Data Privacy and Security Policy

Last Updated: 11 December 2023

This Data Privacy and Security Policy (“Privacy Policy”) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) collects, stores and handles “Personal Data” (i.e., any personal information that can be used to identify a living individual), which we may collect:

  • through websites operated by us from which you are accessing this Privacy Policy, including hshgroup.com, peninsula.com and other websites owned or controlled by the HSH Group (“Websites”);
  • through software applications (including automated tools and chat functionalities) made available by us for use on or through computers and mobile devices (“Apps”);
  • through email messages that we send you that link to this Privacy Policy and through your communications with us online or in person;
  • from third parties or other sources such as public databases, marketing partners, and other third parties; and
  • when you visit or stay as a guest or tenant at one of our properties or through other offline interactions (“Guest Interactions”).

Collectively, we refer to our Websites, the Apps, and Guest Interactions as our “Services”.

You may get the list of relevant companies within the HSH Group by clicking here.

This Privacy Policy is intended to ensure you can make informed decisions about providing your Personal Data when purchasing our products, using our Services, communicating with us and exercising shareholder’s rights. For any comments or queries, please contact us in accordance with Section 5 (Contacting us) below. You can click here to find our Websites and social media pages, where you may search for a Peninsula Hotel and/or restaurant or other goods and services that we operate or provide.

Please note that our Services are not intended for Minors. By “Minors”, we mean: (i) users under the age of 18 years old; or (ii) in the case of a region where the minimum age for processing Personal Data differs, such different age. We do not knowingly solicit or collect Personal Data from Minors for any purpose unless such information are voluntarily provided or consented by a parent or a legal guardian. If you believe that we have Personal Data of a Minor without lawful consent, or if you are the parent or guardian of the user of a relevant Minor and wish to withdraw consent, please contact us in accordance with Section 5 (Contacting us) below. For more information about how we collect, process, and protect Personal Data of Minors, please refer to Minors’ Privacy Policy. If you are a parent or a legal guardian of a Minor, please read the Minors’ Privacy Policy before sharing any Minor’s Personal Data with us.

By providing Personal Data to us, you agree to the processing and use set out in this Privacy Policy and have obtained corresponding authorisation (if required). If you do not agree to the processing of Personal Data in the way this Privacy Policy describes, please do not provide such data and stop using the Services.

We have organised and composed the Privacy Policy by major processes and scope of information processing so that you can easily browse the information of most interest to you.

  1. How we collect and use Personal Data
  2. How we share Personal Data
  3. How we transmit, protect, and store Personal Data
  4. Your rights
  5. Contacting us
  6. Cookies
  7. Changes to the Privacy Policy
  8. Other Sites

Annex I: Local Specific Provisions – California
Annex II: Local Specific Provisions – China

1

How we collect and use Personal Data

1.1 This section provides more detail on the types of Personal Data we collect from you, and why. It also identifies the legal basis under which we process the relevant Personal Data, to the extent this is required by applicable laws.
Personal Data Use Legal Basis (where applicable)
Personal information that you provide to us, or that we obtain from public channels, including your name, date of birth, gender, ID documents, nationality, language preference, telephone number, email address and (residential and/or delivery) address and records of your trading history with us.

