AREV Collection - Privacy Policy

Last update: SEPTEMBER 4, 2023

This privacy policy (the “Privacy Policy”) describes how personal data of (i) users of the website www.arevcollection.com (the “Website”) and (ii) customers of hotels (“Hotel(s)”) operating under the Arev Collection brand (together “you” or “your”) is collected, used, consulted, or otherwise processed, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") and the French law no. 78-17 of 6 January 1978, in its latest version in force (together the "Applicable Regulations").

Please take a moment to read this Privacy Policy carefully. This Privacy Policy may be updated at any time as a result of, among others, legal, technical or commercial changes. Please refer to it regularly to ensure that you are aware of the latest version.

1. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?

Hotels : (for Arev St Tropez: SAS Lou Tropez, a société par actions simplifiée, whose registered office is located at 8 Chemin des Vendanges, 83990 Saint-Tropez, registered in the Trade and Companies Register of Fréjus under number 880 110 630) act as data controller (i.e., they determine the purposes and means of the processing of your personal data) for the management of their contractual relationship with you (in particular, to manage your booking and your stay, to manage your payment, etc), to carry out marketing activities and to comply with their legal obligations. Please refer to Section 2 for more details on the processing of your personal data by Hotels.

Vanand Holdings Ltd (registered in Cyprus under number HE 389133, VAT number 10366680B - "Vanand") acts as data controller (i.e., it determines the purposes and means of the processing of your personal data) as Vanand is responsible for publishing the Website. Vanand also operates the Arev Collection database of customers staying in Hotels. Please refer to Section 2 for more details on the processing of your personal data by Vanand.

Hotels and Vanand are collectively referred to as “we”, “us” or “our”.

We are committed to protecting your privacy.

1. FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS IS YOUR PERSONAL DATA COLLECTED?

We ensure that we collect and process personal data that is relevant, adequate, not excessive and strictly necessary for the purposes listed below. Please note that if you plan to submit someone else’s personal data to us, for instance when making a reservation on their behalf, you may only provide us with that person’s details with their consent and after they have been given access to information about how we will use their details, including the purposes set out in this Privacy Policy.

You will find below a table listing the relevant information related to the processing of personal data, and more specifically:

• The different purposes pursued.
• The personal data collected.
• The legal basis on which we carry out the processing.
• How long we keep your personal data.

 

