Privacy Policy

Introduction

Privacy is imperative to Strategic Hospitality Resources (“SHR” or “we”), an access company. This Privacy Policy describes SHR’s web site and services (collectively, the “Service”). SHR (“SHR,” “we,” “us,” or “our”) and its wholly owned subsidiaries comply with the EU-US and Swiss-US Data Privacy Frameworks as set forth by the U.S. Department of Commerce, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) of Canada, and the General Data Protection Regulation (GDPR) of the EU regarding the collection, use, and retention of personal information transferred from Switzerland and the European Union or Canada to the United States. Additionally, SHR has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles (Data Privacy Framework active participant

If you have questions, concerns, or believe there is an enforcement breach regarding this Privacy Policy, you should contact our Data Protection Officer at [email protected].

What Does This Notice Cover

This Website Privacy Notice applies only to your use of our website. Our site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

What Is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
 Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. If you do not provide us with your personal data, we may not be able to provide you with our services or respond to any questions or requests you submit to us via our website. We will tell you when we ask for personal data which is a contractual requirement or is needed to perform our functions or to comply with our legal obligations.

What Personal Data do we collect and how?

Our site collects certain information automatically, including your IP address, the type of browser you are using, and certain other non-personal data about your computer or device such as your operating system type or version, and display resolution. You can remove or reject cookies using your browser or device settings, but in some cases doing so may affect your ability to use our products and services.

We collect the following personally identifiable information about our users: name, e-mail address, corporate web address, telephone number, business address, preferred means of communication, and other information voluntarily provided. This personally identifiable information is typically provided when users register for online services, subscriptions, communications, surveys, or to request information. We also collect information about users regarding web pages accessed, traffic patterns and site usage.

How We Use the Information We Collect About You

We, our service providers and our vendors may use any information collected from users: to operate the Service; to effect users’ transactions; to provide better services, products and opportunities to users; to notify users about services and opportunities that may be of interest to such users; to create and share reports about users’ transactions; and for other marketing purposes. We may also share your personally identifiable information with other third parties, including our business partners, in order to continue to provide our services to you and only if business needs require it.

Security and where we store your personal data.

We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access and use. As effective as modern security practices are, no physical or electronic security system is entirely secure. We have implemented strict internal guidelines to ensure that your privacy is safeguarded at every level of our organization. We will continue to revise policies and implement additional security features as new technologies become available.

Personal data security is essential to us, and to protect personal data, we take the following measures:

  • limiting access to your personal data to those employees and third parties with a legitimate need to know and ensuring that they are subject to duties of confidentiality;
  • procedures for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the relevant Supervisory Authority when legally required to do so.

Cookies

Cookies are information components stored on your hard drive containing information about you. These pieces of information allow the Service to remember important information that will make your use of the Service more useful. You can choose to reject or turn off the cookies through your browser settings. If you reject or turn off the cookies, you may still use the Service.

Log Files

We use IP addresses to analyze trends, administer the Service, track users’ movements, and gather demographic information.

Email Confidentiality Policy

We have created this email Privacy Policy to demonstrate our firm commitment to your privacy and the protection of your information. The information in our e-mail and any attachment(s) is confidential and for the use of the addressee(s) only. If you received a mailing from us, (a) your email address is either listed with us as someone who has expressly shared this address for the purpose of receiving information in the future (“opt-in”), or (b) you have registered or purchased or otherwise have an existing relationship with us. We respect your time and attention by controlling the frequency of our mailings. We value your privacy, and we use security measures to protect against the loss, misuse and alteration of data used by our system. To unsubscribe or manage email communication preferences, visit the bottom of any email from SHR and click ‘Unsubscribe’ and/or ‘Manage Preferences’.

What Are My Rights?

Under the General Data Protection Legislation, you have the following rights, which we will always work to uphold:

  • The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in the ‘Contact Us’ section.
  • The right to access the personal data we hold about you. ‘Contact Us’ below will tell you how to do this.
  • The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.
  • The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold. Please contact us using the details in the ‘Contact Us’ section to find out more.
  • The right to restrict (i.e. prevent) the processing of your personal data.
  • The right to object to us using your personal data for a particular purpose or purposes.
  • The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.
  • The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
  • Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
  • The right to lodge a complaint with the relevant Supervisory Authority, if you have any cause for complaint about our use of your personal data. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details in the ‘Contact Us’ section.

