Sonesta

Sonesta Privacy Notice

Last Revised: January 2020

Sonesta International Hotels Corporation (collectively with our subsidiaries, “Sonesta,” “we,” “us,” “our”) provides this Privacy Notice (“Privacy Notice”) describing important information about how we collect, use and disclose your personal data in the following circumstances:

Through the websites or mobile applications we own and control that link to this Privacy Notice (the “Online Services”),
Through the social media pages we control, emails that we send and other direct marketing activities (“Marketing Activities”),
When you visit one of the properties we own, operate, franchise or license and through other in-person interactions with you (“Offline Activities”).

When we use the term “Services” in this Privacy Notice, we collectively refer to the Online Services, Marketing Activities and Offline Activities.

When we use the term “Guests” in this Privacy Notice, we mean the users of and visitors to the “Services.” This Privacy Notice does not apply to information we collect from our employees, contractors, applicants for employment, or business contacts.

When we use the term “personal data” we mean any information that identifies an individual person or reasonably relates to an identifiable individual.

What Personal Data We Collect

1. Personal data – We collect personal data about our Guests so that we can provide an experience that is responsive to your needs and to enhance our offerings to you and our other customers, including:

Name
Postal address
Email addresses
Telephone numbers
Credit card information and other payment data
Financial information, in limited circumstances
Gender or gender expression
Lifestyle information, such as room preferences and other information necessary to fulfill special requests (e.g., medical conditions that require room accommodations)
Date of birth
Nationality, passport, visa or other government-issued identification information
Employer details
Travel itinerary, tour group, or activity data
Guest preferences and personalized data, such as your communications and language preferences, travel habits and preferences, food and beverage preferences, interests, activities, hobbies, prior stays or interactions, good and services purchased, special service and amenity requests, and important dates (such as birthdays, anniversaries and special occasions)
Social media account ID, profile photo and other data publicly available, or data made available by linking your social media and loyalty accounts
Information about family members and companions, such as names and ages of children
Images. video, and audio data via security cameras and security personnel body cameras
Geolocation information

2. Other Data – We collect other data about you, including:

Information regarding your use of our Online Services, including browser and device data, data collected through cookies, pixel tags and other technologies (these practices are more fully described below in the “Cookie Notice” section)
Demographic data and other data provided by you
Aggregated data relating to your stays

How We Collect Personal Data

1. Online Services and Marketing Activities – We collect Personal Data through our Online Services and Marketing Activities when you:

Research and book a reservation
Purchase products or services
Make a customer service request
Respond to a survey
Subscribe to our newsletters
Register for our loyalty program
Update your contact information
Participate in a competition, promotional activity, or sweepstakes
Provide a testimonial, story, review or comment
“Like,” “Follow,” or otherwise connect with or post to one of our social media pages
Interact with an email we send

2. Offline Activities – We collect Personal Data during your visits to properties we own, operate, franchise or license, and through other in-person interactions when you:

Purchase or use on-site products and services, such as restaurants and bars, fitness centers and concierge services
Attend promotional events that we host or in which we participate, or when you provide your personal data to facilitate an event.

3. Business Partners – We collect Personal Data from companies with whom we partner to provide you with products, services, or offers based upon your experiences at our properties or that may be of interest to you. These business partners are independent from Sonesta. Examples of our business partners include:

Owners, franchisees, and licensees
On-property retail and food and beverage outlets
Travel agents and tour operators
Time share partners
Rental car providers
Travel booking platforms

4. Other Sources – We collect personal data from other sources, such as public databases, joint marketing partners, Guest devices that are connected to Wi-Fi we provide, and other third parties.

5. Internet-Connected Devices – We collect personal data from internet-connected devices available in our properties. For example, a smart home assistant may be available for your use at one of our properties that you visit.

6. Physical & Mobile Location-Based Services – We collect personal data if you download one of our mobile applications (for example, we may collect the precise physical location of your device). We collect this data if you opt in through the app, either during your initial login or later, to receive the special offers and to enable location-driven capabilities on your mobile device. If you have opted-in, the app will continue to collect location data when you are in or near a participating property until you log off or close application, or if you use your device’s setting to disable location capabilities for the app.

