Privacy Policy
Effective Date: 04 July, 2024 - Last Updated: 04 July, 2024
This Data Privacy and Security Policy (“Privacy Policy”) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) collects, stores and handles “Personal Data” (i.e., any personal information that can be used to identify a living individual), which we may collect:
- through websites operated by us from which you are accessing this Privacy Policy, including hshgroup.com, peninsula.com and other websites owned or controlled by the HSH Group (“Websites”);
- through software applications (including automated tools and chat functionalities) made available by us for use on or through computers and mobile devices (“Apps”);
- through email messages that we send you that link to this Privacy Policy and through your communications with us online or in person;
- from third parties or other sources such as public databases, marketing partners, and other third parties; and
- when you visit or stay as a guest or tenant at one of our properties or through other offline interactions (“Guest Interactions”).
You may get the list of relevant companies within the HSH Group by clicking here.
This Privacy Policy is intended to ensure you can make informed decisions about providing your Personal Data when purchasing our products, using our Services, communicating with us and exercising shareholder’s rights. For any comments or queries, please contact us in accordance with Section 5 (Contacting us) below. You can click here to find our Websites and social media pages, where you may search for a Peninsula Hotel and/or restaurant or other goods and services that we operate or provide.
Please note that our Services are not intended for Minors. By “Minors”, we mean: (i) users under the age of 18 years old; or (ii) in the case of a region where the minimum age for processing Personal Data differs, such different age. We do not knowingly solicit or collect Personal Data from Minors for any purpose unless such information are voluntarily provided or consented by a parent or a legal guardian. If you believe that we have Personal Data of a Minor without lawful consent, or if you are the parent or guardian of the user of a relevant Minor and wish to withdraw consent, please contact us in accordance with Section 5 (Contacting us) below. For more information about how we collect, process, and protect Personal Data of Minors, please refer to Minors’ Privacy Policy If you are a parent or a legal guardian of a Minor, please read the Minors’ Privacy Policy before sharing any Minor’s Personal Data with us.
By providing Personal Data to us, you agree to the processing and use set out in this Privacy Policy and have obtained corresponding authorization (if required). If you do not agree to the processing of Personal Data in the way this Privacy Policy describes, please do not provide such data and stop using the Services.
We have organized and composed the Privacy Policy by major processes and scope of information processing so that you can easily browse the information of most interest to you.
1. How we collect and use Personal Data
2. How we disclose Personal Data
3. How we transmit, protect, and store Personal Data
4. Your rights
6. Cookies
7. Changes to the Privacy Policy
8. Other sites
Annex I: Local Specific Provisions –California
Annex II: Local Specific Provisions –China
1. How we collect and use Personal Data
1.1 This section provides more detail on the types of Personal Data we collect from you, and why. It also identifies the legal basis under which we process the relevant Personal Data, to the extent this is required by applicable laws.