Social media account information: depending on your interactions with various social media platforms linked to us or with which we engage, we may process your social media profile names, account ID, photographs, posts, etc. that are publicly available.
We use this information to:
  • administer, process and confirm your reservation requests (including correspondence relating to the same);
  • provide you with and charge for hotel-related Services and related information, including accommodation, food and beverages, spa treatments;
  • provide you with and charge for non-hotel Services and related information, including residential clubs, banquet events, commercial and residential leasing, concierge and transport services;
  • facilitate any special requests or assistance and to customise our Services (including products) to you;
  • complete your orders when you purchase a Peninsula gift certificate, pre-paid card or merchandise; and/or
  • to register and create your account for, or relating to, our Services in accordance with your request.
Necessary to perform our contract with you to provide our Services.
We also use this information to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers. It is in our and your legitimate interest to ensure that incidents and accidents are handled appropriately.
We may use this information to:
  • provide you with updates, offers, and subscriptions, special events, news and/or other marketing materials, in each case, relating to our Services or services or products of our shopping arcade partners; and/or
  • tailor our marketing communication to you by determining what offers are most likely to be of interest to different categories of customers.
We use this information with your consent.
Registration information of accounts with us, including your name, date of birth, contact details, as well as the username and password that you may provide to us if you are registering an account with us, e.g. through “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge”. We use this information to:
  • administer, process and confirm your reservation requests (including correspondence relating to the same);
  • provide you with and charge for hotel-related Services and related information, including accommodation, food and beverages, spa treatments;
  • provide you with and charge for non-hotel Services and related information, including residential clubs, banquet events, commercial and residential leasing, concierge and transport services;
  • facilitate any special requests or assistance and to customise our Services (including products) to you;
  • complete your orders when you purchase a Peninsula gift certificate, pre-paid card or merchandise; and/or
  • to register and create your account for the Services in accordance with your request.
Necessary to perform our contract with you to provide our Services.
We may use this information to:
  • to provide you with updates, offers, and subscriptions, special events, news and/or other marketing materials, in each case, relating to our Services or services or products of our shopping arcade partners; and/or
  • to tailor our marketing communication to you by determining what offers are most likely to be of interest to different categories of customers.
We use this information with your consent.
Your payment information such as your credit card information (including credit card number, code and expiry date) and your bank account details. We use this information to:
  • administer, process and confirm your reservation requests (including correspondence relating to the same);
  • provide you with and charge for hotel-related Services and related information, including accommodation, food and beverages, spa treatments;
  • provide you with and charge for non-hotel Services and related information, including residential clubs, banquet events, commercial and residential leasing, concierge and transport services;
  • facilitate any special requests or assistance and to customise our Services (including products) to you; and/or
  • to complete your orders when you purchase a Peninsula gift certificate, pre-paid card or merchandise.
Necessary to perform our contract with you to provide the Services.
If you contact us, via email, telephone or other means of communication, for any purpose (e.g., making enquiries in relation to a transaction with us), we may keep the correspondence on record. We use this information to:
  • administer, process and confirm your reservation requests (including correspondence relating to the same);
  • provide you with and charge for hotel-related Services and related information, including accommodation, food and beverages, spa treatments;
  • provide you with and charge for non-hotel Services and related information, including residential clubs, banquet events, commercial and residential leasing, concierge and transport services; and/or
  • facilitate any special requests or assistance and to customise our Services (including products) to you.
Necessary to perform our contract with you to provide and support the Services.
We also use this information to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by you or third parties. It is in our and your legitimate interest to ensure that incidents and accidents are handled appropriately.
CCTV recordings: We may have close circuit television systems installed which will take visual and/or aural recordings where appropriate and relevant, and we may keep recordings as permitted by applicable laws. We use this information to ensure the security of our properties, and, where applicable, to comply with our legal obligations. It is in our legitimate interest to use this information to protect the integrity of the Services.

