Effective: May 25, 2018
Curtain Management Holdings Limited and each of its associated entities and group companies (collectively, “we,” “us,” “our”) respect your privacy and are committed to protecting the personal data we hold about you. If you have questions, comments, or complaints about this Privacy Notice or our processing of personal data, please see the bottom of this Privacy Notice for information about how to contact us.
This Privacy Notice explains our practices with respect to personal data we collect and process in connection with your relationship with us. This includes information we collect through, or in association with, our websites, together with all products and services we may offer from time to time via our websites, our related social media sites, or otherwise through your interactions with us (the website, products, services, and social media pages, collectively, the “Services”).
If you are providing information through the Services on behalf of someone else (e.g., your customer, client, employee, family member, friend) you hereby represent that you have the right to do so and that you have provided such party with a copy of this Privacy Notice, and all references to “you” or “your” data or personal data herein refers to the data or information of both you and such individual, as applicable.
Please review the following to understand how we process and safeguard personal data about you. By using any of our Services, whether by visiting our website or otherwise, and/or by voluntarily providing personal data to us, you acknowledge that you have read and understand the practices contained in this Privacy Notice.
- What Information Do We Collect?
We collect a variety of personal data from and about you through the Services, including:
- When you provide it to us directly, such as when booking a room or other service, subscribing for offers and updates, creating a user account, applying for employment, enquiring about our products or services, or sending us comments or concerns;
- Automatically through logging and analytics tools, cookies, pixel tags, and as a result of your use of and access to the Services; and
- From third-party sources, including individuals or entities who book stays or order services on your behalf, including but not limited to online travel agencies, corporate travel managers, travel agents, and intermediaries; travel rewards programmes; ad networks that provide online behavioural advertising services; service providers; analytics service providers, including Google Analytics; and through your interactions with us on social media websites.
You have choices about certain information we collect. When you are asked to provide information, you may decline to do so; but if you choose not to provide information that is necessary to provide any aspect of our Services, you may not be able to use those Services. In addition, as noted below in the section captioned “Your Choices”. it is possible to change your browser settings to block the automatic collection of certain information.
Finally, we may collect data that is not identifiable to you or otherwise associated with you, such as aggregated data, and is not personal data. To the extent this data is stored or associated with personal data, it will be treated as personal data; otherwise, the data is not subject to this notice.
Information You Share With Us. We collect personal data from you when you provide it to us, including through booking stays, website forms, ordering services, participating in promotions, interacting with us on social media, applying for employment, or contacting us with questions or comments.
For example, if you book stays and/or order products or services from us through the Services, you must provide us with information to process that request and/or enter into a contract with you (including but not limited to first and last name, email address, postal address, billing address, payment information, telephone number, date of birth, and any other information you may optionally provide. Similarly, you can choose to sign up for email notifications about us through the Services by providing us with your email address.
If you apply for employment we may also collect information relating to your potential employment, including CVs and application information, which may include personal, confidential and/or sensitive information.
If you contact us with questions, requests, or concerns, or to exercise your legal rights, we collect personal data sufficient to answer your questions, address your requests, and/or handle your concerns, as applicable. In certain situations, we may also require you to provide personal data to authenticate your identity in order to carry out your requests.
We also collect information from you that, depending on applicable law, may not constitute personal data.
Information Collected Automatically. When you browse or use the Services, we utilise commonly-used logging and analytics tools, including Google Analytics, to collect information about your device, the network used to access the Services, and information about your use of the Services (such as how you navigate and move around the Services).
Information collected automatically includes the software and hardware attributes of the device you use to access the Services, unique device ID information, regional and language settings, performance data about the Services, network provider, and IP address (a number assigned to your device when you use the Internet). In addition, information is collected passively in the form of log files and third-party analytics that record website activity. For example, log file entries and analytics data are generated every time you visit a particular page on our website, and track the dates and times that you use the Services, the pages you visit, the amount of time spent on specific pages, and other similar usage information, and general data (including the name of the web page from which you entered our website).
Please see our Cookie Notice and the “Your Choices” section of this Privacy Notice for more information about cookies and other web tracking technologies on the Services; for information about how you can reject, delete, or prevent cookies from being placed on your system; and how you can opt out of, limit, or prevent certain web tracking technologies and/or advertising providers from collecting information about you.
