Privacy Policy

Last Updated: January 2024

We respect your privacy and are committed to protecting your data. This Privacy Statement outlines how we collect, use, disclose, and protect your personal data when you interact with websites, apps and services provided within our portfolio of hotels. Our portfolio includes owned, managed and franchised hotels under the brand names of Anantara, Avani, Elewana, Oaks, NH Hotels, NH Collection, nhow and Tivoli (“Brands”). We encourage you to read this statement carefully to understand our practices regarding your personal information.

The Brands are operated jointly by Minor Hotels Europe & Americas S.A.1, Minor Hotel Group Limited and Oaks Hotels & Resorts Limited when we mention "we", "us" or "our" in this privacy statement, we are referring to the relevant entity within our group responsible for processing your personal data.

Table of Contents

1. Data controllers
2. Information and consent
3. Scope of this Privacy Statement
4. How we collect your personal data
5. Purposes for which we collect data
6. The data we collect about you
7. Sharing of personal data
8. International transfers
9. Data retention
10. Your rights
11. Direct marketing
12. Contact us
13. Data security
14. Liability
15. Changes to this Privacy Statement

1. Data controllers

The purposes and means of personal data processing set in this Privacy Statement are determined jointly by:

Name: Minor Hotels Europe & Americas, S.A. ("MINOR HOTELS EUROPE & AMERICAS"). Name: Minor Hotel Group Limited (“MINOR HOTELS"). Name: Oaks Hotels and Resorts Limited (“OAKS HOTELS”).
Tax identification number: A-28027944 Tax identification number: 100372000223 Tax identification number: ACN: 113 972 366 ABN: 70 113 972 366
Address: C/Santa Engracia 120, 7ª, 28003, Madrid, Spain Address: 88 The Parq Building, 12th Fl., Ratchadaphisek Road, Klongtoey Subdistrict, Klongtoey District, Bangkok Metropolis 10110, Thailand Address: Post: PO Box 473, Cotton Tree, QLD 4558, Australia
Data Protection Officer: you can contact us via the following channels, addressing your message to the attention of Data Protection Officer:

E-mail: [email protected]

Address: Headquarters of C/Santa Engracia 120, 7ª, 28003, Madrid, Spain 
Data Protection Officer: you can contact us via the following channels, addressing your message to the attention of Data Protection Officer:

E-mail: [email protected]

Address: 88 The Parq Building, 12th Fl., Ratchadaphisek Road, Klongtoey Subdistrict, Klongtoey District, Bangkok Metropolis 10110, Thailand

Data Protection Officer: you can contact us via the following channels, addressing your message to the attention of Data Protection Officer:

E-mail: [email protected]

Address: Post: PO Box 473, Cotton Tree, QLD 4558, Australia

2. Information and consent

By accepting this Privacy Statement, you give your free, informed, specific and unequivocal consent for the processing of personal data provided through this website (the "Website") to be processed by MINOR HOTELS EUROPE & AMERICAS, MINOR HOTELS and OAKS HOTELS as joint data controllers.

The user must carefully read this Privacy Statement, which has been drafted in a clear and simple manner to facilitate its understanding, freely and voluntarily determining whether the user wishes to provide his/her personal data to MINOR HOTELS EUROPE & AMERICAS, MINOR HOTELS and OAKS HOTELS.

3. Scope of this Privacy Statement 

This Privacy Statement applies to the personal information we collect through:

  • Online services: websites owned or controlled by any of us, web and mobile applications, social media pages, HTML-formatted email messages, Wi-Fi connectivity and other digital channels; and     
  • Offline interactions: when you visit or stay as a guest at one of our properties, attend events and activities hosted by us, reach out to our call center, or through other offline interactions. 

Collectively, we refer to the above as our “Services.

In the performance of our obligations, we will comply with all applicable data protection and privacy laws and regulations in the jurisdictions we operate in:

  • California: please refer to the California Consumer Privacy Act Statement.
  • Australia or New Zealand:  where our Brands are operated by Oaks Hotels & Resorts Ltd (and their related body corporates, associates and affiliates): additional privacy related matters refer to the Oaks website.   

This Privacy Statement does not apply to the personal information that we collect about employees, business partners and other personnel related to their working relationship with us, or the personal information that we collect about applicants and candidates. We may also collect, generate, use and disclose aggregate, anonymous, and other non-identifiable data related to our Services, which is not personal information subject to this Privacy Statement.

4. How we collect your personal data

We use different methods to collect data:
 
Direct interactions: You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide online when you book accommodation, sign up for a newsletter, or participate in a survey, contest or promotional offer. We collect personal data offline when you visit our properties, or use our Services such as restaurants, childcare services and spas.   
 
The data requested in the forms on the Website is mandatory (unless otherwise indicated in the relevant field) to perform services or fulfill your request. If you do not wish to provide required personal information then we unable to fulfill your request, but you can still see the content of the Website. 