Personal Data |
Use |
Legal Basis (where applicable)
|
Personal information that you provide to us, or that we obtain from public channels, including your name, date of birth, gender, ID documents, nationality, language preference, telephone number, email address and (residential and/or delivery) address and records of your trading history with us. |
We use this information to:
|
Necessary to perform our contract with you to provide our Services. |
We also use this information to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers. |
It is in our and your legitimate interest to ensure that incidents and accidents are handled appropriately. |
|
We may use this information to: |
We use this information with your consent. |
|
Registration information of accounts with us, including your name, date of birth, contact details, as well as the username and password that you may provide to us if you are registering an account with us, e.g. through “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge”. |
We use this information to: |
Necessary to perform our contract with you to provide our Services. |
We may use this information to: |
We use this information with your consent. |
|
Your payment information such as your credit card information (including credit card number, code and expiry date) and your bank account details. |
We use this information to: |
Necessary to perform our contract with you to provide the Services. |
If you contact us, via email, telephone or other means of communication, for any purpose (e.g., making enquiries in relation to a transaction with us), we may keep the correspondence on record. |
We use this information to: |
Necessary to perform our contract with you to provide and support the Services. |
|
We also use this information to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by you or third parties. |
It is in our and your legitimate interest to ensure that incidents and accidents are handled appropriately. |
CCTV recordings: We may have close circuit television systems installed which will take visual and/or aural recordings where appropriate and relevant, and we may keep recordings as permitted by applicable laws. |
We use this information to ensure the security of our properties, and, where applicable, to comply with our legal obligations. |
It is in our legitimate interest to use this information to protect the integrity of the Services. |
We use this information to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers. |
It is in our legitimate interest to ensure that incidents and accidents are handled appropriately. |
|
Survey Information |
We may ask you to complete surveys that we use for research purposes. In such circumstances we will collect the information provided in the survey and use this to assist us in developing new services and products and to improve our existing services and products. |
We use this information with your consent. |
Details of, and information relating to, your visits to our Websites and Apps collected through cookies and similar technologies |
We use this information to ensure our Websites and Apps function correctly (e.g. content on our Websites and Apps are presented in the most effective manner for you and for your device). |
Necessary to perform our contract with you to provide and support the Services. |
For our hotel-related Services only (e.g., when you make a hotel or spa reservation, purchase a gift certificate from us, or enjoy customised concierge services to be provided via Mobile PenKey Concierge) |
||
Your travel details (including flight number, arrival and departure dates and time, country/region of origin and destination), your frequent flyer information, your travel partner’s information (including accompanying family members, partners or friends), employment information (applicable to group reservation), preferences for rooms, food and beverages, and spa /salon treatments, internet access identifiers, and specific services details (including important dates or anniversaries). We may also need collect information as required by local laws such as the number of identity card or passport, type of entry visa, driver’s license, date and place of birth, gender, title, and nationality. |
We use this information to: |
Necessary to perform our contract with you to provide and support the Services. |
Health-related information or preferences, such as allergies and health conditions that may be important to know in connection with the provision of food and beverages, or spa / salon treatments. |
We use this information to provide you with Services in a manner that is suitable to your needs. |
It is in your and our legitimate interest to ensure the Services are provided in a safe manner. |
Your itemised spending to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room. |
We use this information to: |
Necessary to perform our contract with you to provide and support the Services. |
Personal information provided via dedicated accounts such as “Peninsula Perfect Companion”, “Mobile PenKey Concierge”, such as your name, contact details, date of birth or drivers’ license number for renting a car. |
We use this information to enrol you in, and provide you with lifestyle and customised concierge services under, the relevant program and account your registered for. |
Necessary to perform our contract with you to provide and support the Services. |
For non-hotel related Services only (e.g., residential and commercial leasing, and operation of residential clubs and provision of food and beverages, banquet and transport services not connected to our hotels) |
||
Information to satisfy your requests for related services: license plate number (applicable to residential and commercial leasing), co-habitant or visitor (applicable to residential leasing), food and beverages preferences and requests (applicable to provision of food and beverages services), itinerary and activity arrangement (applicable to provision of banquet or transport services), etc. |
We use this information to: |
Necessary to perform our contract with you to provide and support the Services. |
Information relating to your identity or membership with us such as details of identity card and passport and particulars of tenancy, employment and club membership. |
We use this information to: |
Necessary to perform our contract with you to provide and support the Services. |
We may use this information to: |
We use this information with your consent. |
|
For communication with shareholders, investors, potential investors and analysts and for verifying shareholders’ identity only (e.g., sharing with you our financial information, announcements and press release and inviting you to our presentations and/or to exercise your shareholder’s rights) |
||
Your full name, email address and addresses, percentage of share and vote, phone number, employer and other Personal Data and, if appropriate, copy of your identification document, strictly for us to communicate with you and/or to verify your identity as our shareholder. We also use any Personal Data of yours that, from time to time, is in possession of the Hong Kong Share Registrar of The Hongkong and Shanghai Hotels, Limited (currently, Computershare Hong Kong Investor Services Limited). |
We use this information to: |
We use this information to perform our obligations to you as analysts, shareholders, investors and/or potential investors. |
1.2 In general, we may use the Personal Data set out above to assure your future comfort and attention to your individual needs, and/or assist in developing new services and products and to improve our existing services and products. It is in our legitimate interest to continuously improve and develop our Services. In addition, we may use the above information to comply with our legal obligations, to safeguard our legal rights including (without limitation) in relation to the defence of any claims, and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world. We are obliged to meet our legal obligations, and it is in our legitimate interest to safeguard our legal rights.