Why We Collect Personal Data

We collect the personal data above about our Guests so that we can provide an experience that is responsive to your needs and to enhance our offerings to you and our other customers. More specifically, we use the information in connection with the following:

Our business transactions with you, including, but not limited to:
- Fulfilling bookings
- Entering into a contract with you
- Responding to your inquiries and fulfilling your requests
- Sending administrative information to you (for example, information regarding the Services or an event you are attending)
- Completing and fulfilling any purchases or requests for services
Our legitimate business interests, including, but not limited to:
- Providing any other specific products, services, and information you request from us (such as participation in our loyalty programs)
- Providing you our newsletter, surveys, and other marketing and informational materials regarding our properties, products, and services (subject to your opt out right described in the “Opt Out” section below)
- Personalizing your experience on the Services by presenting products and offers tailored to you
- Allowing you to participate in sweepstakes, contests, and similar promotions, and to administer these activities (each of which may have additional rules and could contain additional information about how we process your personal data)
- Facilitating social sharing functionalities of your social media accounts
- Carrying out data analysis, audits, fraud monitoring and prevention, internal quality assurance, developing new products, enhancing, improving or modifying our Services, identifying usage trends, auditing use and functionality of our Services, helping enforce compliance with our Terms of Use, helping protect our Services, determining the effectiveness of our promotional campaigns, and operating and expanding our business activities
- Allowing you to send messages to a friend through the Services. By using this functionality, you are telling us that you are entitled to use and provide us with your friend’s name and email address
- Fulfilling any other purpose for which you provide your personal data or which we disclose to you at the time of disclosure
Any consent you may have provided, including, but not limited to:
- Accommodating special requests due to health conditions
- We will make it clear to you in advance that we are relying on your consent (for example, when you sign up to our mailing list), and you have the right to decline to provide your consent and, if consent is provided, to withdraw your consent at any time
As necessary or appropriate for legal reasons, including, but not limited to:
- To comply with our legal obligations
- To comply with legal process
- To respond to requests from public and government authorities, including those outside your country of residence
- To enforce our terms and conditions
- To protect our operations or those of any of our affiliates and other third parties
- To protect our rights, privacy, safety or property, or that of our affiliates, you, or other third parties
- To allow us to pursue available remedies or limit damages we, our affiliates, or other third parties, may sustain

How We Share and Disclose Personal Data

1. To Whom We Disclose Personal Data for a Business Purpose

In the course of processing your personal data in connection with fulfilling bookings and providing other products and services you obtain from us, it may be necessary to transfer your personal data to:
- Our affiliates (for example, we share loyalty program data)
- Our owners, franchisees and licensees (for example, we share reservation data)
- Payment processors and/or third-party service providers located in the United States and throughout the world for the purposes outlined in this Privacy Notice
- Business partners, sponsors, and other third parties
Unless otherwise precluded or governed by legal requirements, we do not grant permission to any of our affiliates, property owners, franchisees, licensees or third-party service providers that may receive your information to use such information independent of use in connection with our products and services, consistent with this policy.
Reservations made via our websites (but not our call centers) are processed by Sabre, Inc., a third party. Personal data disclosed during the reservation process via our websites will be subject to this Privacy Notice, and, with respect to Sabre’s holding, use and retention of such information, shall be subject to Sabre’s privacy policy (as may be updated from time to time) displayed on Sabre’s website, which is accessible at http://www.sabre.com.
Except for the disclosure noted above regarding affiliates, properties, franchises and licenses, payment processors and third-party service providers, and except as disclosed below, our practice is to not provide access to, sell, rent, or otherwise give physical possession of your personal data to other parties.

2. When We Disclose Your Personal Data – Situations in which we may disclose your personal data, any communications sent to or received from you, and other information that we may have relating to you, are:

When we have received your consent to do so
When a hotel or other property leaves the Sonesta system and access to your personal data is necessary to facilitate business operations or meet contractual obligations
To comply with legal or regulatory requirements or obligations in accordance with applicable law, including pursuant to a court order, subpoena, discovery, investigation, or similar action
In case of emergency, if we believe it helpful in order to safeguard the life, health, or property of an individual
If reasonably necessary to protect or enforce our property and rights, including to prevent, investigate, identify persons or organizations potentially involved in, or take any action regarding suspected fraud, violations of our terms of service, or activity that appears to us to be illegal or may expose us to legal liability, and
In the event we merge with, or sell, or have a change of control of all or part of our business to a third party, to the acquirer of such business.

3. If information is shared as mentioned above, we reasonably seek to limit the scope of information that is furnished to the amount necessary for the specific circumstances.

Cookie Notice

We collect other data using cookies and related data collection technologies (“Cookies”) to provide our Online Services engage in Marketing Activities, gather information when users navigate through our websites to enhance and personalize the experience, to understand usage patterns, and to improve our websites, products, and Services.