Automated technologies or interactions: You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide online when you book accommodation, sign up for a newsletter, or participate in a survey, contest or promotional offer. We collect personal data offline when you visit our properties, or use our Services such as restaurants, childcare services and spas.   

The data requested in the forms on the Website is mandatory (unless otherwise indicated in the relevant field) to perform services or fulfill your request. If you do not wish to provide required personal information then we unable to fulfill your request, but you can still see the content of the Website. 

  • Information about the devices you use to access our Websites (IP address, MAC address, device, browser and operating system type);
  • Pages and URLs that refer visitors to our sites, also pages and URLs that visitors exit to once they leave our Websites;
  • Information about your visits (date and time) and actions taken on our Websites(such as page views, site navigation patterns or application activity); 
  • A general geographic location (such as country and city) from which a visitor accesses our Websites; and 
  • Search terms that visitors use to reach our Websites. 

We collect this personal data by using cookies, web beacons and other similar technologies.

Security Systems: When you visit our hotels, information may be collected about you through such properties’ closed-circuit television systems, electronic key cards and other security systems.

Third parties or publicly available sources: We will receive personal data about you from various third parties and public sources including business partners, franchisees, hotels managed by us, travel agents and aggregators.

5. Purposes for which we collect data

We use personal data to provide you with the Services, to develop new products and services, and to protect safety and security of our guests, team members, and properties. 

Personal data provided through the Website will be processed by us for the following purposes:

Booking process: Fulfill and manage booking requests, including any modifications and cancellations, perform basket retrieval, send a reminder of the pending booking or Website searches, send transaction confirmation, manage payment or prepayment, or refer you to loyalty programs that can be used to receive benefits. In addition to the information provided in the reservation form, we will integrate certain data from your guest profile previously managed by us to provide you with a better service in our hotels. The legal basis for this processing activity is the contractual relationship with you.

Sending commercial communications and newsletters: If you have subscribed to our marketing communications, we will send you tailored promotional offers regarding our Services and Brands. If we have your permission, we will inform you about Services offered by other entities within our group and business partners, a list of which can be found at https://www.nh-hotels.com/loyalty.  You have the option to subscribe or unsubscribe at any time via the link included in the email or reaching out to us. The legal basis for this processing activity is your consent.

Check-in online and FAST PASS: Manage check-in online process, personalize our Services, and respond to requests. The legal basis for this processing activity is a contractual relationship.

Best-rate guarantee: Manage claims or requests submitted through the Best Rate Guarantee - Claim Form, including contacting you to resolve the claim or request. The legal basis for this processing activity is your consent.

NH PRO Blog: Manage the publication of your comments on the Website, subscribe and unsubscribe from the blog's newsletter. In the event that this is necessary, to check the content of users' comments and, where appropriate, remove those whose content does not comply with the conditions applicable to this Website at the discretion of the joint controllers.  The legal basis for this processing activity is consent.

Electronic gift cards: Manage purchase and redemption of electronic gift cards, including communication between the parties and payment processing. The legal basis for this processing activity is a contractual relationship with you. 

User-generated content (UGC) on social media platforms: Display UGC on our Websites for promotional purposes. The legal basis for this processing activity is your consent.

Social platforms log-in: If you register or sign in with your Facebook, Apple ID, Google or other third-party accounts to our Websites, you give such third-party service providers permission to share your personal information from those accounts (such as your registration and profile information). This information varies and is controlled by third-party service providers or as authorized by you via your privacy settings.  The legal basis for this processing activity is your consent. 

6. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (“Aggregate Data”).
 
We may collect, use, store and transfer different kinds of personal data about you which we have arranged according to the different purposes as follows:
  • Contact information (email address, mailing address, country and phone number);
  • Payment information (card number, billing address and bank account information);
  • Demographic data (gender, age and preferred language);
  • Information related to your reservation, stay or visit to a property (including the property where you have stayed or outlet you have visited, date of arrival and departure, and goods and services purchased, interests and preferences);
  • Information necessary to fulfil your special requests and/or specific accommodations;
  • Customer Preferences
  • Employment information (such as company name, job title and work contact information) to respond to requests for proposals or honor contractual arrangements;
  • Copies of your correspondence if you contact us;
  • Feedback and survey responses;
  • Information collected through the use of closed-circuit television systems, keycards and other security systems;
  • Information related to your use and interaction with our website and network; and
  • Information as requested by government authorities to fulfill our legal obligations.
We do not collect the following special categories of personal data about you: race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, genetic, biometric data, and criminal convictions and offenses. 

