Política de Privacidade

This privacy policy (the “Privacy Policy”) describes how personal data of (i) users of the website www.arevcollection.com (the “Website”) and (ii) customers of hotels (“Hotel(s)”) operating under the Arev Collection brand (together “you” or “your”) is collected, used, consulted, or otherwise processed, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") and the French law no. 78-17 of 6 January 1978, in its latest version in force (together the "Applicable Regulations").

Please take a moment to read this Privacy Policy carefully. This Privacy Policy may be updated at any time as a result of, among others, legal, technical or commercial changes. Please refer to it regularly to ensure that you are aware of the latest version.

<div id="1"></div>

1. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?

Hotels : (for Arev St Tropez: SAS Lou Tropez, a société par actions simplifiée, whose registered office is located at 8 Chemin des Vendanges, 83990 Saint-Tropez, registered in the Trade and Companies Register of Fréjus under number 880 110 630) act as data controller (i.e., they determine the purposes and means of the processing of your personal data) for the management of their contractual relationship with you (in particular, to manage your booking and your stay, to manage your payment, etc), to carry out marketing activities and to comply with their legal obligations. Please refer to Section 2 for more details on the processing of your personal data by Hotels.

Vanand Holdings Ltd (registered in Cyprus under number HE 389133, VAT number 10366680B - "Vanand") acts as data controller (i.e., it determines the purposes and means of the processing of your personal data) as Vanand is responsible for publishing the Website. Vanand also operates the Arev Collection database of customers staying in Hotels. Please refer to Section 2 for more details on the processing of your personal data by Vanand.

Hotels and Vanand are collectively referred to as “we”, “us” or “our”.

We are committed to protecting your privacy.

<div id="2"></div>

‍2. FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS IS YOUR PERSONAL DATA COLLECTED?

We ensure that we collect and process personal data that is relevant, adequate, not excessive and strictly necessary for the purposes listed below. Please note that if you plan to submit someone else’s personal data to us, for instance when making a reservation on their behalf, you may only provide us with that person’s details with their consent and after they have been given access to information about how we will use their details, including the purposes set out in this Privacy Policy.

You will find below a table listing the relevant information related to the processing of personal data, and more specifically:

• The different purposes pursued.
• The personal data collected.
• The legal basis on which we carry out the processing.
• How long we keep your personal data.