Cookies on our websites are generally divided into the following categories:
- Essential Cookies: These cookies are strictly necessary to provide you with services available through our Online Services and to use some of their features, such as access to secure areas. Because these cookies are strictly necessary to deliver the Online Services, you cannot refuse them without impacting how our Online Services function.
- Performance and Functionality Cookies: These cookies are used to enhance the performance and functionality of our Online Services but are non-essential to their use. However, without these cookies, certain functionality may become unavailable.
- Analytics and Customization Cookies: These cookies collect information that is used to help us understand how our Online Services are being used or how effective our marketing campaigns are, or to help us customize our Online Services for you in order to enhance your experience.
- Targeting Cookies: These cookies record your visit to our Online Services, the pages you have visited and the links you have followed to recognize you as a previous visitor and to track your activity on our websites and other websites you visit. These cookies qualify as persistent cookies, because they remain on your device for us to use during a next visit to our websites. You can delete these cookies via your browser settings. See below for further details on how you can control third-party targeting cookies.
- Pixels & Beacons: These technologies count how many people visit certain web pages. Information collected from invisible pixels is used and reported in the aggregate and does not contain personal data. We may use this information to improve marketing programs and content.
We also allow third parties to use Cookies on our Online Services to collect information about your online activities over time and across different websites you visit. This information is used to provide advertising tailored to your interests on websites you visit, also known as interest-based advertising, and to analyze the effectiveness of such advertising.
How to control Cookies:
- You can review your Internet browser settings, typically under the sections “Help” or “Internet Options,” to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the Online Services.
- To learn more about the use of Cookies by Google for analytics and to exercise choice regarding those Cookies, please visit the Google Analytics Opt-out Browser Add-on.
- We support the Self-Regulatory Principles for Online Behavioral Advertising of the Digital Advertising Alliance (“DAA”). To learn more about certain third-party Cookies used for interest-based advertising, including through cross-device tracking, and to exercise certain choices regarding such cookies, please visit the Digital Advertising Alliance, Network Advertising Initiative, Digital Advertising Alliance-Canada, European Interactive Digital Advertising Alliance [MB1] or your device settings if you have the DAA or other mobile app.
- The opt-outs described above are device- and browser-specific and may not work on all devices. If you choose to opt-out through any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.

Other Information

1. Links to Other Web Sites – In some cases, our Online Services contain links to websites operated and maintained by third parties over which we have no control. When you connect to such website, you leave our Online Services. You should always read the privacy policy on these sites prior to transmitting any personal data since we cannot verify or be responsible for information not maintained by us. You connect to these sites at your own risk.

2. Social Media Sites – We are not responsible for the collection, usage and disclosure policies and practices (including data security) of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including any personal data you disclose to other organizations through or in connection with our mobile applications or our Marketing Activities.

3. Protecting Minor Children – Except as noted below, we do not seek to obtain nor do we wish to receive personal data directly from minors; however, we cannot always determine the age of persons who access and use our Online Services. If a minor (as defined by applicable law) provides us with his/her data without parental or guardian consent, we encourage the parent or guardian to contact us to have this information removed and to unsubscribe the minor from our future marketing communications. Exceptions to this are:

The names and ages of minors staying in rooms under reservations booked by an adult, whose names are recorded
Our properties have from time to time programs and services directed at children, such as our “Just for Kids” and similar supervised children's services, for which email, contact information and age may be acquired from minors aged 13 and over (such minimum age subject to appropriate adjustment in each jurisdiction to comply with law)

4. Information Provided on Someone Else’s Behalf – If you provide us with information about someone else, please ensure you have the person’s permission to do so for the purposes detailed in this Privacy Notice.

Opt Out

1. Our intention is that you should only receive email communications that you request, or that you will find useful. We may periodically contact you to provide information on:

Upcoming or past reservations
Travel Pass account information
General hotel or corporate informational updates
To ask for your feedback on our service

2. This communication is typically via email, though it may be by phone or direct mail (particularly with respect to upcoming reservations). We may also send promotional emails with special offers that may be of interest to you (unless you have opted out).

3. All of our promotional emails give you the option to opt out at any time by clicking on a link at the bottom of the email. You may also opt out of any future promotional emails by emailing your request to: emailoptout@sonesta.com. Please allow 10 business days for your email opt out request to take effect.

4. You may choose not to submit your personal data by submitting your request by calling our Compliance Hotline at 855.251.0649. However, doing so may cause certain transactions to become affected. For example, not providing a name will prevent the processing of reservations.

