GLOBAL PRIVACY POLICY - SUNSET HOSPITALITY GROUP
Effective Date: 22 September 2025
Sunset Hospitality Group (“SHG”, “we”, “us”, “our”) is committed to respecting and protecting your privacy. This Global Privacy Policy (the “Policy”) explains how we collect, use, process, store, protect, share, and dispose of personal data. It applies globally — in the EU, UAE, UK, Singapore, and wherever SHG operates — and reflects the obligations under major privacy and data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR); the UK General Data Protection Regulation and the Data Protection Act 2018 (UK Data Protection Law); UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL); and Singapore’s Personal Data Protection Act 2012 (PDPA). Some sections of this Policy include obligations that arise under specific local data protection laws. These provisions apply to you only where those laws are applicable.
We may amend this Policy from time to time. If changes are material, we will provide notice in a manner consistent with applicable law, which may include posting the updated Policy on our website and, where legally required or appropriate, providing direct notification using your last known contact details.
1. Definitions
These definitions apply throughout this Policy. If local law defines terms differently, those local definitions shall apply in that jurisdiction.
- Personal Data / Personal Information: Any data about a natural person (“data subject”) who is identified or identifiable. This can include names, identification numbers, location data, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
- Processing: Any operation or set of operations which is performed on Personal Data, whether or not by automated means. This includes collection, storage, consultation, use, disclosure, analysis, transmission, erasure, and destruction.
- Controller: SHG operates through various subsidiaries and affiliates worldwide. Each subsidiary that operates a venue acts as the Data Controller of the Personal Data processed in connection with that venue. The full legal entity name of the Controller for each venue is specified on the respective venue’s official website (for example, in the “About Us,” “Booking Terms,” or “Contact” sections). Guests and visitors should refer to the venue’s website for confirmation of the operating entity. This Global Privacy Policy should be read together with the information provided on the relevant venue website, which identifies the Controller for that specific venue.
- Processor: A person or entity that processes Personal Data on behalf of the Controller.
- Data Subject: A natural person whose Personal Data is processed by SHG.
- Data Protection Officer (“DPO”): The person appointed by SHG to oversee compliance with this Policy and applicable laws, including managing data subject rights, supervising data handling, and liaising with regulators.
- Sensitive / Special Category Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, sex life or sexual orientation.
- Supervisory Authority / Regulator: The official body in a jurisdiction overseeing data protection (e.g. EU national DPAs, UK ICO, UAE Data Office, Singapore PDPC).
This Policy applies to:
- All SHG entities, operations, departments, subsidiaries, affiliates, and employees worldwide.
- All Personal Data processed by SHG in any form (electronic, paper, CCTV recordings, audio, video, third-party data, etc.).
- All services offered: hotel stays, spa & wellness, F&B, loyalty programs, events, online/app bookings, marketing, HR/employment, vendor/supplier management.
- All individuals whose Personal Data SHG processes: guests, prospective guests, loyalty members, website/app users, employees, contractors, suppliers, partners.
- Data that is collected, used, stored, transferred or disclosed inside or outside a country, including cross-border transfers.
Exemptions: Where local law provides exemptions (such as, but not limited to, public authority, security or judicial functions under the PDPL in the UAE, and certain employee data under the PDPA or sector-specific laws), SHG will follow applicable law.
3. Principles and Legal Basis for Processing
SHG processes Personal Data in accordance with the core principles of data protection law, which are recognised across all jurisdictions in which we operate. These principles apply to all Processing activities undertaken by SHG. In addition, SHG ensures that each Processing activity is supported by at least one lawful basis for Processing as required by applicable law. Where data protection requirements differ between jurisdictions, SHG applies the strictest standard that is legally applicable.
3.1 Key Principles
- Lawfulness, fairness, transparency: Processing must be lawful, fair to the data subject, and transparent. Data subjects must be informed about what data is collected, why it is collected, how it is used, and with whom it is shared.
- Purpose Limitation: We collect Personal Data only for specified, explicit and legitimate purposes. We do not then use it in a way incompatible with those purposes, unless we first obtain consent or have another legal basis under applicable law.