<table>
   <thead>
       <tr>
           <th>PURPOSE OF THE PROCESSING AND DATA CONTROLLER</th>
           <th>PERSONAL DATA COLLECTED</th>
           <th>LEGAL BASIS</th>
           <th>RETENTION PERIOD</th>
       </tr>
   </thead>
   <tbody>
       <tr>
           <td>Managing your booking or purchase. Data Controller: Hotel</td>
           <td>First name, last name, second last name, nationality, date of birth, identity documents (passport, ID
               card, driver's license, visa), e-mail address, postal address, telephone number, loyalty scheme
               memberships, accommodation preferences and assistance, any other information you directly and
               voluntarily provide</td>
           <td>Performance of a contract between the Hotel and you (including the execution of pre-contractual
               measures)</td>
           <td>5 years from the end of the agreement between the Hotel and you</td>
       </tr>
       <tr>
           <td>Managing payments (including: processing a credit card guarantee or preauthorization charge to ensure
               payment of your stay and incidental charges, processing and managing any payments that are due,
               including outstanding payments, paying a commission to your travel agent if any, sending you invoices).
               Data Controller: Hotel</td>
           <td>Bank account and/or credit or debit card information (cardholder names, number, end date of validity,
               visual cryptogram), e-mail address, postal address</td>
           <td>Performance of a contract between the Hotel and you (including the execution of pre-contractual
               measures)</td>
           <td>5 years from the end of the agreement between the Hotel and you</td>
       </tr>
       <tr>
           <td>Promoting and improving our services (including: sending you commercial/marketing information if you
               have consented; carrying out satisfaction surveys; creating statistics/business indicators about the use
               of our services by our users to improve them). Data Controller: Hotel</td>
           <td>First name, last name, contact details, usage data of the services</td>
           <td>As regards commercial/marketing information: your consent. As regards satisfaction surveys and
               statistics/business indicators: the Hotel’s legitimate interest to promote and improve its services and
               ensure customer satisfaction</td>
           <td>3 years from the last contact with you / from the end of the agreement entered into with you</td>
       </tr>
       <tr>
           <td>Replying to your information requests about our services. Data Controller: Hotel</td>
           <td>First name, last name, email address, topic and any other information you directly and voluntarily
               provide regarding your request</td>
           <td>If no contractual relationship exists: the Hotel’s legitimate interest to communicate with potential
               customers and answer inquiries. If a contractual relationship exists or is being established:
               performance of a contract between the Hotel and you (including pre-contractual measures)</td>
           <td>If unrelated to an agreement: 5 years following the closing of the request (except very basic requests
               where data will not be kept). If related to an agreement: 5 years from the end of such agreement</td>
       </tr>
       <tr>
           <td>Managing invoices. Data Controller: Hotel</td>
           <td>First name, last name, contact details, payment information</td>
           <td>The Hotel’s legal obligations</td>
           <td>10 years from the end of the accounting period</td>
       </tr>
       <tr>
           <td>Managing and archiving your Hotel registration card. Data Controller: Hotel</td>
           <td>First name, last name, date and place of birth, nationality, postal address, phone number, email
               address, arrival and departure dates</td>
           <td>The Hotel’s legal obligations</td>
           <td>6 months from the date of the creation of the Hotel registration card</td>
       </tr>
       <tr>
           <td>Establishing any evidence necessary to defend our rights and managing pre-litigation and litigation.
               Data Controller: Hotel</td>
           <td>It depends on the risk of litigation identified (potentially all personal data identified in this table)
           </td>
           <td>The Hotel’s legitimate interest to defend its rights</td>
           <td>5 years after the end of the contractual relationship and/or until the end of the proceedings in case of
               ongoing litigation</td>
       </tr>
       <tr>
           <td>Managing a merger or acquisition of all or part of a Hotel or Vanand. Data Controller: Hotel or Vanand
               depending on the merger/acquisition operation</td>
           <td>Potentially all personal data identified in this table</td>
           <td>The Hotel’s and/or Vanand’s legitimate interest, particularly its business and economic interest to
               anticipate and perform a corporate operation</td>
           <td>Until the end of such merger/acquisition</td>
       </tr>
       <tr>
           <td>Handling data subjects’ rights. Data Controller: Hotel</td>
           <td>First name, last name, contact details, ID in some cases, any other personal data targeted by your
               request</td>
           <td>The Hotel’s legal obligations</td>
           <td>For proof of identity (if any): deleted once the request has been handled (may be kept up to 6 years if
               there is a high risk of litigation). For the data collected to manage the request: until the request is
               managed/closed. For the answer provided: 6 years from the closure of the request.</td>
       </tr>
       <tr>
           <td>Carrying out statistical analyses, developing the Website and optimizing your browsing (cookies may be
               placed on the Website for these purposes). Data Controller: Vanand</td>
           <td>Your behaviour on the Website, operating system, device model, IP address</td>
           <td>Your consent</td>
           <td>Cookies used/read for 6 months following your consent</td>
       </tr>
       <tr>
           <td>Ensuring the proper functioning of the Website (via essential cookies not submitted to prior consent).
               Data Controller: Vanand</td>
           <td>Technical information concerning the characteristics and operating data of the user's device, operator,
               operating system, device model, IP address</td>
           <td>Vanand’s legitimate interest in ensuring the functioning of its Website</td>
           <td>13 months from the deposit of the cookie</td>
       </tr>
       <tr>
           <td>Social Media Management (administering social media accounts and communications on behalf of the hotel).
               Data Controller: Hotel</td>
           <td>Personal details of social media followers as they make available via the social media platform</td>
           <td>The Hotel’s legitimate interest to communicate with clients and improve client experiences to boost
               sales</td>
           <td>No data is stored outside the social media platforms themselves</td>
       </tr>
   </tbody>
</table>

‍

<div id="3"></div>

3. IS THE PROVISION OF YOUR PERSONAL DATA MANDATORY?

Managing payments

Whether or not the provision of your personal data is mandatory will be indicated to you at the time of collection of such personal data (for example, where fields are marked with an asterisk). Where you do not provide personal data that is mandatory, we may not be able to reply to your request and/or to provide you with its services.

(including: processing a credit card guarantee or preauthorization charge to ensure payment of your stay and incidental charges, processing and managing any payments that are due, including outstanding payments, paying a commission to your travel agent if any, sending you invoices)

‍

Data Controller: Hotel

<div id="4"></div>

Bank account and/or credit or debit card information (cardholder names, number, end date of validity, visual cryptogram), e-mail address, postal address

4. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?