PURPOSE OF THE PROCESSING AND DATA CONTROLLER	PERSONAL DATA COLLECTED	LEGAL BASIS	RETENTION PERIOD
Managing your booking or purchase. Data Controller: Hotel	First name, last name, second last name, nationality, date of birth, identity documents (passport, ID card, drivers license, visa), e-mail address, postal address, telephone number, loyalty scheme memberships, accommodation preferences and assistance, any other information you directly and voluntarily provide	Performance of a contract between the Hotel and you (including the execution of pre-contractual measures)	5 years from the end of the agreement between the Hotel and you
Managing payments (including: processing a credit card guarantee or preauthorization charge to ensure payment of your stay and incidental charges, processing and managing any payments that are due, including outstanding payments, paying a commission to your travel agent if any, sending you invoices) Data Controller: Hotel	Bank account and/or credit or debit card information (cardholder names, number, end date of validity, visual cryptogram), e-mail address, postal address	Performance of a contract between the Hotel and you (including the execution of pre-contractual measures)	5 years from the end of the agreement between the Hotel and you
Promoting and improving our services (including: - sending you commercial/marketing information (if you have consented); -           carrying out satisfaction surveys; -           creating statistics/ business indicators about the use of our services by our users to improve them. Data Controller: Hotel	First name, last name, contact details, usage data of the services	As regards the provision of commercial / marketing information: your consent. As regards satisfaction surveys and the creation of statistics / business indicators: the Hotel’s legitimate interest, and, in particular, its business and economic interest to promote its services, to improve them and ensure customers’ satisfaction.	3 years from the last contact with you / from the end of the agreement entered into with you
Replying to your information requests about our services Data Controller: Hotel	First name, last name, email address, topic and any other information you directly and voluntarily provide regarding your request.	Depending on the information request: -           If you do not have a contractual relationship with us and are not in the process of establishing such a relationship: the Hotel’s legitimate interest and, in particular, its economic interest to communicate with potential customers and to answer to their inquiries; or - If you have a contractual relationship with us or are in the process of establishing such a relationship: performance of a contract between the Hotel and you (including the execution of pre-contractual measures)	If the request is not related to an agreement between you and the Hotel, we will retain your personal data for 5 years following the closing of the request (except for very basic requests for which your personal data will not be kept). If the request is related to an agreement between you and the Hotel, we will retain your personal data for 5 years from the end of such agreement.
Managing invoices. Data Controller : Hotel	First name, last name, contact details, payment information	The Hotel’s legal obligations.	10 years from the end of the accounting period
Managing and archiving your Hotel registration card Data Controller: Hotel	First name, last name, date and place of birth, nationality, postal address, phone number, email address, arrival and departure dates	The Hotel’s legal obligations.	6 months from the date of the creation of the Hotel registration card.
Establishing any evidence necessary to defend our rights and managing pre-litigation and litigation. Data Controller: Hotel	It depends on the risk of litigation identified (potentially all personal data identified in this table)	The Hotel’s legitimate interest to defend its rights	5 years after the end of the contractual relationship and/or until the end of the proceedings in case of ongoing litigation. Please note that all the retention periods identified in this table include the need to keep the data for litigation purposes.
Managing a merger or acquisition of all or part of a Hotel or Vanand. Data Controller: Hotel or Vanand depending on the merger / acquisition operation	Potentially all personal data identified in this table	The Hotel’s and/or Vanand’s legitimate interest and, in particular, its business and economic interest to anticipate and perform a corporate operation	Until the end of such merger/acquisition
Handling data subjects’ rights. Data Controller : Hotel	First name, last name, contact details, ID in some cases, any other personal data targeted by your request	The Hotel’s legal obligations	For the proof of identity (if any): deleted once the request has been handled (can be kept longer, for 6 years as from the closure of the request if there is a high risk of litigation)   For the data collected to manage the request: until the request is managed/closed For the answer provided to you: 6 years as from the closure of the request
Carrying out statistical analyses, developing the Website and optimizing your browsing: cookies may be placed on the Website for these purposes – for more information you can refer to our Cookie Policy.     Data Controller: Vanand	Your behaviour on the Website, operating system, device model, IP address	Your consent	These cookies are used/read for 6 months following your consent
Ensuring the proper functioning of the Website (via essential cookies not submitted to prior consent).     Data Controller: Vanand	Technical information concerning the characteristics and operating data of the user's device, operator, operating system, device model, IP address	Vanand’s legitimate interest in ensuring the functioning of its Website	13 months from the deposit of the cookie
Social Media Management (administering Social Media accounts and communications on behalf of the hotel).   Data Controller: Hotel	Personal details of social media followers, as they make available via the social media platform	The Hotel’s legitimate interest and, in particular, its interest in communicating with its clients and improving the clients’ experiences to boost its sales.	No data is stored outside the social media platforms themselves

 

 

3. IS THE PROVISION OF YOUR PERSONAL DATA MANDATORY?

Whether or not the provision of your personal data is mandatory will be indicated to you at the time of collection of such personal data (for example, where fields are marked with an asterisk). Where you do not provide personal data that is mandatory, we may not be able to reply to your request and/or to provide you with its services.

4. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?

We will only share your personal data in certain circumstances and in accordance with the provisions of Applicable Regulations.

In particular, we disclose your personal data to identified recipients and authorized internal persons, as described below. All recipients and authorized persons processing your personal data are subject to confidentiality obligations. Thus, we disclose your personal data to:

• To internal authorized employees who need to process your personal data for the purposes specified in section 2 of this Privacy Policy and, more specifically to:
• Customer support department,
• Human resources department,
• Commercial/marketing department,
• Accounting department.