In certain jurisdictions, CCTV recordings represent a legal obligation.
We use this information to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers. It is in our legitimate interest to ensure that incidents and accidents are handled appropriately.
Survey Information We may ask you to complete surveys that we use for research purposes. In such circumstances we will collect the information provided in the survey and use this to assist us in developing new services and products and to improve our existing services and products. We use this information with your consent.
Details of, and information relating to, your visits to our Websites and Apps collected through cookies and similar technologies We use this information to ensure our Websites and Apps function correctly (e.g. content on our Websites and Apps are presented in the most effective manner for you and for your device). Necessary to perform our contract with you to provide and support the Services.
For our hotel-related Services only (e.g., when you make a hotel or spa reservation, purchase a gift certificate from us, or enjoy customised concierge services to be provided via Mobile PenKey Concierge)
Your travel details (including flight number, arrival and departure dates and time, country/region of origin and destination), your frequent flyer information, your travel partner’s information (including accompanying family members, partners or friends), employment information (applicable to group reservation), preferences for rooms, food and beverages, and spa /salon treatments, internet access identifiers, and specific services details (including important dates or anniversaries). We may also need collect information as required by local laws such as the number of identity card or passport, type of entry visa, driver’s license, date and place of birth, gender, title, and nationality. We use this information to:
  • administer, process and confirm your reservation requests (including correspondence relating to the same);
  • provide you with and charge for hotel-related Services and related information, including accommodation, food and beverages, spa treatments; and/or
  • facilitate any special requests or assistance and to customise our Services (including products) to you.
Necessary to perform our contract with you to provide and support the Services.
Health-related information or preferences, such as allergies and health conditions that may be important to know in connection with the provision of food and beverages, or spa / salon treatments. We use this information to provide you with Services in a manner that is suitable to your needs. It is in your and our legitimate interest to ensure the Services are provided in a safe manner.
Your itemised spending to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room. We use this information to:
  • administer, process and confirm your reservation requests (including correspondence relating to the same);
  • provide you with and charge for hotel-related Services and related information, including accommodation, food and beverages, spa treatments;
  • facilitate any special requests or assistance and to customise our Services (including products) to you; and/or
  • to complete your orders when you purchase a Peninsula gift certificate, pre-paid card or merchandise.
Necessary to perform our contract with you to provide and support the Services.
Personal information provided via dedicated accounts such as “Peninsula Perfect Companion”, “Mobile PenKey Concierge”, such as your name, contact details, date of birth or drivers’ license number for renting a car. We use this information to enrol you in, and provide you with lifestyle and customised concierge services under, the relevant program and account your registered for. Necessary to perform our contract with you to provide and support the Services.
For non-hotel related Services only (e.g., residential and commercial leasing, and operation of residential clubs and provision of food and beverages, banquet and transport services not connected to our hotels)
Information to satisfy your requests for related services: license plate number (applicable to residential and commercial leasing), co-habitant or visitor (applicable to residential leasing), food and beverages preferences and requests (applicable to provision of food and beverages services), itinerary and activity arrangement (applicable to provision of banquet or transport services), etc. We use this information to:
  • provide you with and charge for non-hotel Services and related information, including residential clubs, banquet events, commercial and residential leasing, concierge and transport services; and/or
  • facilitate any special requests or assistance and to customise our Services (including products) to you.
Necessary to perform our contract with you to provide and support the Services.
Information relating to your identity or membership with us such as details of identity card and passport and particulars of tenancy, employment and club membership. We use this information to:
  • provide you with and charge for non-hotel Services and related information, including residential clubs, banquet events, commercial and residential leasing, concierge and transport services; and/or
  • facilitate any special requests or assistance and to customise our Services (including products) to you.
Necessary to perform our contract with you to provide and support the Services.
We may use this information to:
  • provide you with updates, offers, and subscriptions, special events, news and/or other marketing materials, in each case, relating to our Services or services or products of our shopping arcade partners; and/or
  • tailor our marketing communication to you by determining what offers are most likely to be of interest to different categories of customers.
We use this information with your consent.
For communication with shareholders, investors, potential investors and analysts and for verifying shareholders’ identity only (e.g., sharing with you our financial information, announcements and press release and inviting you to our presentations and/or to exercise your shareholder’s rights)
Your full name, email address and addresses, percentage of share and vote, phone number, employer and other Personal Data and, if appropriate, copy of your identification document, strictly for us to communicate with you and/or to verify your identity as our shareholder. We also use any Personal Data of yours that, from time to time, is in possession of the Hong Kong Share Registrar of The Hongkong and Shanghai Hotels, Limited (currently, Computershare Hong Kong Investor Services Limited). We use this information to:
  • complete shareholder proxy voting forms, enable you to attend, participate in, and exercise your shareholder rights during and including asking questions at our shareholder meetings;
  • register your participation in a company webcast or other live streaming or digital meeting format, including of shareholder meetings or results presentations and to participate in an associated Q&A session; and/or
  • complete an investor or media registration form to receive notifications of the release dates of our financial information, email alerts about (and links to) our announcements, press releases, invitations to our investor presentations or media briefings (including via webcasts or other live streaming or digital meeting formats.
We use this information to perform our obligations to you as analysts, shareholders, investors and/or potential investors.
1.2 In general, we may use the Personal Data set out above to assure your future comfort and attention to your individual needs, and/or assist in developing new services and products and to improve our existing services and products. It is in our legitimate interest to continuously improve and develop our Services. In addition, we may use the above information to comply with our legal obligations, to safeguard our legal rights including (without limitation) in relation to the defence of any claims, and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world. We are obliged to meet our legal obligations, and it is in our legitimate interest to safeguard our legal rights.
1.3 There are several ways by which we may collect your Personal Data from you:
  • we may collect your Personal Data from you directly by engaging with you, for example, through our Apps, when you make a direct booking on our Websites, or when you book or purchase our service or product in-person;
  • we may also collect Personal Data from third parties, including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our Services to you; and
  • we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that these social media platforms will have their own privacy policies and procedures governing the processing of your Personal Data.
1.4 If you provide us with Personal Data about other individuals (e.g., family members or travel companions), regardless of whether you are travelling together, you must obtain such individuals’ authorisation or consent to provide us with their details and let them know where they can find a copy of this Privacy Policy.
1.5 We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have.

