PRIVACY POLICY

Scope of This Policy

This Privacy Policy describes how Lopota LLC and its Affiliates and Subsidiaries (“we” or “us”) collects, uses, consults or otherwise processes an individual’s Personal Data. This Privacy Policy applies globally but depending on where you live some specific provisions of this Privacy Policy may not apply to you.

For the purposes of EU Privacy Law, depending on the type of Personal Data processing described in this Privacy Policy Lopota or its agents/subsidiaries may be operating as a sole or joint Controller. If operating as joint Controllers, both entities jointly determine the means and purposes of the processing of your Personal Data. What this means for you is that you can exercise your rights against either of the joint Controllers by contacting either company as set out below.

In some of the situations described in this Privacy Policy, the hotel where you made a booking and/or stay will also process your data as a (joint or sole) Controller.

Lopota is a company incorporated under the laws of Georgia with the identification code: 431176817 and a legal address at: Village Napareuli, Telavi, Georgia.

We are committed to protecting the privacy of our users and customers.

This Privacy Policy is intended to inform you how we gather, define, and use Personal Data that you provide to us when using our websites and mobile applications or when relying on our hospitality services. Please take a moment to read this Privacy Policy carefully. Please note that if you plan to submit someone else’s Personal Data to us, for instance when making a booking on their behalf, you may only provide us with that person’s details with their consent and after they have been given access to information about how we will use their details, including the purposes set out in this Privacy Policy.

THIS POLICY INCLUDES A DESCRIPTION OF YOUR DATA PROTECTION RIGHTS, INCLUDING A RIGHT TO OBJECT TO SOME OF THE PROCESSING ACTIVITIES WE CARRY OUT. PLEASE NOTE THAT YOUR RIGHTS AS A DATA SUBJECT MAY VARY DEPENDING UPON WHERE YOU LIVE.

LAW OF GEORGIA ON PERSONAL DATA PROTECTION AS WELL AS INTERNATIONAL REGULATIONS REQUIRE US TO BE SPECIFIC ABOUT OUR REASONS AND LEGAL GROUNDS FOR USING YOUR PERSONAL DATA. ACCORDINGLY, FOR THE PURPOSES OF EU PRIVACY LAW ONLY, THE INFORMATION BELOW DESCRIBES THE TYPES OF DATA WE PROCESS, WHERE WE GET YOUR DATA FROM, THE GROUNDS WE RELY ON TO CARRY OUT THE PROCESSING, AND WHO WE MAY SHARE YOUR DATA WITH. EXCEPT FOR THE “PROCESSED DATA CATEGORIES” SECTIONS SET OUT IN THE INFORMATION BELOW, NOTHING IS INTENDED TO BIND US IN RESPECT OF OUR NON-EU USERS.

Definitions

Affiliates and Subsidiaries: Any corporation, firm, partnership or other entity which directly or indirectly controls, is controlled by, or is under common control with Lopota LLC.

Controller: The individual or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

EU Privacy Law: Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (the ”GDPR”), as well as any legislation and/or regulation implementing or created pursuant to the GDPR and the e-Privacy legislation, or which amends, replaces, re-enacts or consolidates any of them, and all other national applicable laws relating to the processing of Personal Data and privacy.

Processor: A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.

Recipient: A natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not.

Third Party: A natural or legal person, public authority, agency or body other than the data subject, controller, Processor and persons who, under the direct authority of the controller or processor, are authorized to process Personal Data.

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR. 

Personal Data: Any information relating to an identified or identifiable natural person (”Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Standard Contractual Clauses: Sets of standard contractual clauses for transfers as adopted by the European Commission for the international transfer of Personal Data. 

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Hotel Booking Process

1. Hotel booking process 

In the context of the hotel booking process – whether this takes place online on one of our brand websites, through an online booking channel, via a travel agent, through our call center or directly at the hotel – we process your Personal Data for the purpose of (i) enabling you to reserve a room in the hotel of your choice; (ii) verifying the availability of the hotel and to administer the booking; (iii) sending you a booking confirmation; and (iv) sending you pre-arrival emails. You may unsubscribe from pre-arrival emails at any time by clicking on the unsubscribe link in the emails sent to you. 