1.3 There are several ways by which we may collect your Personal Data from you:
- we may collect your Personal Data from you directly by engaging with you, for example, through our Apps, when you make a direct booking on our Websites, or when you book or purchase our service or product in-person;
- we may also collect Personal Data from third parties, including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our Services to you;
- we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that these social media platforms will have their own privacy policies and procedures governing the processing of your Personal Data;
- we may collect your Personal Data from automated technologies, including browsing activity collected by automated technologies on our Websites;
- we may collect your Personal data from public sources, such as public databases;
- we may collect your Personal Data from surveillance/recording technologies, for example, video surveillance in common areas of our facilities, voicemail technologies, and audio recording technologies with consent to the extent required by law;
- we may collect your Personal Data from government or administrative agencies, for example, law enforcement, public health officials, and other government authorities; and
- we may collect your Personal Data from an acquired company, if we acquired another entity.
1.4 If you provide us with Personal Data about other individuals (e.g., family members or travel companions), regardless of whether you are travelling together, you must obtain such individuals’ authorisation or consent to provide us with their details and let them know where they can find a copy of this Privacy Policy.
1.5 We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have.
2. How we disclose Personal Data
2.1 Only where necessary will we disclose your Personal Data to third parties. Situations where this may occur include the following:
(a) Affiliates ► To provide you with Services and ensure the consistency of service standard and business management, we may disclose your Personal Data to the affiliates in the HSH Group. Our affiliates have signed an intra-group data disclosure agreement and may only use your Personal Data in accordance with this Privacy Policy. You may find a list of the relevant affiliates by clicking here.
(b) Third party service providers who process Personal Data on our behalf to help us undertake the activities described in the Section 1 ► We may permit selected third parties such as service providers, agents, contractors, entities, which may include the property/hotel owner, and/or other HSH Group companies, to use your Personal Data for the purposes set out in Section 1 (How we collect and use Personal Data) above, including:
- specialised agents helping us to provide advertisements and promotional campaigns and events and analyse their effectiveness, to manage your communications and questions to us, to maintain the relationship with you, to provide personalised services for you, and to send marketing communications to you with your consent in advance;
- third party vendors helping us to deliver products to you, such as post offices and couriers;
- payment service providers and credit reporters helping us to assess your credit score, to verify your information (if and when this is required for signing certain contracts) and to process your online payment;
- third party vendors helping us to provide customer or concierge services and customer care;
- travel agencies, firms or companies helping us to provide training, seminars, banquets, events, personalized experience services; and
- consulting firms helping us to manage client relationship and to provide reports and analysis of market research and customer surveys.
(c) Law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents/ claims ► We may disclose your Personal Data when required by relevant laws or by court order or requested by other government or law enforcement authorities to assist with proceedings or investigations. In such circumstances, unfortunately, we may not be able to seek your consent to, or notify you in advance of, such disclosure.
(d) Third parties to safeguard our legal rights and property ► We may disclose your information to third parties in order to:
i. enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
ii. detect, prevent or otherwise address security, fraud or technical issues; or
iii. protect the rights, property or safety of us, our customers, a third party or the public as required or permitted by law (such as exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).
(e) Third parties who require such data in connection with a change in the structure of our business ► We may also disclose your Personal Data to a prospective buyer, new owner or other third party involved in any of the following transactions or change to our business (including any negotiations regarding any such transaction or change): (i) sale, transfer, merger, consolidation or reorganisation of any part(s) of our business, or merger with, acquisition or formation of a joint venture with any other business; or (ii) sell or transfer any of our assets (in which case the Personal Data may be sold as part of those assets).