Do You Share My Personal Data?

We will not share any of your personal data with any third parties for any purposes, subject to the following exceptions:

Service Providers:
Carefully selected companies that provide services for or on behalf of us, such as companies that help us with IT support and website security. These providers are also committed to protecting your information.

Other Parties When Required by Law or as Necessary to Protect Our Services:
For example, it may be necessary by law, legal process, or court order from governmental authorities to disclose your information. They may also seek your information from us for the purposes of law enforcement, national security or other issues that are related to public security. We will challenge any such requests that are not valid.

Other Parties in Connection with Corporate Transactions:
We may disclose your information to a third party as part of a merger or transfer, acquisition or sale, or in the event of a bankruptcy.

Other Parties with Your Consent or at Your Direction:
In addition to the disclosures described in this Privacy Notice, we may share information about you with third parties when you separately consent to or request such sharing. If any personal data is transferred outside of the EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the relevant Data Protection Legislation.

Retention of your personal data:
We will store your personal data only for as long as necessary for the purpose(s) for which it was obtained. The criteria used to determine our retention periods include (i) the length of time we have an ongoing relationship and/or provide our services; (ii) whether there is a legal requirement to which we are subject; and (iii) whether the retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations). Please contact us if you wish to obtain further information concerning our retention periods (see ‘Contact Us’ below).

International Transfers:
Your use of our website may from time to time involve the transfer, storage, and processing of your personal data to other countries outside of the European Economic Area. We will take appropriate measures, in compliance with applicable law, to ensure that your personal data remains protected. Such measures include the use of Standard Contractual Clauses to safeguard the transfer of data outside of the EEA.
As stated in Part 7 above, we may be requested by law, legal process, or court order from governmental authorities to disclose your information. SHR also commits that if we are ever compelled by a valid and binding legal request to disclose visitor/customer data, we will disclose only the minimum amount of data necessary to satisfy the request.

Minors

SHR does not provide services for purchase by children, nor do we market to children. If you are under the age of 18, please do not submit any personal information through our website. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce this Privacy Notice by instructing their children never to provide personal information via our website without their guardian’s consent.

Disclosure Required by Law

We cooperate with law enforcement agencies in identifying those who use the Service for illegal activities. Therefore, we respond to subpoenas, warrants or other court orders regarding information concerning any users. We will, at our discretion, disclose information if we believe that we are required to do so by law, that such disclosure is necessary to protect us from legal liability or that we should do so to protect the integrity of the Service.

General Data Protection Regulation (GDPR)

As a leading Hospitality Resource platform and services provider, SHR, Strategic Hospitality Resources, has made the security and protection of your data a top priority by using state-of-the-art physical, technological, and procedural security safeguards.

The cornerstone of our platform is a rigorous security system that we—and by extension, you—can trust. We employ multiple safeguards and security protocols that are trusted in the industry with the singular goal of ensuring your data are protected.

We use multiple security measures, such as firewalls, encryption, IDS/IPS, physical/logical security and regular security audits (to name a few) to safeguard the confidentiality of our users’ personally identifiable information. Information we collect about our users is stored on secured servers.

If you should have any questions about the security of the Services or SHR environment, please inquire by sending an e-mail to [email protected].

Resolution of Complaints

In compliance with the Data Privacy Framework principles, SHR commits to the resolution of complaints about our collection or use of your information. We have also committed to resolve any complaints pursuant to the Privacy Shield Privacy Principles. European Union and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact SHR at: [email protected].

SHR has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Data Privacy Framework complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Correction/Updating Personally Identifiable Information

You can ask to see the personal information that we hold about you. If you want to review, verify or correct your personally identifiable information, or if you no longer desire SHR’s services, we will endeavor to provide a way to correct, update or remove the data you provided to us. Please note that any such communication must be in writing by sending an e-mail to [email protected]. In the event that we cannot provide you with access to your personal information, we will endeavor to inform you of the reasons why, subject to any legal or regulatory restrictions.

Your Consent; Notification of Changes

By using the Service, you consent to SHR’s collection and use of the information described in this Privacy Policy. If we decide to change this Privacy Policy, we will post those changes via our homepage so our users are aware of what information we collect, how we use it, and under what circumstances we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify you by way of an e-mail. Please check this policy from time to time to make sure that you are aware of our latest Privacy Policy.