Information Obtained from Third Parties. We receive personal data from third parties that book stays or order services on your behalf (such as travel agencies), from third parties that provide services to us or to you on our behalf, as well as from third parties that provide web analytics and usage information to us such as Google Analytics.
In addition, if you choose to interact with us or our partners on social media by posting to our pages, tagging us (or using certain hashtags or other identifiers) in posts, or participating in activities, we may collect certain information from the social media account you use to interact with us, including the name associated with the account, the account handle, recent activity, the content of any posts in which we are tagged, and other information that may be contained on your social media profile to allow us to respond to the posts and understand and engage with our audience.
For the purposes of this Privacy Notice, “partners” means affiliates, service providers, licensors, licensees, vendors, or other third parties with which we have a business relationship.
- How Do We Process Personal Data?
We process personal data for two general purposes, pursuant to various legal bases:
- For our business operations (including communicating with you, fulfilling orders, providing information about our products and services, improving the Services, and complying with applicable legal requirements); and
- To market and promote our products and offerings and the products and offerings of providers located at our properties.
We disclose personal data to our service providers to allow them to provide services to us and assist in carrying out your requests, and to our partners in aggregate, demographic form in connection with our marketing and business development efforts.
In addition, we may disclose information we maintain, including personal data: when permitted or required to do so by law; in response to a request from a law enforcement agency or authority or any regulatory authority; and/or to protect the integrity of the Services or our interests, rights, property, or safety, and/or that of our users and others.
See the “Your Choices” section below for information about how you can make decisions about how we process personal data, including how to opt out of certain marketing communications.
Legal Bases for Processing. We process personal data for, or based on, one or more of the following legal bases:
- Performance of a Contract. We process personal data to enter into, or perform under, the agreement between us, such as when you book or pay for stays or services;
- Legitimate Interests. We process personal data for our legitimate interests, including contact information, order history, and Services usage data to market our services to you and to improve our offerings and our Services; to the extent necessary and proportionate for the purposes of ensuring network and information security; and for administrative, fraud detection, and legal compliance purposes;
- Compliance with Legal Obligations and Protection of Individuals. We process personal data to comply with the law and our legal obligations, as well as to protect you and other individuals from certain harms; and
- Your Consent. We may process personal data because you have given us your consent to do so.
Operational Uses. We process your personal data as part of our operations, which include:
- Providing you with information tailored to your requests, responding to enquiries, booking stays, and delivering services and products;
- Operating, maintaining, and improving the quality of the Services and such content, products and/or services as we may make available through the Services;
- Communicating with you by email, post, or telephone about products, services, booking status, promotions, and other topics;
- Compliance with applicable laws, regulations, rules and requests of relevant law enforcement and/or other governmental agencies;
- Endeavouring to protect our and our partners’ rights, property, or safety, and the rights, property, and safety of our users and other third parties; and
- For other purposes, as permitted or required by law.
Marketing Uses. We process your personal data to send messages to you about us, our partners, and the products and services we and our partners offer, which may from time to time include contests, promotions, rewards, events, and special offers for products and services. These communications are tailored based on the communications preferences you select when providing us with your information. We process personal data collected through social media platforms and web tracking technologies to better understand our audience’s preferences and usage patterns and send marketing communications to our audience.
Sharing of Personal Data. Some of the above processing involves sharing collected personal data with third parties, including service providers, affiliates, and other partners.
- We share personal data with third parties when you ask us to do so;
- We share personal data among our affiliated entities;
- We share personal data with our service providers, including properties where you book stays, payment processors, software and Web developers, commercial email service providers, security consultants, and other vendors we engage so that they may provide services to us or on our behalf;
- We share personal data we collect in aggregated, demographic form (such as, for example, the percentage of male and female visitors to the Services) with certain partners, prospective partners, advertisers, sponsors, and service providers in order to provide us, our affiliates, and our partners with information about the use of the Services and levels of engagement with the Services, to allow us to enter into new business relationships; and
- We share personal data with third parties when we believe it is required by, or necessary to comply with, applicable law.
- Protecting Personal Data
We employ reasonable and appropriate physical, technical, and organisational safeguards designed to promote the security of our systems and protect the confidentiality, integrity, availability, and resilience of personal data. Those safeguards include: (i) the pseudonymisation and encryption of personal data where we deem appropriate; (ii) taking steps to ensure personal data is backed up and remains available in the event of a security incident; and (iii) periodic testing, assessment, and evaluation of the effectiveness of our safeguards.