2.2 All third-party service providers providing services to or for us are prohibited from retaining, using or disclosing your Personal Data for any purpose except where strictly necessary for the Services (i.e., for the purposes described above).
2.3 This Privacy Policy does not apply to third-party service providers (e.g., airlines, online travel agents, car rental companies, table booking websites) who may collect personal information from you and may disclose it to us. In these situations, we strongly advise you to review the applicable third-party provider’s privacy policy before providing your personal information.
3. How we transmit, protect, and store Personal Data
Security of communications
3.1 We take commercially reasonable administrative (e.g., information security and access policies), technical, and physical safeguards designed to protect the Personal Data that we possess. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. We cannot guarantee the security of your Personal Data transmitted through the Services or otherwise via the Internet – any transmission is at your own risk. Unauthorised entry or use, hardware or software failure, and other factors may also compromise the security of your information. Further, while we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and to the extent legally permissible, we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
3.2 We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements.
International Personal Data transfers
3.3 As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Beijing, Shanghai, Paris, New York, Tokyo, etc. To achieve this goal, we have established a global network comprised of properties, offices, trusted service providers and associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other Group companies, properties, centres of operations, data centres, or service providers that may be domiciled in countries outside of your own for the purposes mentioned in this Privacy Policy. Currently, personal data may be transferred to our headquarters in Hong Kong as well as other countries or regions where we are present or have data servers, including mainland China, Singapore, Japan, Vietnam, United Kingdom, United States of America, Thailand, Turkey, the Philippines, and France. The relevant countries or jurisdictions for the purposes of any such cross-border Personal Data transfer will depend on your location.
3.4 For customers located in relevant jurisdictions, including without limitation the EEA or the UK, transfers between our affiliates in the HSH Group and to third parties use applicable safeguards, such as incorporating standard contractual clauses, obtaining your consent or taking into account adequacy assessments.
Storage of Personal Data
3.5 Your Personal Data will be stored for the period of time required to fulfil the relevant purpose described in Section 1 (How we collect and use Personal Data) above unless otherwise required or permitted by law. If information is used for two purposes, we will retain it until both purposes have been fulfilled, but we will stop using it for a purpose once that purpose is fulfilled.
4. Your rights
4.1 Some jurisdictions’ laws grant specific rights to users of the Services. Please refer to the Local Specific Provisions (set out in the relevant annexes to this Privacy Policy), or the applicable laws in your jurisdiction, for an overview of specific rights that may apply to persons subject to data protection laws in the listed jurisdictions and how these can be exercised.
4.2 Subject to Section 4.1 above, you may enjoy certain rights in relation to your Personal Data that we hold. Some of these rights only apply in certain circumstances (as set out in more detail below). If you wish to exercise any of these rights, please reach out to us in accordance with Section 5 (Contacting us) below and we will handle your request in line with the applicable law and regulations.
(a) Access: you may ask us to provide you with access to your Personal Data and further details on the use we make of your Personal Data and who we share your Personal Data with.
(b) Correction: you may ask us to correct any inaccuracies in the Personal Data we hold about you.
(c) Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may complain to the data protection authority in your country.
(d) Erasure: you may ask us to delete your Personal Data if we no longer have a lawful ground for use, unless otherwise required or stipulated by applicable laws and regulations, but we will let you know if that is the case.
(e) Withdrawal of consent: where processing is based on consent (e.g., marketing, or certain uses of the special categories of Personal Data), and to the extent provided by applicable laws and regulations, you may withdraw your consent to certain processing activity or activities by us by contacting us, and we will stop that particular processing activity. Where consent is required to process your Personal Data, if you do not consent to the processing or if you withdraw your consent, we may not be able to deliver the expected service. Please note that the right to withdraw consent is only available if the legal basis for processing Personal Data is consent.