7. Sharing of personal data

Our goal is to provide you with the highest level of hospitality and Services, and to do so, we share personal data with the following parties:

  • Our Hotels: We disclose personal data to other companies within our corporate structure for the purposes described in this Privacy Statement, such as providing Services and personalizing our communication with you. We share your personal data with hotels where you will stay to fulfil and complete your reservation. The companies indicated in the list include entities (link) in our structure,  owners of hotels and franchisees of the Brands. 
  • Strategic business partners: We disclose personal data and other data to business partners who provide goods, services and offers that enhance your experience at our properties. By sharing data, we are able to make personalized services and unique travel experiences available to you. For example, this sharing enables spa, restaurant, health club, concierge and other outlets at our properties to provide you with services.
  • Service providers: We disclose personal data to third-party service providers for the purposes described in this privacy statement. Examples of service providers include companies that provide website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery and marketing,  
  • Public administrations and police bodies: We disclose personal data to public administrations and police under requirement or as part of an investigation, in order to comply with obligations under the regulations, to prevent fraud or money laundering and to cooperate with these entities in the performance of their duties.

Comply with laws: We may disclose personal data to courts and other authorities if required to do so by law. We require all third parties to protect your personal data and to process it in accordance with the applicable law. We do not allow our third-party service providers to use your personal data for their own purposes, and only permit them to process your personal data for specified purposes and in accordance with our instructions.

8. International transfers

As a global hospitality company, we may transfer your personal data across multiple jurisdictions. Insofar as it is necessary for the purposes, your personal data may be transferred to the following locations: 

A list of the above countries is located here.

When we share data, it may be transferred to, and processed in, countries other than the country you live in – such as to the United States, Singapore or where our data hosting provider’s servers are located. These countries may have laws different to what you’re used to.  Where we disclose personal data to a third party in another country, we put safeguards in place to ensure your personal data remains protected.

For individuals in the European Economic Area (EEA), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where we have approved transfer mechanisms in place to protect your personal data, for example, by entering into the European Commission’s Standard Contractual Clauses.

By providing your personal information to us, you consent to us disclosing your personal information to any such overseas recipients for the purposes described in this privacy statement and acknowledge that such overseas recipients may not be subject to laws that require them to protect your personal information in a way that is comparable to the safeguards in the applicable laws in your home state.  

  • We enter into a specific contract with third parties which enable the enforcement of the data subject’s rights, according to the applicable regulations.
  • We use your consent to transfer data if the applicable law requires it.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data.

9. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In order to determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements of the relevant country.

We determine the retention period based on the following considerations:
  • If personal data was collected for the purpose of contract performance, it will be stored for the entire duration of the contractual relationship, and once it has ended until the statute of limitations expire.
  • If personal data was collected for the purpose of compliance with legal obligations, it will be stored until the obligation is fulfilled.
  • If personal data was collected for the purpose of legitimate interest, it will be stored until the end of this interest.
  • If personal data was collected with your consent, it will be stored until consent is withdrawn. You can withdraw your consent at any time through the link provided in the communications.
Details of retention periods for different aspects of your personal data are available in our Retention Statement which you can request from us by contacting us.

10. Your rights

You can exercise your data rights under data protection laws by contacting us:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request portability of your personal data
  • Right to withdraw consent.

Under certain circumstances where applicable law permits, you also have the right to lodge a complaint with a competent data protection supervisory authority. 

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable administration fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances, and we will indicate the reason for refusal.

Time limit to respond

We try to respond to all legitimate requests within one month, or within the timeframe as specified by the applicable data protection legislation. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

11. Direct marketing

With your consent, we may send you direct marketing communications regarding our Brands and Services.  If you have opted in to receive marketing communications, we may contact you by electronic messages (email, SMS, or website), by mail or other means that you share with us.  You have the right to withdraw consent at any time by contacting us using the details provided in the Contact Us section or clicking unsubscribe link in our marketing messages. 

Please note that if you choose to opt out of marketing emails, we will continue to send you transactional messages, such as information about your reservations or stays, including confirmation and pre-arrival emails, or account security updates.

12. Contact us

If you wish to exercise any of the rights set out above, please contact us.

Asia, Africa and Middle East
Email: [email protected]; or
Post: 88 The Parq Building, 12th Fl. Ratchadaphisek Road, Klongtoey Subdistrict, Klongtoey District, Bangkok Metropolis 10110, Thailand

Europe and America
Email: [email protected]; or
Post: Calle Santa Engracia 120, 7ª, 28003, Madrid

Australia and New Zealand
Email: [email protected]; or
Post: PO Box 473, Cotton Tree, QLD 4558, Australia

13. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach, and will notify you and any applicable regulator of a breach where we are legally required to do so.

14. Liability

This Website is not intended for children, and we do not knowingly collect data relating to children.

You guarantee that you have informed any third parties whose data you are providing, if you have done so, of the points covered in this privacy statement. In addition, you guarantee that their authorization has been obtained to provide their data to us for the indicated purposes.

You will be liable for any false or inaccurate information provided, and for direct or indirect damage caused to us or to third parties.

15. Changes to this Privacy Statement

We keep our privacy statement under regular review. At the top of this page, you will see the date on which the privacy statement was last revised, and it is also the date from which any changes will become effective. Your use of the Services following these changes means that you accept the revised privacy statement. If you would like to review the version of the privacy statement that was effective immediately prior to this revision, please contact us at [email protected].

It is also important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.