Security

We seek to take steps to protect the information you provide us from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented physical, electronic and managerial procedures to help safeguard and secure your information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Unfortunately, no security system is 100% secure, thus we cannot guarantee the security of all information you provide to us via the Services.

Region-Specific Disclosures

1. European Economic Area – For individuals in the European Economic Area, please click here for additional detailed disclosures (“EEA Disclosures”).

2. California – For California residents, please click here for additional detailed disclosures (“CCPA Disclosures”).

Policy Changes

At times our Privacy Notice may be changed and any updates will be posted to this site. If material changes are made to this Notice, we will post a notice to the revised policy on the homepage of this site for at least thirty (30) days. Any changes that are made will go into effect when posted on the site and they will apply to all users of our Services. We encourage you to check this policy periodically for updates.

Contact Us

If you have any questions about this Policy, or any concerns or complaints with regard to the administration of the Policy, please contact us by any of the following means:

by calling our Compliance Hotline at 855.251.0649
by mailing a written description of your concern or complaint to:

Sonesta International Hotels Corporation
Chief Compliance Officer,
Two Newton Place,
255 Washington Street Suite 300,
Newton, MA 02458

by emailing to privacyinquiries@sonesta.com

APPENDIX A: ADDITIONAL INFORMATION FOR EEA RESIDENTS

These disclosures (the “EEA Disclosures”) supplement the Sonesta Privacy Notice.

The Disclosures apply only to our processing of personal data within the scope of the General Data Protection Regulation (“GDPR”) from one or more of the European Union Member States plus Iceland, Lichtenstein and Norway (together known as the “European Economic Area” or “EEA”) or the UK, in the event that the UK no longer forms part of the European Union or the EEA.

Data Retention

1. We will retain your personal data for the period necessary to fulfill the purposes outlined in the Sonesta Privacy Notice unless a longer retention period is required or permitted by law.

2. The criteria used to determine our retention periods include:

The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services)
Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them)
Whether retention is advisable considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations)

International Transfers

We are an international company and we may, subject to applicable law, transfer your information, to our affiliates or selected third parties outside the country where you are located and where information protection standards may differ (e.g., your information may be stored on servers located in other jurisdictions). We will utilize appropriate safeguards governing the transfer and usage of your personal data, such as an adequacy decision by the European Commission, Model Clauses or other applicable adequacy mechanisms. If you would like further detail on the safeguards we have in place you can contact us directly as set forth in the “Contact Us” section below.

Data Subject Rights

Individuals whose personal data we process subject to the GDPR have certain rights, where applicable, as required by law, including the right of access, erasure and data portability, as well as the right to rectification, to restrict processing, to withdraw consent, and to object to processing as follows.

1. Access – Individuals have the right to know if we are processing personal data about them and, if so, to access and obtain a copy of personal data about them, as well as information relating to the processing of that data.

2. Rectification – Individuals have the right to have us correct or update any personal data about them that is inaccurate or incomplete without undue delay.

3. Restriction – Individuals have the right to restrict or limit the ways in which we process personal data about them where the accuracy of the personal data is contested by them, where data has been obtained by us unlawfully, where the individual has objected to our processing of the data (see right of objection below) and we are considering whether to cease processing, or where we no longer need to process the personal data.

4. Objection – Individuals have the right to object to our processing of their personal data where we are relying on legitimate interests as our legal basis and their rights override our legitimate interests in processing their personal data. Individuals also have the right to object to our processing of their personal data for direct marketing purposes.

5.Withdrawal of Consent – Where we rely on consent as the basis for processing personal data, individuals have the right to withdraw their consent.

6. Erasure – Individuals have the right to request deletion or erasure of their personal data in a number of circumstances where required by law. These include where we no longer require the personal data for the purposes for which it was collected, the individual has withdrawn consent or, where we are relying on legitimate interests as a legal basis, and the individual’s rights override our legitimate interests.

7. Portability – Individuals have the right to obtain a copy of the personal data we hold about you in a structured machine-readable format and to have it transmitted to another controller. This right only occurs where we are relying on your consent or performance of a contract as our legal basis and the processing is carried out automatically.

8. Make a Complaint – Individuals also have the right to make a complaint about our personal data handling practices to their local Supervisory Authority. We would, however, appreciate the opportunity to address your concerns directly if possible, and ask you to please contact us in the first instance.

Changes to EEA Disclosures

At times our EEA Disclosures may be changed and any updates will be posted to this site. If material changes are made to this Notice, we will post a notice to the revised policy on the homepage of this site for at least thirty (30) days. Any changes that are made will go into effect when posted on the site and they will apply to all users of our Services. We encourage you to check this policy periodically for updates.