(f) Object to processing: you may object to our processing of your Personal Data. If you wish to do so, please contact us and we will consider your request.
(g) Restriction: you may require that we stop processing your Personal Data (other than for storage purposes in certain circumstances). Please note, however, that if we stop processing such Personal Data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g., for the defence of legal claims or for another’s protection).
(h) Portability: you may have the right to receive a copy of certain of your Personal Data we process about you. For example, in certain jurisdictions this can comprise Personal Data we process on the basis of your consent (e.g., survey information) or pursuant to our contract with you (e.g., account name), as described in Section 1 (How we collect and use Personal Data) above. We will provide further information to you about transferring this Personal Data if you make such a request.
(i) Advertising: You may choose to stop receiving personalised advertising or marketing promotions from us when using the Services by following the instructions of any marketing materials provided via email, by updating your preferences in your “My Peninsula” or “Peninsula Perfect Companion” account (where applicable) or by contacting us.
4.3 Where we act as a data processor, you should contact the data controller to exercise any of your rights.
4.4 Notwithstanding the foregoing, we may from time to time send you announcements when we consider it necessary to do so (for example, when we need to inform you about maintenance, security or safety matters at our properties). These are essential system and Service-related announcements, and you are not able to opt-out of these notifications, which are not promotional in nature.
Updating information
4.5 We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your account in “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge” (where applicable) or by contacting us in accordance with Section 5 (Contacting us) below.
5. Contacting us
5.1 If you have any questions about this Privacy Policy or our processing of your Personal Data, or otherwise want to exercise any rights you may have, please contact us at:
Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F St George’s Building
2 Ice House Street
Central, Hong Kong SAR
Phone: +852 2926 2888
Email: privacy@peninsula.com
5.2You can also reach out to our representatives for data protection purposes as follows:
Representative in the European Union at:
Peninsula Paris Hotel Management SARL
Ref: “EU Representative”
c/o The Peninsula Paris
19 avenue Kléber,
Paris, France, 75116
Attention: Executive Office / HSH Management Services Limited
Phone: +33 1 5812 2888
Email: privacy@peninsula.com
Representative in the United Kingdom at:
Peninsula London Limited
(Acting as general partner on behalf of Peninsula London, LP)
Ref: “UK Representative”
c/o The Peninsula London
1 Grosvenor Place, London
SW1 7HJ, United Kingdom
Attention: Executive Office / HSH Management Services Limited
Phone: +44 20 3959 2888
Email: privacy@peninsula.com
Representative in Thailand at:
Siam Chaophraya Holdings Company Limited
Ref: “Thailand Representative”
c/o The Peninsula Bangkok
333/1 Charoennakorn Road, Klongton-Sai,
Klongsan, Bangkok 10600, Thailand
Attention: Executive Office / HSH Management Services Limited
Phone: +66 2 020 2888
Email: privacy@peninsula.com
Representative in Türkiye at:
PIT İstanbul Otel İşletmeciliği Anonim Şirketi
Ref: “Türkiye Representative”
c/o The Peninsula Istanbul
Karaköy, Kemankeş Karamustafapaşa Mahallesi, Kemankeş Caddesi No:34,
34425 Beyoğlu, Istanbul, Türkiye
Attention: Executive Office / HSH Management Services Limited
Phone: +90 212 931 2888
Email: privacy@peninsula.com
5.3We will endeavour to deal with your request within a reasonable time. This is without prejudice to any right you may have to launch a claim with a data protection authority in the region in which you live or work where you think we have infringed data protection laws.
6. Cookies
6.1 Our Websites and Apps use cookies and other technologies to distinguish you from other users of the relevant website. Cookies are small files which, when placed on your device helps us provide you with a good experience when you browse our Websites and also allows us to improve our Websites. For detailed information on the cookies that we use and the purposes for which we use them, please refer to our Cookies Policy.