Processed data categories 

Address, Booking details (including reservation number), Date of arrival and departure, Email address, First name / Last name, First name / Last name of adult co-guest(s), Payment card type, number and expiration date, Telephone number, Title 

Source of data

Depending on the booking mechanism used:

– Directly from you through the online booking form
– Through the online booking channel you used to make the booking
– From your travel agent
– From our call center

Ground for processing

Processing is necessary to take steps to enter into and perform a contract.

Recipients of data 

– Lopota LLC itself
– Other Lopota entities involved
– IT service providers involved in the (online) booking process
– IT service providers
– Email communications service provider

2. Interrupted or incomplete online booking process

When you are booking online but for some reason are not able to finalize the booking process, we process your Personal Data for the purpose of enabling you to easily continue the online booking process by sending you an email with a link to the online booking form, which is pre-filled on the basis of the data you had already provided in the form.

Processed data categories

Address, Date of arrival and departure, Email address, First name / Last name, First name / Last name of adult co-guest(s), Payment card type, number and expiration date, Telephone number, Title

Source of data

Directly from you through the online booking form

Ground for processing

It is in Lopota’s legitimate interest as a business to re-market an interrupted or incomplete booking process. In this context, Lopota’s business interests prevail over yours.

Recipients of data

– Email communications service provider
– Provider of targeted advertisements

3. Guest satisfaction surveys

We may send you guest satisfaction surveys by email during or after your stay to enable us to measure the performance of our hotels. You may unsubscribe from our guest satisfaction survey emails at any time by clicking on the unsubscribe link in the emails sent to you.

Processed data categories

Country of residence, Date of arrival and departure, Email address, First name / Last name, Nationality,  Stay details

Source of data

Depending on the booking mechanism used:

– Directly from you through the booking form
– Through the online booking channel you used to make the booking
– From your travel agent
– From our call center

Ground for processing

Processing is necessary to ensure and follow up on the good performance of the contract you have with us.

Recipients of data

– Other Lopota entities involved
– Guest satisfaction survey provider

4. Service emails Analytics

In the context of service emails, which includes guest satisfaction survey emails and any pre-arrival emails concerning your booking, we may process and collect your Personal Data, and notably whether you have opened and actioned a service email, for analytical purposes in order to measure the click-through rate and improve the content of our service emails. You may unsubscribe from our service emails at any time by clicking on the unsubscribe link in the service emails sent to you.

The information below describes the types of data we process for this purpose, where we get your data from, the ground we rely on to carry out the processing, and who we may share your data with.

Processed data categories

Email address, Email clicking behavior, Email opening behavior, First name / Last name.

Source of data

From our email analytics service provider

Ground for processing

It is in Lopota’s legitimate interest as a business to understand the email clicking behavior of its guests in order to determine whether improvements are needed. In this context, Lopota’s business interests prevail over yours.

Recipients of data

– Other Lopota entities involved
– IT service providers
– Email analytics service provider

Hotel Guests

1. Hotel check-in and check-out

When staying at the hotel we will collect and process your Personal Data for the purposes of (i) registering your arrival and departure at the hotel; (ii) assigning you a key card to your room or allowing you to use your mobile device as a room key; (iii) obtaining a credit card guarantee or hotel deposit to ensure payment of your stay; (iv) creating or updating your profile in our hotel management system; (v) managing payment of your stay; (vi) establishing, printing or sending an invoice for your stay; and (vivii) paying a commission to your travel agent (if applicable).

In the event you have booked a room in our hotel but do not show up – without cancelling – on the date of arrival communicated, we will process your Personal Data for the purposes of (i) cancelling your stay and any other reservation you may have made; and (ii) managing, processing and settling any outstanding payment that may be due.

Processed data categories

Address, Bookings (hotel, restaurant, event, theater, etc.), Date of arrival and departure, Email address, First name / Last name, First name / Last name of adult co-guest(s), Payment card type, number and expiration date, Telephone number, Title

Source of data

Depending on the booking mechanism used:

– Directly from you through the booking form
– Through the online booking channel you used to make the booking
– From your travel agent
– From our call center

Ground for processing

Processing is necessary to perform the contract you have with us.