- Data Minimization: We collect only the Personal Data that is necessary for the stated purposes and avoid collecting excessive data.
- Accuracy: We keep personal data accurate and up to date. We take reasonable steps to correct or erase inaccurate or incomplete data.
- Storage / Retention Limitation: We retain data only as long as needed for the stated purposes and to comply with legal, contractual and regulatory obligations. After the retention period expires, we securely delete or anonymize the data.
- Integrity & Confidentiality: We protect data against unauthorized or unlawful processing, access, loss, alteration, or destruction via appropriate technical and organizational measures.
- Accountability: SHG is responsible for and must be able to demonstrate compliance with all of the above.
3.2 Legal Bases
We rely on one or more of the following lawful bases for processing:
- Consent: where required by law, and where such consent is freely given, specific, informed, and explicit/unambiguous.
- Contract necessity: where Processing is necessary to enter into or perform a contract with you.
- Legal obligation: where Processing is required to comply with laws or regulations (e.g., tax, immigration, health and safety, consumer protection).
- Vital interests: where Processing is necessary to protect an individual’s life or prevent serious harm.
- Legitimate interests: where SHG or a third party has a legitimate interest, provided that interest is not overridden by your fundamental rights and freedoms.
4. Categories of Personal Data We Collect
We may collect and process the following categories of Personal Data where required for the purposes and where permitted by law:
- Identity & basic contact information (name, date of birth, gender, passport/ID number, photographs).
- Contact details: email, postal address, telephone/mobile, emergency contact.
- Booking/reservation information: arrival/departure dates, preferences, stay history, loyalty membership details.
- Payment details: credit/debit card number, billing address, invoices, transaction history.
- Device & online data: IP address, device identifiers, browser/app usage logs, cookies/tracking data.
- CCTV / audio / video surveillance data, security camera footage (for safety, security, fraud prevention).
- Health and medical information (if provided, e.g. in spas, wellness treatments, or emergencies).
- Staff data: employment history, payroll, tax, benefits, performance, training, background checks, medical/emergency contact info, dependents if relevant.
- Vendor/supplier/partner data: company information, contact persons, financial records, compliance and due diligence information.
Where we collect Sensitive/Special category data, we do so only when strictly necessary, and with additional protections and consents as required by law.
5. Purposes for Which We Use Personal Data
We use Personal Data for the following purposes (depending on your relationship with SHG), only to the extent allowed by applicable law:
- To operate, manage and fulfil your reservation or hotel/lodging stay, including booking, check-in/check-out, room service, cleaning, safety, and housekeeping.
- To process payments, issue invoices, refunds, manage billing and revenue accounting.
- To communicate with you: confirmations, updates, customer support, responses to inquiries, complaints.
- To promote our services: loyalty programs, promotional offers, newsletters, tailored marketing / personalization (only where consent or legal basis is valid under local law).
- To comply with legal, regulatory, immigration, tax, public health, and safety obligations.
- To ensure safety and security of our properties, guests, employees – including CCTV, fraud detection, investigations.
- To carry out HR functions: hiring, payroll, performance management, health & safety, benefits.
- To administer vendor/supplier relationships, auditing, procurement, due diligence.
- To improve our services, develop new products and services, conduct analytics, market research, customer feedback.
- To keep records in line with legal and business requirements.
6. Data Subject (Your) Rights
You have rights over your Personal Data and SHG provides mechanisms to help you exercise these rights. These rights are always subject to applicable laws, including any exemptions or limitations that may apply.
You have the following rights regarding your Personal Data:
- Right of access: to request and receive a copy of your Personal Data SHG holds and information about how it is processed.
- Right to rectification / correction: to ask SHG to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): to request deletion of your data when it is no longer needed, or if you withdraw consent, or if processing is unlawful. Note: SHG may retain certain data if required by law (tax / regulatory obligations).
- Right to restrict processing: to limit how SHG uses your data.
- Right to object: to certain processing, e.g. direct marketing, or processing based on legitimate interests.
- Right to data portability: where applicable (e.g., under GDPR), to receive your Personal Data in a structured, commonly used, and machine-readable format and to request its transfer to another controller, where technically feasible.