2

How we share Personal Data

2.1 Only where necessary will we share your Personal Data with third parties. Situations where this may occur include the following:
  1. Affiliates ▶ To provide you with Services and ensure the consistency of service standard and business management, we may share your Personal Data with the affiliates in the HSH Group. Our affiliates have signed an intra-group data sharing agreement and may only use your Personal Data in accordance with this Privacy Policy. You may find a list of the relevant affiliates by clicking here.
  2. Third party service providers who process Personal Data on our behalf to help us undertake the activities described in the Section 1 ▶ We may permit selected third parties such as service providers, agents, contractors, entities, which may include the property/hotel owner, and/or other HSH Group companies, to use your Personal Data for the purposes set out in Section 1 (How we collect and use Personal Data) above, including:
    1. specialised agents helping us to provide advertisements and promotional campaigns and events and analyse their effectiveness, to manage your communications and questions to us, to maintain the relationship with you, to provide personalised services for you, and to send marketing communications to you with your consent in advance;
    2. third party vendors helping us to deliver products to you, such as post offices and couriers;
    3. payment service providers and credit reporters helping us to assess your credit score, to verify your information (if and when this is required for signing certain contracts) and to process your online payment;
    4. third party vendors helping us to provide customer or concierge services and customer care;
    5. travel agencies, firms or companies helping us to provide training, seminars, banquets, events, personalized experience services; and
    6. consulting firms helping us to manage client relationship and to provide reports and analysis of market research and customer surveys.
  3. Law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents/ claims ▶ We may disclose your Personal Data when required by relevant laws or by court order or requested by other government or law enforcement authorities to assist with proceedings or investigations. In such circumstances, unfortunately, we may not be able to seek your consent to, or notify you in advance of, such disclosure.
  4. Third parties to safeguard our legal rights and property ▶ We may disclose your information to third parties in order to:
    1. enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
    2. detect, prevent or otherwise address security, fraud or technical issues; or
    3. protect the rights, property or safety of us, our customers, a third party or the public as required or permitted by law (such as exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).
  5. Third parties who require such data in connection with a change in the structure of our business ▶ We may also disclose your Personal Data to a prospective buyer, new owner or other third party involved in any of the following transactions or change to our business (including any negotiations regarding any such transaction or change): (i) sale, transfer, merger, consolidation or reorganisation of any part(s) of our business, or merger with, acquisition or formation of a joint venture with any other business; or (ii) sell or transfer any of our assets (in which case the Personal Data may be sold as part of those assets).
2.2 All third-party service providers providing services to or for us are prohibited from retaining, using or disclosing your Personal Data for any purpose except where strictly necessary for the Services (i.e., for the purposes described above).
2.3 This Privacy Policy does not apply to third-party service providers (e.g., airlines, online travel agents, car rental companies, table booking websites) who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third-party provider’s privacy policy before providing your personal information.

3

How we transmit, protect, and store Personal Data

Security of communications
3.1 We take commercially reasonable administrative (e.g., information security and access policies), technical, and physical safeguards designed to protect the Personal Data that we possess. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. We cannot guarantee the security of your Personal Data transmitted through the Services or otherwise via the Internet – any transmission is at your own risk. Unauthorised entry or use, hardware or software failure, and other factors may also compromise the security of your information. Further, while we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and to the extent legally permissible, we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
3.2 We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements.
International Personal Data transfers
3.3 As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Beijing, Shanghai, Paris, New York, Tokyo, etc. To achieve this goal, we have established a global network comprised of properties, offices, trusted service providers and associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other Group companies, properties, centres of operations, data centres, or service providers that may be domiciled in countries outside of your own for the purposes mentioned in this Privacy Policy. Currently, personal data may be transferred to our headquarters in Hong Kong as well as other countries or regions where we are present or have data servers, including mainland China, Singapore, Japan, Vietnam, United Kingdom, United States of America, Thailand, Turkey, the Philippines, and France. The relevant countries or jurisdictions for the purposes of any such cross-border Personal Data transfer will depend on your location.
3.4 For customers located in relevant jurisdictions, including without limitation the EEA or the UK, transfers between our affiliates in the HSH Group and to third parties use applicable safeguards, such as incorporating standard contractual clauses, obtaining your consent or taking into account adequacy assessments.
Storage of Personal Data
3.5 Your Personal Data will be stored for the period of time required to fulfil the relevant purpose described in Section 1 (How we collect and use Personal Data) above unless otherwise required or permitted by law. If information is used for two purposes, we will retain it until both purposes have been fulfilled, but we will stop using it for a purpose once that purpose is fulfilled.