Recipients of data

– Other Lopota entities involved
– IT service providers
– Your travel agent (if applicable)

2. Credit limit reports

To ensure payment for all guests staying in a hotel room, each hotel guest is asked for a credit card or deposit upon arrival. In order to ensure that you do not exceed your credit limit during your stay, we produce a credit limit report multiple times a day for the purposes of verifying whether your credit limit has been exceeded. These credit limit reports may contain your Personal Data. Please note that in limited circumstances these credit limit reports may be subject to one of our internal financial audits and may therefore be accessed by members of our internal audit department, in order to ensure that our hotel follow the Lopota’s internal guidelines and policies.

Processed data categories

Date of arrival and departure, First name / Last name, Payment card type, number and expiration date

Source of data

Depending on the booking mechanism used:

– Directly from you through the booking form
– Through the online booking channel you used to make the booking
– From your travel agent
– From our call center

Ground for processing

Processing is necessary to ensure the performance of the contract you have with us.

Recipients of data

– Other Lopota entities involved
– IT service providers

3. Hotel stay

When you stay in one of our hotels, we endeavor to make your stay as pleasant as possible. This requires processing your Personal Data for the purposes of providing specific services during your hotel stay. These services include (i) housekeeping and maintenance; (ii) returning lost or forgotten items to you; and/or (iii) managing your and your co-guests’ preferences, such as dietary requirements and pillow preferences, in order to provide you with a better service during your stay with us.

Processed data categories

Address, Consumption habits, Date of arrival and departure, Dietary requirements, Email address, First name / Last name, First name / Last name of adult co-guest(s), Other preferences, Payment details (for the purpose of returning lost or forgotten items), Telephone number

Source of data

Depending on the booking mechanism used:

– Directly from you through the booking form
– Through the online booking channel you used to make the booking
– From your travel agent
– From our call center
– Directly from you during your stay at the hotel

Ground for processing

It is in Lopota’s legitimate interest as a business to organize its day-to-day hotel maintenance activities, to personalize the services it provides, and/or to be able to identify the owner of a lost or forgotten item. Taking into account the limited Personal Data processed and shared for such purpose(s), Lopota’s business interests prevail over yours.

Recipients of data

– Hotel personnel, including housekeeping, maintenance, front desk, and/or other hotel personnel concerned
– Other Lopota entities involved
– IT service providers
– Delivery or courier service providers (for the purpose of returning lost or forgotten items)

4. Hotel guest additional services

In our hotel you can benefit from additional services and facilities, such as breakfast, room service, minibar, pool, restaurants and bars, spa treatments, laundry services, parking, taxi requests, free Wi-Fi, etc. In the event you make use of additional services or facilities at one of our hotels, your Personal Data may be processed to (i) manage the booking and use of such additional hotel services and/or facilities; (ii) administer any advance bookings of additional services and/or facilities to your file;

Processed data categories

Consumption habits, Date of arrival and departure, Dietary requirements, Email address, First name / Last name, First name / Last name of adult co-guest(s), Payment card type, number and expiration date, , Title

Source of data

– Directly from you through the online booking form
– Through the online booking channel you used to make the booking
– From your travel agent
– From our call center
– Directly from you when making your additional service/facility request
– Through the online booking platform for additional services and facilities

Ground for processing

Processing is necessary to take steps with a view to entering into a contract and/or to perform the contract.

Recipients of data

– Hotel personnel, including front desk, room service, and/or other hotel personnel concerned
– Other Lopota entities involved
– IT service providers

Subscription to Our Newsletters

1. Newsletters and marketing communications

If you have explicitly consented to receive our newsletters or marketing communications, including marketing activities, we may, from time to time, contact you with information about our services and latest offers and process your Personal Data for this purpose.

If you no longer want to receive our newsletters or marketing communications, please let us know by sending us an email at [email protected]. You can also unsubscribe from our marketing emails by clicking on the unsubscribe link in the emails sent to you.

