Table of Contents

1. PURPOSE OF THIS CHARTER 
2. WHO WE ARE? 
3. PRINCIPLES FOR PROTECTING YOUR PERSONAL DATA 
4. SCOPE OF APPLICATION 
5. PERSONAL DATA COLLECTED 
6. WHEN PERSONAL DATA COLLECTED 
7. PURPOSE OF COLLECTION OF PERSONAL DATA 
8. DISCLOSURE OF PERSONAL INFORMATION 
9. INTERNATIONAL TRANSFERS 
10. DATA SECURITY 
11. COLLECTION OF OTHER INFORMATION 
12. STORAGE OF DATA 
13. ACCESS AND MODIFICATION 
14. HOW TO CONTACT US 
15. UPDATES

1. PURPOSE OF THIS CHARTER


This Global Privacy Charter (“Charter”) applies to LUX* Resorts and Hotels, its subsidiaries and all of the hotels within the LUX* Portfolio of Brands (collectively, "LUX," "we," or "us"). At LUX, we strive to deliver outstanding products, services, and experiences around the world. We value your business and, more importantly, your loyalty. We recognise the importance of our customers’ privacy, and we respect the fact that our customers want to safeguard the use of their personal information. We have therefore developed this Charter to explain how we collect data about you, and the nature of that data, how we use that data, who that data may be sent to, and how we can amend data you have submitted to us.

This Global Privacy Charter forms part of the terms and conditions that govern our hotel services. By accepting these terms and conditions, you expressly accept the provisions of this Charter.

2. WHO WE ARE?


LUX* Resorts & Hotels means Lux Island Resorts Ltd (“LIR”), The Lux Collective Ltd (“TLC”) and various hotels and brands, together with their operating and/or management companies (the “Hotels”).

Lux Island Resorts Ltd
LIR is a public company incorporated in Mauritius and its shares are listed on the stock exchange of Mauritius. Its registered office is situated at 58 Pierre Simonet Street Floreal, Mauritius. The main activity of the group is the operation and management of hotels. LIR is the ultimate parent company of TLC and the Hotels owned by LIR.

The Lux Collective Ltd
TLC, a subsidiary of LIR, manages LIR owned resorts and third party owned hotels.

Hotels
More information on hotels and operating and/or management companies is available in our most recent Annual Report located on our website here:
https://www.luxresorts.com/en/about-us/investor-relations/financial-reporting

Each of these entities may act as a controller and will be responsible for handling your personal information.

The data controller of your personal information will be the LIR entity(ies) with which you have a contractual relationship.

TLC is the primary operating entity and data controller responsible for handling your personal information in connection with the operation of the website and the provision of reservation and marketing services.

Each Hotel also may act as a data controller responsible for the provision of services at the respective LUX* hotel(s) owned and/or operated by it.

3. PRINCIPLES FOR PROTECTING YOUR PERSONAL DATA


The seven principles below are applicable within our Group.

1. Transparency: When collecting and processing your personal data, we will communicate all information to you and inform you of the purpose and recipients of the data.

2. Legitimacy: We will collect and process your personal data only for the purposes described in this Charter.

3. Relevance and accuracy: We will only collect personal data that is necessary for data processing. We will take all reasonable steps to ensure that the personal data we hold is accurate and up to date.

4. Storage: We will hold your personal data for the period necessary for processing the same in compliance with the provisions of the law.

5.Access, rectification, opposition:You may access, modify, correct or delete your personal data. You may also oppose the use of your personal data, particularly to avoid receiving sales and marketing information.

6. Confidentiality and security: We will ensure reasonable technical and organisational measures are in place to protect your personal data against alteration or accidental or unlawful loss, or unauthorised use, disclosure or access.

7. Sharing and international transfer:We may share your personal data within our organisation or with third parties (such as commercial partners and/or service providers) for the purposes set out in this Charter. We will take appropriate measures to guarantee security when sharing or transferring such data.