4

Your rights

4.1 Some jurisdictions’ laws grant specific rights to users of the Services. Please refer to the Local Specific Provisions (set out in the relevant annexes to this Privacy Policy), or the applicable laws in your jurisdiction, for an overview of specific rights that may apply to persons subject to data protection laws in the listed jurisdictions and how these can be exercised.
4.2 Subject to Section 4.1 above, you may enjoy certain rights in relation to your Personal Data that we hold. Some of these rights only apply in certain circumstances (as set out in more detail below). If you wish to exercise any of these rights, please reach out to us in accordance with Section 5 (Contacting us) below and we will handle your request in line with the applicable law and regulations.
  1. Access: you may ask us to provide you with access to your Personal Data and further details on the use we make of your Personal Data and who we share your Personal Data with.
  2. Correction: you may ask us to correct any inaccuracies in the Personal Data we hold about you.
  3. Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may complain to the data protection authority in your country.
  4. Erasure: you may ask us to delete your Personal Data if we no longer have a lawful ground for use, unless otherwise required or stipulated by applicable laws and regulations, but we will let you know if that is the case.
  5. Withdrawal of consent: where processing is based on consent (e.g., marketing, or certain uses of the special categories of Personal Data), and to the extent provided by applicable laws and regulations, you may withdraw your consent to certain processing activity or activities by us by contacting us, and we will stop that particular processing activity. Where consent is required to process your Personal Data, if you do not consent to the processing or if you withdraw your consent, we may not be able to deliver the expected service. Please note that the right to withdraw consent is only available if the legal basis for processing Personal Data is consent.
  6. Object to processing: you may object to our processing of your Personal Data. If you wish to do so, please contact us and we will consider your request.
  7. Restriction: you may require that we stop processing your Personal Data (other than for storage purposes in certain circumstances). Please note, however, that if we stop processing such Personal Data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g., for the defence of legal claims or for another’s protection).
  8. Portability: you may have the right to receive a copy of certain of your Personal Data we process about you. For example, in certain jurisdictions this can comprise Personal Data we process on the basis of your consent (e.g., survey information) or pursuant to our contract with you (e.g., account name), as described in Section 1 (How we collect and use Personal Data) above. We will provide further information to you about transferring this Personal Data if you make such a request.
  9. Advertising: You may choose to stop receiving personalised advertising or marketing promotions from us when using the Services by following the instructions of any marketing materials provided via email, by updating your preferences in your “My Peninsula” or “Peninsula Perfect Companion” account (where applicable) or by contacting us.
4.3 Where we act as a data processor, you should contact the data controller to exercise any of your rights.
4.4 Notwithstanding the foregoing, we may from time to time send you announcements when we consider it necessary to do so (for example, when we need to inform you about maintenance, security or safety matters at our properties). These are essential system and Service-related announcements, and you are not able to opt-out of these notifications, which are not promotional in nature.
Updating information
4.5 We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your account in “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge” (where applicable) or by contacting us in accordance with Section 5 (Contacting us) below.

5

Contacting us

5.1 If you have any questions about this Privacy Policy or our processing of your Personal Data, or otherwise want to exercise any rights you may have, please contact us at:

Data Privacy Team

The Hongkong and Shanghai Hotels, Limited
8/F St George’s Building
2 Ice House Street
Central, Hong Kong SAR
Phone: +852 2926 2888
Email: privacy@peninsula.com
5.2 You can also reach out to our representatives for data protection purposes as follows:

Representative in the European Union at:

Peninsula Paris Hotel Management SARL
Ref: “EU Representative”
c/o The Peninsula Paris
19 avenue Kléber,
Paris, France, 75116

Attention: Executive Office / HSH Management Services Limited
Phone: +33 1 5812 2888
Email: privacy@peninsula.com

Representative in the United Kingdom at:

Peninsula London Limited
(Acting as general partner on behalf of Peninsula London, LP)
Ref: UK Representative”
c/o The Peninsula London
1 Grosvenor Place, London
SW1 7HJ, United Kingdom

Attention: Executive Office / HSH Management Services Limited
Phone: +44 20 3959 2888
Email: privacy@peninsula.com

Representative in Thailand at:

Siam Chaophraya Holdings Company Limited
Ref: Thailand Representative”
c/o The Peninsula Bangkok
333/1 Charoennakorn Road, Klongton-Sai,
Klongsan, Bangkok 10600, Thailand

Attention: Executive Office / HSH Management Services Limited
Phone: +66 2 020 2888
Email: privacy@peninsula.com

Representative in Türkiye at:

PIT İstanbul Otel İşletmeciliği Anonim Şirketi
Ref: Türkiye Representative”
c/o The Peninsula Istanbul
Karaköy, Kemankeş Karamustafapaşa Mahallesi, Kemankeş Caddesi No:34,
34425 Beyoğlu, Istanbul, Türkiye

Attention: Executive Office / HSH Management Services Limited
Phone: +90 212 931 2888
Email: privacy@peninsula.com

5.3 We will endeavour to deal with your request within a reasonable time. This is without prejudice to any right you may have to launch a claim with a data protection authority in the region in which you live or work where you think we have infringed data protection laws.