7. Changes to the Privacy Policy
7.1 In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on our Websites or Apps, so that you will always understand our current practices with respect to the Personal Data. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed the revised Privacy Policy then in effect by visiting our websites or using our services after such changes.
8. Other sites and languages
8.1 Our Websites or Apps may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you provide any personal information to such third-party websites.
8.2 Except as otherwise prescribed by law or as expressly set out, in the event of any discrepancy or inconsistency between the English version and local language version of this Privacy Policy, the English version shall prevail.
ANNEX I: LOCAL SPECIFIC PROVISIONS – CALIFORNIA
1. Scope and application
This section applies to California residents covered by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, (“CCPA”). For the purposes of this section, “personal information” and “sensitive personal information” have the meanings given in the CCPA and do not include information excluded from the CCPA’s scope.
2. Collection and disclosure of personal information
2.1 Notice at Collection. We collect the personal information identified in the Privacy Policy, Section 1 (How we collect and use Personal Data), above, for the purposes identified in Section 1, above, and retain it for the period described in Privacy Policy, Section 3.5, above. We do not sell your personal information or disclose it for cross-context behavioral advertising (“sharing”). We also do not collect or process sensitive personal information for the purpose of inferring characteristics about you. We also have no knowledge of any sale or sharing of personal information of users under 16 years of age.
In addition, we do not use or disclose sensitive personal information for purposes other than to perform the services reasonably expected by an average consumer who requests those services.
2.2. Disclosures for Business Purposes. We have disclosed each of the categories of personal information listed in Section 1 (How we collect and use Personal Data), above, for the following “business purposes”, as that term is defined under the California Consumer Privacy Act (“CCPA”), in the last 12 months:
- Service providers: For the business purpose of performing services on our behalf and, in particular, for the specific purposes described in Section 1 (How we collect and use Personal Data), above.
- Auditors, lawyers, consultants, and accountants engaged by us: For the business purpose of auditing compliance with policies and applicable laws, in addition to performing services on our behalf.
- Affiliated companies: To other companies within the HSH Group for the business purposes of (1) auditing compliance with policies and applicable laws, (2) helping to ensure security and integrity, (3) debugging, (4) short-term transient use, (5) performing services on our behalf, (6) internal research, and (7) activities to maintain or improve the quality or safety of a service or device.
Littler Note: The CCPA regulations require a disclosure of:
a) the categories of personal information disclosed for a “business purpose” to third parties in the preceding 12 months;
b) for each category of personal information so disclosed, the categories of third parties to which the information was disclosed; and
c) identification of the specific business or commercial purpose for disclosing the individual’s personal information.
We have suggested common forms of disclosure for a “business purpose” above, but please revise for accuracy and add any other parties to which Quail has disclosed personal information for a “business purpose”, along with the categories of personal information disclosed and “business purpose” or “commercial purpose” for the disclosure. Please bear in mind that the CCPA’s definitions of “business purpose” and “commercial purpose” are extremely narrow. For example, are there business partners to which Quail discloses personal information for business purposes – perhaps identifiers to a third-party security guard for the business purpose of security, or perhaps internet activity information to a user experience firm to maintain the safety of, or improve, a good or service, etc.? PLEASE DELETE THIS NOTE BEFORE FINALIZING.
2.3 Do Not Track Setting. Our Websites currently respond/do not respond to web browser “do not track” (DNT) signals or other mechanisms that indicate your preference for having information collected over time and across different web sites following your visit to our Websites. DNT is a preference you can set in your browser’s settings to let the website you visit, including our Websites, know that you do not want the websites collecting your personal information. You can also visit https://allaboutdnt.com/ to learn more.
2.4 Aggregated and Deidentified Information. We may aggregate and/or deidentify information, use it internally, and disclose to third parties. Neither Aggregated Information nor Deidentified Information (defined below) is personal information.
- “Aggregated Information” refers to information about a group of individuals from which the individually identifiable information has been removed. An example of Aggregated Information would be the statistic that 20 people used our website’s contact form on a given day.