4. SCOPE OF APPLICATION


This policy applies to:
1. All data processing at LUX i.e. those operating under any of the LUX brand name and/ or any other brand owned by LUX.
2. All reservation websites, including the brand site www.luxresorts.com

5. PERSONAL DATA COLLECTED


"Personal data" means any information collected and logged in a format that allows you to be identified personally, either directly (e.g. name) or indirectly (e.g. telephone number) as a natural person. It relates to any personal information you provide to us by phone, SMS, email, in letters, in person, through representatives and other correspondence or means.

At various times, we will be obliged to ask you, as our customer, for information about you and/or members of your family, such as:
  • Contact details (e.g. last name, first name, telephone number, email)
  • Personal information (e.g. date of birth, nationality)
  • Information relating to your children (e.g. first name, date of birth)
  • Your credit card number (for transaction and reservation purposes)
  • Your arrival and departure dates
  • Your preferences and interests (e.g. smoking or non-smoking room, preferred floor, type of bedding, sports, cultural interests)
  • Your questions/ comments, during or following a stay in one of our hotels.

Data on minors
The information collected in relation to persons under 18 years of age is limited to their name, nationality and date of birth, which can only be supplied to us by a parent or guardian. We would be grateful if you could ensure that your children do not send us any personal data without your consent (particularly via the internet).

Sensitive personal information
We do not collect sensitive information, such as information concerning race, ethnicity, political opinions, religious and philosophical beliefs, union membership, or details of sexual orientation or character certificate. However, in limited cases we might need to collect sensitive data to provide you with a better service and meet your needs, such as your food preferences, allergies, health conditions, current medication and/ or any physical conditions that affect your mobility. In these cases, the sensitive information will be those volunteered by you and which you have unequivocally agreed to communicate to us.

6. WHEN PERSONAL DATA COLLECTED


Personal data may be collected on a variety of occasions, including:

1. Hotel activities:
    • Booking a room
    • Checking-in and paying
    • Eating/ drinking at the hotel bar or restaurant during a stay
    • Activities offered by the hotel (spa, kids club, water sports, etc.)
    • Requests, complaints and/ or disputes.

2. Closed circuit television systems and other security systems
    • Closed circuit television (CCTV) images only, no audio recording

3. Participation in marketing programs or events:
    • Signing up for loyalty programs
    • Participation in customer surveys (for example, the Guest Satisfaction Survey)
    • Online games or competitions
    • Subscription to newsletters, in order to receive offers and promotions via email

4. Transmission of information from third parties:
    • Tour operators, travel agencies, GDS reservation systems, and others
    • Profiling

5. Internet activities:
    • Connection to our Group’s websites (IP address, cookies)
    • Online forms (online reservation, questionnaires, our Group’s pages on social networks, network login devices)

7. PURPOSE OF COLLECTION OF PERSONAL DATA


We collect your personal data for the purposes of:

1. Meeting our obligations to our customers

2. Managing the reservation of rooms and accommodation requests

3. Creation and storage of documents in compliance with legal and accounting requirements

4. Managing your stay at the hotel:
    • Monitoring your use of services (telephone, bar, restaurants, pay TV etc.)
    • Managing access to rooms

5. Providing a safe and secure environment for our customers, employees, suppliers and service providers and to protect our premises and property.

6. Improving our hotel services, especially:
    • Processing your personal data in our customer marketing program in order to carry out marketing operations, promote brands and gain a better understanding of your requirements and wishes
    • Adapting our products and services to better meet your requirements
    • Customising commercial offers and the promotional messages we send to you
    • Informing you of special offers and any new services created by our Group
    • Carrying out surveys and analyses of questionnaires and customer comments
    • Managing claims/complaints