6

Cookies

6.1 Our Websites and Apps use cookies and other technologies to distinguish you from other users of the relevant website. Cookies are small files which, when placed on your device helps us provide you with a good experience when you browse our Websites and also allows us to improve our Websites. For detailed information on the cookies that we use and the purposes for which we use them, please refer to our Cookies Policy.

7

Changes to the Privacy Policy

7.1 In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on our Websites or Apps, so that you will always understand our current practices with respect to the Personal Data. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed the revised Privacy Policy then in effect by visiting our websites or using our services after such changes.

8

Other sites and languages

8.1 Our Websites or Apps may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you provide any personal information to such third-party websites.
8.2 Except as otherwise prescribed by law or as expressly set out, in the event of any discrepancy or inconsistency between the English version and local language version of this Privacy Policy, the English version shall prevail.

Annex I: Local Specific Provisions – California

1. Scope and application

This section applies to California residents covered by the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, “CCPA”). For the purposes of this section, “personal information” and “sensitive personal information” have the meanings given in the CCPA and do not include information excluded from the CCPA’s scope.
2. Collection and disclosure of personal information

Over the past 12 months, we have collected, and disclosed for a business purpose, the following categories of personal information from or about you or your device:
  • personal information that you provide to us, or that we obtain from public channels, including your name, language preference, telephone number, email address and (residential and/or delivery) address and records of your trading history with us;
  • registration information of accounts with us, including the username and password that you provide to us for registering an account of “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge”;
  • your payment information such as your credit card information (including credit card number, code and expiry date) and your bank account details;
  • if you contact us, our correspondence via email, telephone or other means of communication, for any purpose (e.g., making enquiries to us before or after a transaction with us);
  • social media account information including, depending on your interactions with various social media platforms linked to us or with which we engage, your profile names, account ID, photographs, posts, etc., that are publicly available;
  • visual and/or aural recordings or images recorded by close circuit television systems installed to the extent appropriate, relevant and permitted by applicable laws and regulations;
  • information that you have provided when completing our surveys that we use for research purposes;
  • information relating to your usage of our Website and Apps, including details of your visits to our Website, Apps and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access;
  • your travel details and preferences including your travel details (including flight number, arrival and departure dates and time, country/region of origin and destination), your frequent flyer information, your travel partner’s information (including accompanying family members, partners or friends), employment information (applicable to group reservation), preferences for room, food and beverages and treatment, internet access, and services (including important dates or anniversaries). We may also collect information as required by local laws such as the number of identity card or passport, type of entry visa, driver’s license, date and place of birth, gender, title, nationality, etc.;
  • information on your itemised spending with us to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room;
  • your information via dedicated accounts such as “My Peninsula” or “Mobile PenKey Concierge”, to provide customised services according to your requests, such as your drivers’ license number for renting a car for you and other information to provide lifestyle experiences and sourcing services for goods, foods, entertainments, etc.;
  • certain information to satisfy your requests for related services, including (but not limited to) license plate numbers (applicable to residential and commercial leasing), personal information of co-habitant(s) or visitor(s) (applicable to residential leasing), food and beverages preferences and requests (applicable to provision of food and beverages services), itinerary and activity arrangement (applicable to provision of banquet or transport services), etc.; and/or
  • information if you submit to us voluntarily in connection with an investment or potential investment in us, including but not limited to your full name, email address and addresses, percentage of share and vote, phone number, employer and other personal information strictly in connection with the investment and, if appropriate, copy of your identification document. We also use any personal information that the Hong Kong Share Registrar of The Hongkong and Shanghai Hotels, Limited (currently, Computershare Hong Kong Investor Services Limited) already hold about you.
We collect and disclose your personal information for the following purposes:
  • to provide you with the Services, process reservation requests and enable and charge for (i) hotel related services, including but not limited to accommodation, food and beverages and spa treatment; and (ii) non-hotel services and information including residential clubs, banquet events, commercial and residential leasing, concierge and transport services;
  • to complete your orders or purchases when you purchase a Peninsula gift certificate, pre-paid card or merchandise;
  • to customise and improve our Services and products;
  • to provide you with updates, offers, subscriptions and other marketing materials relating to our Services to you where you have chosen to receive these;
  • to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers such as personal injury claims; and
  • to provide investment-related services to you, register to participate in a company webcast or other live streaming or digital meeting format, as well as complete various investor relations processes.
For additional information about what each type of personal information is used for, please refer to Section 1 (How we use Personal Data) above.