- “Deidentified Information” means information subjected to reasonable measures to ensure that the deidentified information cannot be associated with the individual. An example of Deidentified Information would be the data point that an unidentified visitor first entered our Website through our main web page. We maintain Deidentified Information in a deidentified form and do not attempt to reidentify it, except that we may attempt to reidentify the information just to determine whether our deidentification processes function correctly.
3. Rights under the CCPA
If you are a California resident and the CCPA does not recognise an exception that applies to you or your personal information, you have the right to:
(a) Know: You may submit a verifiable request for specific pieces of your personal information and for information about how we collect, use, and disclose your personal information. Please note that the CCPA’s right to obtain “specific pieces” does not grant a right to the whole of any document that contains personal information, but only to discrete items of personal information. Moreover, California residents generally just have a right to know categories, for example, categories of third parties to which personal information is disclosed, but not the individual third parties.
(b) Delete: You have the right to submit a verifiable request for the deletion of personal information that you have provided to us.
(c) Correct: You have the right to submit a verifiable request for the correction of inaccurate personal information we maintain, taking into account the nature of the personal information and the purposes of processing the personal information.
(d) be free from unlawful discrimination for exercising your rights including providing a different level or quality of services or denying goods or services to you when you exercise your rights under the CCPA.
We target to fulfil all verified requests within the period stipulated by the CCPA, being 45 days as at the date of this Privacy Policy. If necessary, extensions for an additional 45 days will be accompanied by an explanation for the extension.
5. How to exercise your rights
5.1 If you are a California resident to whom the CCPA applies, you may also exercise your rights, if any, regarding other data by contacting us in accordance with Section 5.1 (Contacting us) above, by emailing privacy@peninsula.com, or by calling the toll-free phone numbers in Section 6 (Contacting us) below. We may take steps to verify your identity before complying with your request to protect your privacy and security, and may decline your request if we are unable to verify your identity. To verify your identity, we may need the personal information from you including the following: your first name, last name, address, phone number, date of birth, and email address.
5.2 Under the CCPA, you may exercise these rights yourself or you may also designate an authorised agent to make these requests on your behalf. In order for us to process the request, you must provide the authorised agent with signed written permission. We reserve the right to require the agent to verify their own identity and to confirm directly with you that you have provided the authorised agent permission to submit the request.
6. Contacting us
If you have questions or concerns regarding this Privacy Policy, please contact us in accordance with Section 5 (Contacting us) above.
Additionally, for our US properties, we have the following toll-free numbers available for you to make a request in relation to your Personal Data to us:
(a)The Peninsula Beverly Hills: +1 800 462 7899
(b)The Peninsula Chicago: +1 866 288 8889
(c)The Peninsula New York: +1 800 262 9467
(d)Quail Lodge & Golf Club: +1 866 675 1101
ANNEX II: LOCAL SPECIFIC PROVISIONS –CHINA
We have prepared this Annex II in accordance with the Personal Information Protection Law of the People's Republic of China (“PIPL”) for residents of the People’s Republic of China (which, for the purpose of the Annex II of this Privacy Policy only, excluding Hong Kong SAR, Macao SAR and Taiwan, “China”) and individuals who are in China. In case of any conflict between this Annex II and the main text of this Privacy Policy, this Annex II shall prevail.
1.To whom we share Personal Data
As set out in Section 2 (How we share Personal Data) above, where permitted by the applicable laws and regulations, we may share your Personal Data with our affiliates, service providers, agents, contractors, and other business partners when and if it is necessary to do so. You may find a list of our affiliates to which we share your Personal Data and to know their details by clicking here. In addition, you may contact our Data Privacy Team in accordance with Section 5 (Contacting us) above to obtain information of our business partners and to whom we share your Personal Data.