7. Managing our relationship with customers before, during and after their stay:
    • Providing details for the customer database
    • Segmentation operations based on reservation history and customer travel preferences with a view to sending targeted communications
    • Predicting and anticipating future behaviours
    • Developing statistics and commercial scores, and carrying out reporting
    • Providing context data for the offer push tool when a customer visits the Group’s websites or makes a reservation
    • Knowing and managing the preferences of new or repeat customers
    • Sending you newsletters, promotions, hotel or service offers, offers from partners, or contacting you by telephone
    • Managing requests to unsubscribe from newsletters, promotions, offers and satisfaction surveys

8. Using a trusted third party to cross-check, analyse and apply certain devices to your collected data at the time of booking or at the time of your stay, in order to determine your interests and your customer profile, and to allow us to send you personalised offers.

9. Securing and enhancing your use of LUX websites, especially:
    • Improving navigation
    • Implementing security and fraud prevention.

10. Conforming to local and applicable international legislations

8. DISCLOSURE OF PERSONAL INFORMATION


As we are present in many countries, we endeavor to provide you with the same services throughout the world. Thus, to guarantee you the right of access and amendment we have to share your personal data with internal and external recipients subject to the following conditions:

1. Within LUX: in order to offer you the best service, we can share your personal data and give access to authorised personnel from the Group, including:
    • Hotel staff
    • Reservation staff using our reservation tools
    • IT departments
    • Marketing staff
    • Legal services if applicable
    • Generally, any appropriate person within the Group for certain specific categories of personal data

2. With service providers and partners: your personal data may be sent to third parties for the purposes of supplying you with services and improving your stay. More specifically we use third parties to:
    • Assist us with digital marketing and customer insight analytics
    • Help us obtain customer feedback to enhance our services

3. Local authorities: we may also be obliged to send your information to local authorities if this is required by law or as part of an inquiry and in accordance with local regulations.
We do not routinely disclose personal information to other organisations unless:
    • Required by law
    • Use or disclosure is permitted by this policy
    • We believe it necessary to provide you with a service or product which you have requested or are contracted to
    • Necessary to protect the rights, property or personal safety of any member of the public or a customer of LUX or the interests of LUX
    • You give your consent


9. INTERNATIONAL TRANSFERS


Due to the global nature of our business and that of our third party suppliers who process your personal data on our behalf, personal information we collect from you may be transferred, processed and stored overseas including (where applicable) outside the jurisdiction where the personal information is collected.

Although the data protection laws of these other countries may not be as comprehensive as those in your own, we will take all necessary steps to ensure that your personal information is treated securely, and in accordance with this Privacy Charter and any applicable laws.

In addition, personal information that you submit for publication on the website will be published on the internet and may be available, via the internet, around the world. LUX cannot prevent the use of such information by others. By submitting your personal data, you expressly agree to these transfers, storing, processing and publishing.

However, any such transfer of information does not change any of our commitments to safeguard your privacy and the information remains subject to existing confidentiality obligations.

10. DATA SECURITY


We are committed to keeping the personal information you provide to us secure and we will take reasonable precautions to protect your personal information from loss, misuse or alteration.

We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:
    • unauthorised access;
    • improper use or disclosure;
    • unauthorised modification; and
    • unlawful destruction or accidental loss.

All of our employees and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of the personal information of all users of our services.

11. COLLECTION OF OTHER INFORMATION


“Other Information” is any information that does not reveal your specific identity or does not directly relate to an individual, such as:
    • Browser and device information
    • App usage data
    • Information collected through cookies, pixel tags and other technologies
    • Demographic information and other information provided by you
    • Aggregated information

If we are required to treat Other Information as Personal Information under applicable law, then we may use it for the required purposes and disclose Personal Information as detailed in this Charter. We and our third party service providers may collect Other Information in a variety of ways, including:

• Through your browser or device: Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, internet browser type and version and the name and version of the online services (such as the Apps) you are using. We use this information to ensure that our online services function properly.

• Through your use of the Apps: When you download and use an App, we and our service providers may track and collect App usage data, such as the date and time the App on your device accesses our servers and what information and files have been downloaded to the App based on your device number.