We disclose each of the categories of personal information that we collect to the following types of entities:
  • affiliates in the HSH Group in order to provide you with Services and ensure the consistency of service standard and business management;
  • selected third parties such as service providers, agents, contractors, entities, which may include the property/hotel owner, and/or other HSH Group companies, to support our use of your Personal Data as set out in Section 1 (How we use Personal Data) above, including:
    • specialised agents;
    • third party vendors providing delivery services;
    • payment service providers and credit reporters;
    • third party vendors providing customer or concierge services and customer care;
    • travel agencies, firms or companies; and
    • consulting firms;
  • law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents/ claims. In such circumstances, unfortunately, we may not be able to seek your consent to, or notify you in advance of, such disclosure;
  • Third parties to ensure safety, security or compliance with laws, including to:
    • enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
    • detect, prevent or otherwise address security, fraud or technical issues; or
    • protect the rights, property or safety of us, our customers, a third party or the public as required or permitted by law.
  • a prospective buyer, new owner or other third party involved in any of the following transactions or change to our business (including any negotiations regarding any such transaction or change): (i) sale, transfer, merger, consolidation or reorganisation of any part(s) of our business, or merger with, acquisition or formation of a joint venture with any other business; or (ii) sell or transfer any of our assets (in which case the Personal Data may be sold as part of those assets).
In the past 12 months, we have not sold or shared personal information of California residents within the meaning of “sold” or “Share” in the CCPA. We also have no knowledge of any sale or sharing of personal information of users under 16 years of age.

In addition, we do not use or disclose sensitive personal information for purposes other than to perform the services reasonably expected by an average consumer who requests those services.
3. Retention of your personal information

The retention period varies for the different categories of data collected. For more information about the retention period, please see Section 3 (How we transmit, protect, and store Personal Data) above.
4. Rights under the CCPA

If you are a California resident and the CCPA does not recognise an exception that applies to you or your personal information, you have the right to:
  • request we disclose to you free of charge the following information covering the 12 months preceding your request:
    • the categories of personal information about you that we collected;
    • the categories of sources from which the personal information was collected;
    • the purpose for collecting personal information about you;
    • the categories of third parties to whom we disclosed personal information about you and the categories of personal information that was disclosed (if applicable) and the purpose for disclosing the personal information about you; and
    • the specific pieces of personal information we collected about you;
  • request we delete personal information we collected from you, unless CCPA recognises an exception;
  • request we correct inaccurate personal information that we maintain about you; and
  • be free from unlawful discrimination for exercising your rights including providing a different level or quality of services or denying goods or services to you when you exercise your rights under the CCPA.
We target to fulfil all verified requests within the period stipulated by the CCPA, being 45 days as at the date of this Privacy Policy. If necessary, extensions for an additional 45 days will be accompanied by an explanation for the extension.
5. How to exercise your rights

If you are a California resident to whom the CCPA applies, you may also exercise your rights, if any, regarding other data by contacting us in accordance with Section 5 (Contacting us) above. We may take steps to verify your identity before complying with your request to protect your privacy and security, and may decline your request if we are unable to verify your identity. To verify your identity, we may need the following information from you: your first name, last name, address, phone number, date of birth and email address.

Under the CCPA, you may exercise these rights yourself or you may also designate an authorised agent to make these requests on your behalf. In order for us to process the request, you must provide the authorised agent with signed written permission. We reserve the right to require the agent to verify their own identity and to confirm directly with you that you have provided the authorised agent permission to submit the request.
6. Contacting us

If you have questions or concerns regarding this Privacy Policy, please contact us in accordance with Section 5 (Contacting us) above.

Additionally, for our US properties, we have the following toll-free numbers available for you to make a request in relation to your Personal Data to us:
  1. The Peninsula Beverly Hills: +1 800 462 7899
  2. The Peninsula Chicago: +1 866 288 8889
  3. The Peninsula New York: +1 800 262 9467
  4. Quail Lodge & Golf Club: +1 866 675 1101

Annex II: Local Specific Provisions – China

We have prepared this Annex II in accordance with the Personal Information Protection Law of the People's Republic of China ("PIPL") for residents of the People’s Republic of China (which, for the purpose of the Annex II of this Privacy Policy only, excluding Hong Kong SAR, Macao SAR and Taiwan, “China”) and individuals who are in China. In case of any conflict between this Annex II and the main text of this Privacy Policy, this Annex II shall prevail.