Contact Us

To assert one of your legal rights described in these EEA Disclosures, or if you have any questions about these EEA Disclosures or our data handling practices, please contact us by any of the following means:

by calling our Compliance Hotline at 855.251.0649
by mailing a written description of your concern or complaint to:

Sonesta International Hotels Corporation
Chief Compliance Officer,
Two Newton Place,
255 Washington Street Suite 300,
Newton, MA 02458

by emailing to privacyinquiries@sonesta.com.

APPENDIX B: ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

These disclosures (the “CCPA Disclosures”) supplement the Sonesta Privacy Notice. These CCPA disclosures apply to Guests who are California residents and only to our processing of personal data that is in scope for the California Consumer Privacy Act (“CCPA”).

Categories of Personal Information Collected

The CCPA requires us to provide additional information about the personal information we collect with reference to specific categories of information. For additional information about our sources of personal data, how we use personal data, and how we disclose personal data, refer to the Sonesta Privacy Notice. Within the last twelve months, we have collected the following categories of personal information from California residents:

Category	Examples
Identifiers.	Name, postal address, Internet Protocol address, email address, account name, driver's license number, passport number, or other similar identifiers.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, address, telephone number, passport number, driver's license or state identification card number, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. .
Protected classification characteristics under California or federal law.	Age (40 years or older), citizenship, marital status, sex (including gender, gender identity, or gender expression).
Commercial information.	Products or services purchased, obtained, or considered.
Internet or other similar network activity.	Information on a consumer's interaction with a website, application, or advertisement.
Geolocation data.	Physical location.
Sensory data.	Visual or similar information.
Professional or employment-related information.	Employer details.

“Sales” of Personal Information

We do not sell your personal information for monetary consideration; however, we may disclose certain information for our Marketing Activities or in relation to our co-branded credit cards. Under the CCPA, some of these disclosures may be considered “sales.” In relation to these disclosures, we may share identifiers, commercial information, other financial information, and internet or other similar network activity. In order to opt-out of these disclosures, you may use the contact information below or use this link: Do Not Sell My Personal Information.

California Privacy Rights

1. Privacy Rights – Under the CCPA, California residents may have certain privacy rights, including the rights to: (i) request additional disclosures about the Personal Information we collect, use, and disclose, i.e., a “Request to Know (Categories of Information)”; (ii) obtain a copy of Personal Information, i.e., a “Request to Know (Specific Pieces of Information),” sometimes called the Right to Access; (iii) request deletion of Personal Information, i.e., a “Request to Delete Information,” sometimes called the Right to Be Forgotten; and (iv) opt out of the sale of Personal Information, i.e., a “Request to Opt Out.”

2. How to Exercise Privacy Rights – If you wish to exercise any of these rights please email privacyinquiries@sonesta.com or call us at 855.251.0649. The rights described herein are not absolute and we reserve all of our rights available to us at law in this regard. Additionally, if we retain your personal data only in de-identified form, we will not attempt to re-identify your data in response to a Data Subject Rights request.

We do not discriminate against you, for example, by charging you a different price or offering a different level of service, for exercising any of these rights.

If you make a request related to personal data about you, we will need to verify your identity. To do so, we will request that you match specific pieces of information you have provided us previously, as well as, in some instances, provide a signed declaration under penalty of perjury that you are the individual whose personal information is the subject of the request. If it is necessary to collect additional information from you, we will use the information only for verification purposes and will delete it as soon as practicable after complying with the request. For requests related to particularly sensitive information, we may require additional proof of identification. If you make a request through an authorized agent, we will require written proof that the agent is authorized to act on your behalf. We will process your request within the time provided by applicable law.

3. Additional Privacy Rights for California Residents (California Shine the Light) –

If you are a California resident, California Civil Code Section 1798.83 permits you to request information about our practices related to the disclosure of your personal information to certain third parties for their direct marketing purposes. You may be able to opt-out of our sharing of your personal information with unaffiliated third parties for the third parties' direct marketing purposes in certain circumstances. Please send your request (along with your full name, email address, postal address, and the subject line labeled "Your California Privacy Rights") by email at privacyinquiries@sonesta.com.

Changes to CCPA Disclosures

Contact Us

by calling our Compliance Hotline at 855.251.0649
by mailing a written description of your concern or complaint to:

Sonesta International Hotels Corporation
Chief Compliance Officer,
Two Newton Place,
255 Washington Street Suite 300,
Newton, MA 02458

by emailing to privacyinquiries@sonesta.com.