Everything you can grab from a silent push in those months when you don't check in but still have the app installed out of convenience. In other words: not much, but something (e.g. the company can know that the app is still installed).

I wouldn't go to lengths avoiding installation (just remember to uninstall if it really bothers you), but I'd prefer a purely web based implementation. How about clearing arbitrary NFC UID for access? (From a self-serve counter if taking humans out of the equation is so much of a goal) The credit card form factor is certainly not inconvenient at all, but dealing with them can still be surprisingly annoying when that happens to coincide with oddities from the very long tail of luggage situations.

You have to provide location access to enable bluetooth which means things like this story of the most unethical thing this former Twitter employee was asked to build are possible: https://twitter.com/stevekrenzel/status/1589700721121058817

Wow, what a story!

The precise amount of tin foil you are carrying to protect yourself, in pounds, for one. /s

Answered the same question here https://news.ycombinator.com/item?id=34091783

IP address, browser/device fingerprint.

Precise locations, time spent at each location. And device information (model, OS), super cookie association. And if it asks permissions: contacts and photos, etc. sounds like parent would grant these permissions out of app love.

You know, Phone OSs these days have a "allow location only while using the app" permission. I only need the app while I'm at my room or while checking out.

You can also reject contact and photos permissions to apps. None of the hotel apps have asked me for these.