Performance of a contract between the Hotel and you (including the execution of pre-contractual measures)

We will only share your personal data in certain circumstances and in accordance with the provisions of Applicable Regulations.

5 years from the end of the agreement between the Hotel and you

In particular, we disclose your personal data to identified recipients and authorized internal persons, as described below. All recipients and authorized persons processing your personal data are subject to confidentiality obligations. Thus, we disclose your personal data to:

Promoting and improving our services

• To internal authorized employees who need to process your personal data for the purposes specified in section 2 of this Privacy Policy and, more specifically to:
• Customer support department,
• Human resources department,
• Commercial/marketing department,
• Accounting department.

Including sending you commercial/marketing information (if you have consented);

• To external recipients and in particular:
  - carrying out satisfaction surveys;
  - creating statistics/ business indicators about the use of our services by our users to improve them.

• Public authorities and bodies to whom we must disclose some of your personal data to comply with legal obligations, to protect the rights and/or safety of an individual;

Data Controller: Hotel

First name, last name, contact details, usage data of the services

• Third-party service providers, acting as data processors, and in particular:
• Axeptio,
• Mews,

As regards the provision of commercial / marketing information: your consent.

In addition, your personal data may be shared with third parties for the following purposes:

As regards satisfaction surveys and the creation of statistics / business indicators: the Hotel’s legitimate interest, and, in particular, its business and economic interest to promote its services, to improve them and ensure customers’ satisfaction.

• in the event of a merger or acquisition of all or part of a Hotel or Vanand by a third party or in the event of a sale, assignment or restructuring.
• in response to judicial or administrative proceedings of any kind or to law enforcement measures requested by the competent authorities.

3 years from the last contact with you / from the end of the agreement entered into with you

‍

Replying to your information requests about our services

<div id="5"></div>

Data Controller: Hotel

5. DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA?

First name, last name, email address, topic and any other information you directly and voluntarily provide regarding your request.

Your personal data will not be transferred to a country located outside the European Economic Area.

Depending on the information request:

- If you do not have a contractual relationship with us and are not in the process of establishing such a relationship: the Hotel’s legitimate interest and, in particular, its economic interest to communicate with potential customers and to answer to their inquiries; or

<div id="6"></div>

- If you have a contractual relationship with us or are in the process of establishing such a relationship: performance of a contract between the Hotel and you (including the execution of pre-contractual measures)

‍6. YOUR RIGHTS

In accordance with Applicable Regulations, you have the following rights with respect to your personal data:

If the request is not related to an agreement between you and the Hotel, we will retain your personal data for 5 years following the closing of the request (except for very basic requests for which your personal data will not be kept).

1. Right to withdraw consent

If the request is related to an agreement between you and the Hotel, we will retain your personal data for 5 years from the end of such agreement.

Wherever we rely on your consent, you will be able to withdraw that consent at any time you choose by contacting us at privacy@arevcollection.com. The withdrawal of your consent will not affect the lawfulness of the collection and processing of your personal data based on your consent up until the time you withdraw your consent. Please note that we may have other legal grounds for processing your personal data for other purposes, such as those set out in this Privacy Policy (see the table in section 2 of this Privacy Policy to understand which processing are based on your consent).

Managing invoices.

2. Right to access and obtain a copy of your personal data

Data Controller : Hotel

You have the right to access, review, and  request a copy of your personal data processed as described in this Privacy Policy (provided the request is not manifestly unfounded or excessive, particularly because of its repetitive nature).

First name, last name, contact details, payment information

3. Right to rectify your personal data

You may request to rectify your personal data if they are inaccurate, incomplete or not up to date (provided that the request is not manifestly unfounded or excessive, particularly because of its repetitive nature).

The Hotel’s legal obligations.

4. Right to erasure

10 years from the end of the accounting period

You have the right to request the erasure of your personal data processed by us as described in this Privacy Policy. However, this is not an absolute right, as we may be obliged to retain your personal data for legal or legitimate reasons. You may exercise your right to erasure in the following cases: if you have validly objected to the processing of your personal data or have withdrawn your consent, if the personal data is not or is no longer necessary for the purposes for which it was originally collected or processed, or if the personal data is unlawfully processed.