- Right to withdraw consent: if processing is based on consent, you can withdraw at any time, without affecting past processing.
- Rights regarding automated decision-making / profiling: including to request human intervention, to express your point of view, to contest decisions, where decisions produce legal effect or similarly significant effects.
We will respond to requests to exercise your rights within the timeframes required by law.
7. Consent, Notices & Transparency
Where required, we obtain valid consent that is freely given, specific, informed, and explicit or unambiguous. We will inform you clearly about what you are consenting to.
We maintain privacy notices and policies that are clear, accessible, intelligible, and written in plain language. They include, among other things, the identity of the controller, contact information, what data is collected, why and how it is used, sharing and transfers, retention periods, and data subject rights.
Where data is transferred outside certain jurisdictions, we will notify you, as required by law, of the safeguards used.
8. Cross-Border Data Transfers
Because SHG operates on a global basis, your Personal Data may be transferred to, accessed from, or stored in countries other than the one in which it was originally collected. Such transfers may be made between SHG entities, to service providers, or to other third parties engaged in the provision of our services.
SHG ensures that any cross-border transfer of Personal Data is carried out in compliance with applicable data protection laws. This may include, where required:
- transferring Personal Data to jurisdictions that have been formally recognised as providing an adequate level of protection;
- implementing appropriate contractual safeguards, such as standard contractual clauses or other legally approved mechanisms;
- adopting binding corporate rules or other internal frameworks recognised by regulators; or
- relying on specific derogations or exceptions where permitted by law (for example, where the transfer is necessary for the performance of a contract or based on explicit consent).
Regardless of the destination, SHG applies measures designed to ensure that the transferred Personal Data continues to be protected in accordance with the principles set out in this Policy and applicable law.
9. Data Processors, Third Parties & Affiliates
- SHG may use third-party service providers (processors) to perform processing on our behalf (e.g. payment processors, cloud services, marketing agencies, CRM providers, analytics).
- We enter into formal written contracts or agreements with processors that oblige them to process Personal Data only on our instructions, maintain confidentiality, implement appropriate security measures, and assist us with data subject rights and breach notification.
- We conduct due diligence before engaging processors to ensure they can comply with data protection obligations.
- Where processors use sub-processors, we require them to satisfy similar obligations (contractually).
- We may share Personal Data within our corporate group (subsidiaries and affiliates) for operational, compliance, audit, reporting, and service-delivery purposes, where a lawful basis exists and subject to appropriate safeguards; affiliates receiving Personal Data will use it only for permitted purposes and in accordance with applicable law and this Policy.
10. Change of Ownership / Business Transfers
We may disclose or transfer Personal Data in connection with any actual or proposed reorganisation, restructuring, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or shares (“Business Transaction”). Where permitted by applicable law, we may share limited Personal Data with prospective counterparties and their professional advisers for due-diligence purposes, subject to confidentiality and security obligations and the principle of data minimisation.
If a Business Transaction completes, Personal Data relevant to the transferred business may be transferred to, or come under the control of, the acquiring entity (or another controller within our group). We will take steps to ensure that any recipient uses the Personal Data only for permitted purposes, implements appropriate safeguards (including for cross-border transfers where required), and — where legally required — provides individuals with transparency information (for example, the identity and contact details of the new controller and any material changes to purposes or rights).
Where applicable (for example, in certain jurisdictions), we and the recipient will comply with any jurisdiction-specific requirements for Business Transactions, including conditions for due-diligence disclosures and post-completion notifications to affected individuals.
11. Data Security
We implement both technical and organizational measures appropriate to the level of risk, taking into account the nature of the Personal Data, the potential harm that may result from unauthorised use or disclosure, the volume of data processed, and other relevant factors. These measures may include:
- Access controls, including least-privilege and role-based access.
- Encryption at rest and in transit (where feasible).
- Network security, intrusion detection, vulnerability assessments.
- Secure disposal / deletion / anonymization of data no longer needed.
- Physical security of premises and hardware, backup, disaster recovery.
- Regular security audits, monitoring, penetration testing.
- Awareness / training for staff on data protection and privacy, handling Personal Data, breach response.