2.Software Development Kits (SDK) Provided by Third Parties
To provide you with a better service experience, our websites or online channels may contain SDK from third-party providers to whom we may share your Personal Data when you use our Services. You may find details of these SDKs and their operators below:
Name |
Function |
Type of personal data collected |
Operator |
Privacy policy/hyperlink to official website |
Gift platform API |
Support users to shop on e-commerce platforms |
Information of orders and addressees, user’s name and email address |
Techsembly Pte. Ltd |
|
Spa Booking Engine |
Support users to reserve spa service |
Name, email address and phone number |
CPS Graphics, Inc. dba Tambourine |
|
Spa Booking Engine |
Support users to reserve spa service |
Name, email address and phone number |
Shiji Concept Online Spa |
|
TravelClick Guest Management Solution |
User information management |
Name and email |
TravelClick |
https://www.amadeus-hospitality.com/travelclick-legal/terms-and-conditions/ |
Sinobase |
Member data management and statistical analysis |
Name, birthday, mobile phone number, WeChat ID, booking records |
Sinobase Marketing Technology Corporation |
|
WeChat Order Management |
Support users to reserve rooms |
Name, birthday, mobile phone number, WeChat ID, stay period |
Beijing Shiji Information Technology Co., Ltd. |
|
WeChat Content Management and Customer Relationship Management |
Data management and statistical analysis |
User’s WeChat ID and nickname, pages and contents visited, and duration of visit |
Shanghai JINGdigital Co., Ltd. |
https://www.jingdigital.com/%E9%9A%90%E7%A7%81%E6%94%BF%E7%AD%96/ |
RECON |
e-Payment solution |
Name and credit card number |
Cityline (Hong Kong) Limited |
We will conduct necessary security testing to all third-party SDKs and require third-party providers to implement strict measures to protect the security of your Personal Data. Meanwhile, we may update the SDKs’ information according to changes in service requirements and business functions from time to time. You can find the most updated version in our latest Privacy Policy.
3.Personal Data transmission across international borders
In principle, the Personal Data that is generated or collected by us in China will be stored in China. However, to process your reservation and payment and to provide with you our Services, we may need to transfer your Personal Data outside of China. Data protection laws in these countries or regions may be different from those in China and the level of protection to your Personal Data may vary accordingly.
If your Personal Data is transferred outside of China, we will take appropriate protective measures as required by the laws and regulations in China, including, as appropriate, carrying out personal data protection impact assessments, obtaining necessary certification from the competent authorities, conducting security assessment by qualified third-party institutes, and/or signing the standard contractual clauses issued by the Cyberspace Administration of China with overseas recipients.
4.Special protection of Minors’ Personal Data
Please note that our websites and our products and services are not intended for Minors (i.e., persons under the age of 18) unless expressly stated in the relevant descriptions. We do not knowingly solicit or collect Personal Data of Minors. To ensure that guardians of Minors can make informed decisions regarding provision of Minors’ Personal Data when purchasing and using products and services provided by us, we have published the Minors’ Privacy Policy to explain how we collect, store, use, transfer or disclose the Minors’ Personal Data. If you are a Minor’s guardian, please read and understand the Minors’ Privacy Policy.
5.Contacting us
In addition to contacting us in accordance with Section 5 (Contacting us) above, you may contact our data protection officers in China as follows:
Data Protection Officer in China
The Palace Hotel Ltd.
8 Goldfish Lane, Wangfujing, Beijing
The Peninsula Beijing
Phone: +86 10 8516 2888
Email: privacy@peninsula.com
The Peninsula Shanghai Waitan Hotel Company Limited
No. 32, The Bund 32 Zhongshan Dong Yi Road, Shanghai
The Peninsula Shanghai
Phone: +86 21 2327 2888
Email: privacy@peninsula.com
Peninsula Merchandising (Shenzhen) Company Limited
D16, F/8, Block B, Aerospace Science and Technology Plaza, 3rd Street of Haide, Nanshan District, Shenzhen
Phone: +86 0755 2657 9989
Email: privacy@peninsula.com
Please allow 15 business days for us to process any data access requests. Where the request involves complex information gathering, we will advise you of the additional time needed to process your request.