1. To whom we share Personal Data

As set out in Section 2 (How we share Personal Data) above, where permitted by the applicable laws and regulations, we may share your Personal Data with our affiliates, service providers, agents, contractors, and other business partners when and if it is necessary to do so. You may find a list of our affiliates to which we share your Personal Data and to know their details by clicking here. In addition, you may contact our Data Privacy Team in accordance with Section 5 (Contacting us) above to obtain information of our business partners and to whom we share your Personal Data.
2. Software Development Kits (SDK) Provided by Third Parties

To provide you with a better service experience, our websites or online channels may contain SDK from third-party providers to whom we may share your Personal Data when you use our Services. You may find details of these SDKs and their operators below:
Name Function Type of personal data collected Operator Privacy policy/hyperlink to official website
Gift platform API Support users to shop on e-commerce platforms Information of orders and addressees, user’s name and email address Techsembly Pte. Ltd https://www.techsembly.com/privacy-policy
Spa Booking Engine Support users to reserve spa service Name, email address and phone number CPS Graphics, Inc. dba Tambourine https://www.tambourine.com/privacy-policy
Spa Booking Engine Support users to reserve spa service Name, email address and phone number Shiji Concept Online Spa https://concept.shijigroup.com/privacy-policy
TravelClick Guest Management Solution User information management Name and email TravelClick https://www.amadeus-hospitality.com/travelclick-legal/terms-and-conditions/
Sinobase Member data management and statistical analysis Name, birthday, mobile phone number, WeChat ID, booking records Sinobase Marketing Technology Corporation https://www.sinobasedm.com/#/
WeChat Order Management Support users to reserve rooms Name, birthday, mobile phone number, WeChat ID, stay period Beijing Shiji Information Technology Co., Ltd. https://www.shijigroup.com/legal/terms-and-conditions
WeChat Content Management and Customer Relationship Management Data management and statistical analysis User’s WeChat ID and nickname, pages and contents visited, and duration of visit Shanghai JINGdigital Co., Ltd. https://www.jingdigital.com/%E9%9A%90%E7%A7%81%E6%94%BF%E7%AD%96/
RECON e-Payment solution Name and credit card number Cityline (Hong Kong) Limited https://www.reconpayment.com/
We will conduct necessary security testing to all third-party SDKs and require third-party providers to implement strict measures to protect the security of your Personal Data. Meanwhile, we may update the SDKs’ information according to changes in service requirements and business functions from time to time. You can find the most updated version in our latest Privacy Policy.
3. Personal Data transmission across international borders

In principle, the Personal Data that is generated or collected by us in China will be stored in China. However, to process your reservation and payment and to provide with you our Services, we may need to transfer your Personal Data outside of China. Data protection laws in these countries or regions may be different from those in China and the level of protection to your Personal Data may vary accordingly.

If your Personal Data is transferred outside of China, we will take appropriate protective measures as required by the laws and regulations in China, including, as appropriate, carrying out personal data protection impact assessments, obtaining necessary certification from the competent authorities, conducting security assessment by qualified third-party institutes, and/or signing the standard contractual clauses issued by the Cyberspace Administration of China with overseas recipients.
4. Special protection of Minors’ Personal Data

Please note that our websites and our products and services are not intended for Minors (i.e., persons under the age of 18) unless expressly stated in the relevant descriptions. We do not knowingly solicit or collect Personal Data of Minors. To ensure that guardians of Minors can make informed decisions regarding provision of Minors’ Personal Data when purchasing and using products and services provided by us, we have published the Minors’ Privacy Policy to explain how we collect, store, use, transfer or disclose the Minors’ Personal Data. If you are a Minor’s guardian, please read and understand the Minors’ Privacy Policy.
5. Contacting us

In addition to contacting us in accordance with Section 5 (Contacting us) above, you may contact our data protection officers in China as follows:

Data Protection Officer in China

The Palace Hotel Ltd.
8 Goldfish Lane, Wangfujing, Beijing
The Peninsula Beijing
Phone: +86 10 8516 2888
Email: privacy@peninsula.com

The Peninsula Shanghai Waitan Hotel Company Limited
No. 32, The Bund 32 Zhongshan Dong Yi Road, Shanghai
The Peninsula Shanghai
Phone: +86 21 2327 2888
Email: privacy@peninsula.com

Peninsula Merchandising (Shenzhen) Company Limited
D16, F/8, Block B, Aerospace Science and Technology Plaza, 3rd Street of Haide, Nanshan District, Shenzhen
Phone: +86 0755 2657 9989
Email: privacy@peninsula.com

Please allow 15 business days for us to process any data access requests. Where the request involves complex information gathering, we will advise you of the additional time needed to process your request.