It provides information on what personal data we collect, why we collect the personal data, how it is used and the lawful basis on which your personal data is processed, and what your rights are under the applicable data protection and privacy laws, including but not limited to the General Data Protection Regulation (‘GDPR’), the UK Data Protection Act 2018 and the Israeli Protection of Privacy Law 1981.
2. Data controller
The data controller responsible for your personal data is the Tree of Life Resorts & Spa company with whom you make a reservation (‘Company’, ‘we’, ‘us’ and/or ‘our’)
3. The personal data we collect
- We collect the following personal data about you when you make a reservation:
Contact information, such as your first and last name, mailing address, email address, and telephone number;
- Language preference;
- Credit card number or other payment account number, billing address, and other payment and billing information (‘Payment Information’);
- Records and copies of your correspondence if you contact us;
- Guest-stay information, including the properties where you have stayed, date of arrival and departure, and goods and services purchased;
- Depending on the type of reservation, we may also ask for your gender and date of birth, important dates, such as birthdays, anniversaries and special occasions, names of any guests travelling with you and any preferences (such as meal preferences and health conditions) of which you advise us when you make your reservation or which we learn about during your visit at one of our properties.
Sensitive data: In some cases, in connection with your reservation we may need to collect personal data that is considered sensitive data by the law, such as information about your health (for example, allergies or other health conditions). On such occasions, we will only use your personal data for the purposes which we will explain at that time and we will seek your explicit consent. Depending on the circumstances, processing of sensitive data about you may also be necessary to protect your or a third party’s vital interest or for reasons of public interest in the area of public health.
Some of the personal data we request is necessary for us to perform our contract with you and/or to comply with our legal obligations and if you do not wish to provide us with this personal data, it will affect our ability to provide the services you request to you. If the provision of your personal data is purely voluntary, we will inform you accordingly and, in this case, there will be no implications for you if you do not wish to provide us with it.
4. Where we obtain personal data from
We collect your personal data in the following ways:
When you make a reservation
We collect personal data that you provide to us directly when you make a booking through our websites, by email or phone, or communicate with us. If you need to get in touch with our customer service team, or reach out to us through other means (such as through social media) we will collect information from you there, too.
We collect Personal Data when you visit our properties or use on-property services and facilities, such as restaurants, concierge services, spas.
You may make a reservation for our services through third-party services such as online restaurant-reservation (e.g. OpenTable) or travel-fare aggregator websites. When you use some of these, you provide the reservation details to such parties, who then forward your details to us to finalise and administer your reservation. When you make a reservation on a third-party website, please also take the time to read their privacy notice if you wish to understand how these parties may process your personal data.
You are under no legal obligation to furnish any personal data about you, and the furnishing thereof is at your discretion and at your own free will. However, if you do not furnish certain information about you, we may not be able to provide our services to you.
5. How we use your personal data
We use your personal data in the following ways:
- To complete and administer your reservation and stay, including processing your payment, ensuring that your room is available, and provide you with related customer service, including sending confirmations or pre-arrival messages, assist you with meetings, events or celebrations. Such use of your data is necessary to perform our contract with you or, before a reservation is completed, to take steps at your request prior to entering into a contract.
- As necessary for our legitimate interests or those of a third party to which we are transferring personal data. Which include the following:
- Our reservation website may allow you to create a user account. We use the information you give us to administer this account, allowing you to do a number of useful things such as managing your reservation, taking advantage of special offers, make future reservations easily and manage your personal settings;
- To communicate with you in relation to your reservation and stay, including to respond to and handle any requests you have made, send you administrative information, such as security alerts, or send you a questionnaire or invite you to provide a review about your experience with us. If you have not finalised a reservation online, we may contact you with a reminder to continue with your reservation. We believe that this additional service benefits you as it allows you to carry on with a reservation without having to fill in your reservation details again;
- To conduct analytics to inform our marketing strategy and enable us to enhance and personalise the experience we offer to our customers and our communications, including by creating customer profiles to enable personalised direct marketing communications;
- To provide postal communications which we think will be of interest to you;
- To administer this website, to better understand how visitors interact with our websites and ensure that our website is presented in the most effective manner for you and for your computer/device;
- If you ask us to delete your data or to be removed from our marketing lists and we are required to fulfil your request, to keep basic data to identify you and prevent further unwanted processing;
- To share personal data among our affiliated businesses for administrative purposes and in relation to our sales and marketing activities;
- We may anonymise, aggregate and de-identify the data that we collect and use such anonymised, aggregated and de-identified data for our own internal business purposes, for commercial, statistical and market research purposes, including conducting research on demographics, interests and behaviour. We sometimes ask our customers to take part in market research. Please see the information provided when you are invited to participate to understand what personal data is collected and how your personal data is used further;
- For internal business/technical operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes and as part of our efforts to keep our website, network and information systems secure;
- To (a) respond to requests from competent authorities; (b) enforce our House rules, where applicable; (c) protect our operations or those of any of our affiliated businesses; (d) protect our rights, safety or property, and/or that of our affiliated businesses, you or others; and for enforcing or defending legal rights, or preventing damage;
- As necessary to comply with applicable laws and regulations;
- Our Company and our affiliated businesses may provide you, or permit selected third-party service providers to provide you, with information about goods or services, events and other promotions we feel may interest you. We (or such third-party providers) will contact you by email only with your consent, which was given at the time you provided us with the personal data.
