phone: +1 (858) 799-0213
Email (privacy requests): [email protected]

For accessibility questions or to report an accessibility barrier, see our Accessibility Statement.

This Policy is provided for informational purposes and does not constitute legal advice. The Burgundy reserves the right to interpret and apply this Policy at its discretion.