• Using cookies: You are advised that LUX uses cookies or other tracers on its online booking sites. These tracers may be installed on your device depending on the preferences that you expressed or may express at any time in accordance with this policy.

We and our service providers use this information for security purposes, to facilitate navigation, to display information more effectively, to collect statistical information, to personalize your experience while using the Online Services and to recognize your computer in order to assist your use of our online services, such as for the online reservation process.

• Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used in connection with some online services to, among other things, track the actions of users of the online services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the online services and response rates. We also use Google Analytics, which uses cookies and similar technologies to collect and analyse information about use of our services and report on activities and trends. These services may collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/, and opt-out by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout

• IP Address: Your IP address is a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP). An IP address may be identified and logged automatically in our server log files whenever a user accesses our online services, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for purposes such as calculating usage levels, diagnosing server problems and administering our online services. We may also derive your approximate location from your IP address.

• By aggregating information: Aggregated Personal Information does not personally identify you or any other user of the Services (for example, we may aggregate Personal Information to calculate the percentage of our users who have a particular telephone area code).

12. STORAGE OF DATA


We retain your personal data only for the period necessary for the purposes set out in this Charter or in accordance with the provisions of applicable law.

13. ACCESS AND MODIFICATION


Your right of access.
If you ask us, we will confirm whether we are processing your personal information and, if so, provide you with a copy of that personal information. If you require additional copies, we may need to charge a reasonable fee.

Your right to rectification.
If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal information with others, we will let them know about the rectification where possible.

Your right to erasure.
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). However, note that we may retain some of your personal information for a reasonable period of time, even after you withdraw a consent, for legal or compliance purposes. If we have shared your personal information with others, we will let them know about the erasure where possible.

Your right to restrict processing.
You can ask us to suspend the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us processing it. It would not stop us from storing your personal information, though. We will tell you before we lift any restriction. If we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so.

Your right to data portability.
With effect from 25 May 2018, you have the right, in certain circumstances, to obtain personal information you have provided to us (in a structured, commonly used and machine readable format) and to reuse it elsewhere.

Your right to object.
You can ask us to stop processing your personal information, and we will do so, if we are:
• relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or
• processing your personal information for direct marketing.

Your rights in relation to automated decision-making and profiling
You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you. However, we may conduct automated decision-making and/or profiling where it is necessary for entering into, or the performance of, a contract between you and us.

Your right to withdraw consent
You have the right to withdraw your consent at any time. However we may not be able to provide certain services to you should that be the case.

Your right to lodge a complaint with the supervisory authority
If you have a concern about any aspect of our privacy practices, including the way we have handled your personal information, you can report it to the Data Protection Commissioner of Mauritius. If you are an EU citizen, you have the right to lodge a complaint with the supervisory authority of the country of your residence.

We would appreciate the chance to deal with your concerns before you approach the authorities above, so please contact us in the first instance.

14. HOW TO CONTACT US


If you have any questions or complaints about how we handle your personal data, or would like us to update or erase the data we maintain about you and your preferences, please contact our Data Protection Officer:

By email: dataprotectionofficer@luxresorts.com

By post: Data Protection Officer, 58 Pierre Simonet Street Floreal, Mauritius.

We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

For the purposes of confidentiality and personal data protection, we will need to identify you in order to respond to your request. You will be asked to include a copy of an official piece of identification, along with your request. In some cases we may also request an administrative fee to cover the cost of access.

15. UPDATES


We may modify this Charter from time to time. Consequently, we recommend that you consult it regularly, particularly when making a reservation at one of our hotels.

LUX operates in a dynamic business environment. Over time, aspects of our business may change as we respond to changing market conditions. This may require our policies to be reviewed and revised. LUX reserves the right to change its privacy policy at any time and notify you by posting an updated version of the policy on its websites.

The amended policy will apply between us whether or not we have given you specific notice of any change.