SHR’s full Standard Operating Procedure (SOP) for GDPR can be provided upon request by emailing [email protected].

PCI-DSS

SHR is responsible for the security of cardholder data that it possesses, or otherwise stores, processes, or transmits on behalf of our clients, or to the extent that SHR could impact the security of the customer’s cardholder data environment. It will maintain the necessary technical and organizational measures needed to protect the security and availability of any Data created, collected, received or otherwise obtained to provide SHR services.

In particular, these technical and organizational measures control access to the premises where Data are Processed (physical access control), access to the IT systems via which Data are Processed (system access control), access to the Data themselves (data access control), the disclosure of the Data to other parties (data transfer control), when and how the Data are entered or modified (entry control), how subcontractors process Data (control of instructions), the availability of the Data (availability control), and the separate processing of the Data from other data, including other personal data (separation control).

All SHR clients’ user accounts that provide access to cardholder data comply with all the requirements described by the PCI DSS V 3.2.1 guidelines, as well as with any future requirements or documents released by the PCI council as they apply to SHR and our clients’ environment.

A copy of SHR’s Attestation of Compliance (AOC) for PCI-DSS can be provided upon request by emailing [email protected].

Data Privacy Framework Certification

SHR Group complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. SHR Group has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. SHR Group has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/ .

However, it is important to note that the Platform and its servers are operated in the United States and in the EU. If you are located outside of the United States, please be aware your personal information will be transferred to, processed, and used in the United States and in the EU. By using the Platform, you affirmatively consent to such transfer, processing, and use of your Personal Information in accordance with the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and this Privacy Policy.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SHR Group commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

SHR, as the processor of data for our clients/hotels (Processor of data according to GDPR), does collect Personally Identifiable Information (PII) during the room reservation process. However, the PII data collected is not shared with any other organization outside of the specific hotels that have taken the reservation, as they are the owners of the data (controllers of data according to GDPR).

Please note that per Data Privacy Framework “Available Remedies” for arbitration options “the “EU-U.S. Data Privacy Framework Panel” (the arbitration panel consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. These are the only powers of the EU-U.S. Data Privacy Framework Panel with respect to remedies. In considering remedies, the EU-U.S. Data Privacy Framework Panel is required to consider other remedies that already have been imposed by other mechanisms under the EU-U.S. DPF. No damages, costs, fees, or other remedies are available. Each party bears its own attorney’s fees.”

An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in section (d)(i) of the Supplemental Principle on Dispute Resolution and Enforcement; (2) make use of the independent recourse mechanism under the Principles, at no cost to the individual; and (3) raise the issue through the individual’s DPA to the Department and afford the Department an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the Department’s International Trade Administration, at no cost to the individual.

SHR Group’s active membership can be viewed at Data Privacy Framework Active member list.

Personal Information Protection and Electronic Documents Act (PIPEDA)

SHR complies with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA sets out rules for the collection, use and disclosure of personal information in the course of commercial activity as defined in the Act.

SHR fully complies with the 10 principles of PIPEDA, which are Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure and Retention, Accuracy, Safeguards, Openness, Individual Access, Provide Recourse.

Complaints/Questions

Any questions or concerns about SHR’s personal information handling practices may be directed to the Privacy Officer. Requests for access to information, or to make a complaint, are to be made in writing (via letter or email) and sent to the Privacy Officer at the following address:

Privacy Officer

1334 Brittmoore
 Suite 2410
 Houston, TX 77043
 Toll Free: +1 800 252 0522
 or
 Email address: [email protected]

If the hotel client is dissatisfied with the finding and corresponding action taken by SHR’s Privacy Officer, the hotel client may bring a complaint to the Federal Privacy Commissioner at the address below:

The Privacy Commissioner of Canada
 112 Kent Street
 Place de Ville
 Tower B, 3rd Floor
 Ottawa, Ontario K1A 1H3
 Toll Free +1 800 282 1376
 Email: [email protected]
 Website: www.priv.gc.ca

SHR’s full Standard Operating Procedure (SOP) for PIPEDA can be provided upon request by emailing [email protected].