However, no method of safeguarding information is completely secure. While we use measures designed to protect personal data, we cannot guarantee that our safeguards will be effective or sufficient. In addition, you should be aware that Internet data transmission is not always secure, and we cannot warrant that information you transmit utilising the Services is or will be secure.
- Retention of Personal Data
We retain personal data for as long is necessary or appropriate to fulfill the purpose for which it was collected, as well as to the extent necessary or appropriate to carry out the processing activities described above, including but not limited to compliance with applicable laws, regulations, rules and requests of relevant law enforcement and/or other governmental agencies, and to the extent we reasonably deem necessary to protect our and our partners’ rights, property, or safety, and the rights, property, and safety of our users and other third parties. We consider multiple factors, including legal requirements, the scope and nature of the personal data, and potential risk of harm to data subjects from a data breach, in determining the appropriate retention period. If you have a specific question regarding retention of your personal data, you may contact us as described in the “Additional Information and Assistance” section below.
- Your Rights Regarding Personal Data
You have a variety of legal rights regarding the collection and processing of personal data. You may exercise these rights, to the extent they apply to you, by contacting us as provided at the end of this Privacy Notice, or by following instructions provided in this Privacy Notice or in communications sent to you. Please be prepared to provide reasonable information to identify yourself and authenticate your requests.
Note, however, that we may request certain reasonable additional information (that may include personal data) to help us authenticate the request and/or to clarify or understand the scope of such requests.
These rights vary depending on the particular laws of the jurisdiction applicable to you, but may include:
- The right to know whether, and for what purposes, we process personal data about you;
- The right to be informed about the personal data we collect and/or process about you;
- The right to learn the source of personal data about you we process, where we obtain that personal data from a source other than you;
- The right to access, modify, and correct personal data about you (as set forth in more detail below under “Accessing, Modifying, Rectifying, and Correcting Collected Personal Data”);
- The right to know with whom we have shared personal data about you, for what purposes, and what personal data has been shared (including whether personal data was disclosed to third parties for their own direct marketing purposes);
- Where processing of personal data about you is based on consent, the right to withdraw your consent to such processing; and
- The right to lodge a complaint with a supervisory authority located in the jurisdiction of your habitual residence, place of work, or where an alleged violation of law occurred.
See “Your California Privacy Rights” and “Your Privacy Rights” for more information about certain legal rights.
Accessing, Modifying, Rectifying, and Correcting Collected Personal Data. We strive to maintain the accuracy of any personal data collected from you, and will use commercially reasonable efforts to respond promptly to update our database when you tell us the information in our database is not accurate. However, we must rely upon you to ensure that the information you provide to us is complete, accurate, and up-to-date, and to inform us of any changes. Please review all of your information carefully before submitting it to us, and notify us as soon as possible of any updates or corrections.
In accordance with applicable law, you may obtain from us certain personal data in our records. If you wish to access, review, or make any changes to personal data you have provided to us through the Services, you may do so at any time by contacting us as provided below or, for certain information, through your account on the Services. Please note, however, that we reserve the right to deny access as permitted or required by applicable law.
Your California Privacy Rights. California Civil Code Section 1798.83, known as the “Shine the Light” law, permits our users who are California residents to request and obtain from us a list of what personal data (if any) we disclosed to third parties for their own direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. Requests may be made only once per year per person, must be sent to the email address below, and are free of charge.
We do not disclose personal data protected under the “Shine the Light” law to third parties for their own direct marketing purposes.
Your Privacy Rights. In addition to the above-listed rights, certain privacy laws provide individuals with enhanced rights in respect of their personal data. These rights may include, depending on the circumstances surrounding the processing of personal data:
- The right to object to decisions based on profiling or automated decisionmaking that produce legal or similarly significant effects on you;
- The right to request restriction of processing of personal data or object to processing of personal data carried out pursuant to (i) a legitimate interest or (ii) performance of a task in the public interest (including, but not limited to, processing for direct marketing purposes);
- In certain circumstances, the right to data portability, which means that you can request that we provide certain personal data we hold about you in a machine-readable format; and
- In certain circumstances, the right to erasure and/or the right to be forgotten, which means that you can request deletion or removal of certain personal data we process about you.
Note that we may need to request additional information from you to validate your request. To exercise any of the rights above, you may contact us as described in the “Additional Information and Assistance” section below.