 

• To external recipients and in particular:

 

• Public authorities and bodies to whom we must disclose some of your personal data to comply with legal obligations, to protect the rights and/or safety of an individual;

 

• Third-party service providers, acting as data processors, and in particular:

• 80 Days,
• Mews,

In addition, your personal data may be shared with third parties for the following purposes:

• in the event of a merger or acquisition of all or part of a Hotel or Vanand by a third party or in the event of a sale, assignment or restructuring.
• in response to judicial or administrative proceedings of any kind or to law enforcement measures requested by the competent authorities.

5. DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA?

Your personal data will not be transferred to a country located outside the European Economic Area.

 

6. YOUR RIGHTS

In accordance with Applicable Regulations, you have the following rights with respect to your personal data:

1. Right to withdraw consent

Wherever we rely on your consent, you will be able to withdraw that consent at any time you choose by contacting us at privacy@arevcollection.com. The withdrawal of your consent will not affect the lawfulness of the collection and processing of your personal data based on your consent up until the time you withdraw your consent. Please note that we may have other legal grounds for processing your personal data for other purposes, such as those set out in this Privacy Policy (see the table in section 2 of this Privacy Policy to understand which processing are based on your consent).

2. Right to access and obtain a copy of your personal data

You have the right to access, review, and  request a copy of your personal data processed as described in this Privacy Policy (provided the request is not manifestly unfounded or excessive, particularly because of its repetitive nature).

3. Right to rectify your personal data

You may request to rectify your personal data if they are inaccurate, incomplete or not up to date (provided that the request is not manifestly unfounded or excessive, particularly because of its repetitive nature).

4. Right to erasure

You have the right to request the erasure of your personal data processed by us as described in this Privacy Policy. However, this is not an absolute right, as we may be obliged to retain your personal data for legal or legitimate reasons. You may exercise your right to erasure in the following cases: if you have validly objected to the processing of your personal data or have withdrawn your consent, if the personal data is not or is no longer necessary for the purposes for which it was originally collected or processed, or if the personal data is unlawfully processed.

5. Right to restriction of processing

You may ask us to restrict the processing of your personal data. This right means that the processing of your personal data by us is restricted, so that we may retain the data, but we may not use or otherwise process it. This right applies in specific circumstances, namely (i) if you challenge the accuracy of your personal data: the processing is then restricted for a period of time to allow us to verify the accuracy of the data; (ii) in cases where the processing is unlawful and you object to the erasure of your personal data and instead demand the restriction of their use; (iii) in cases where we no longer need the personal data for the purposes mentioned above in section 2, but they are still necessary for the establishment, exercise or defense of legal claims; and (iv) in cases where you have objected to the processing based on the legitimate interests pursued by us, you may request that the processing be restricted for the period necessary to determine whether we can comply with your objection.

5. Right to object to processing

Where we process your personal data on the basis of our legitimate interests (see the table in section 2 of this Privacy Policy for data processing based on our legitimate interests), you may at any time object to the processing of your personal data on grounds relating to your particular situation, unless we have compelling legitimate grounds for processing such data which override your interests, rights and freedoms, or where such data is necessary for the establishment, exercise or defense of legal claims.

6. Right to data portability

Where you have provided your data to us and where the processing is carried out by automated means and based on your consent or the performance of a contract between you and us, you have the right to receive the personal data processed about you in a structured, commonly used, and machine-readable format, and to transmit this data to another service provider.

7. Right to give general and specific instructions

You also have the right to give general and specific instructions to decide the fate of your personal data after your death.

8. Right to lodge a complaint

You have the right to lodge a complaint before the relevant supervisory authority (in France, the Commission Nationale de l'Informatique et des Libertés: the “CNIL”). However, we invite you to contact us at privacy@arevcollection.com before filing any complaint with the CNIL.

To exercise any of your rights, you can file a request via email at privacy@arevcollection.com

7. HOW TO CONTACT US

Questions, comments, remarks, requests or complaints regarding this Privacy Policy are welcome and should be addressed to privacy@arevcollection.com.