Managing and archiving your Hotel registration card

5. Right to restriction of processing

Data Controller: Hotel

You may ask us to restrict the processing of your personal data. This right means that the processing of your personal data by us is restricted, so that we may retain the data, but we may not use or otherwise process it. This right applies in specific circumstances, namely (i) if you challenge the accuracy of your personal data: the processing is then restricted for a period of time to allow us to verify the accuracy of the data; (ii) in cases where the processing is unlawful and you object to the erasure of your personal data and instead demand the restriction of their use; (iii) in cases where we no longer need the personal data for the purposes mentioned above in section 2, but they are still necessary for the establishment, exercise or defense of legal claims; and (iv) in cases where you have objected to the processing based on the legitimate interests pursued by us, you may request that the processing be restricted for the period necessary to determine whether we can comply with your objection.

First name, last name, date and place of birth, nationality, postal address, phone number, email address, arrival and departure dates

5. Right to object to processing

The Hotel’s legal obligations.

Where we process your personal data on the basis of our legitimate interests (see the table in section 2 of this Privacy Policy for data processing based on our legitimate interests), you may at any time object to the processing of your personal data on grounds relating to your particular situation, unless we have compelling legitimate grounds for processing such data which override your interests, rights and freedoms, or where such data is necessary for the establishment, exercise or defense of legal claims.

6 months from the date of the creation of the Hotel registration card.

6. Right to data portability

Where you have provided your data to us and where the processing is carried out by automated means and based on your consent or the performance of a contract between you and us, you have the right to receive the personal data processed about you in a structured, commonly used, and machine-readable format, and to transmit this data to another service provider.

Establishing any evidence necessary to defend our rights and managing pre-litigation and litigation.

7. Right to give general and specific instructions

Data Controller: Hotel

You also have the right to give general and specific instructions to decide the fate of your personal data after your death.

It depends on the risk of litigation identified (potentially all personal data identified in this table)

8. Right to lodge a complaint

The Hotel’s legitimate interest to defend its rights

You have the right to lodge a complaint before the relevant supervisory authority (in France, the Commission Nationale de l'Informatique et des Libertés: the “CNIL”). However, we invite you to contact us at privacy@arevcollection.com before filing any complaint with the CNIL.

5 years after the end of the contractual relationship and/or until the end of the proceedings in case of ongoing litigation. Please note that all the retention periods identified in this table include the need to keep the data for litigation purposes.

To exercise any of your rights, you can file a request via email at privacy@arevcollection.com

‍

Managing a merger or acquisition of all or part of a Hotel or Vanand.

<div id="7"></div>

Data Controller: Hotel or Vanand depending on the merger / acquisition operation

7. HOW TO CONTACT US

Potentially all personal data identified in this table

Questions, comments, remarks, requests or complaints regarding this Privacy Policy are welcome and should be addressed to privacy@arevcollection.com.

The Hotel’s and/or Vanand’s legitimate interest and, in particular, its business and economic interest to anticipate and perform a corporate operation

‍

No data is stored outside the social media platforms themselves

Until the end of such merger/acquisition

The Hotel’s legitimate interest and, in particular, its interest in communicating with its clients and improving the clients’ experiences to boost its sales.

Personal details of social media followers, as they make available via the social media platform

Handling data subjects’ rights.

Data Controller : Hotel

Data Controller: Hotel

First name, last name, contact details, ID in some cases, any other personal data targeted by your request

The Hotel’s legal obligations

Social Media Management(administering Social Media accounts and communications on behalf of the hotel).

For the proof of identity (if any): deleted once the request has been handled (can be kept longer, for 6 years as from the closure of the request if there is a high risk of litigation)

13 months from the deposit of the cookie

For the data collected to manage the request: until the request is managed/closed

Vanand’s legitimate interest in ensuring the functioning of its Website

For the answer provided to you: 6 years as from the closure of the request

Technical information concerning the characteristics and operating data of the user's device, operator, operating system, device model, IP address

Carrying out statistical analyses, developing the Website and optimizing your browsing: cookies may be placed on the Website for these purposes – for more information you can refer to our Cookie Policy.

Data Controller: Vanand

Ensuring the proper functioning of the Website (via essential cookies not submitted to prior consent).
Your behaviour on the Website, operating system, device model, IP address

Your consent
‍These cookies are used/read for 6 months following your consent