- Your Choices
In addition to your choices with respect to the collection of personal data (see “What Information Do We Collect?” above), you have the ability to make certain choices about how we communicate with you, and how we process certain personal data.
Communications Opt-Out. You may opt out of receiving marketing or other communications from us at any time through a given communications channel (such as email or telephone) by following the opt-out link or other unsubscribe instructions provided in any email message received, or by informing our customer service representative of your desire to opt out. If you wish to opt out by sending us an email please include “Opt-Out” in the email’s subject line and include your name and the email address you used to sign up for communications in the body of the email.
Note that if you do business with us in the future, you may not, subject to applicable law, opt out of certain automated notifications, such as order or subscription confirmations, based on business transactions (e.g., e-commerce).
Cookies, Web Tracking, and Advertising. Please consult our Cookie Notice more information about how to control and/or opt out of certain web tracking technologies.
- Other Important Information About Personal Data and the Services
Our Privacy Notice also includes information about other practices with respect to personal data, including:
- Collection of personal data from children;
- Links and references to third-party websites and services on our Services:
- What happens to personal data in the event we sell or transfer some or all of our business;
- How we respond to “Do Not Track” requests; and
- Information about where we process and transfer personal data.
Collection of Personal Data from Children. Children under 18 years of age are not permitted to use the Services, and we do not knowingly collect information from children under the age of 18. By using the Services, you represent that you are 18 years of age or older.
Third-Party Websites and Services. As a convenience, we may reference or provide links to third-party websites and services, including those of unaffiliated third parties, our affiliates, service providers, and third parties with which we do business (including, but not limited to, food & beverage providers and spa service providers). When you access these third-party services, you leave our Services, and we are not responsible for, and do not control, the content, security, or privacy practices employed by any third-party websites and services. You access these third-party services at your own risk. This Privacy Notice does not apply to any third-party services; please refer to the Privacy Notices or policies for such third-party services for information about how they collect, use, and process personal data.
Business Transfer. We may, in the future, sell or otherwise transfer some or all of our business, operations or assets to a third party, whether by merger, acquisition or otherwise. Personal data we obtain from or about you via the Services may be disclosed to any potential or actual third-party acquirers and may be among those assets transferred.
Do Not Track. We use analytics systems and providers and participate in ad networks that process personal data about your online activities over time and across third-party websites or online services, and these systems and providers may provide some of this information to us. We do not currently process or comply with any web browser’s “do not track” signal or similar mechanisms.
Note, however, that you may find information about how to opt out of Google Analytics, DoubleClick and Bing Ads online behavioural advertising, and/or block or reject certain tracking technologies in our Cookie Notice.
International Data Transfers. Your personal data will be stored and processed in the United Kingdom, but may also be stored and processed by our associated entities and group companies in the United States. If you are using the Services from outside the United States, by your use of the Services you acknowledge that we may transfer your data to, and store your personal data in, the United States, which may have different data protection rules than in your country, and personal data may become accessible as permitted by law in the United States, including to law enforcement and/or national security authorities in the United States.
- Modifications and Updates to this Privacy Notice
This Privacy Notice replaces all previous disclosures we may have provided to you about our information practices with respect to the Services. We reserve the right, at any time, to modify, alter, and/or update this Privacy Notice, and any such modifications, alterations, or updates will be effective upon our posting of the revised Privacy Notice. We will use reasonable efforts to notify you in the event material changes are made to this Privacy Notice, such as by posting a notice on the Services or sending you an email. Your continued use of the Services following our posting of any revised Privacy Notice will constitute your acknowledgement of the amended Privacy Notice.
- Applicability of this Privacy Notice
This Privacy Notice is subject to any agreements that govern your use of the Services, whether used by you directly or by a third party (e.g., travel agent or travel manager) on your behalf, all of which will be deemed use by you. This Privacy Notice applies regardless of the means used to access or provide information through the Services.
This Privacy Notice does not apply to information from or about you collected by any third-party services, applications, or advertisements associated with, or websites linked from, the Services. The collection or receipt of your information by such third parties is subject to their own privacy policies, statements, and practices, and under no circumstances are we responsible or liable for any third party’s compliance therewith.
- Additional Information and Assistance
If you have any questions or concerns about this Privacy Notice and/or how we process personal data, or would like to exercise any of the legal rights set forth above, please contact us at:
Data Protection Officer
The Curtain Hotel & Members Club
45 Curtain Road
London, EC2A 3PT