Processed data categories

– Address, Date of birth, Email address, First name / Last name, Gender, Hobbies and interests, Telephone number, Hotel stay history, Country of residence

Source of data

– Directly from you when subscribing to our newsletter or later when completing your account

Ground for processing

– Ad hoc consent obtained during the subscription to our newsletter

Recipients of data

– Other Lopota entities involved
– IT service providers
– Email communications service provider

2. Newsletters and marketing communications analytics

In the context of our newsletters and marketing communications, we may also process and collect your Personal Data, and notably whether you have opened and interacted with one of our communications, for analytical purposes in order to measure the click-through rate and improve the content of our newsletters and marketing communications.

Processed data categories

– Email address, Email clicking behavior, Email opening behavior, First name / Last name

Source of Data

– From our email analytics service provider

Grounds for Processing

– It is in Lopota’s legitimate interest as a business to understand the click-through rate of its emails in order to determine whether improvements are needed. In this context, Lopota’s business interests prevail over yours.

Recipients of Data

– Other Lopota entities involved
– IT service providers
– Email analytics service provider

Social Media and Online Reviews

We may process your Personal Data obtained through social media platforms (including Facebook, Instagram, LinkedIn, Weibo and Twitter) or online reviews (including on TripAdvisor) concerning our hospitality brands for the purposes of (i) addressing your questions or complaints; (ii) monitoring our online reputation; and (iii) improving our services and identifying opportunities on which we can focus.

Processed data categories

– Any Personal Data you may decide to share with us or published on social media or in other online reviews about us

Source of Data

– Directly from you through publicly accessible social media pages, online booking channels or other (review) websites
– From our online reputation monitoring service provider

Ground for processing

– It is in Lopota’s legitimate interest as a business to process the Personal Data you have chosen to address to us or make publicly available on social media platforms, online booking channels or other (review) websites in order to improve our services and identify business opportunities. In this context, Lopota’s business interests prevail over yours.

Recipients of data

– Other Lopota entities involved
– Online reputation monitoring service provider

Your Rights – Under EU Privacy Law and Law of Georgia on Personal Data Protection

If you are in the EU, EU Privacy Law grants specific rights, summarized below, which you can in principle exercise free of charge, subject to statutory exceptions. These rights may be limited, for example if fulfilling your request would reveal Personal Data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. To exercise any of your rights, you can file a request via email at [email protected] .

.

1. Right to withdraw consent

Wherever we rely on your consent, you will be able to withdraw that consent at any time you choose and at your own initiative by logging in to your account on our website (if you have one) or by contacting us at [email protected].. Besides the withdrawal of your consent, you may use the same e-mail and also request access to your personal data, or/and changes in it, including erasure or/and limitation of their processing/use.

Your Rights – Non-EU and foreign citizens

Depending on where you are located you will have different rights in respect of your Personal Data and we will comply with the relevant requirements of applicable laws and this Privacy Policy.

How Is Your Personal Data Shared with Third Parties?

We only share or disclose information as described herein, including with Third Parties.

Your Personal Data will also be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of the Controller(s) legitimate interests in compliance with applicable laws. In addition, we may share your Personal Data and other information with a successor to all or part of our business, where this is in our legitimate interests in facilitating a business sale and in this context our business interests prevail over yours.

How Long Will We Keep Your Personal Data?

We retain your Personal Data for as long as is required to fulfil the activities set out in this Privacy Policy, for as long as otherwise communicated to you or for as long as is permitted by applicable law.

To determine the appropriate retention period for the information we collect from you, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements.

What Happens If We Make Modifications to This Policy?

We reserve the right to modify and update this Privacy Policy from time to time. We will bring these changes to your attention should they be indicative of a fundamental change to the processing or be relevant to the nature of the processing or be relevant to you and impact your data protection rights.

How to Contact Us

Questions, comments, remarks, requests or complaints regarding this Privacy Policy are welcome and should be addressed to 2 Gamrekeli st., 0194 Tbilisi, Georgia or contact us via e-mail:

info@lopotaresort.com