6. Disclosure of your information
We share your personal data with third parties in the following situations:
Our Company, like many businesses, sometimes hires selected third parties who act on our behalf to support our operations, such as (i) card processing or payment services (see the section below headed ‘Payment Information’), (ii) credit reference agencies to protect against possible fraud, (iii) providers of software management solutions for spa and wellness businesses, (iv) reservation platforms, (v) hosting and other information technology and related infrastructure service providers, (vi) web analytics providers, (vii) providers of digital advertising services and (viii) providers of CRM, marketing and sales software solutions. Pursuant to our instructions, these parties may access, process or store your personal data in the course of performing their duties to us and solely in order to perform the services we have hired them to provide.
Tree of Life Resorts & Spa affiliated businesses
We operate on a global scale. In order to provide the services, you request from us, our affiliated businesses may access and process the information which we collect from you for the purposes described above, including to offer products and services to you. Our affiliated businesses will only use your data for the purposes for which we originally collected it.
if we sell our business or our company assets are acquired by a third-party personal data held by us about our members, membership applicants or customers may be one of the transferred assets.
Administrative and legal reasons
if we need to disclose your personal data (i) to comply with a legal obligation and/or judicial or regulatory proceedings, a court order or other legal process. (ii) to enforce our Terms & Conditions, House Rules or other applicable contract terms that you are subject to or (iii) to protect us, our members, membership applicants, or contractors against loss or damage. This may include (without limit) exchanging information with the police, courts or law enforcement organisations.
7. Payment information
Any credit/debit card payments and other payments you make through our website will be processed by our third-party payment providers and the payment data you submit will be securely stored and encrypted by our payment service providers using up to date industry standards. Please note that we do not ourselves directly process or store the debit/credit card data that you submit.
We may arrange that card or payment data you submit in connection with your reservation is stored for the purpose of processing any future payments that you make. We will store this data in accordance with our legal obligations under applicable law and only for so long as legally permitted. You may choose to opt out of us holding your card or payment data although this means that you will need to re-supply us with card/payment details for the purpose of making any future purchases or reservations.
8. Personal data transfers
Your personal data will be transferred to and stored in countries other than the country in which the information was originally collected, including the United States and other destinations outside of Israel or the European Economic Area (‘EEA’), to our service providers and affiliated businesses for the purposes described above. Please note that the countries concerned may not provide the same legal standards for protection of your personal data that you have in the Israel, United Kingdom or EEA. Where we transfer your personal data to countries outside of the EEA we will take all steps to ensure that your personal data will continue to be protected. We will implement appropriate safeguards for the transfer of personal data to our service providers in accordance with the applicable law, such as implementing standard contractual clauses for data transfers. We have implemented data transfer agreements pursuant to applicable data protection law in order to implement appropriate safeguards for the transfer of personal data to Tree of Life Resorts & Spa group and affiliated companies in countries outside of Israel and the EEA. If you would like to receive more information on the safeguards that we implement, including copies of relevant data transfer contracts, please contact us as indicated below.
9. Tracking and Do Not Track disclosures
Please be advised that parties other than the Company may collect personal data about the online activities of the users of this website over time and across different websites when a consumer uses this website.
Do Not Track (‘DNT’) is a privacy preference you can set in most browsers. If you enable DNT on your browser, we will honour your request not to be tracked across the Internet. For more information, including how to turn on DNT, visit allaboutdnt.com
The website is not directed to children who are under the age of 13 or another legal age determined by the laws of the country where you live (whichever is the higher). The Company does not knowingly collect personal data from minors. If you have reason to believe that a child under the applicable legal age has provided personal data to the Company through the website, please contact us and we will endeavour to delete that information from our databases.
Where we have given you (or where you have chosen) a password or login which enables you to access certain restricted parts of our website, you are responsible for doing everything you reasonably can to keep these details secret. You must not share your password or login details with anyone else.
Unfortunately, the transmission of information over the internet or public communications networks can never be completely secure. We will take appropriate technical and organisational security measures to protect the personal data that you submit to us against unauthorised/unlawful access or loss, destruction or damage, although we cannot 100 per cent guarantee the security of personal data that you provide to us online.
12. Personal data retention
To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the purposes for which we process your personal data, applicable legal requirements or operational retention needs, and whether we can achieve those purposes through other means.
Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer personal data.
13. Your personal data protection rights
Certain applicable data protection laws give you specific rights in relation to your personal data. In particular, if the processing of your personal data is subject to the GDPR, you have the following rights in relation to your personal data:
Right of access
If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data along with certain other details such as the purpose of the data processing. If you require additional copies, we may need to charge a reasonable fee.
Right to rectification
If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your personal data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your personal data so you can contact them directly.
Right to erasure
Right to restrict processing
You may ask us to restrict or ‘block’ the processing of your personal data in certain circumstances, such as where you contest the accuracy of the personal data or object to us processing it. We will tell you before we lift any restriction on processing. If we shared your personal data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your personal data so you can contact them directly.
Right to data portability
You have the right to obtain your personal data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that is processed by automated means. We will provide you with your personal data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
Right to object
You may ask us at any time to stop processing your personal data, and we will do so:
- If we are relying on a legitimate interest to process your personal data – unless we demonstrate compelling legitimate grounds for the processing;
- If we are processing your personal data for direct marketing.
Right to withdraw consent
If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
Right to lodge a complaint with the data protection authority
If you have a concern about our privacy practices, including the way we handled your personal data, you can report it to the UK data protection authority (the Information Commissioner’s Office or ICO), or, as the case may be, any other competent data protection authority of an EU member state that is authorised to hear those concerns (you may find EU Data Protection Authorities’ contact information here).
If you wish to exercise any of these rights please contact us as described in the ‘Contact’ section below. We may also need to ask you for further information to verify your identity before we can respond to any request.
Questions, comments or requests regarding this policy should be addressed to firstname.lastname@example.org.