12. Data Breach Notification & Incident Response
We maintain policies and procedures to detect, assess, contain, and mitigate incidents involving Personal Data. In the event of a personal data breach, we will:
- promptly evaluate the nature and impact of the breach;
- determine whether notification to regulators or affected individuals is required under applicable law;
- make such notifications within the timeframes and in the manner prescribed by the relevant authorities, where legally required; and
- document the breach, the investigation undertaken, and the remedial measures applied.
13. Retention / Deletion / Anonymization
We retain Personal Data for as long as needed to fulfil the purposes described, or as required by law or contract, including for legal, accounting, tax and regulatory obligations.
After that, we delete or anonymize the data securely. Where deletion is not possible (e.g. where data must be archived for audit or legal reasons), we limit access to the data and protect it.
We maintain internal retention schedules documented per category of data (guests, employees, CCTV, etc.), reviewed periodically.
14. Special / Sensitive Data
Processing of sensitive data (health, biometric, etc.) is subject to heightened protections. We only process such data when necessary and where permitted by law.
Where required, we carry out additional impact assessments, apply strong security measures, restrict access, and, where appropriate, pseudonymize or anonymize the data.
15. Automated Decision-Making & Profiling
If SHG uses profiling or automated decision making that produces legal effects or significant effects on individuals, we will ensure:
- You are informed about the logic involved, the significance and envisaged consequences.
- You have the right to object, request human intervention, express your views, and obtain an explanation.
- Decisions will be subject to oversight / internal review.
16. Accountability, Records & Impact Assessments
SHG maintains records of processing activities (“RoPA”), as required by law, which include information such as the categories of data processed, the purposes of processing, retention periods, recipients or third parties, and a description of the technical and organisational security measures in place.
Where required by applicable law, or when processing activities are likely to result in a high risk to individuals (such as large-scale processing of sensitive data or profiling), we carry out Data Protection Impact Assessments (“DPIAs”) to identify and mitigate potential risks.
The DPO, or an equivalent designated contact person, is responsible for overseeing compliance with this Policy and applicable data protection laws, advising on obligations, and acting as a point of contact for regulators and individuals.
17. Children’s / Minors’ Data
If we process the Personal Data of children, as defined by applicable law in each jurisdiction, we will obtain the consent of a parent or legal guardian where required. We will provide information in a clear and age-appropriate manner, limit the collection and use of children’s data to what is strictly necessary, and avoid profiling or marketing activities directed at minors where prohibited by law.
18. Do Not Call, Direct Marketing, Cookies & Tracking (Jurisdiction-Specific Provisions)
We may use Personal Data for direct marketing. Where required by law, we obtain consent before sending such communications and always provide an opt-out option.
We comply with applicable “Do Not Call” or similar rules, which restrict sending marketing messages to registered numbers unless a legal exception applies.
For websites and apps, we may use cookies and similar technologies. Where required, we display a cookie notice and allow you to accept or refuse non-essential cookies.
19. Applicability of Local Laws
This Policy is intended to apply globally across all jurisdictions in which we operate. The rights available to you, and our obligations in handling your Personal Data, will depend on the data protection laws of the jurisdiction in which you are located or in which the Processing takes place. Where those laws impose stricter requirements than those described in this Policy, we will comply with the stricter requirement.
Any interpretation of, or dispute arising from, this Policy or our data handling practices shall be subject to the applicable data protection laws of the relevant jurisdiction, unless otherwise required by contract or mandatory law.
If any provision of this Policy is held invalid under applicable law, that invalidity will not affect other provisions.
20. Enforcement & Penalties
Violations of applicable data protection laws can result in regulatory investigations, orders, fines, suspension of data processing, and revocation of licences.
SHG takes these potential legal and reputational harms seriously and is committed to full compliance.
21. Contacting Us & Exercising Your Rights
If you have questions about this Policy or wish to exercise your rights under applicable law, you may contact our Data Protection Officer (or equivalent contact):
Data Protection Officer
Sunset Hospitality Group
Email: mahin@sunsethospitality.com
You also have the right, where applicable, to lodge a complaint with your local data protection authority.